In a continuing series documenting weird things I find on Linux, in case I have to come back to them in the future, today I came across some weirdness when trying to do something very specific with sudo.
The sudoers man page is long and complicated; it's even mentioned in an XKCD comic.
In this case, I wanted to express the following:
Users in a specified group, "managed", must be able to execute /usr/bin/git as a specific (non-root) user, "person", without specifying a password.
From the documentation, it looks like this should be expressed as follows:
%managed ALL = (person) NOPASSWD: /usr/bin/git
However, this wouldn't work: users in the managed group were consistently prompted for a password when trying to run the git command.
It turned out that, for some reason, it was necessary to specify a group as well:
%managed ALL = (person:people) NOPASSWD: /usr/bin/git
This allowed users in the group to run the following command without a password:
sudo -u person -g people /usr/bin/git
This is despite the following passage in the sudoers manpage:
A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (':') and enclosed in a set of parentheses. The first Runas_List indicates which users the command may be run as via sudo's -u option. The second defines a list of groups that can be specified via sudo's -g option. If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. If only the first is specified, the command may be run as any user in the list but no -g option may be specified. If the first Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the Runas_List. If both Runas_Lists are empty, the command may only be run as the invoking user. If no Runas_Spec is specified the command may be run as root and no group may be specified.
So, god knows why that didn't work. I'm open to comments via email.
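As an added worked example (my own code, not part of the original post and not sudo's real parser), the following Python models the Runas_Spec semantics quoted from the manpage above. It parses one-line sudoers rules like the two in the post and answers whether a given "sudo -u USER [-g GROUP] COMMAND" request is covered by the rule. The invoking user names and group memberships it is run with are constructed for the demo. It reproduces what the manpage says a rule grants; it does not explain the password prompt observed above.

```python
"""Model of the sudoers Runas_Spec semantics quoted from the sudoers manpage.

Constructed example: parses simple one-line sudoers rules and reports whether a
`sudo -u TARGET_USER [-g TARGET_GROUP] COMMAND` request is permitted under the
documented Runas_Spec rules. Not sudo's own parser: no aliases, no host
matching, one command per rule.
"""
import re

# Shape handled:  WHO HOST = (runas_users[:runas_groups]) [TAG: ...] command
RULE_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"       # optional Runas_Spec in parentheses
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"          # tags such as NOPASSWD:
    r"(?P<cmd>\S.*?)\s*$"
)


def _split_list(text):
    """Split a comma-separated Runas_List into names, dropping blanks."""
    return [x.strip() for x in text.split(",") if x.strip()]


def parse_rule(line):
    """Return a dict for one rule; runas_users/runas_groups are None when no Runas_Spec is given."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    runas = m.group("runas")
    if runas is None:
        users = groups = None
    else:
        user_part, _, group_part = runas.partition(":")
        users, groups = _split_list(user_part), _split_list(group_part)
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas_users": users,
        "runas_groups": groups,
        "tags": re.findall(r"[A-Z_]+", m.group("tags")),
        "command": m.group("cmd"),
    }


def _listed(name, names):
    return "ALL" in names or name in names


def applies_to(rule, invoking_user, invoking_groups=()):
    """Does the rule's User_List ('ALL', 'user' or '%group') cover the invoking user?"""
    who = rule["who"]
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in invoking_groups
    return who == invoking_user


def may_run_as(rule, invoking_user, target_user, target_group=None):
    """Apply the manpage's Runas_Spec cases to a `-u target_user [-g target_group]` request."""
    users, groups = rule["runas_users"], rule["runas_groups"]
    if users is None:                       # no Runas_Spec: root only, no -g allowed
        return target_user == "root" and target_group is None
    if not users and not groups:            # "(:)": invoking user only, no -g
        return target_user == invoking_user and target_group is None
    if not users:                           # "(:group)": invoking user with a listed group
        return (target_user == invoking_user
                and target_group is not None and _listed(target_group, groups))
    if not _listed(target_user, users):     # -u names someone not in the first list
        return False
    if target_group is None:                # -u alone is fine once the user matches
        return True
    return _listed(target_group, groups)    # "(user)" has an empty group list, so -g is refused


def permitted(rule, invoking_user, invoking_groups, target_user, target_group=None):
    """Full check: the rule must cover the invoker and the requested -u/-g combination."""
    return applies_to(rule, invoking_user, invoking_groups) and \
        may_run_as(rule, invoking_user, target_user, target_group)


def password_required(rule):
    return "NOPASSWD" not in rule["tags"]


# The two rules from the post, reproduced here as constructed input.
RULE_USER_ONLY = parse_rule("%managed ALL = (person) NOPASSWD: /usr/bin/git")
RULE_USER_GROUP = parse_rule("%managed ALL = (person:people) NOPASSWD: /usr/bin/git")

if __name__ == "__main__":
    # "alice" and her membership of "managed" are constructed for the demo.
    for label, rule in (("(person)", RULE_USER_ONLY), ("(person:people)", RULE_USER_GROUP)):
        for grp in (None, "people"):
            ok = permitted(rule, "alice", ["managed"], "person", grp)
            flag = "" if grp is None else f" -g {grp}"
            print(f"{label:16} sudo -u person{flag} git -> {'allowed' if ok else 'denied'}")
```

On a live system the equivalent checks are sudo's own: "sudo -l" (or, as root, "sudo -l -U user") lists the rules that apply to a user, "sudo -l -u person /usr/bin/git" asks sudo whether one specific command is permitted for that target user, and "visudo -cf FILE" checks a sudoers fragment's syntax before it is installed. These are standard sudo and visudo options, not something the model above replaces.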