Sudoers Command
I can't understand the difference in these two commands:
USER ALL=(ALL) NOPASSWD: ALL
and
USER ALL=(OTHERUSER) NOPASSWD: ALL
Can anyone explain the () change?
Thanks
command-line unix privileges sudoers
asked Nov 22 at 16:45
Pedro Macedo Vilas
1 Answer
From man 5 sudoers:
The basic structure of a user specification is who where = (as_whom) what.
And
The reserved word ALL is a built-in alias that always causes a match to succeed.
In your case the difference is in (as_whom) field:
- (ALL) means it's possible for USER to run commands as any user.
- (OTHERUSER) means it's possible for USER to run commands as OTHERUSER (e.g. sudo -u OTHERUSER whoami).
Note it doesn't mean USER cannot run commands as YETANOTHERUSER. If USER tries to run something as YETANOTHERUSER then the line with (OTHERUSER) won't match and the parser will continue; some later line may match.
edited Nov 22 at 18:09
answered Nov 22 at 17:22
Kamil Maciorowski
So the USER can execute sudo commands as OTHERUSER name or will have only the privileges of the OTHERUSER?
– Pedro Macedo Vilas Nov 22 at 18:11
@PedroMacedoVilas The user chooses whom to impersonate explicitly with sudo -u chosen_user some_command, like in the example I added to my answer. If the user is allowed to run some_command as chosen_user then the command will run with privileges of chosen_user.
– Kamil Maciorowski Nov 22 at 18:19
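The (as_whom) matching described in the answer, as an added example that is not part of the original post and is not sudo's own parser: a simplified Python model that checks a sudo -u request against each line, with the last matching line winning as in sudoers. The names parse and check are hypothetical; aliases, groups, negation and command arguments are not handled.

```python
import re

# Simplified model of a sudoers user specification:
#   who where = (as_whom) [NOPASSWD:] what
# Aliases, groups, negation, command arguments and per-command runas are not handled.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<where>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^):]*)(?::[^)]*)?\)\s*)?"
    r"(?P<tag>NOPASSWD:\s*)?(?P<what>.+)$"
)

def parse(text):
    """Return a list of rule dicts, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if not m:
            continue
        # An omitted (as_whom) means the rule covers root only.
        runas = m["runas"] if m["runas"] is not None else "root"
        rules.append({
            "who": m["who"],
            "where": m["where"],
            "runas": [u.strip() for u in runas.split(",") if u.strip()],
            "nopasswd": bool(m["tag"]),
            "what": [c.strip() for c in m["what"].split(",")],
        })
    return rules

def _hit(names, value):
    return "ALL" in names or value in names

def check(rules, user, command, runas="root", host="localhost"):
    """Model `sudo -u runas command`; without -u, sudo targets root.
    Returns "nopasswd", "password" or "denied"; the last matching rule wins."""
    verdict = "denied"
    for r in rules:
        if (_hit([r["who"]], user) and _hit([r["where"]], host)
                and _hit(r["runas"], runas) and _hit(r["what"], command)):
            verdict = "nopasswd" if r["nopasswd"] else "password"
    return verdict

# Constructed policies using the two lines from the question.
ANY_TARGET = parse("USER ALL=(ALL) NOPASSWD: ALL")
ONE_TARGET = parse("USER ALL=(OTHERUSER) NOPASSWD: ALL")
```

With the (OTHERUSER) line alone, a plain sudo whoami is refused because it targets root; on a real system, sudo -l -U USER lists what the installed policy actually grants.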