What is the difference between `root ALL=(ALL:ALL) ALL` and `root ALL=(ALL) ALL`?
While the `sudoers` manpage can be a bit intimidating, there are examples given which help clarify things:
>     dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
>
> Then user `dgb` is now allowed to run `/bin/ls` as `operator`, but `/bin/kill` and `/usr/bin/lprm` as `root`.
>
> We can extend this to allow `dgb` to run `/bin/ls` with either the user or group set to `operator`:
>
>     dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
>         /usr/bin/lprm
We can infer that, given a `sudoers` line of the form:

    A B = (C:D) E

`D` refers to the groups that can be used.
So the third `ALL` specifies that the user can run the command under any group. If `(ALL)` is specified instead of `(ALL:ALL)`, then `sudo` cannot be used with `-g` by that user for those commands:
> Runas_Spec
>
> A Runas_Spec determines the user and/or the group that a command may
> be run as. ... The second defines a list of groups that
> can be specified via `sudo`'s `-g` option. If both Runas_Lists are
> specified, the command may be run with any combination of users and
> groups listed in their respective Runas_Lists. If only the first is
> specified, the command may be run as any user in the list but no `-g`
> option may be specified.
(The examples above come from the same section.)
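The rule described above can be checked mechanically when reviewing a sudoers file. The following is an added example, not part of the original answer or of sudo itself: a simplified parser that reports, per command, which Runas users and groups a rule grants. The function names (`parse_user_spec`, `audit`, `may_use_g`) are hypothetical, the sample lines are constructed from the examples above, and it assumes plain user specifications with no aliases, tags, negation (`!`) or quoted commas.

```python
import re

# Constructed sample, modelled on the sudoers lines discussed above.
SAMPLE = """\
root ALL=(ALL:ALL) ALL
root ALL=(ALL) ALL
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\\
    /usr/bin/lprm
"""

# "(C:D) E": C = Runas user list, optional D = Runas group list, E = command.
RUNAS = re.compile(r"^\(([^):]*)(?::([^)]*))?\)\s*(.*)$")
# Commas separate commands, except commas inside a "(...)" Runas_Spec.
TOP_LEVEL_COMMA = re.compile(r",(?![^()]*\))")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_user_spec(line):
    """Return [(command, runas_users, runas_groups)] for one 'A B = (C:D) E' line."""
    cmnd_specs = line.partition("=")[2]
    users, groups = ["root"], []  # no Runas_Spec at all: root only, no -g
    parsed = []
    for spec in TOP_LEVEL_COMMA.split(cmnd_specs):
        match = RUNAS.match(spec.strip())
        if match:  # a Runas_Spec also applies to the commands that follow it
            users = split_list(match.group(1))
            groups = split_list(match.group(2) or "")
            spec = match.group(3)
        parsed.append((spec.strip(), users, groups))
    return parsed

def audit(sudoers_text):
    """Return [(who_and_host, command, runas_users, runas_groups)] per rule."""
    rows = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        who = " ".join(line.partition("=")[0].split())
        rows.extend((who, *entry) for entry in parse_user_spec(line))
    return rows

def may_use_g(runas_groups, group):
    """True if `sudo -g group` is accepted for a rule with this group list."""
    return "ALL" in runas_groups or group in runas_groups

if __name__ == "__main__":
    for who, cmd, users, groups in audit(SAMPLE):
        print(f"{who:12} {cmd:14} -u {users} -g {groups or 'not permitted'}")
```

An empty group list in the output corresponds to the `(ALL)` case: the command can be run as the listed users, but `-g` is refused.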