What is the difference between `root ALL=(ALL:ALL) ALL` and `root ALL=(ALL) ALL`?

While the sudoers manpage can be a bit initmidating, there are examples given which help clarify things:

 dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or group set to operator:

 dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
         /usr/bin/lprm

We can infer that, given a sudoers line of the form:

A B = (C:D) E

D refers to the groups that can be used.

So the third ALL specifies that the user has can run the command under any group.


If the (ALL) is specified instead of (ALL:ALL), then sudo cannot be used with -g by that user for those commands:

Runas_Spec
  A Runas_Spec determines the user and/or the group that a command may 
  be run as.             ...  The second defines a list of groups that
  can be specified via `sudo`'s `-g` option.  If both Runas_Lists are
  specified, the command may be run with any combination of users and
  groups listed in their respective Runas_Lists. If only the first is
  specified, the command may be run as any user in the list but no `-g`
  option may be specified.

(The examples above come from the same section.)

Tags:

Sudo