What is the proper sudoers syntax to add a user?
Note: I'm answering 1., since Ignacio already answered 2..
In the following sudo entry:
superadm ALL=(ALL) ALL
there are four fields:
- The first one specifies a user that will be granted privileges for some command(s).
- The second one is rarely used. It's a list of hostnames on which this sudo entry will be effective. On standard setups only one host is relevant (localhost) so this field is usually left as
ALL. - The fourth field is the list of commands
superadmwill be able to run with elevated privileges.ALLmeans all commands. Otherwise use a comma-separated list of commands. - The third field (the one written
(…)that is optional) specifies which users (and groups) thesuperadmuser will be able to run the following commands as.ALLmeans they can choose anything (unrestricted). It this field is omitted, it means the same as(root).
Example:
alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill
Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root (or bin), possibly with additional operator or system groups privileges.
So alan may choose to run ls as the bin user and with operator's group privileges like this:
sudo -u bin -g operator /bin/ls /whatever/directory
If -u is omitted, it's the same as -u root. If -g is omitted, no additional group privileges are granted.
From the sudoers(5) man page, DESCRIPTION section, Runas_Spec subsection:
The first Runas_List indicates which users the command may be run as via
sudo’s-uoption.
...
If no Runas_Spec is specified the command may be run as
rootand no group may be specified.
So there is no functional difference when trying to run commands as root, i.e., when not using -u with sudo. The difference matters when trying to run commands as other users; the latter will prevent this, but the former will allow it.