What is the proper sudoers syntax to add a user?
Note: I'm answering 1., since Ignacio already answered 2..
In the following sudo entry:
superadm ALL=(ALL) ALL
there are four fields:
- The first one specifies a user that will be granted privileges for some command(s).
- The second one is rarely used. It's a list of hostnames on which this sudo entry will be effective. On standard setups only one host is relevant (localhost), so this field is usually left as ALL.
- The fourth field is the list of commands superadm will be able to run with elevated privileges. ALL means all commands. Otherwise use a comma-separated list of commands.
- The third field (the one written (…) that is optional) specifies which users (and groups) the superadm user will be able to run the following commands as. ALL means they can choose anything (unrestricted). If this field is omitted, it means the same as (root).
Example:
alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill
Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root (or bin), possibly with additional operator or system group privileges.
So alan may choose to run ls as the bin user and with operator's group privileges like this:
sudo -u bin -g operator /bin/ls /whatever/directory
If -u is omitted, it's the same as -u root. If -g is omitted, no additional group privileges are granted.
From the sudoers(5) man page, DESCRIPTION section, Runas_Spec subsection:
The first Runas_List indicates which users the command may be run as via sudo's -u option.
...
If no Runas_Spec is specified the command may be run as root and no group may be specified.
So there is no functional difference when trying to run commands as root, i.e., when not using -u with sudo. The difference matters when trying to run commands as other users; the latter will prevent this, but the former will allow it.