sudo-project/sudo

sudo -v chooses different rule

VrIgHtEr opened this issue · 1 comment

sudo -v does not choose the same rule as sudo some_command

Setup: arch linux

Sudo version 1.9.15p4
Sudoers policy plugin version 1.9.15p4
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p4
Sudoers audit plugin version 1.9.15p4

I have a setup where I have (among others) a user called cedric. It is a member of the wheel group.

The last line in the sudoers file is set to @includedir /etc/sudoers.d and in /etc/sudoers.d I have the following two files:

  • 000-wheel containing the rule %wheel ALL=(ALL:ALL) ALL
  • 001-cedric containing the rule cedric ALL=(ALL:ALL) NOPASSWD: ALL

If I run sudo -k followed by sudo echo test then the rule in 001-cedric is correctly picked up as the last matching rule and I am not asked for a password.

However if I run sudo -k followed by sudo -v then I am asked for a password, because only the rule in 000-wheel is matched, even though the one in 001-cedric should override it because it comes later.

If I delete the 000-wheel file and try the same thing again sudo -k ; sudo -v then I am not asked for a password (as I expected) so sudo -v is actually able to use the rule in 001-cedric just fine.

It appears that sudo -v is using slightly different rule selection logic.

Yes, sudo -v is handled differently from a regular command since there may be multiple commands permitted. Here's the sudoers manual entry for the verifypw option:

This option controls when a password will be required when a user runs sudo with the -v option. It has the following possible values:
  • all: All the user's sudoers file entries for the current host must have the NOPASSWD flag set to avoid entering a password.
  • always: The user must always enter a password to use the -v option.
  • any: At least one of the user's sudoers file entries for the current host must have the NOPASSWD flag set to avoid entering a password.
  • never: The user need never enter a password to use the -v option.

If no value is specified, a value of all is implied. Negating the option results in a value of never being used. The default value is all.
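An added illustration (not code from the sudo project) that models the two decision paths described above against the two rules from the report: a regular command takes the last matching entry and its NOPASSWD tag, while sudo -v applies verifypw across every matching entry. The grammar, the hostname and the `bob` user are simplifications assumed for the example.

```python
import re
from collections import namedtuple

# Constructed sudoers fragment reproducing the two files from the issue,
# concatenated in @includedir order (000-wheel first, then 001-cedric).
SUDOERS = """\
%wheel ALL=(ALL:ALL) ALL
cedric ALL=(ALL:ALL) NOPASSWD: ALL
"""

# Minimal grammar assumed here: <user|%group> <host>=(<runas>) [NOPASSWD:|PASSWD:] <command>
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=\(([^)]*)\)\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)$")
Rule = namedtuple("Rule", "who host nopasswd command")

def parse_sudoers(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line in this toy parser: {line}")
        who, host, _runas, tag, cmd = m.groups()
        rules.append(Rule(who, host, tag == "NOPASSWD", cmd.strip()))
    return rules

def matches(rule, user, groups, host):
    who_ok = rule.who == user or (rule.who.startswith("%") and rule.who[1:] in groups)
    return who_ok and rule.host in ("ALL", host)

def command_needs_password(rules, user, groups, host):
    """sudo <command>: the last matching rule wins, and its NOPASSWD tag is honoured."""
    matched = [r for r in rules if matches(r, user, groups, host)]
    if not matched:
        raise PermissionError("no matching rule")
    return not matched[-1].nopasswd

def verify_needs_password(rules, user, groups, host, verifypw="all"):
    """sudo -v: verifypw decides; the default 'all' needs NOPASSWD on every matching entry."""
    if verifypw not in ("all", "always", "any", "never"):
        raise ValueError(f"bad verifypw value: {verifypw}")
    if verifypw in ("always", "never"):
        return verifypw == "always"
    matched = [r for r in rules if matches(r, user, groups, host)]
    if not matched:
        raise PermissionError("no matching rule")
    check = all if verifypw == "all" else any
    return not check(r.nopasswd for r in matched)
```

With both files present, `command_needs_password` returns False for cedric while `verify_needs_password` returns True under the default, which is the behaviour the report describes; setting verifypw to any, or removing the 000-wheel entry, makes -v passwordless as well.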