sudo -v chooses different rule
VrIgHtEr opened this issue · 1 comment
`sudo -v` does not choose the same rule as `sudo some_command`.
Setup: Arch Linux

```
Sudo version 1.9.15p4
Sudoers policy plugin version 1.9.15p4
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p4
Sudoers audit plugin version 1.9.15p4
```
I have a setup where I have (among others) a user called `cedric`. It is a member of the `wheel` group.

The last line in the sudoers file is set to `@includedir /etc/sudoers.d`, and in `/etc/sudoers.d` I have the following two files:

- `000-wheel`, containing the rule `%wheel ALL=(ALL:ALL) ALL`
- `001-cedric`, containing the rule `cedric ALL=(ALL:ALL) NOPASSWD: ALL`
If I run `sudo -k` followed by `sudo echo test`, then the rule in `001-cedric` is correctly picked up as the last matching rule and I am not asked for a password.

However, if I run `sudo -k` followed by `sudo -v`, then I am asked for a password, because only the rule in `000-wheel` is matched, even though the one in `001-cedric` should override it because it comes later.

If I delete the `000-wheel` file and try the same thing again (`sudo -k ; sudo -v`), then I am not asked for a password (as I expected), so `sudo -v` is actually able to use the rule in `001-cedric` just fine.

It appears that `sudo -v` is using slightly different rule selection logic.
Yes, `sudo -v` is handled differently from a regular command since there may be multiple commands permitted. Here's the sudoers manual entry for the `verifypw` option:

> ... `sudo` with the `-v` option. It has the following possible values:
>
> - `all`: All the user's sudoers file entries for the current host must have the `NOPASSWD` flag set to avoid entering a password.
> - `always`: The user must always enter a password to use the `-v` option.
> - `any`: At least one of the user's sudoers file entries for the current host must have the `NOPASSWD` flag set to avoid entering a password.
> - `never`: The user need never enter a password to use the `-v` option.
If no value is specified, a value of all is implied. Negating the option results in a value of never being used. The default value is all.
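To make the difference concrete, here is an added model (not part of the issue thread or of sudo's code) of the two decisions described above: a command uses the last matching rule, while `sudo -v` applies the `verifypw` policy over all matching rules for the host. It parses the two rules from the issue with a deliberately simplified sudoers grammar (user or `%group`, host, optional runas, tags, command list) and ignores runas and per-command matching, which the page does not exercise.

```python
"""Simplified model of sudo's password decision for a command vs. `sudo -v`.
Assumptions: rules are single-line, hosts are 'ALL' or an exact name, and
command lists are not matched (every rule here is 'ALL')."""
import re
from dataclasses import dataclass

# who  host = (runas)  TAG: TAG: ...  commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

@dataclass
class Rule:
    who: str        # user name or '%group'
    host: str
    nopasswd: bool  # True when the NOPASSWD: tag is present
    cmds: str

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return Rule(m.group("who"), m.group("host"), "NOPASSWD" in tags, m.group("cmds"))

def matching_rules(rules, user, groups, host="myhost"):
    """Rules that apply to this user on this host, in sudoers order."""
    def who_ok(r):
        return r.who[1:] in groups if r.who.startswith("%") else r.who == user
    return [r for r in rules if who_ok(r) and r.host in ("ALL", host)]

def command_needs_password(matches) -> bool:
    """A command: the *last* matching rule wins, as the issue observes."""
    return True if not matches else not matches[-1].nopasswd

def verify_needs_password(matches, verifypw="all") -> bool:
    """`sudo -v`: apply the verifypw policy over *all* matching rules."""
    if verifypw == "always":
        return True
    if verifypw == "never":
        return False
    if not matches:
        return True
    flags = [r.nopasswd for r in matches]
    if verifypw == "all":   # default: every matching rule must be NOPASSWD
        return not all(flags)
    if verifypw == "any":   # one NOPASSWD rule is enough
        return not any(flags)
    raise ValueError(f"unknown verifypw value: {verifypw}")

# Constructed from the issue: /etc/sudoers.d/000-wheel and 001-cedric.
ISSUE_RULES = [parse_rule("%wheel ALL=(ALL:ALL) ALL"),
               parse_rule("cedric ALL=(ALL:ALL) NOPASSWD: ALL")]
```

With both files present, `command_needs_password` is False while `verify_needs_password(..., "all")` is True, which is exactly the prompt the reporter saw; setting `verifypw` to `any` or removing `000-wheel` makes `sudo -v` passwordless too.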