What is the difference between `root ALL=(ALL:ALL) ALL` and `root ALL=(ALL) ALL`?
This line is from my Ubuntu 14.04
root ALL=(ALL:ALL) ALL
What is the meaning of the third ALL?
What is the difference between the above line and root ALL=(ALL) ALL?
Solution 1:
While the sudoers manpage can be a bit initmidating, there are examples given which help clarify things:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprmThen user
dgbis now allowed to run/bin/lsasoperator, but/bin/killand/usr/bin/lprmasroot.We can extend this to allow
dgbto run/bin/lswith either the user or group set tooperator:dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ /usr/bin/lprm
We can infer that, given a sudoers line of the form:
A B = (C:D) E
D refers to the groups that can be used.
So the third ALL specifies that the user has can run the command under any group.
If the (ALL) is specified instead of (ALL:ALL), then sudo cannot be used with -g by that user for those commands:
Runas_Spec
A Runas_Spec determines the user and/or the group that a command may
be run as. ... The second defines a list of groups that
can be specified via `sudo`'s `-g` option. If both Runas_Lists are
specified, the command may be run with any combination of users and
groups listed in their respective Runas_Lists. If only the first is
specified, the command may be run as any user in the list but no `-g`
option may be specified.
(The examples above come from the same section.)
Solution 2:
Found an interesting documentation
root ALL=(ALL:ALL) ALL
-
The first field indicates the username that the rule will apply to
(root). -
First “ALL” indicates that this rule applies to all hosts.
-
Second “ALL” indicates that the root user can run commands as all
users. -
Third “ALL” indicates that the root user can run commands as all
groups. -
Forth “ALL” indicates these rules apply to all commands.