What is the difference between `root ALL=(ALL:ALL) ALL` and `root ALL=(ALL) ALL`?

This line is from my Ubuntu 14.04

root    ALL=(ALL:ALL) ALL

What is the meaning of the third ALL?

What is the difference between the above line and root ALL=(ALL) ALL?


Solution 1:

While the sudoers manpage can be a bit initmidating, there are examples given which help clarify things:

 dgb     boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or group set to operator:

 dgb     boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
         /usr/bin/lprm

We can infer that, given a sudoers line of the form:

A B = (C:D) E

D refers to the groups that can be used.

So the third ALL specifies that the user has can run the command under any group.


If the (ALL) is specified instead of (ALL:ALL), then sudo cannot be used with -g by that user for those commands:

Runas_Spec
  A Runas_Spec determines the user and/or the group that a command may 
  be run as.             ...  The second defines a list of groups that
  can be specified via `sudo`'s `-g` option.  If both Runas_Lists are
  specified, the command may be run with any combination of users and
  groups listed in their respective Runas_Lists. If only the first is
  specified, the command may be run as any user in the list but no `-g`
  option may be specified.

(The examples above come from the same section.)

Solution 2:

Found an interesting documentation

root ALL=(ALL:ALL) ALL

  • The first field indicates the username that the rule will apply to
    (root).

  • First “ALL” indicates that this rule applies to all hosts.

  • Second “ALL” indicates that the root user can run commands as all
    users.

  • Third “ALL” indicates that the root user can run commands as all
    groups.

  • Forth “ALL” indicates these rules apply to all commands.