#116705 sudo; sudo should check most specific rule first

Package:
sudo
Source:
sudo
Description:
Provide limited super user privileges to specific users
Submitter:
Ian Eure
Date:
2022-01-31 20:15:10 UTC
Severity:
wishlist
#116705#5
Date:
2001-10-22 22:17:42 UTC
consider the following scenario. you want a certain group of users to
be able to run a few commands as a different user. they must be run
non-interactively, therefore must not prompt for a password.

so, you add the following lines to /etc/sudoers:
Cmnd_Alias	THECOMMANDS = /bin/true, /bin/false
%thegroup		ALL=(user) NOPASSWD: THECOMMANDS

which works great.

however, one of your users (let's give them the completely fictional
username "ieure") is an admin, and needs full sudo access, but should
be asked for their password. you add the following line:
ieure			ALL=(ALL) ALL

which doesn't work great, since this rule gets applied when ieure runs
'sudo -u user /bin/true', which then prompts for a password.

if I move the "ieure ALL=(ALL) ALL" line above the %thegroup line, it
works. looks like it just takes the last match, instead of the most
specific.
--- Begin /etc/pam.d/sudo (modified conffile)
auth	required	pam_ldap.so
--- End /etc/pam.d/sudo
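The behaviour in this report matches sudo's documented matching rule: when several sudoers entries match a user, host, runas target and command, the last matching entry is used, not the most specific one. The script below is an added example, not part of the bug report and not sudo's own code. It models that last-match evaluation for just the subset of sudoers syntax used above (Cmnd_Alias, user and %group specs, host ALL, a (runas) list and the NOPASSWD/PASSWD tags) and evaluates the two orderings the reporter tried. The sudoers text is constructed from the report's lines; treating a missing (runas) list as root is an assumption of this model, and real sudo handles far more syntax than this.

```python
"""
Minimal model of sudoers 'last match wins' evaluation.
Added example, not sudo's implementation. Supports only the subset of
syntax used in the report: Cmnd_Alias, user / %group specs, host ALL,
an optional (runas) list, and the NOPASSWD / PASSWD tags.
"""
import re

# Constructed sudoers text reproducing the two orderings from the report.
ORIGINAL_ORDER = """
Cmnd_Alias THECOMMANDS = /bin/true, /bin/false
%thegroup  ALL=(user) NOPASSWD: THECOMMANDS
ieure      ALL=(ALL) ALL
"""

SWAPPED_ORDER = """
Cmnd_Alias THECOMMANDS = /bin/true, /bin/false
ieure      ALL=(ALL) ALL
%thegroup  ALL=(user) NOPASSWD: THECOMMANDS
"""

# who  host = (runas) [TAG:] command list
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")


def parse(text):
    """Return a list of (who, host, runas_list, tag, commands) rules in file order."""
    aliases = {}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, cmds = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        who, host, runas, cmdspec = m.groups()
        tag = "PASSWD"  # sudo's default: a password is required
        for t in ("NOPASSWD", "PASSWD"):
            if cmdspec.startswith(t + ":"):
                tag = t
                cmdspec = cmdspec[len(t) + 1:].strip()
        cmds = []
        for c in cmdspec.split(","):
            c = c.strip()
            cmds.extend(aliases.get(c, [c]))  # expand Cmnd_Alias names
        # Assumption of this model: no (runas) list means root only.
        runas_list = [r.strip() for r in (runas or "root").split(",")]
        rules.append((who, host, runas_list, tag, cmds))
    return rules


def resolve(text, user, groups, runas_user, command):
    """Tag of the LAST rule matching the request, or None if no rule matches."""
    result = None
    for who, host, runas_list, tag, cmds in parse(text):
        who_ok = who[1:] in groups if who.startswith("%") else who in (user, "ALL")
        host_ok = host == "ALL"
        runas_ok = "ALL" in runas_list or runas_user in runas_list
        cmd_ok = "ALL" in cmds or command in cmds
        if who_ok and host_ok and runas_ok and cmd_ok:
            result = tag  # a later match overrides an earlier, more specific one
    return result


if __name__ == "__main__":
    # ieure is in thegroup and runs: sudo -u user /bin/true
    for label, text in (("original", ORIGINAL_ORDER), ("swapped", SWAPPED_ORDER)):
        print(label, resolve(text, "ieure", {"thegroup"}, "user", "/bin/true"))
```

The practical consequence for an administrator is the one the reporter found: put the broad `ALL=(ALL) ALL` entry before the narrower `NOPASSWD` entry so the narrower one wins, then confirm the effective entries with `sudo -l -U ieure`. Note that `visudo -c` only checks syntax; it will not warn about an ordering that silently changes which tag applies.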