What do the "ALL"s in the line " %admin ALL=(ALL) ALL " in Ubuntu's /etc/sudoers file stand for?
38,991
There is a manual page for sudoers(5).
Basically:
-
%admin
– the group named "admin
" (%
prefix) -
ALL=
– on all hosts (if you distribute the samesudoers
file to many computers) -
(ALL)
– as any target user -
ALL
– can run any command
A more restricted example would be:
%mailadmin snow,rain=(root) /usr/sbin/postfix, /usr/sbin/postsuper, /usr/bin/doveadm
nobody ALL=(root) NOPASSWD: /usr/sbin/rndc reload
In this case, the group mailadmin
is allowed to run mail server control tools as user root
on hosts named "snow
" and "rain
". The user nobody
is allowed to run rndc reload
as root, on all hosts, without being asked for any password. (Normally sudo asks for the invoker's own password.)
Related videos on Youtube
Author by
Sri Kadimisetty
Updated on September 18, 2022Comments
-
Sri Kadimisetty over 1 year
What does each ALL mean? I understand that the whole line indicates that the admin group members get admininstartive privileges, but would like to know more info about the position of the ALLS and if they each refer to a different set of permissions or something like that?
$sudo cat /etc/sudoers ... # User privilege Information root ALL=(ALL) ALL #... %sudo ALL=(ALL) ALL # #includedir /etc/sudoers.d #Members of the admin group may gain root privileges %admin ALL=(ALL) ALL #
If it matters: OS: Ubuntu : 10.4
-
colan almost 12 yearsWhat about the extra "ALL" after the ":" in "ALL=(ALL:ALL) ALL"?
-
user1686 almost 12 years@colan: List of allowed groups for switching with the
-g
option. It's under "User Specification" in the manpage.