Sudo science
Oct. 4th, 2005 06:11 pm

Following a massive rationalisation of our extremely crufty sudoers file, I uncovered the following nasty: the order of PASSWD and NOPASSWD matters if you're using the ALL macro. For example:
sawyl rushmore = NOPASSWD: /bin/kill, PASSWD: ALL
requires a password for all commands on host rushmore, including /bin/kill, even though it looks as though /bin/kill should work without one. The reason is that sudo does not pick the most specific entry; when more than one entry matches the command it applies the last one, and here PASSWD: ALL comes last and matches /bin/kill too. If the two definitions are reordered so that PASSWD: ALL comes first and NOPASSWD: /bin/kill comes after it, the problem goes away and everything works as expected.
Although I was pretty surprised by this at first, it actually makes good sense. A tag such as PASSWD: or NOPASSWD: stays in effect for every command that follows it in the list until another tag appears, and the last matching entry wins. That makes it possible to define a whole bunch of commands, maybe through a macro like ALL, with one type of authentication and then override it for particular commands by placing a more specific entry with a different tag after it in the user and host definition. The flip side is that a broad entry placed last silently overrides every more specific entry before it, which is exactly what bit us.
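To make the two rules concrete (a tag carries forward across the comma-separated command list, and the last matching entry wins), here is a small model of that resolution. It is an added illustration written for this post, not code from the original post or from sudo itself, and it deliberately handles only the slice of sudoers(5) syntax needed to show the point: one user specification per line, an optional (runas) group that is ignored, ALL as the only wildcard, and exact-path command matching. The user, host and paths are the ones from the post; the function names are invented.

```python
"""Model of how sudoers resolves PASSWD/NOPASSWD tags across a command list.

Added illustration, not sudo's own code. It implements two rules from
sudoers(5): a tag (PASSWD:/NOPASSWD:) stays in effect for every following
command in the list until another tag appears, and when several entries
match a command the *last* match is used, even if an earlier one was more
specific. Only the subset of the syntax needed to show this is handled.
"""

import re
from typing import List, Optional, Tuple

TAGS = {"PASSWD", "NOPASSWD"}


def parse_user_spec(line: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Parse 'user host = [(runas)] [TAG:] cmd, [TAG:] cmd, ...' into
    (user, host, [(tag, command), ...]) with the tag carried forward."""
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop an optional (runas) part
    entries = []
    tag = "PASSWD"  # sudo's default: a password is required
    for item in rhs.split(","):
        item = item.strip()
        m = re.match(r"^(\w+):\s*(.*)$", item)
        if m and m.group(1) in TAGS:
            tag, item = m.group(1), m.group(2).strip()
        entries.append((tag, item))  # an untagged command inherits the last tag
    return user, host, entries


def password_required(spec: str, user: str, host: str, command: str) -> Optional[bool]:
    """True if sudo would prompt for a password, False if not, or None if no
    entry in this specification permits the command on this host at all."""
    spec_user, spec_host, entries = parse_user_spec(spec)
    if spec_user != user or spec_host not in ("ALL", host):
        return None
    winner = None
    for tag, cmd in entries:
        if cmd == "ALL" or cmd == command:
            winner = tag  # keep overwriting: last match wins
    if winner is None:
        return None
    return winner == "PASSWD"


# Constructed sample lines: the ordering from the post and the corrected one.
BROKEN = "sawyl rushmore = NOPASSWD: /bin/kill, PASSWD: ALL"
FIXED = "sawyl rushmore = PASSWD: ALL, NOPASSWD: /bin/kill"


if __name__ == "__main__":
    for label, spec in (("broken", BROKEN), ("fixed", FIXED)):
        for cmd in ("/bin/kill", "/bin/ls"):
            print(f"{label:6} {cmd:10} password required: "
                  f"{password_required(spec, 'sawyl', 'rushmore', cmd)}")
```

The model only predicts what sudo will do; on the real host, confirm with `sudo -n /bin/kill -0 $$` after editing, since with `-n` sudo refuses rather than prompts, so a rule that still needs a password fails immediately instead of appearing to work because you typed your password out of habit.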