<p><strong>SUDO Rule Preference</strong></p>

<p>Published 2019-01-19 at <a href="https://tollana.d-tor.org/notes-to-self/?p=620">https://tollana.d-tor.org/notes-to-self/?p=620</a> (categories: desktop, linux; tag: sudo).</p>

<p>sudo has a <strong>last match</strong> policy, <strong>NOT</strong> best match! So, if %wheel is allowed to execute everything as anybody with a password, but you want one member of %wheel to execute a specific command without a password, the rule for the password-less command has to be ordered <strong>after</strong> the general rule:</p>

<pre class="wp-block-preformatted">%wheel ALL=(ALL) ALL
wheelmember ALL=(ALL) NOPASSWD: /usr/bin/mycommand
</pre>

<p>With the two lines swapped, <code>sudo /usr/bin/mycommand</code> run by wheelmember matches both entries, the general %wheel entry matches last, and sudo keeps asking for a password even though the more specific NOPASSWD entry exists.</p>

<p>It says so in man 5 sudoers:</p>

<pre class="wp-block-preformatted">When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
</pre>

<p>Nevertheless, it was counter-intuitive for me. I expected first or best match, but not last match...</p>

<p>The same rule cuts the other way: a broad entry such as <code>%wheel ALL=(ALL) NOPASSWD: ALL</code> placed after a restrictive one silently overrides it, and <code>visudo -c</code> only checks syntax, not which entry wins. After editing, check the effective policy for the account in question with <code>sudo -l -U wheelmember</code> (run as root), and keep in mind that whatever /usr/bin/mycommand is must not let the user spawn a shell or write arbitrary files, otherwise the entry is as good as <code>NOPASSWD: ALL</code>.</p>

<p>Another quirk: visudo lets you edit a temporary copy and only parses and installs it when the editor exits, so in vi &quot;:w&quot; won't update the sudoers file. You have to &quot;:wq&quot;.</p>
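<p>To make the ordering effect visible without touching a live system, here is an added Python sketch (not part of the original post, and not sudo's own parser) that evaluates a constructed sudoers fragment the way the man page describes: every matching entry is applied in file order and the last one wins. It handles only what this note needs, namely user and %group specs, ALL, exact command paths and the NOPASSWD/PASSWD tags, and ignores hosts, aliases, runas lists, wildcards and negation. The user names, the group map and the two sudoers fragments are all invented for the example.</p>

```python
import re
from dataclasses import dataclass

# Constructed sudoers fragments, one per ordering discussed in the note.
SUDOERS_WRONG_ORDER = """
# password-less entry first: the later %wheel entry matches last and wins
wheelmember ALL=(ALL) NOPASSWD: /usr/bin/mycommand
%wheel      ALL=(ALL) ALL
"""

SUDOERS_RIGHT_ORDER = """
%wheel      ALL=(ALL) ALL
wheelmember ALL=(ALL) NOPASSWD: /usr/bin/mycommand
"""

# Constructed group membership; stands in for the system group database.
GROUPS = {"wheelmember": {"wheel"}, "alice": {"users"}}


@dataclass
class Entry:
    lineno: int
    who: str        # user name, %group, or ALL
    commands: list  # [(nopasswd: bool, command: str), ...] in file order


# <who> <host>=(<runas>) <tagged command list>; host and runas are parsed but ignored.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")


def parse_sudoers(text):
    """Parse user specifications into Entry objects, keeping file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported sudoers syntax: {line!r}")
        commands, nopasswd = [], False
        for item in m.group(3).split(","):
            item = item.strip()
            # A tag applies to the command it precedes and to every later command
            # in the same list until the opposite tag appears (as in man 5 sudoers).
            while item.startswith(("NOPASSWD:", "PASSWD:")):
                tag, item = item.split(":", 1)
                nopasswd = tag == "NOPASSWD"
                item = item.strip()
            commands.append((nopasswd, item))
        entries.append(Entry(lineno, m.group(1), commands))
    return entries


def user_matches(who, user, groups):
    """Does a User_List item (user, %group or ALL) cover this user?"""
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return who == user


def effective_policy(entries, user, command, groups=GROUPS):
    """Apply sudo's last-match rule for one user and one command.

    Returns (allowed, nopasswd, lineno of the winning entry). Every entry that
    matches is applied in order, so a later, more general entry overrides an
    earlier, more specific one; this is not a best-match search.
    """
    winner = (False, False, None)
    for entry in entries:
        if not user_matches(entry.who, user, groups.get(user, set())):
            continue
        for nopasswd, cmd in entry.commands:
            if cmd == "ALL" or cmd == command:
                winner = (True, nopasswd, entry.lineno)
    return winner


if __name__ == "__main__":
    for label, text in (("wrong order", SUDOERS_WRONG_ORDER),
                        ("right order", SUDOERS_RIGHT_ORDER)):
        allowed, nopasswd, line = effective_policy(
            parse_sudoers(text), "wheelmember", "/usr/bin/mycommand")
        print(f"{label}: allowed={allowed} nopasswd={nopasswd} winning line={line}")
```

<p>Running it shows the wrong ordering losing the NOPASSWD tag to the later %wheel line, the right ordering keeping it for /usr/bin/mycommand only, and any other command (or a user outside %wheel) falling back to the general entry or to no match at all. On a real host the equivalent check is <code>sudo -l -U wheelmember</code>.</p>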