Home / server / Questions / 545407
Accepted
Rooster
Asked: 2013-10-12 06:33:59 +0800 CST

sudo use on a user in multiple groups asking for password when one group has no password

  • 772

so I have a user running sudo and they are in both wheel and other_group. other_group shouldn't need a password but wheel does. My question is : does wheel requiring a password for sudo negate the fact that other_group doesn't need a password?

heres a snippet from running sudo visudo:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

%other_group        ALL=(ALL)       NOPASSWD: ALL
linux

1 Answers

  1. Best Answer

    Normally the last match wins for sudo. From the sudoers man page

    When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

    Are you absolutely sure that the user is in both groups ?

    On a Centos system I have to hand this works as expected 

    %wheel  ALL=(ALL)       ALL
%other_group    ALL=(ALL) NOPASSWD: ALL

    No password required because other_group is after wheel.

    %other_group    ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL

    Asks for a password as wheel is after other_group.

    • 3