
Sudo NOPASSWD not registering/working/showing


Sudo version: 1.7.2p1

I have the following (sanitised) lines in my sudoers file (at the end of the file):

    Runas_Alias GROUPALIASNAME = user1,user2, user3
    Cmnd_Alias APP = /path/to/binary/setup -f *, /path/to/binary/patchbinary
    %groupname ALL=(root)NOPASSWD:SOFTWARE,(GROUPALIASNAME)NOPASSWD:APP

If I run "sudo -ll" as a user from %groupname (user3) I get the following:

Sudoers entry:
    RunAsUsers: root
    Commands:
        NOPASSWD: /bin/rpm, /usr/bin/up2date, /usr/bin/yum

    RunAsUsers: user1, user2, user3
    Commands:
        /path/to/binary/setup -f *,
        /path/to/binary/patchbinary

I can't seem to get the second "nopasswd" entry to work. I've tried removing all whitespace, adding whitespace. I've tried "NoPasswd:all" which just makes it give "all" rather than "nopasswd:all". I know the rule is matching because clearly I can see the very specific entries expanding. The entry being at the end should rule out any conflicting rules. Any ideas or suggestions on diagnosing this? Unfortunately it's a 'secure' machine so applying patches/updating sudo isn't an option. **The reference to "SOFTWARE" is just a default sudoers entry.

EDIT: For now I have worked around the issue by splitting the 1 line into 2 lines. I made no other modifications than to insert a line break with %groupname ALL= and it now correctly shows the right to execute the command with no password. However, it still requires a password.


Solution

  • To aid debugging and maintainability you should split your rules:

    %groupname ALL=(root) NOPASSWD: SOFTWARE
    %groupname ALL=(GROUPALIASNAME) NOPASSWD: APP

    Splitting your rules onto different lines makes it clearer what you are trying to do.

    Ensure that the user you are trying to run sudo as is in %groupname.

    Ensure that you are using something like sudo -u user1 (etc.) so the Runas_Alias is actually in effect.

    The other thing to note: if you are testing changes as the destination user and you just added that user to %groupname, you need to log out and log back in for the group add to actually work.
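As an added illustration (not from the question or the answer), a small Python model of how the sudoers grammar applies a Runas_Spec and Tag_Spec across a comma-separated Cmnd_Spec_List, so you can work out what a rule should grant before comparing with the output of sudo -ll. The sudoers fragment is constructed in the shape of the question's sanitised rule, with SOFTWARE defined from the commands shown in the sudo -ll output; group membership (who is in %groupname) is not modelled.

```python
import re
from fnmatch import fnmatch
# Constructed fragment in the shape of the question's rule; SOFTWARE is filled in from the sudo -ll output.
SUDOERS = """\
Runas_Alias GROUPALIASNAME = user1,user2, user3
Cmnd_Alias APP = /path/to/binary/setup -f *, /path/to/binary/patchbinary
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
%groupname ALL=(root)NOPASSWD:SOFTWARE,(GROUPALIASNAME)NOPASSWD:APP
"""
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}

def parse(text):
    aliases = {"Runas_Alias": {}, "Cmnd_Alias": {}}
    specs = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind = line.split()[0]
        if kind in aliases:  # Runas_Alias / Cmnd_Alias definition
            name, _, body = line[len(kind):].partition("=")
            aliases[kind][name.strip()] = [x.strip() for x in body.split(",")]
            continue
        user, rest = line.split(None, 1)  # User_Spec: user host=Cmnd_Spec_List
        host, _, cmnd_list = rest.partition("=")
        specs.extend(expand(user, host.strip(), cmnd_list, aliases))
    return specs

def expand(user, host, cmnd_list, aliases):
    # Returns (user, host, runas_user, nopasswd, command) tuples with aliases expanded. Defaults: run
    # as root, password required; a Runas_Spec and any tags persist along the Cmnd_Spec_List until replaced.
    runas, tags, out = "root", set(), []
    for spec in map(str.strip, cmnd_list.split(",")):
        if m := re.match(r"\(([^)]*)\)\s*", spec):  # Runas_Spec
            runas, spec = m.group(1).strip(), spec[m.end():]
        while (m := re.match(r"([A-Z]+):\s*", spec)) and m.group(1) in TAGS:  # Tag_Spec
            tag = m.group(1)
            tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)  # opposite tag cancels
            tags.add(tag)
            spec = spec[m.end():]
        for runas_user in aliases["Runas_Alias"].get(runas, [runas]):
            for cmd in aliases["Cmnd_Alias"].get(spec, [spec]):
                out.append((user, host, runas_user, "NOPASSWD" in tags, cmd))
    return out

def password_required(specs, user, runas_user, cmd):
    # None when no entry matches; otherwise whether sudo should prompt (last matching entry wins).
    for s_user, _host, s_runas, nopasswd, s_cmd in reversed(specs):
        if s_user == user and s_runas == runas_user and (s_cmd == "ALL" or fnmatch(cmd, s_cmd)):
            return not nopasswd
    return None
```

Under this grammar the one-line rule, the answer's two-line form, and even a form that omits the second NOPASSWD (the tag is inherited) all expand to the same passwordless entries, which is the reference point to compare against what sudo -ll actually reports.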