
Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

 
gany59
Regular Advisor


I have seen the line below in the /etc/sudoers file:

%sysadmin ALL=NOPASSWD:/bin/su - root

So it says that a person who belongs to sysadmin is able to switch over to root without a password, but what is the symbol (%), like percentage? What is the meaning of that? Thanks!
2 REPLIES
Matti_Kurkela
Honored Contributor

Re: Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

The "%" sign tells sudo you're giving sudo access to all users in _group_ "sysadmin", not to _user_ "sysadmin" only.

MK
Michael Steele_2
Honored Contributor

Re: Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

Everything in sudo is group related: If you see %sysadmin then there will be an entry in the /etc/group file for sysadmin.

If you see:

"...DISCOVER ALL=NOPASSWD:/bin/su - root..."

then DISCOVER will be a made-up SUDO group that has no entry in /etc/group but will have a pointer to a real /etc/group group. Like this:

User_Alias DISCOVER = %oracle

##########################

%sysadmin ALL=NOPASSWD:/bin/su - root

This means for any user belonging to the /etc/group 'sysadmin' a password is not required when running a sudo command. "...:/bin/su - root..." is a notorious security flaw in SUDO since the configuration says "...OK for any user in the /etc/group 'sysadmin' to log directly into root without using a password."

The reason that it is a flaw is because it bypasses THE ROOT PASSWORD. (* So why have a root password if you're going to do this? *)
Support Fatherhood - Stop Family Law
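
The distinction drawn in both replies (a `%name` Unix group versus a `User_Alias` that exists only inside sudoers), as an added example that is not part of the original thread: a simplified Python audit that classifies the first field of each rule and flags passwordless `su` entries. The sample sudoers text, the users `alice` and `bob`, and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from a real host), modelled on the lines in this thread.
SAMPLE_SUDOERS = """\
User_Alias DISCOVER = %oracle, alice
%sysadmin ALL=NOPASSWD:/bin/su - root
DISCOVER ALL=NOPASSWD:/bin/su - root
bob ALL=(root) /usr/bin/systemctl restart nginx
"""

def classify(name, aliases):
    """Return (kind, name) for the first field of a sudoers user specification."""
    if name.startswith("%"):
        return ("unix_group", name[1:])   # resolved through /etc/group (or NSS)
    if name in aliases:
        return ("user_alias", name)       # defined only inside sudoers
    return ("user", name)

def audit(text):
    """Simplified audit: ignores include directives, line continuations, nested aliases."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = {}
    for line in lines:                    # pass 1: collect User_Alias definitions
        m = re.match(r"User_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
    results = []
    for line in lines:                    # pass 2: user specifications
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        who, rest = parts
        kind, name = classify(who, aliases)
        members = aliases[name] if kind == "user_alias" else [who]
        expanded = [classify(m, {}) for m in members]
        # Flag the pattern discussed above: su to root with no password prompt.
        risky = "NOPASSWD:" in rest and re.search(r"/su(\s|$)", rest) is not None
        results.append((kind, name, expanded, risky))
    return results

if __name__ == "__main__":
    for kind, name, expanded, risky in audit(SAMPLE_SUDOERS):
        print(f"{kind:10} {name:10} -> {expanded} passwordless_su={risky}")
```

Each flagged rule lists the principals it really covers, so the membership of those Unix groups is what needs reviewing.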