HPE Community
Operating System - HP-UX
1820485 Members
2381 Online
109624 Solutions
New Discussion юеВ

Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

 
gany59
Regular Advisor

тАО04-25-2011 12:32 AM

тАО04-25-2011 12:32 AM

Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

i have seen the below line on the /etc/sudoers file

%sysadmin ALL=NOPASSWD:/bin/su - root

So it says that the person belongs to the sysadmin can able swith over to root without password, but what is the symbol(%) like percentage.. what was the meaning of that. Thanks!
0 Kudos
Reply
2 REPLIES 2
Matti_Kurkela
Honored Contributor

тАО04-25-2011 04:40 AM

тАО04-25-2011 04:40 AM

Re: Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

The "%" sign tells sudo you're giving sudo access to all users in _group_ "sysadmin", not to _user_ "sysadmin" only.

MK
MK
0 Kudos
Reply
Michael Steele_2
Honored Contributor

тАО04-25-2011 08:17 AM

тАО04-25-2011 08:17 AM

Re: Meaning of % in %sysadmin ALL=NOPASSWD:/bin/su - root???-sudoers file

Everything in sudo is group related: If you see %sysadmin then there will be an entry in the /etc/group file for sysadmin.

If you see:

"...DISCOVER ALL=NOPASSWD:/bin/su - root..."

: then DISCOVER will be a made up SUDO group that has no entry in /etc/group, but, will have a pointer to a real /etc/group group. Like this:

User_Alias DISCOVER = %oracle

##########################

%sysadmin ALL=NOPASSWD:/bin/su - root

This means for any user belonging to the /etc/group 'sysadmin' a password is not required when running a sudo command. "...:/bin/su - root..." is a notorius security flaw in SUDO since configuration says "..Ok for any user in the /etc/group 'sysadmin' to log directly into root without using a password.

The reason that it is a flaw is because it bypasses THE ROOT PASSWORD. (* So why have a root password if you're going to do this? *)
Support Fatherhood - Stop Family Law
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.