On sudoers.d rules precendece

Disclaimer: this is a bit of a repost, but I thought I might share the experience so that others have an easier time finding the solution.

So, yesterday I learned something interesting about sudoers rules precedence.

I wanted to make a script that detected the current status of tlp to display it in waybar, and for that I needed to execute tlp-stat as root. Because it’s a script that is executed every 10 seconds or so I can’t have sudo asking for my password every single time, so I added a sudoers rule.

I already had a rule for the wheel group, to which my user fermino belongs, that makes sudo ask for my password every time I call it.

So far, /etc/sudoers.d/wheel looked like this:

%wheel ALL=(ALL:ALL) ALL

And /etc/sudoers.d/fermino like this:

fermino ALL=(ALL) NOPASSWD:/usr/bin/tlp-stat

Everything looks quite ok, right? Well, it didn’t work. I logged out and back in, I even rebooted the computer, and still nothing. I started thinking about the precedence of rules, maybe the rule for wheel was being parsed first…

Well, it turns out it’s the exact opposite: all the rules are parsed and the last match is used. Because of the filenames, wheel was the one parsed last, and so when I tried calling /usr/bin/tlp-stat, sudo asked for my password.

A not so quick google search and I found the answer here. I double checked and evidently, the last rule was the group one.

$ sudo -l

User fermino may run the following commands on fermino-zb:
    (ALL) NOPASSWD: /usr/bin/tlp-stat
    (ALL : ALL) ALL

The solution was renaming the files so that the no-password rule was parsed last. I did that and everything started working :)

# ls /etc/sudoers.d

10_wheel  20_fermino

I hope it is of use for at least somebody, I had a bit of a hard time finding it. You can find here the original post.