In the original report:

> The running result of sudo -l still contains NOPASSWD:
> [...]
> User steven may run the following commands on vpn:
> (ALL : ALL) NOPASSWD: ALL
> (ALL) ALL
> (ALL) ALL

From sudoers(5):
When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
So yes, the NOPASSWD does meet the criteria, but the search keeps going (either in LDAP or in the local file) and finds some more entries. The last-match says to ask for a password.
Of note: given that the order cannot be guaranteed in LDAP results, sudoers.ldap(5) mentions the "sudoOrder" attribute.
You may need to switch the order of the values in your nsswitch.conf(5) file.
-- David Magda
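
Added example, not part of the original message: a small Python model of the last-match rule quoted above and of sorting LDAP entries by sudoOrder (highest value is applied last, a missing value counts as 0, per sudoers.ldap(5)). The entry dictionaries, the sample LDAP roles and the command path are constructed for illustration; real sudo also matches user, host and runas, which this model omits.

```python
from fnmatch import fnmatch

def ldap_order(roles):
    """Order LDAP sudoRole matches by sudoOrder, ascending, so the highest
    value ends up last. A missing sudoOrder counts as 0; ties keep the
    order the server returned, which LDAP does not guarantee."""
    return sorted(roles, key=lambda r: r.get("sudoOrder", 0))

def last_match(entries, command):
    """Return the last entry whose command spec matches, or None."""
    hit = None
    for entry in entries:
        spec = entry["command"]
        if spec == "ALL" or fnmatch(command, spec):
            hit = entry          # keep going: a later match replaces it
    return hit

def needs_password(entries, command):
    """True if the winning entry requires authentication, None if no match."""
    hit = last_match(entries, command)
    return None if hit is None else not hit["nopasswd"]

# Constructed from the `sudo -l` output in the report, in listed order.
REPORTED = [
    {"command": "ALL", "nopasswd": True},    # (ALL : ALL) NOPASSWD: ALL
    {"command": "ALL", "nopasswd": False},   # (ALL) ALL
    {"command": "ALL", "nopasswd": False},   # (ALL) ALL
]

# Constructed LDAP roles: the NOPASSWD role carries an explicit sudoOrder.
LDAP_ROLES = [
    {"cn": "steven-nopasswd", "command": "ALL", "nopasswd": True, "sudoOrder": 10},
    {"cn": "admins", "command": "ALL", "nopasswd": False},  # sudoOrder absent -> 0
]

if __name__ == "__main__":
    cmd = "/usr/bin/id"  # arbitrary sample command
    print("reported order, password needed:", needs_password(REPORTED, cmd))
    print("with sudoOrder, password needed:",
          needs_password(ldap_order(LDAP_ROLES), cmd))
```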