Story
Resolution: Duplicate
Low
rhel-security-special-projects
ssg_security
Goal
As a system administrator, I want to use boolean logic to control sudo actions. For example, I want to specify that a user must be a member of both groups `groupa` and `groupb` to execute an action, using '&' to express the intersection of the groups:
%groupa&%groupb ALL=(ALL) /usr/bin/roxctl
Or, I may want to specify that a user who is a member of `groupa` or `groupb` may run a specified command, using '||' to express the OR operator:
%groupa||%groupb ALL=(ALL) /usr/bin/oc
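As an added illustration of the requested semantics (not code from sudo or from this ticket; sudo does not implement this syntax today), a small Python evaluator for the proposed '&' and '||' user specifications. It assumes '&' binds tighter than '||' and that a bare name without '%' matches a user, as in existing sudoers rules; the sample rules are the two lines above.

```python
"""Evaluate the proposed sudoers user field with '&' (AND) and '||' (OR)."""
import re

# Operand syntax assumed here: '%name' is a Unix group, a bare name is a user.
_ATOM = re.compile(r"^%?[A-Za-z0-9_.-]+$")


def _atom_matches(atom, user, groups):
    """One operand: '%name' tests group membership, a bare name tests the user."""
    if not _ATOM.match(atom):
        raise ValueError(f"bad operand {atom!r}")
    if atom.startswith("%"):
        return atom[1:] in groups
    return atom == user


def matches(expr, user, groups):
    """True if user field `expr` applies to `user` with Unix groups `groups`.

    Assumed precedence: '&' binds tighter than '||' (C style), so the
    expression '%a&%b||%c' means (a AND b) OR c.
    """
    groups = frozenset(groups)
    expr = expr.replace(" ", "")
    # A lone '|' is not an operator in the proposed syntax; reject it early.
    if not expr or "|" in expr.replace("||", ""):
        raise ValueError(f"malformed user specification: {expr!r}")
    return any(
        all(_atom_matches(atom, user, groups) for atom in conj.split("&"))
        for conj in expr.split("||")
    )


def allowed_commands(sudoers_lines, user, groups):
    """Return the commands `user` may run under rules of the form
    'USERSPEC HOST=(RUNAS) CMD'. Only the user field is evaluated here."""
    allowed = []
    for line in sudoers_lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        userspec, _, rest = line.partition(" ")
        if matches(userspec, user, groups):
            allowed.append(rest.split(maxsplit=1)[1])  # text after HOST=(RUNAS)
    return allowed


# Constructed sample: the two rules requested in this ticket.
RULES = [
    "%groupa&%groupb ALL=(ALL) /usr/bin/roxctl",
    "%groupa||%groupb ALL=(ALL) /usr/bin/oc",
]

if __name__ == "__main__":
    print(allowed_commands(RULES, "alice", ["groupa", "groupb"]))
    print(allowed_commands(RULES, "bob", ["groupa"]))
```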
Workarounds
Currently there are several workarounds for this, none of which is ideal:
Using a dedicated group.
This workaround requires the creation of a new group that contains only users who are members of both 'groupa' and 'groupb'. This often requires interaction with external identity teams to create and manage the group, which slows operations and adds overhead.
Creating a wrapper script
Alternatively, administrators often create a wrapper script that checks that the invoking user is a member of both 'groupa' and 'groupb', and grant users the right to execute this script via sudo:
#!/bin/bash
# When invoked via sudo, $USER is the target user (e.g. root); the invoking
# user is carried in $SUDO_USER, so that is the account to check.
invoker="${SUDO_USER:-$USER}"
# Check that the invoking user is a member of both groups
if groups "$invoker" | grep -q '\bgroupa\b' && groups "$invoker" | grep -q '\bgroupb\b'; then
    exec /path/to/command "$@"
else
    echo "You are not allowed to run this command." >&2
    exit 1
fi
This is also not ideal. It requires administrators to maintain both custom scripts and the sudoers files, and it may introduce additional attack surface if the script is not properly written or maintained.
Acceptance criteria
- System administrators can specify a boolean 'AND' of groups for sudoers rules (%groupa&%groupb)
- System administrators can specify a boolean 'OR' of groups for sudoers rules (%groupa||%groupb)
impacts account
RHEL-1361 [RFE] Enhance sudoers to allow setup rights to group based on "AND" boolean expression
Planning