To edit the sudoers file, always use visudo. It locks the file so that two people can't edit it at the same time, performs basic validity checks, and checks for syntax errors. It writes your changes to /etc/sudoers.tmp and, once all the checks are A-OK, copies them to /etc/sudoers.
To change the default /etc/sudoers, simply run sudo visudo.
My recommendation is to leave the default file alone and create a drop-in file in /etc/sudoers.d/.
But on a single-user machine it's easiest to just remove the # from one of the %wheel lines, as in the example below. Names beginning with a % are group names. Use the NOPASSWD line if you don't want to be prompted for a password. On a single-user system I think NOPASSWD: ALL should be your choice, unless you love typing in your password. :)
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
If you choose to be prompted for a password, I recommend adding this line to /etc/sudoers. Use whatever value you want; 120 means sudo will prompt you for your password again after 120 minutes.
Defaults timestamp_timeout = 120
You add a user to the wheel group like this: usermod -aG wheel peter. To remove a user from the group: gpasswd -d peter wheel.
There are multiple ways to see if peter is in the wheel group. groups peter or id peter.
To see all members of the wheel group you can do lid -g wheel or grep wheel /etc/group.
Let's say I want to create a specific sudo file for the devops group; we do that with sudo visudo -f /etc/sudoers.d/devgroup.
Let's accomplish the following steps:
Create a user alias and list all users we want to have sudo access.
Create a command alias and list all commands they can run as root.
List on what machines, as what user, and what commands the group can run; that's the last line.
User_Alias DEVOPS_GRP_1 = batman, kevin, bacon
Cmnd_Alias DEVOPS_CMDS = /usr/bin/cat, /bin/updatedb, /usr/bin/mandb, /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root, /usr/bin/ls
DEVOPS_GRP_1 ALL = DEVOPS_CMDS
This might look foreign at first, but study /etc/sudoers, it will give you plenty of information to work with, and also man sudoers.
So what's happening here is that the users batman, kevin and bacon can run these commands as root: cat, updatedb, mandb, the passwd command for any user except root, and finally ls.
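As an added example (not part of the original post), here is a small POSIX shell script that installs the rule set above as a drop-in instead of editing /etc/sudoers by hand: it syntax-checks the file with visudo -c before anything lands in /etc/sudoers.d, refuses file names sudo would silently skip, and sets the 0440 mode sudo expects. SUDOERS_D and the function names are my own; run it as root for a real install, or point SUDOERS_D at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): build the DEVOPS drop-in shown
# above, syntax-check it with visudo -c, then install it into /etc/sudoers.d
# with mode 0440.  SUDOERS_D and the function names are assumptions; set
# SUDOERS_D to a scratch directory for a dry run as a normal user.
set -eu

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# The rule set from the post: users, allowed commands, and the grant line.
# A trailing backslash continues a long line in sudoers syntax.
render_devops_rules() {
    cat <<'EOF'
User_Alias DEVOPS_GRP_1 = batman, kevin, bacon
Cmnd_Alias DEVOPS_CMDS = /usr/bin/cat, /bin/updatedb, /usr/bin/mandb, \
    /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root, /usr/bin/ls
DEVOPS_GRP_1 ALL = DEVOPS_CMDS
EOF
}

# sudo silently skips drop-in files whose name contains a '.' or ends in '~'
# (editor and package-manager leftovers), so devgroup.conf would never apply.
valid_dropin_name() {
    case "$1" in
        ""|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write the rules to a temp file, let visudo check the syntax before anything
# touches SUDOERS_D, then install read-only (0440) as sudo requires.
# The visudo check is skipped only when visudo is not installed at all.
install_dropin() {
    name="$1"
    valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    tmp="$(mktemp)"
    render_devops_rules > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mkdir -p "$SUDOERS_D"
    mv "$tmp" "$SUDOERS_D/$name"
    chmod 0440 "$SUDOERS_D/$name"
    # Only root can hand the file to root; skipped during a non-root dry run.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$SUDOERS_D/$name"; fi
    return 0
}
```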
The final line is broken down this way:
user/group servername/servergroup = (runas user) command.
So for instance, in the following line the user willywonka can, on ALL hosts, run the command lvm as user jordan.
willywonka ALL=(jordan) /usr/sbin/lvm
Or let's give willywonka permission to change passwords for any user except root. Since NOPASSWD is set he will not have to provide his password.
willywonka ALL=(root) NOPASSWD: /usr/bin/passwd, ! /usr/bin/passwd root
Sudo Aliases
As you can see from the willywonka example, he can do that on ALL hosts. The first field after the username specifies on which hosts he can execute the passwd command. Instead of ALL, we can create a Host_Alias. For example:
# Host alias specification
Host_Alias PROD = mx1, web01, web02, dns01
Host_Alias DEV = sql01, dapp01, dfront01
Let's create an example.
User_Alias DEVOPS_GRP_1 = john, laura, michael
Host_Alias DEV = sql01, dapp01, dfront01
Runas_Alias DB = mysql
Cmnd_Alias DBCMD = /usr/bin/mysql
DEVOPS_GRP_1 DEV = (DB) DBCMD
This means that the users in DEVOPS_GRP_1 (user alias) can execute, on the DEV hosts (host alias), as the DB user (runas alias), the commands listed in DBCMD (command alias).
sudo -u mysql mysql -u root -p
This would connect to mysql as the runas user mysql. The user mysql must have execute permission on the binary for this to work.
Changing the default editor
If you are like me and want to use neovim to edit files but visudo opens nano, you can fix this a couple of different ways. First, add this to your ~/.bashrc file:
export EDITOR="/usr/bin/nvim"
source ~/.bashrc
sudo -E visudo
The -E option preserves the user's environment. Since the EDITOR variable only exists in your environment, you have to use -E, otherwise nano is used.
You can also check whether you have a shell script in /etc/profile.d/ that defines the default editor for you, for example nano-default-editor.sh.
A third option is to edit the /etc/sudoers.conf file and add this line:
Defaults editor=/usr/bin/nvim
Then visudo always opens in neovim.
Checking rules
sudo -l is a neat command to see which sudo rules apply to the current user. To see which sudo rules apply to another user, run sudo -U willy -l.
If I haven't covered something here, look at https://www.sudo.ws/docs/readme/readme/ or check the sudoers man page; it has a lot of info and many examples.