====== Sudoers ======

**General Information**

Configuration of sudoers.

**Checklist**
  * Distro(s): Any

----

===== Config Locations =====

The most maintainable method is to leave the main sudoers file as vanilla as possible. \\
Additional sudo access can be granted through additional files in /etc/sudoers.d/

  * Main sudoers file: /etc/sudoers
  * Additional sudoers directory: /etc/sudoers.d/

----

===== /etc/sudoers =====

The main system sudoers file should contain this include statement to ensure all files in /etc/sudoers.d/ are read:
  #includedir /etc/sudoers.d

  * Note: The "#" in this case does not start a comment; the directive works as intended.

----

===== /etc/sudoers.d/ =====

The sudoers.d directory holds additional files that contain group-specific sudoers configuration.

These files should meet the following requirements:
  * Owner/group: chown root:root
  * Permissions: chmod 440
  * Initially be created with "visudo -f /etc/sudoers.d/" to ensure there are no syntax errors.

----

===== sudoers.d files =====

Example sudoers.d files.

Single user, no password when using sudo
  rjones ALL=(root) NOPASSWD:ALL

Group of users, no password when using sudo
  User_Alias SYSADMINS = rjones, tux, ltorvalds
  SYSADMINS ALL=(root) NOPASSWD:ALL

Group of users given elevated access to specific commands
  User_Alias LOGUSERS = operator, rjones
  Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*
  LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
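
The ownership, permission and syntax requirements for files in /etc/sudoers.d/ can be checked with a small script. This is an added example, not part of the original page: the function name ''audit_sudoers_file'' and its output format are assumptions, and it relies on GNU ''stat'' (Linux). It also prints informational REVIEW lines for passwordless ALL grants and for wildcards in command arguments, because per the sudoers manual a ''*'' in command arguments matches across word boundaries, so a rule such as ''/var/log/*'' covers more than a single file name.

```shell
#!/bin/sh
# Added example: audit one /etc/sudoers.d/ drop-in against the rules above.
# Prints one finding per line. Returns 1 if a rule is violated
# (owner, mode, syntax); REVIEW lines are informational only.
audit_sudoers_file() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }

    # Rule: owner/group root:root and permissions 440.
    owner=$(stat -c '%U:%G' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "root:root" ] || { echo "OWNER $f is $owner, expected root:root"; rc=1; }
    [ "$mode" = "440" ] || { echo "MODE $f is $mode, expected 440"; rc=1; }

    # Rule: no syntax errors. visudo -c checks the file without editing it.
    # Skipped when visudo is not installed on the machine running the audit.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$f" >/dev/null 2>&1 || { echo "SYNTAX $f fails visudo -c"; rc=1; }
    fi

    # Review: passwordless access to every command.
    if grep -Eq '^[^#].*NOPASSWD:[[:space:]]*ALL([[:space:],]|$)' "$f"; then
        echo "REVIEW $f grants NOPASSWD:ALL"
    fi
    # Review: a command path followed by arguments that contain '*'.
    if grep -Eq '^[^#].*/[^ ,]+[[:space:]]+[^,]*\*' "$f"; then
        echo "REVIEW $f has a wildcard in command arguments"
    fi
    return $rc
}

# Audit every drop-in when run directly as root, for example:
#   for f in /etc/sudoers.d/*; do audit_sudoers_file "$f"; done
```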