General Information
Configuration of sudoers.
Checklist
The most maintainable method is to leave the main sudoers file as vanilla as possible.
Additional sudo access can be granted through separate files in /etc/sudoers.d/.
The main system sudoers file should contain this include statement so that all files in /etc/sudoers.d/ are read (the leading # is part of the directive, not a comment marker):
#includedir /etc/sudoers.d
The sudoers.d directory holds additional files that contain group-specific sudoers configuration.
These files should:
Example sudoers.d files.
Single user, no password when using sudo
rjones ALL=(root) NOPASSWD:ALL
Group of users, no password when using sudo
User_Alias SYSADMINS = rjones, tux, ltorvalds
SYSADMINS ALL=(root) NOPASSWD:ALL
Group of users given elevated access to specific commands
User_Alias LOGUSERS = operator, rjones
Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*
LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
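A lint pass for drop-in files like the examples above, added here as an illustration and not part of the original page: it flags constructs that sudoers(5) itself cautions about before a file is placed in /etc/sudoers.d/. The function name, the finding labels and the file names are assumptions made for this example; the sample text is the third example above, and the parser only covers the simple one-alias-per-line layout used on this page.

```python
import re

# Constructed sample: the page's third drop-in, one definition per line.
SAMPLE = """\
User_Alias LOGUSERS = operator, rjones
Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, \\
    /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*
LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
"""

PAGERS = {"less", "more"}  # interactive programs that can start other commands
NOT_A_RULE = ("User_Alias", "Host_Alias", "Runas_Alias", "Defaults")


def audit_dropin(filename, text):
    """Return (check, detail) findings for one /etc/sudoers.d file (hypothetical helper)."""
    findings = []
    # sudoers(5): #includedir skips file names ending in '~' or containing '.'
    if filename.endswith("~") or "." in filename:
        findings.append(("skipped-by-includedir", filename))
    # Join backslash-continued lines, then skip comments and blank lines.
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in (raw.strip() for raw in joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            for cmd in line.split("=", 1)[1].split(","):
                if not cmd.strip():
                    continue
                path, *args = cmd.split()
                # Arguments are matched as one string, so '*' and '?' also match
                # spaces and '/': the rule is wider than "files in this directory".
                if any(ch in arg for arg in args for ch in "*?"):
                    findings.append(("wildcard-argument", cmd.strip()))
                # Pagers need the NOEXEC tag (or a non-interactive tool instead).
                if path.rsplit("/", 1)[-1] in PAGERS:
                    findings.append(("pager-can-run-commands", cmd.strip()))
        elif not line.startswith(NOT_A_RULE):
            if re.search(r"NOPASSWD:\s*ALL\b", line):
                findings.append(("nopasswd-all", line))
    return findings


if __name__ == "__main__":
    for check, detail in audit_dropin("logusers", SAMPLE):
        print(f"{check}: {detail}")
```

Syntax should still be checked with `visudo -cf <file>` before installing a drop-in; this pass only reviews what a syntactically valid rule grants.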