Sudoers

General Information

Configuration of sudoers.

Checklist


Config Locations

The most maintainable approach is to leave the main sudoers file as close to stock as possible.
Additional sudo access can then be granted through separate files in /etc/sudoers.d/.


/etc/sudoers

The main system sudoers file should contain this include statement so that all files in /etc/sudoers.d/ are read. The leading # is part of the directive, not a comment marker:

#includedir /etc/sudoers.d

/etc/sudoers.d/

The sudoers.d directory holds additional files that contain group-specific sudoers configuration.

These files should:


sudoers.d files

Example sudoers.d files.

Single user, no password when using sudo

rjones ALL=(root)      NOPASSWD:ALL

Group of users, no password when using sudo

User_Alias SYSADMINS = rjones, tux, ltorvalds
 
SYSADMINS ALL=(root)      NOPASSWD:ALL

Group of users given elevated access to specific commands

User_Alias LOGUSERS = operator, rjones

Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*

LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
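
A review pass over the example entries above, written as an added example that is not part of the original page: a small Python check that flags passwordless ALL grants, wildcards in command arguments, and pagers granted without the NOEXEC tag. The function name, finding codes and the PAGERS list are assumptions made for illustration, and the parser is deliberately simplified.

```python
import os
import re

# Constructed input: the example entries from this page, concatenated.
SAMPLE = """\
rjones ALL=(root)      NOPASSWD:ALL
User_Alias SYSADMINS = rjones, tux, ltorvalds
SYSADMINS ALL=(root)      NOPASSWD:ALL
User_Alias LOGUSERS = operator, rjones
Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*
LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
"""

PAGERS = {"less", "more"}  # assumption: extend with editors and similar tools
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host=(runas) rest
TAG = re.compile(r"\b([A-Z_]+):\s*")  # NOPASSWD:, NOEXEC:, ...
WHY = {
    "NOPASSWD_ALL": "every command as the target user, with no password prompt",
    "WILDCARD_ARGS": "'*' in arguments also matches '/' and spaces, so the rule "
                     "is not confined to one directory",
    "PAGER_NO_NOEXEC": "pagers can start other programs; add NOEXEC: or drop them",
}

def audit(text):
    """Return (line_no, code, subject) per risky entry. Simplified parser:
    no line continuations or escaped commas are handled."""
    findings, pager_aliases = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            for cmd in cmds.split(","):
                path, _, args = cmd.strip().partition(" ")
                if re.search(r"[*?]", args):
                    findings.append((n, "WILDCARD_ARGS", path))
                if os.path.basename(path) in PAGERS:
                    pager_aliases.add(name.strip())
            continue
        m = None if re.match(r"^\w+_Alias\b", line) else SPEC.match(line)
        if not m:
            continue
        who, rest = m.groups()
        tags = set(TAG.findall(rest))
        cmds = {c.strip() for c in TAG.sub("", rest).split(",")}
        if "NOPASSWD" in tags and "ALL" in cmds:
            findings.append((n, "NOPASSWD_ALL", who))
        if cmds & pager_aliases and "NOEXEC" not in tags:
            findings.append((n, "PAGER_NO_NOEXEC", who))
    return findings

if __name__ == "__main__":
    for n, code, subject in audit(SAMPLE):
        print(f"line {n}: {code} ({subject}): {WHY[code]}")
```

This check complements, and does not replace, a syntax check of each file with visudo -cf before it is installed.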