
Sudoers

General Information

Configuration of sudoers.

Checklist

  • Distro(s): Any

The most maintainable approach is to leave the main sudoers file as close to vanilla as possible.
Additional sudo access can then be granted through separate files in /etc/sudoers.d/

  • Main sudoers file: /etc/sudoers
  • Additional sudoers directory: /etc/sudoers.d/

The main system sudoers file should contain this include statement so that all files in /etc/sudoers.d/ are read:

#includedir /etc/sudoers.d
  • Note: The “#” here is part of the directive and does not start a comment, so the line works as intended

The sudoers.d directory holds additional files that contain group-specific sudoers configuration.

These files should:

  • Be owned by root, user and group: chown root:root
  • Have permissions 440: chmod 440
  • Initially be created with “visudo -f /etc/sudoers.d/<filename>” to ensure no syntax errors.

Example sudoers.d files.

Single user, no password when using sudo

rjones ALL=(root)      NOPASSWD:ALL

Group of users, no password when using sudo

User_Alias SYSADMINS = rjones, tux, ltorvalds
 
SYSADMINS ALL=(root)      NOPASSWD:ALL

Group of users given elevated access to specific commands

User_Alias LOGUSERS = operator, rjones

Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*

LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
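
An added example, not part of the original wiki page: a shell function that audits one drop-in file against the checklist above and flags rule patterns in the examples that grant more than they appear to. The function name audit_sudoers_dropin and its messages are assumptions made for illustration; it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit one /etc/sudoers.d drop-in against the checklist.
# audit_sudoers_dropin is a hypothetical helper name. It prints one line per
# finding and returns non-zero if anything was flagged. Needs GNU stat.
audit_sudoers_dropin() {
    f=$1
    findings=0
    flag() { printf '%s: %s\n' "$f" "$1"; findings=$((findings + 1)); }

    # #includedir skips names that end in "~" or contain ".", so sudo
    # never reads such a file.
    case ${f##*/} in
        *.*|*~) flag "name has '.' or trailing '~', skipped by #includedir" ;;
    esac

    # Ownership and mode from the checklist: root:root and 440.
    [ "$(stat -c '%U:%G' "$f")" = "root:root" ] || flag "owner/group is not root:root"
    [ "$(stat -c '%a' "$f")" = "440" ] || flag "mode is not 440"

    # Syntax check in visudo's check-only mode, if visudo is installed.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null 2>&1 || flag "visudo -cf reports an error"
    fi

    # Content checks ignore comment lines.
    rules=$(grep -v '^[[:space:]]*#' "$f" || true)

    # "*" in command arguments also matches spaces and "/", so the rule
    # accepts more than the path prefix suggests.
    if printf '%s\n' "$rules" | grep -Eq '/[^ ,]+[[:space:]]+[^,]*\*'; then
        flag "wildcard in command arguments"
    fi

    # Pagers and editors can start other programs unless NOEXEC is set.
    if printf '%s\n' "$rules" | grep -Eq '/(less|more|vi|vim)([[:space:],]|$)' &&
       ! printf '%s\n' "$rules" | grep -q 'NOEXEC:'; then
        flag "pager or editor allowed without NOEXEC"
    fi

    # Passwordless access to every command.
    if printf '%s\n' "$rules" | grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:],]|$)'; then
        flag "NOPASSWD on ALL commands"
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as root over each file in /etc/sudoers.d/; the content findings are prompts to review the rule, not syntax errors.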
  • Last modified: 2019/05/26 03:50