Sudoers
General Information
Configuration of sudoers.
Checklist
- Distro(s): Enterprise Linux 6
Config Locations
The most maintainable method is to leave the main sudoers file as vanilla as possible.
Grant additional sudo access through separate files in /etc/sudoers.d/.
- Main sudoers file: /etc/sudoers
- Additional sudoers directory: /etc/sudoers.d/
/etc/sudoers
The main system sudoers file should contain this include directive so that every file in /etc/sudoers.d/ is read:
#includedir /etc/sudoers.d
- Note: The leading “#” here is part of the directive, not a comment marker, so the line works as written.
/etc/sudoers.d/
The sudoers.d directory holds additional files that contain group-specific sudoers configuration.
These files should:
- Be owned by root, owner and group: chown root:root
- Have permissions 440: chmod 440
- Initially be created with “visudo -f /etc/sudoers.d/<filename>” so that syntax errors are caught before the file is saved.
sudoers.d files
Example sudoers.d files.
Single user, no password when using sudo
rjones ALL=(root) NOPASSWD:ALL
Group of users, no password when using sudo
User_Alias SYSADMINS = rjones, tux, ltorvalds
SYSADMINS ALL=(root) NOPASSWD:ALL
Group of users given elevated access to specific commands
User_Alias LOGUSERS = operator, rjones
Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/tail /var/log/*, /usr/bin/less /var/log/*, /bin/more /var/log/*, /bin/cat /var/log/*, /bin/ls /var/log/*
LOGUSERS ALL = NOPASSWD:LOGFILEVIEW
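A small audit for the file checklist and the example rules above, added here as an illustration and not part of the original page: it checks each file's name, mode and owner, and flags passwordless ALL rules, wildcard arguments and pagers, which sudoers(5) says need care. The function names, the expected_uid parameter and the sample files are assumptions made for the example.

```python
import os, re, stat, tempfile

PAGERS = {"less", "more"}   # pagers allow shell escapes; sudoers NOEXEC: is the usual guard
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit_file(path, expected_uid=0):
    """Return findings for one sudoers.d file: name, mode, owner, risky command specs."""
    out, name, st = [], os.path.basename(path), os.stat(path)
    if "." in name or name.endswith("~"):
        out.append("name: sudo skips files containing '.' or ending in '~'")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        out.append("mode: %04o, expected 0440" % mode)
    if st.st_uid != expected_uid:
        out.append("owner: uid %d, expected %d" % (st.st_uid, expected_uid))
    with open(path) as fh:
        text = fh.read().replace("\\\n", " ")        # join continuation lines
    for line in (l.strip() for l in text.splitlines()):
        if "=" not in line or line.startswith("#") or line.startswith(SKIP):
            continue
        if re.search(r"NOPASSWD:\s*ALL\b", line):
            out.append("rule: passwordless ALL: " + line)
        # every "/path args" command spec on the right-hand side of the line
        for cmd, args in re.findall(r"(?:^|\s)(/[^\s,]+)([^,]*)", line.split("=", 1)[1]):
            if "*" in args:   # in arguments, '*' matches across word boundaries (sudoers(5))
                out.append("wildcard: %s %s" % (cmd, args.strip()))
            if os.path.basename(cmd) in PAGERS and "NOEXEC:" not in line:
                out.append("pager: %s needs NOEXEC: on the rule that uses it" % cmd)
    return out

def demo():
    """Audit two constructed files in a temp dir standing in for /etc/sudoers.d."""
    d = tempfile.mkdtemp()
    samples = {"logusers": 0o440, "sysadmins.conf": 0o644}   # constructed sample files
    body = ("User_Alias LOGUSERS = operator, rjones\n"
            "Cmnd_Alias LOGFILEVIEW = /bin/grep /var/log/*, /usr/bin/less /var/log/*\n"
            "LOGUSERS ALL = NOPASSWD:LOGFILEVIEW\n")
    report = {}
    for name, mode in samples.items():
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write(body)
        os.chmod(p, mode)
        report[name] = audit_file(p, expected_uid=os.getuid())
    return report

if __name__ == "__main__":
    print(demo())
```

On a real host, call audit_file() on each file under /etc/sudoers.d/ as root with the default expected_uid=0; this lint complements the syntax check that visudo performs and does not replace it.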