Difference between revisions of "Sudo"
m |
|||
| Line 2: | Line 2: | ||
Use `visudo` to make changes to /etc/sudoers. | Use `visudo` to make changes to /etc/sudoers. | ||
| + | |||
| + | == NOPASSWD does not work == | ||
| + | |||
| + | If you set the NOPASSWD option for a user or group in '''sudo''' and it does not seem to work then you most likely have the order of statements wrong. The last statement in a '''sudoers''' file wins. Don't forget the files imported from '''/etc/sudoers.d'''. For example, the following will not work if '''noah''' is also a member of the '''sudo''' group becaue the '''sudo''' group definition comes after and overrides the '''NOPASSWD''' option. | ||
| + | <pre> | ||
| + | noah ALL=(ALL) NOPASSWD:ALL | ||
| + | |||
| + | # Allow members of group sudo to execute any command | ||
| + | %sudo ALL=(ALL:ALL) ALL | ||
| + | </pre> | ||
| + | The fix is to define the '''noah''' user options after the '''sudo''' group. | ||
| + | <pre> | ||
| + | # Allow members of group sudo to execute any command | ||
| + | %sudo ALL=(ALL:ALL) ALL | ||
| + | |||
| + | noah ALL=(ALL) NOPASSWD:ALL | ||
| + | </pre> | ||
== Set timestamp timeout == | == Set timestamp timeout == | ||
| − | The following sets the timestamp timeout to 30 minutes for the given | + | The following sets the timestamp timeout to 30 minutes for the given username, '''noah'''. |
| − | |||
<pre> | <pre> | ||
| − | Defaults: | + | Defaults:noah timestamp_timeout=30 |
</pre> | </pre> | ||
The following sets the timestamp timeout to 30 minutes for all users: | The following sets the timestamp timeout to 30 minutes for all users: | ||
| − | |||
<pre> | <pre> | ||
Defaults timestamp_timeout=30 | Defaults timestamp_timeout=30 | ||
| Line 19: | Line 34: | ||
== No password == | == No password == | ||
| − | Allow a specific user to sudo without a password: | + | Allow a specific user, '''noah''' to sudo without a password: |
| − | |||
<pre> | <pre> | ||
| − | + | noah ALL=(ALL) NOPASSWD:ALL | |
</pre> | </pre> | ||
| − | Allow all users in the admin group to sudo without a password: | + | Allow all users in the '''admin''' group to sudo without a password: |
| − | |||
<pre> | <pre> | ||
| − | %admin ALL=NOPASSWD: ALL | + | %admin ALL=(ALL) NOPASSWD:ALL |
</pre> | </pre> | ||
Revision as of 18:20, 16 June 2015
Use `visudo` to make changes to /etc/sudoers.
NOPASSWD does not work
If you set the NOPASSWD option for a user or group in sudo and it does not seem to work then you most likely have the order of statements wrong. The last statement in a sudoers file wins. Don't forget the files imported from /etc/sudoers.d. For example, the following will not work if noah is also a member of the sudo group becaue the sudo group definition comes after and overrides the NOPASSWD option.
noah ALL=(ALL) NOPASSWD:ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL
The fix is to define the noah user options after the sudo group.
# Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL noah ALL=(ALL) NOPASSWD:ALL
Set timestamp timeout
The following sets the timestamp timeout to 30 minutes for the given username, noah.
Defaults:noah timestamp_timeout=30
The following sets the timestamp timeout to 30 minutes for all users:
Defaults timestamp_timeout=30
No password
Allow a specific user, noah to sudo without a password:
noah ALL=(ALL) NOPASSWD:ALL
Allow all users in the admin group to sudo without a password:
%admin ALL=(ALL) NOPASSWD:ALL
