Difference between revisions of "Sudo"

From Noah.org
m (Set timestamp timeout)
Line 3: Line 3:
 
Use `visudo` to make changes to /etc/sudoers.
 
Use `visudo` to make changes to /etc/sudoers.
  
 +
== I broke /etc/sudoers and now I can't run sudo to fix it ==
 +
 +
It's just like when you lock your keys in the car. If you have the '''policy kit''' utilities installed then you likely have a utility celled '''pkexec'''' installed. This is like a lightweight sudo. So just edit your '''/etc/sshd-config file and be on your way:
 +
<pre>
 +
pkexec vim /etc/sudoers
 +
</pre>
 +
If that doesn't work then you're have to resort to rebooting the machine in '''singke usereeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
 
== NOPASSWD does not work ==
 
== NOPASSWD does not work ==
  
If you set the NOPASSWD option for a user or group in '''sudo''' and it does not seem to work then you most likely have the order of statements wrong. The last statement in a '''sudoers''' file wins. Don't forget the files imported from '''/etc/sudoers.d'''. For example, the following will not work if '''noah''' is also a member of the '''sudo''' group becaue the '''sudo''' group definition comes after and overrides the '''NOPASSWD''' option.
+
If you set the NOPASSWD option for a user or group in '''sudo''' and it does not seem to work then you most likely have the order of statements wrong. The last statement in a '''sudoers''' file wins. Don't forget the files imported from '''/etc/sudoers.d'''. For example, the following will not work if '''noah''' is also a member of the '''sudo''' group because the '''sudo''' group definition comes after and overrides the '''NOPASSWD''' option.
 
<pre>
 
<pre>
 
noah ALL=(ALL) NOPASSWD:ALL
 
noah ALL=(ALL) NOPASSWD:ALL
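Review bot: In the added "I broke /etc/sudoers" section, the sentence before the command tells the reader to edit /etc/sshd-config, but the command edits /etc/sudoers; the prose should name /etc/sudoers. In the same paragraph the bold markup is unbalanced (`'''pkexec''''` and an unclosed `'''` before /etc/sshd-config) and "celled" should be "called". The last added sentence, about rebooting, breaks off in a run of repeated characters and needs to be finished or dropped. The command also runs vim directly, although the page's first line says to use visudo for changes to /etc/sudoers; `pkexec visudo` would keep the two consistent.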

Revision as of 23:39, 11 August 2015


Use `visudo` to make changes to /etc/sudoers.

I broke /etc/sudoers and now I can't run sudo to fix it

It's just like when you lock your keys in the car. If you have the policy kit utilities installed then you likely have a utility called pkexec installed. This is like a lightweight sudo. So just edit your /etc/sudoers file and be on your way:

pkexec vim /etc/sudoers

If that doesn't work then you'll have to resort to rebooting the machine in single user

NOPASSWD does not work

If you set the NOPASSWD option for a user or group in sudo and it does not seem to work then you most likely have the order of statements wrong. The last statement in a sudoers file wins. Don't forget the files imported from /etc/sudoers.d. For example, the following will not work if noah is also a member of the sudo group because the sudo group definition comes after and overrides the NOPASSWD option.

noah ALL=(ALL) NOPASSWD:ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

The fix is to define the noah user options after the sudo group.

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

noah ALL=(ALL) NOPASSWD:ALL
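
The ordering rule above can be checked with a small model of how the last matching entry decides. This is an added example, not part of the original page and not sudo's own parser; it assumes one-line entries that grant ALL commands, as in the two snippets above, and ignores aliases, Defaults and include directives. The function names are hypothetical.

```python
# Added example: simplified model of sudoers "last match wins" (not a full parser).
# Assumes one-line entries granting ALL commands, as in the page's examples;
# aliases, Defaults and include directives are ignored.

BROKEN = """\
noah ALL=(ALL) NOPASSWD:ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
"""

FIXED = """\
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

noah ALL=(ALL) NOPASSWD:ALL
"""


def matching_entries(sudoers_text, user, groups):
    """Yield (line_no, line) for each user spec that applies to `user`."""
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if who == "ALL" or who == user or (who.startswith("%") and who[1:] in groups):
            yield line_no, line


def password_required(sudoers_text, user, groups):
    """Return (required, deciding_line); the last matching entry decides."""
    deciding = None
    for _, line in matching_entries(sudoers_text, user, groups):
        deciding = line
    if deciding is None:
        return None, None  # user is not in the policy at all
    return "NOPASSWD:" not in deciding, deciding


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        required, line = password_required(text, "noah", {"noah", "sudo"})
        print(f"{name}: password required={required} (decided by: {line})")
```

To model files from /etc/sudoers.d, append their text to the main file's text in the order sudo reads them before calling `password_required`.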

Set timestamp timeout

The following sets the timestamp timeout to 30 minutes for the given username, noah.

Defaults:noah timestamp_timeout=30

The following sets the timestamp timeout to 30 minutes for all users:

Defaults timestamp_timeout=30

Remove timestamp

Sometimes for scripting you want sudo authentication to be consistent. If sudo is going to ask for a password then it is preferable to have it ask every time, rather than ask once and then not again until a timeout is reached, at which point it asks again. That behaviour can be difficult to script for; it's easier just to expect the password every time. You can pass sudo the -k option to clear the timestamp. Note that there is a similar -K option (capital K), which must be used alone, without a command to be run. Also note that the NOPASSWD option will still override the -k option.

sudo -k id

No password

Allow a specific user, noah, to sudo without a password:

noah ALL=(ALL) NOPASSWD:ALL

Allow all users in the admin group to sudo without a password:

%admin ALL=(ALL) NOPASSWD:ALL