§2024-11-01

¶A Short Introduction

Sudo (“su do”, i.e. “superuser do”) allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or as another user, while providing an audit trail of the commands and their arguments. Sudo operates on a per-command basis; it is not a replacement for the shell.

¶Granting sudo Access

  1. To make a user a “sudoer” we need to grant them sudo access. User and group sudo privileges are defined in the /etc/sudoers file (and in drop-in files under /etc/sudoers.d). We can either add a rule for the user to that file or add the user to the sudo group, which already has a rule there:

sudo usermod -aG sudo alexlai

  2. Edit the file with sudo visudo (on Debian the binary is /usr/sbin/visudo), never with a plain editor: visudo takes a lock and syntax-checks the file before saving, and a syntax error in /etc/sudoers can lock every administrator out of sudo.
    • -r--r----- 1 root root 1671 Feb 8 2022 /etc/sudoers  (mode 0440, owned by root; visudo writes it for you, so there is no need to chmod it)
    • Let’s add a user to the file by inserting:
      • alexlai ALL=(ALL) NOPASSWD:ALL
      • This reads: on ALL hosts, alexlai may run ALL commands as (ALL) users without being asked for a password. NOPASSWD:ALL makes any code that runs as alexlai (a stolen SSH key, a malicious script) effectively root with no further authentication. For an interactive admin keep the password prompt (alexlai ALL=(ALL) ALL, which is what membership in the sudo group already grants) and reserve NOPASSWD for specific commands, as in the /etc/sudoers.d example later on this page.
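The two steps above, done as a scoped drop-in rather than a NOPASSWD:ALL line: compose the rule, write it with mode 0440 under a name sudo ignores until it has been checked, run visudo -c on it, then rename it into place. This is an added Python example, not code from the page; the staging directory and file names are illustrative, install_dropin() only writes into the directory it is given (point it at /etc/sudoers.d as root for a real install), and the syntax check is skipped when visudo is not installed.

```python
"""Stage a scoped /etc/sudoers.d drop-in safely (added example, not the page's code).

Assumptions not taken from the page: directory and file names are illustrative,
install_dropin() only touches the directory it is given, and visudo_check()
returns None (unknown) when visudo is absent.
"""
import os
import re
import shutil
import subprocess
import tempfile

# @includedir skips names containing '.' or ending in '~', so keep drop-in names plain.
DROPIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
# Characters with special meaning in a sudoers command spec: globs and the list separator.
SPECIAL = set("*?[],")


def is_safe_command(cmd):
    """True when cmd is an absolute path with fixed arguments and no glob/separator characters."""
    parts = cmd.split()
    return bool(parts) and parts[0].startswith("/") and not (SPECIAL & set(cmd))


def sudoers_rule(user, commands, runas="root", nopasswd=False):
    """Compose one rule: user ALL=(runas) [NOPASSWD:] cmd1, cmd2 (hosts are always ALL here)."""
    bad = [c for c in commands if not is_safe_command(c)]
    if not commands or bad:
        raise ValueError(f"refusing to grant non-absolute or wildcard commands: {bad}")
    tag = "NOPASSWD: " if nopasswd else ""
    return f"{user} ALL=({runas}) {tag}{', '.join(commands)}"


def visudo_check(path):
    """Syntax-check a single file with visudo -c -f; None when visudo is not installed.

    visudo -c also verifies owner and mode, so run this as root on a root-owned file."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return None
    return subprocess.run([visudo, "-c", "-q", "-f", path]).returncode == 0


def install_dropin(dirpath, name, rules, check=True):
    """Write rules to dirpath/name atomically with mode 0440 and return the final path."""
    if not DROPIN_NAME.match(name):
        raise ValueError(f"{name!r} would be ignored by @includedir or is unsafe")
    final = os.path.join(dirpath, name)
    staging = os.path.join(dirpath, f".{name}.tmp")  # '.' in the name: sudo ignores it
    fd = os.open(staging, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(rules) + "\n")
    os.chmod(staging, 0o440)  # the umask may have masked bits at open(); enforce explicitly
    if check and visudo_check(staging) is False:
        os.unlink(staging)
        raise ValueError(f"visudo rejected {staging}; nothing installed")
    os.rename(staging, final)  # rename is atomic: sudo never sees a half-written file
    return final


def demo():
    """Stage the page's deploy rules into a temporary directory (constructed, not /etc)."""
    rule = sudoers_rule("deploy", ["/usr/bin/systemctl restart wildduck",
                                   "/usr/bin/systemctl restart haraka"], nopasswd=True)
    tmp = tempfile.mkdtemp()
    # check=False here only because a temp dir is not root-owned; keep check=True for /etc/sudoers.d
    path = install_dropin(tmp, "wildduck", [rule], check=False)
    with open(path) as fh:
        content = fh.read()
    return {"rule": rule, "content": content, "mode": os.stat(path).st_mode & 0o777}


if __name__ == "__main__":
    print(demo())
```

The staging name starts with a dot deliberately: because @includedir ignores names containing a dot, the file is invisible to sudo until visudo has accepted it and the rename has made it live.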

¶/etc/sudoers

  1. Syntax: the default file as shipped, printed with sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults	use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Layout: user  hosts=(runas_user:runas_group)  commands.  The first ALL is the
# host list (the rule applies on every host); (ALL:ALL) lets the commands run
# as any user and any group; the final ALL is the command list.
# A run-as group is useful when a task only needs a particular group ownership.

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

¶/etc/sudoers.d directory

# ls -l /etc/sudoers*
-r--r----- 1 root root 1771 Feb  3  2024 /etc/sudoers

/etc/sudoers.d:
total 4
-r--r----- 1 root root 1096 Jun 27  2023 README

The /etc/sudoers.d directory is part of the configuration for the sudo command on Unix-like systems. It allows system administrators to manage sudo permissions in a modular and organized way: each package or role gets its own small file instead of everyone editing /etc/sudoers. Here’s how it works:

1. Overview

  1. Configuration

Inclusion in sudoers: the @includedir /etc/sudoers.d line at the end of /etc/sudoers makes sudo read every file in that directory, in sorted lexical order, provided each file has valid syntax and the expected ownership and permissions (root-owned, mode 0440). File names ending in ~ or containing a . are skipped, which keeps editor backups and package-manager leftovers such as name.dpkg-new out of the configuration, so a drop-in must use a plain name. Edit a drop-in with sudo visudo -f /etc/sudoers.d/name and check one with sudo visudo -c -f /etc/sudoers.d/name; plain sudo visudo -c checks /etc/sudoers together with everything it includes.

$ sudo ls -l /etc/sudoers.d
total 16
-r--r----- 1 root root 1096 Feb  8  2022 README
-rw-r--r-- 1 root root  130 Sep 27 14:39 wildduck         <-- 0644, should be 0440
-rw-r--r-- 1 root root   74 Sep 27 14:41 wildduck-webmail <-- 0644, should be 0440
-rw-r--r-- 1 root root   66 Sep 27 14:41 zone-mta         <-- 0644, should be 0440
alexlai@mail:~$ cat /etc/sudoers.d/wildduck
deploy ALL = (root) NOPASSWD: /usr/bin/systemctl restart wildduck
deploy ALL = (root) NOPASSWD: /usr/bin/systemctl restart haraka

The three application files were dropped in as 0644 (which is why an unprivileged user can cat them) instead of the 0440 that README and /etc/sudoers carry. sudo expects root ownership and a mode no more permissive than 0440 (sudoers_mode in sudo.conf) and reports anything looser as "is mode 0644, should be 0440"; fix it with sudo chmod 0440 /etc/sudoers.d/wildduck /etc/sudoers.d/wildduck-webmail /etc/sudoers.d/zone-mta and confirm with sudo visudo -c. The rules themselves are the pattern to copy: a dedicated deploy user, an absolute path with fixed arguments, run-as restricted to root, and NOPASSWD limited to those two commands rather than ALL.
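The rule grammar shown in /etc/sudoers above (user host=(runas_user:runas_group) TAG: cmd, cmd, with sticky tags such as NOPASSWD) together with the @includedir rules for /etc/sudoers.d is enough to write a small audit tool, which is what a reviewer would reach for on a box like this one. The following Python is an added example, not code from the page or from the sudo project. It assumes a constructed sample tree (built by build_sample) that mirrors the listing above, parses only the rule subset seen on this page (no aliases, line continuations or ! negations), and uses a short illustrative list of binaries known to spawn shells; its findings are a 0644 drop-in, a passwordless ALL grant, a wildcard argument and an editor run as root.

```python
"""Audit /etc/sudoers and the drop-ins reached through @includedir.

Added example, not code from the page or from sudo. Assumptions: only the
rule subset shown on the page is parsed (no aliases, continuations or '!'
negations), the sample tree below is constructed, and SHELL_ESCAPES is a
short illustrative list, not an exhaustive one.
"""
import os
import re
import stat
import tempfile

# user host=(runas_user:runas_group) TAG: cmd, cmd   (the runas part is optional)
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
SKIP = ("#", "Defaults", "@include", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# Illustrative: programs that hand the caller a shell or an arbitrary file write when run as root.
SHELL_ESCAPES = {"sh", "bash", "dash", "zsh", "vi", "vim", "less", "more", "awk", "find", "perl", "python3"}


def includedir_files(dirpath):
    """What sudo reads from an @includedir: sorted names, skipping '.'-containing and '~'-suffixed ones."""
    names = sorted(os.listdir(dirpath))
    return [os.path.join(dirpath, n) for n in names if "." not in n and not n.endswith("~")]


def parse_rule(line):
    """Parse one rule line into user/host/runas and a per-command tag set, or None if it is not a rule."""
    m = RULE.match(line)
    if m is None:
        return None
    runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
    cmds, tags = [], set()
    for raw in m.group("cmds").split(","):
        cmd = raw.strip()
        while True:  # tags are sticky: once set they apply to every later command in the list
            head, sep, tail = cmd.partition(":")
            if not (sep and head in TAGS):
                break
            tags.discard(head[2:] if head.startswith("NO") else "NO" + head)  # drop the opposite tag
            tags.add(head)
            cmd = tail.strip()
        cmds.append((cmd, frozenset(tags)))
    return {"user": m.group("user"), "host": m.group("host"),
            "runas_user": runas_user.strip() or "root", "runas_group": runas_group.strip(), "cmds": cmds}


def check_perms(path, expect_uid=0):
    """sudo wants root-owned files no more permissive than 0440 (sudoers_mode); report deviations."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expect_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, should be {expect_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~0o440:
        findings.append(f"{path}: is mode 0{mode:o}, should be 0440")
    return findings


def audit_rules(path):
    """Flag the grants a reviewer would question in one sudoers-format file."""
    findings = []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith(SKIP):
                continue
            rule = parse_rule(line)
            if rule is None:
                findings.append(f"{path}:{lineno}: unparsed line {line!r}")
                continue
            where = f"{path}:{lineno}: {rule['user']}"
            for cmd, tags in rule["cmds"]:
                if cmd == "ALL":
                    if "NOPASSWD" in tags:
                        findings.append(f"{where} has passwordless ALL as {rule['runas_user']}")
                    continue
                exe = cmd.split()[0]
                if not exe.startswith("/"):
                    findings.append(f"{where} command is not an absolute path: {cmd!r}")
                if any(ch in cmd for ch in "*?["):
                    findings.append(f"{where} wildcard in command (a '*' also matches spaces): {cmd!r}")
                if os.path.basename(exe) in SHELL_ESCAPES:
                    findings.append(f"{where} {exe} can spawn a shell as {rule['runas_user']}")
    return findings


def audit(sudoers_path, expect_uid=0):
    """Audit the main file plus every drop-in that its @includedir lines would pull in."""
    findings = check_perms(sudoers_path, expect_uid) + audit_rules(sudoers_path)
    with open(sudoers_path) as fh:
        for line in fh:
            if line.startswith("@includedir "):
                for f in includedir_files(line.split(None, 1)[1].strip()):
                    findings += check_perms(f, expect_uid) + audit_rules(f)
    return findings


def build_sample(root):
    """Constructed sample tree mirroring the page's listing (not data from a real host)."""
    d = os.path.join(root, "sudoers.d")
    os.mkdir(d)
    files = {
        os.path.join(root, "sudoers"): (f"Defaults\tenv_reset\nroot\tALL=(ALL:ALL) ALL\n%sudo\tALL=(ALL:ALL) ALL\n@includedir {d}\n", 0o440),
        os.path.join(d, "wildduck"): ("deploy ALL = (root) NOPASSWD: /usr/bin/systemctl restart wildduck\n"
                                      "deploy ALL = (root) NOPASSWD: /usr/bin/systemctl restart haraka\n", 0o644),
        os.path.join(d, "alexlai"): ("alexlai ALL=(ALL) NOPASSWD:ALL\n", 0o440),
        os.path.join(d, "backup"): ("backup ALL=(root) NOPASSWD: /usr/bin/vim /etc/*.conf\n", 0o440),
        os.path.join(d, "zone-mta.dpkg-new"): ("zone ALL=(ALL) NOPASSWD:ALL\n", 0o440),  # ignored: '.' in name
    }
    for path, (content, mode) in files.items():
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return os.path.join(root, "sudoers")


def demo():
    """Run the audit over the constructed tree; expect_uid=getuid() because the files are ours, not root's."""
    return audit(build_sample(tempfile.mkdtemp()), expect_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the real tree run audit("/etc/sudoers") as root and leave expect_uid at its default of 0. The deploy rules from the listing produce no findings, the 0644 mode does, and the zone-mta.dpkg-new file is silently skipped exactly as sudo would skip it.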