Adding Users To Sudoers
Debian’s sudo group is sudo.
gpasswd -a xed sudo
I think CentOS uses the admin group. Old timey cool systems might use the group wheel.
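An added example (mine, not from these notes) that picks whichever admin group the system actually has before calling gpasswd, and then confirms the membership took. The candidate order (sudo, wheel, admin) and the optional group-file argument, which exists so the lookup can be tried on a constructed file, are assumptions; by default it reads /etc/group.

```shell
#!/bin/sh
# Added example: find the local admin group, grant it, verify it.

# Print the first of sudo/wheel/admin that exists in a group file.
# Arg 1: group file to read (assumption: defaults to /etc/group).
admin_group() {
    group_file="${1:-/etc/group}"
    for g in sudo wheel admin; do
        if grep -q "^${g}:" "$group_file"; then
            printf '%s\n' "$g"
            return 0
        fi
    done
    return 1
}

# Add a user to that group with gpasswd (needs root) and check with id(1).
# Note: an already logged-in session keeps its old group list; log in again
# (or use "sudo -l -U user" as root) to see the new rights take effect.
grant_sudo() {
    user="$1"
    g="$(admin_group)" || { echo "no sudo/wheel/admin group found" >&2; return 1; }
    gpasswd -a "$user" "$g" || return 1
    id -nG "$user" | tr ' ' '\n' | grep -qx "$g"
}
```

Usage: grant_sudo xed, run as root.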
Editing The sudoers File
Best to start the sudo editing process with the special command for that purpose. It will ensure proper and secure locking, etc.
$ sudo visudo
Did that end in horrible disaster? In other words, did it attack you with a stupid editor like nano? You’re probably using Ubuntu. Try this:
$ sudo update-alternatives --config editor
Complete Access No Password
Here’s a normal permissive entry:
xed ALL=(ALL)NOPASSWD:ALL
Put this at the bottom or it might get overruled by later rules (like the one for the admin group in Ubuntu). Yes, this is true in Debian now too; in bookworm I have found that the subsequent includes overwrite your intentions. So definitely put rules like this absolutely last.
Exempt A Certain Command
If you have a command that everyone should be able to run, this seems to work.
ALL ALL=NOPASSWD:/pro/tools/kicktheprinter
Here’s a more restrictive entry letting a particular person run a particular command.
xed ALL=(ALL)NOPASSWD:/sbin/shutdown
Using rsync With Remote Sudo
Sometimes you’re on a computer that you have full control over behind some kind of firewall (home network NAT address or a compute node on a cluster) and you want to get a bunch of files from some publicly available machine. You can log into that machine, but for some reason (Mac or Ubuntu, or sshd rules, for instance) you can’t log in as root. So you can’t log into this machine and push the files to the destination because the destination is hidden. You can’t get the files you need because you need to use sudo (which I’m presuming you have permissions for) on the source. Here’s what to do.
First, make sure that sudo visudo on the source machine doesn’t have this:
Defaults requiretty
Comment that out if it does. Also you should set up a NOPASSWD rule for this user or for the rsync command. Next you want to run a command like this on the destination:
rsync -a -P -e ssh --rsync-path="sudo rsync" myuser@sourcehost:/src/files /dst/
Or even:
sudo rsync -aP -e ssh --rsync-path="sudo rsync" xed@192.168.0.103:/src/ /dst/
Sometimes when attempting this you get the following annoying error.
Error: sudo: sorry, you must have a tty to run sudo
The cure for this is to find this line in the sudoers file and comment it out.
Defaults requiretty
I did this and it then worked fine.
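As an added example, not part of the notes: a small wrapper that checks the remote sudo works without a tty and without a password before rsync moves anything, using sudo -n (fail instead of prompting) and ssh -T (no pty, which is how rsync talks to the remote side anyway), and then does a dry run before the real transfer. The function names, host and paths are assumptions.

```shell
#!/bin/sh
# Added example: pull files from a host where you can sudo but not ssh in as root.

# Build the destination-side rsync command as one string, for inspection.
# The remote end runs "sudo rsync" through --rsync-path, as in the notes.
rsync_pull_cmd() {
    src_user_host="$1"; src_path="$2"; dst="$3"
    printf 'rsync -a -P -e ssh --rsync-path="sudo rsync" %s:%s %s\n' \
        "$src_user_host" "$src_path" "$dst"
}

# Exit 0 only if sudo on the source works non-interactively: -n makes sudo
# fail rather than ask for a password, -T allocates no pty, so a
# "Defaults requiretty" or a missing NOPASSWD rule shows up here, not mid-copy.
remote_sudo_preflight() {
    ssh -T -o BatchMode=yes "$1" 'sudo -n rsync --version >/dev/null'
}

# Check first, then dry run (-n) so you can eyeball the file list, then copy.
sudo_pull() {
    remote_sudo_preflight "$1" || {
        echo "remote sudo not usable without a tty/password; check NOPASSWD and requiretty" >&2
        return 1
    }
    rsync -a -P -n -e ssh --rsync-path="sudo rsync" "$1:$2" "$3" &&
    rsync -a -P -e ssh --rsync-path="sudo rsync" "$1:$2" "$3"
}
```

Usage: sudo_pull myuser@sourcehost /src/files /dst/ on the destination.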
General Entry Format
The five fields of a rule, numbered to match the list below:
1      2   3    4        5
%admin ALL=(ALL)NOPASSWD:/usr/bin/apt-get
xed ALL=(ALL) ALL
$Who $OnHosts=($AsUser)$Tag_Spec:$Command
- 1. Who: the user or group of users for whom this rule applies. Who = user name, or group name preceded by %. User_Alias EMERGENCYADMIN = ruben, jack
- 2. OnHosts: this entry applies when run on a host that matches this. This means that this field is sort of useless if the sudoers file is not shared among various machines. It allows a master copy to serve an entire complex installation of machines. OnHosts = list of hosts ( raven,kiwi ) or 192.168.30.0/24.
Host_Alias CLUSTERNODES = 192.168.1.0/24
Host_Alias LAPTOPS = blackswan, awk, duck, goose
- 3. AsUser: whom the user can execute the command as. AsUser = [similar to User_Alias format].
- 4. Tag_Spec: tags. Since EXEC and SETENV are sketchy, and PASSWD is the default, only NOPASSWD is really relevant. Tag_Spec = NOPASSWD | PASSWD | NOEXEC | EXEC | SETENV | NOSETENV
- 5. Command: the command to execute. Needs the full path.
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt, /sbin/reboot
Don’t do this because it’s trivial to get around with sudo cp:
Cmnd_Alias MOSTSTUFF = ALL,!/usr/bin/passwd
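Added example (not from the notes) that scans a sudoers file or fragment for the three things this page warns about: Defaults requiretty, NOPASSWD on ALL commands, and negated command lists of the MOSTSTUFF kind. It also wraps the syntax check visudo can do on a file that is not /etc/sudoers. The function names and the sample fragment in the test are constructed.

```shell
#!/bin/sh
# Added example: look over a sudoers file before installing it.

# Print one "KIND: line" per finding. Comments and blank lines are dropped
# first, so a commented-out requiretty does not count.
sudoers_findings() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        case "$line" in
            *requiretty*) printf 'REQUIRETTY: %s\n' "$line" ;;   # breaks rsync/ssh use
        esac
        case "$line" in
            *NOPASSWD:ALL*|*"NOPASSWD: ALL"*) printf 'NOPASSWD_ALL: %s\n' "$line" ;;
        esac
        case "$line" in
            *'!'*) printf 'NEGATION: %s\n' "$line" ;;    # ALL,!/x is trivially bypassed
        esac
    done
}

# Syntax check with visudo: -c is check mode, -f names a file other than
# /etc/sudoers. Check mode also verifies owner and mode, so a fragment sitting
# in your home directory may get an ownership warning even with good syntax.
sudoers_check() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax not checked" >&2
    fi
}
```

Usage: sudoers_findings /etc/sudoers.d/mystuff; sudoers_check /etc/sudoers.d/mystuff.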
Timeout
It’s very frustrating to keep having to type a password in if your work takes more than 5 minutes. To extend this add something like this to the Defaults section of the sudoers file. The numbers are minutes.
Defaults timestamp_timeout=30
Defaults:xed timestamp_timeout=-1
User_Alias CLUMSYUSERS = ann, bob
Defaults:CLUMSYUSERS timestamp_timeout=0
Bob and Ann have to enter a password every time. For xed, it’s never needed. For everyone else it’s 30 minutes (normally 5).
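To make the precedence between those Defaults lines concrete, here is an added example (my code, not from the notes) that works out the timeout sudo will apply to a given user from a sudoers file: a Defaults:user or Defaults:ALIAS entry, parsed after the global one, wins over plain Defaults, and the fallback is 5 minutes unless you pass the build’s default as a third argument. It assumes User_Alias lines appear before the Defaults that use them and one target per Defaults: line.

```shell
#!/bin/sh
# Added example: which timestamp_timeout applies to a user?
# Usage: effective_timeout USER FILE [DEFAULT_MINUTES]
effective_timeout() {
    awk -v u="$1" -v d="${3:-5}" '
        /^[ \t]*#/ { next }                       # skip comments
        $1 == "User_Alias" {                      # User_Alias NAME = a, b
            line = $0
            sub(/^[ \t]*User_Alias[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            n = split(kv[2], members, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) alias[kv[1], members[i]] = 1
            next
        }
        /^[ \t]*Defaults/ && /timestamp_timeout/ {
            target = $1                           # "Defaults" or "Defaults:NAME"
            val = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", val)
            sub(/[ \t].*/, "", val)
            if (target == "Defaults") { global = val; has_global = 1 }
            else {
                sub(/^Defaults:/, "", target)
                if (target == u || ((target, u) in alias)) { per_user = val; has_user = 1 }
            }
        }
        END {
            if (has_user) print per_user          # user-specific entry wins
            else if (has_global) print global
            else print d                          # nothing set: built-in default
        }
    ' "$2"
}
```

With the four lines above in a file, effective_timeout xed gives -1, ann and bob give 0, and anyone else gets 30.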
Scripts
Often you need a script that needs to be run as root but it’s easy to forget the sudo. Here is how you can set up scripts to run lines as sudo if you forgot to do it when executing the script.
#!/bin/bash
# How to upgrade to root/sudo if regular user.
# EUID and (( )) are bash features; see below for a plain sh version.
SUDO=''
if (( $EUID != 0 )); then SUDO='sudo'; fi
# $SUDO is deliberately unquoted: when empty it expands to nothing.
${SUDO} smartctl -a /dev/${1} > /tmp/drivereport
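An added example, not the notes’ own script, showing the same idea in POSIX sh (id -u instead of the bash-only EUID) plus the other common pattern: re-executing the whole script under sudo with its arguments intact, so every line after that runs as root. Function names are mine; smartctl and the report path come from the script above.

```shell
#!/bin/sh
# Added example: two ways for a script to get root when the caller forgot sudo.

# Prefix to put in front of one command: empty when already root.
# Takes the effective uid as an argument so it can be exercised without root;
# real callers pass "$(id -u)".
sudo_prefix() {
    if [ "$1" -eq 0 ]; then printf ''; else printf 'sudo'; fi
}

# Pattern 1: prefix a single command (the notes' approach, in plain sh).
# $SUDO stays unquoted on purpose so an empty value vanishes.
drive_report() {
    SUDO="$(sudo_prefix "$(id -u)")"
    $SUDO smartctl -a "/dev/$1" > /tmp/drivereport
}

# Pattern 2: re-run the whole script as root, arguments passed through.
# Call it as the first statement of the script: reexec_as_root "$@"
# "$0" must be a path to the script (it is when run as ./script or /path/script);
# sudo's secure_path may not contain the directory a bare name was found in.
reexec_as_root() {
    if [ "$(id -u)" -ne 0 ]; then
        exec sudo -- "$0" "$@"
    fi
}
```

After reexec_as_root returns, the script is root and can drop the SUDO prefix entirely; a script that only needs root for one line is better off with pattern 1.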