Editing The sudoers File
Best to start the sudo editing process with the special command for that purpose. It locks the sudoers file properly and checks your syntax before the edit is saved, so a typo can't lock you out.
$ sudo visudo
Did that end in horrible disaster? In other words, did it attack you with a stupid editor like nano? You’re probably using Ubuntu. Try this:
$ sudo update-alternatives --config editor
Complete Access No Password
Here’s a normal permissive entry:
Put this at the bottom or it might get overruled by later rules (like the one for the admin group in Ubuntu).
Exempt A Certain Command
Here’s a more restrictive entry:
Using rsync With Remote Sudo
Sometimes you’re on a computer that you have full control over behind some kind of firewall (home network NAT address or a compute node on a cluster) and you want to get a bunch of files from some publicly available machine. You can log into that machine, but for some reason (Mac or Ubuntu, or sshd rules, for instance) you can’t log in as root. So you can’t log into this machine and push the files to the destination because the destination is hidden. You can’t get the files you need because you need to use sudo (which I’m presuming you have permissions for) on the source. Here’s what to do.
First, make sure that sudo visudo on the source machine doesn't have the line that insists on a tty (it produces the error shown below). Comment that out if it does. Also you should set up a NOPASSWD rule for this user or for the rsync command. Next you want to run a command like this on the destination machine:
rsync -a -P -e ssh --rsync-path="sudo rsync" myuser@sourcehost:/src/files /dst/
sudo rsync -aP -e ssh --rsync-path="sudo rsync" firstname.lastname@example.org:/src/ /dst/
Sometimes when attempting this you get the following annoying error.
Error: sudo: sorry, you must have a tty to run sudo
The cure for this is to find this line in the sudoers file and comment it out.
I did this and it then worked fine.
General Entry Format
Here is the format with its five fields numbered, followed by two example entries:

   1      2   3      4          5
%admin   ALL=(ALL) NOPASSWD: /usr/bin/apt-get
xed      ALL=(ALL)           ALL

1. Who: the user or group of users to whom this rule applies. A user name, or a group name preceded by %. Users can be grouped with an alias: User_Alias EMERGENCYADMIN = ruben, jack
2. OnHosts: the entry applies when run on a host that matches this. The field is sort of useless if the sudoers file is not shared among various machines; it allows a master copy to serve an entire complex installation of machines. A list of hosts (raven,kiwi) or a network such as 192.168.30.0/24, or an alias: Host_Alias CLUSTERNODES = 192.168.1.0/24 or Host_Alias LAPTOPS = blackswan, awk, duck, goose
3. AsUser: who the user may execute the command as. Aliases follow the User_Alias format.
4. Tag_Spec: NOPASSWD | PASSWD | NOEXEC | EXEC | SETENV | NOSETENV. Since EXEC and SETENV are sketchy, and PASSWD is the default, only NOPASSWD is really relevant.
5. Command: the command to execute. Needs the full path. Commands can be grouped with an alias: Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt, /sbin/reboot
Don’t do this because it’s trivial to get around with sudo cp:
Cmnd_Alias MOSTSTUFF = ALL,!/usr/bin/passwd
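As an added example (not from these notes), here is a small Python parser for the Who/OnHosts/AsUser/Tag_Spec/Command format above. It resolves Cmnd_Alias names, then flags the two weak patterns discussed here (an ALL grant with a ! exclusion, and NOPASSWD on ALL) plus commands given without a full path. The sample sudoers text is constructed for the example.

```python
import re
TAG_RE = re.compile(r"^(?:\s*(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:)*")
ALIAS_RE = re.compile(r"^(?:User|Host|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Constructed sample sudoers text for this example (not taken from any real host).
SAMPLE = """\
Cmnd_Alias MOSTSTUFF = ALL,!/usr/bin/passwd
%admin ALL=(ALL)NOPASSWD:/usr/bin/apt-get
ann ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) MOSTSTUFF
"""

def parse_sudoers(text):  # Who OnHosts=(AsUser) Tag_Spec: Command, Command, ...
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"): continue  # no grant on these lines
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        if not (m := RULE_RE.match(line)):
            raise ValueError("unparsable sudoers line: " + line)
        who, hosts, runas, rest = m.groups()
        t = TAG_RE.match(rest)  # Tag_Spec words (NOPASSWD etc.) precede the commands
        rules.append({"who": who, "hosts": hosts, "runas": runas or "", "tags": re.findall(r"\w+", t.group()),
                      "cmds": [c.strip() for c in rest[t.end():].split(",")]})
    return aliases, rules

def expand(cmds, aliases):  # resolve Cmnd_Alias names; '!' on an alias flips its members
    out = []
    for c in cmds:
        neg, name = c.startswith("!"), c.lstrip("!")
        out += ([x.lstrip("!") if neg == x.startswith("!") else "!" + x.lstrip("!")
                 for x in expand(aliases[name], aliases)] if name in aliases else [c])
    return out

def lint(rule, aliases):  # flag grants that are weaker than they look
    cmds = expand(rule["cmds"], aliases)
    findings = ["command needs a full path: " + c for c in cmds
                if c.lstrip("!") != "ALL" and not c.lstrip("!").startswith("/")]
    if "ALL" in cmds and any(c.startswith("!") for c in cmds):
        findings.append("ALL with ! exclusion is trivially bypassed (e.g. sudo cp)")
    if "NOPASSWD" in rule["tags"] and "ALL" in cmds:
        findings.append("NOPASSWD on ALL: unrestricted root with no password")
    return findings

def audit(text):
    aliases, rules = parse_sudoers(text)
    return [(r["who"], lint(r, aliases)) for r in rules]
```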
It’s very frustrating to keep having to type a password in if your work takes more than 5 minutes. To extend this add something like this to the Defaults section of the sudoers file. The numbers are minutes.
Defaults timestamp_timeout=30
Defaults:xed timestamp_timeout=-1
User_Alias CLUMSYUSERS = ann, bob
Defaults:CLUMSYUSERS timestamp_timeout=0
Bob and ann have to enter a password every time. For xed, it's never needed. For everyone else it's 30 minutes (normally 5).