Re: sudoers

Author: James Dugger
Date:  
To: Main PLUG discussion list
Subject: Re: sudoers
Michael,

The following line:

     %sudo ALL=(ALL)  NOPASSWD:  ALL


literally means:

      ALL users in the sudo group can execute ALL commands as ALL users
from ALL places without a password.


Without any lines after this, the only thing that you would need to do is
add users to the sudo group (/etc/group). Thus the line:

     $ sudo useradd -G sudo <user>


The %sudo portion of the stanza tells Linux to look in the /etc/group file
for a line starting with "sudo" and include any users listed on that line
in the sudo group. This way you don't have to add them individually as
separate lines in the sudoers file. For example, let's say you have 3 users
(john, jane, sam) that you want to have sudo rights w/o a password. It
could be done in one of two ways:

1st - in sudoers

     jane ALL=(ALL)  NOPASSWD:  ALL
     john ALL=(ALL)  NOPASSWD:  ALL
     sam ALL=(ALL)  NOPASSWD:  ALL


or

2nd - in sudoers and /etc/group

     %sudo ALL=(ALL)  NOPASSWD:  ALL


in /etc/group

     sudo:x:##:john,jane,sam


Both work, but programmatically the 2nd option eliminates redundant code
when writing scripts and allows the use of additional shell commands (and
arguably simpler ones) to be used to maintain file changes (i.e. sudo
usermod -a -G sudo <user>). When scripting it is easier to add the use of
usermod and useradd to a script than to use commands like sed -i and then
having to escape special characters like "%, (, and )" when making changes
or updates.



On Mon, Jul 14, 2014 at 7:48 PM, Michael Havens <> wrote:

> I was wondering: these are the instructions I was given to make it so I
> don't need to input my password after I sudo.
> ---
> sudo visudo
> <password>
>
> comment out the line:
>
> %sudo ALL=(ALL:ALL) ALL
>
> and add a new line below it like this:
>
> %sudo ALL=(ALL) NOPASSWD: ALL
>
> sudo useradd -G sudo <user>
> ---
> I was thinking that with the script being like that I probably don't need
> the last line because the way it is I am telling it no one needs a password
> with sudo. It would probably be more secure to have:
>
> %sudo ALL=(ALL) NOPASSWD: <desired users>
>
> is that correct? If I had multiple users who I wanted to not use a
> password would I separate the users with a space or comma? If I only wanted
> one user to be able to sudo it would be:
>
> %sudo <user>=(ALL) NOPASSWD: <user>
>
> what is the point of the ALL surrounded by parentheses?
> :-)~MIKE~(-:
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>




--
James

*Linkedin <http://www.linkedin.com/pub/james-h-dugger/15/64b/74a/>*
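
An added example, not part of the original message: a small Python audit of the two approaches described above, listing which users end up with passwordless sudo once %group rules are resolved against /etc/group. The sample files, gid 27 and the user bob are constructed, and the parser handles only the one-line rule form shown in this thread (no aliases, line continuations or included files).

```python
import re

# Constructed sample files (not from a real system); gid 27 is made up.
SUDOERS = """\
# %sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL)  NOPASSWD:  ALL
jane  ALL=(ALL)  NOPASSWD:  ALL
bob   ALL=(ALL)  ALL
"""
GROUP = """\
root:x:0:
sudo:x:27:john,jane,sam
users:x:100:bob
"""

# Matches only the one-line form in this thread: who host=(runas) [TAG:] cmds
RULE = re.compile(r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+?)\s*=\s*"
                  r"(?:\([^)]*\))?\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def group_members(group_text):
    """Map group name -> users listed in the 4th field of /etc/group."""
    members = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            members[fields[0]] = [u for u in fields[3].split(",") if u]
    return members


def passwordless_users(sudoers_text, group_text):
    """Return {user: [rules]} for each user reached by a NOPASSWD rule."""
    groups = group_members(group_text)
    found = {}
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        # Comments and include directives are skipped; includes are not followed.
        if not line or line.startswith(("#", "@")) or line.startswith(NOT_RULES):
            continue
        m = RULE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        who = m["who"]
        # %name is a group; /etc/group does not list primary-group members.
        users = groups.get(who[1:], []) if who.startswith("%") else [who]
        for user in users:
            found.setdefault(user, []).append(line)
    return found
```

With the sample input, jane is reported twice: once through the %sudo group rule and once through her own line, so removing her from the group alone would not remove the passwordless grant.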