Sudo

From Leo's Notes
Last edited on 15 June 2020, at 01:58.

Overview

In a nutshell, sudo permissions are defined in /etc/sudoers and /etc/sudoers.d/. Permissions are defined like so:

%groupname workstation=/bin/command
username workstation=/bin/command
username workstation=(run-as user) /bin/command

Any of these fields (user, host, run-as user, command) can be replaced with ALL to match anything, e.g.:

ALL ALL=ALL

Prefix the command with NOPASSWD: (e.g. NOPASSWD: /bin/command) so that sudo does not prompt for the user's password.

You can verify whether your changes worked by listing sudo access:

# sudo -l

Configure sudo to include /etc/sudoers.d/

Additional sudo configs can be placed in /etc/sudoers.d/. Files placed here must have the permissions set to 0440.

For example:

# cd /etc/sudoers.d
# echo "gandalf ALL=(root) NOPASSWD: /usr/sbin/dmidecode" > run_dmidecode
# chmod 0440 run_dmidecode

Ensure the #includedir directive is present in /etc/sudoers (the leading # is part of the directive, not a comment). It is absent or commented out by default on some distributions, in which case none of the files in /etc/sudoers.d/ will be loaded.

Regular Expression Matching

Sudoers does not support regular expression matching. It only supports glob expansion, which only works for file names and paths.

If regular expression matching is absolutely necessary, use a wrapper script instead.

For example, this script only allows 'yum install' to run on package names that match a particular regex, and refuses packages given as local files.

#!/bin/bash

# Refuse local package files: only repository package names are allowed.
if [ -f "$1" ] ; then
        echo "Error: Cannot install local package file." >&2
        exit 1
fi

# Only accept plain package names (letters, digits, '.', '_' and '-').
if ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]] ; then
        echo "Error: Invalid package name." >&2
        exit 1
fi

# '--' ends option parsing so the argument cannot be treated as a yum option.
yum install -- "$1"

The sudoers file would look something like this:

sa-lleung@uc.ucalgary.ca ALL=(root) NOPASSWD: /bin/yum-wrapper.sh

The script could be made a bit smarter to allow multiple argument parsing.
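An added example (not from the original page) of that multi-argument version: a POSIX sh wrapper that validates every argument before handing them all to yum, rejecting option-looking arguments, paths and local files. The script name yum-wrapper.sh and the package names used in the test are assumptions; the script must be root-owned and not writable by the sudo user, otherwise the user can simply edit it.

```shell
#!/bin/sh
# yum-wrapper.sh (hypothetical name): validate every argument, then install.

# Returns 0 if every argument is a plain repository package name, 1 otherwise.
validate_pkgs() {
    [ "$#" -gt 0 ] || { echo "Error: no package name given." >&2; return 1; }
    for pkg in "$@"; do
        # Reject anything that looks like a yum option or a filesystem path.
        case "$pkg" in
            -*|*/*) echo "Error: '$pkg' is not a package name." >&2; return 1 ;;
        esac
        # Reject a bare file name in the current directory (e.g. foo.rpm).
        if [ -f "$pkg" ]; then
            echo "Error: cannot install local package file '$pkg'." >&2
            return 1
        fi
        # Only letters, digits, '.', '_', '+' and '-' are allowed.
        case "$pkg" in
            *[!a-zA-Z0-9._+-]*) echo "Error: invalid package name '$pkg'." >&2; return 1 ;;
        esac
    done
    return 0
}

# When invoked with arguments (via sudo), validate and then exec yum.
# '--' ends option parsing so no argument can be interpreted as an option.
if [ "$#" -gt 0 ]; then
    validate_pkgs "$@" || exit 1
    exec yum install -- "$@"
fi
```

The matching sudoers entry stays the same as the single-argument one: the allowed command is the wrapper, not yum itself.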

Troubleshooting

sudo: sorry, you must have a tty to run sudo

If you get the following error while running sudo from a script or a non-interactive shell:

sudo: sorry, you must have a tty to run sudo

Ensure that /etc/sudoers does not require a TTY: either comment out the requiretty default or set !requiretty.

## In /etc/sudoers
## From 
Defaults   requiretty

## To one of:
Defaults     !requiretty
# Defaults   requiretty

A one-liner to fix this (run visudo -c afterwards to check that the file still parses):

# sed -i 's/^Defaults[[:space:]]*requiretty/#&/' /etc/sudoers

As a side note, if you just want to run a command as another user, you could also try su instead. For example:

# su $username -c 'whoami'

sudo: no tty present and no askpass program specified

If you get:

sudo: no tty present and no askpass program specified

Make sure the relevant entry in /etc/sudoers has NOPASSWD set, since there is no terminal to read a password from.

For example, the file should have a line like:

<USER> <host>=NOPASSWD:<command>