Overview[edit | edit source]
In a nutshell, sudo permissions are defined in
/etc/sudoers.d/. Permissions are defined like so:
%groupname workstation=/bin/command username workstation=/bin/command username workstation=(run-as user) /bin/command
Replace any of the above with
ALL to have it match anyone. eg:
You can use
NOPASSWD: /bin/command to have it not prompt for the user's password.
You can verify whether your changes worked by listing sudo access:
# sudo -l
Configure sudo to include /etc/sudoers.d/[edit | edit source]
Additional sudo configs can be placed in
/etc/sudoers.d/. Files placed here must have the permissions set to 0440.
# cd /etc/sudoers.d # echo "gandalf ALL=(root) NOPASSWD: /usr/sbin/dmidecode" > run_dmidecode # chmod 0440 run_dmidecode
#includedir directive is defined in
/etc/sudoers. This is disabled by default on some distributions and none of the config files there will be loaded.
Regular Expression Matching[edit | edit source]
Sudoers does not support regular expression matching. It only supports glob expansion, which only works for file names and paths.
If regular expression is absolutely necessary, use a wrapper script instead.
For example, this script will only allow 'yum install' to run on package names matching a particular regex and not packages that are local files.
#!/bin/bash if [ -f "$1" ] ; then echo "Error: Cannot install local package file." exit fi if ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]] ; then echo "Error: Invaild package name." exit fi yum install "$1"
The sudoers file would look something like this:
firstname.lastname@example.org ALL=(root) NOPASSWD: /bin/yum-wrapper.sh
The script could be made a bit smarter to allow multiple argument parsing.
Troubleshooting[edit | edit source]
sudo: sorry, you must have a tty to run sudo[edit | edit source]
If you get the error while trying to run
sudo through a script or a non-interactive shell:
sudo: sorry, you must have a tty to run sudo
Ensure that you do not require a TTY in your
/etc/sudoers configuration. Either comment out or use
## In /etc/sudoers ## From Defaults requiretty ## To one of: Defaults !requiretty # Defaults requiretty
A one-liner to fix this:
# sed -i s'/Defaults requiretty/#Defaults requiretty'/g /etc/sudoers
As a side note, if you just want to run a command as another user, you could also try
su instead. For example:
# su $username -c 'whoami'
sudo: no tty present and no askpass program specified[edit | edit source]
If you get
sudo: no tty present and no askpass program specified
Make sure you have
NOPASSWD set in your
Eg. The files should have a line like: