Sudo example configuration

Bruce Dubbs bruce.dubbs at
Tue Sep 29 22:45:47 PDT 2009

DJ Lucas wrote:
> On 09/29/2009 10:46 PM, Bruce Dubbs wrote:
>> DJ Lucas wrote:
>>> Anybody have any objection to providing a sudoers group and adding more
>>> secure/common example to the sudoers file?  Something to the effect of...
>>> groupadd -g <##> sudoers &&
>>> echo -e "%sudoers\tALL=(ALL)\tALL" >> /etc/sudoers &&
>>> usermod -a -G sudoers <your user name>
>>> ...instead of the current admin user with no password example?
>> I really don't have an objection, but what we have now is just as easy.  The
>> superuser just needs to run visudo and add a name to the ADMIN user alias.
>> Is that really any harder than adding a user to a group.
> Dang it, I knew I was gonna have to read the man page!  :-) No...I was 
> going more for what is a common use case today...but I suppose that kind 
> of icks what learning can be done by reading the manual page.  For our 
> purposes, we could get the intended result from:
> <username> <$hostname>=(ALL) NOPASSWD:ALL
>> I don't like tabs in configuration files (or source code).
>> The (ALL) really doesn't apply to many users any more.
> I'm not sure if you confused the positions, or if these were two 
> separate thoughts.  

Two separate thoughts.  You had \t in the echo.

> I'll separate, but answer as if confused/transposed 
> for anybody who reads, as that's how I understood your comments here at 
> first.  The '(ALL)' allows the user to choose all users to run the 
> command as; it could also be any previously defined user alias or a 
> valid user name as well.

I did not remember correctly.  What we have is:

user hostlist = (userlist) commandlist

* user is the name of the user or group to which this rule applies
* hostlist is a list of hosts this rule applies to
* userlist is a list of users that this rule can be run as, and must be
   enclosed in ( )
* commandlist is a list of commands that this rule states can be executed

The userlist token is optional – if excluded, it defaults to root

I had swapped userlist and hostlist in my memory. ALL and (ALL) are a bit 
ambiguous.  :)

> But, yes I agree, very few people lock down commands to specific users 
> anymore, and just run everything that needs elevated privileges as the 
> superuser and change perms if needed when done.  I'm guilty as 
> it is because of relaxed sudoers files. ;-)
>> I'm not even sure how
>> I'd use sudo to run something on another host.
> You can't directly (at least not that I know of), it is intended for 
> shared sudoers files (or included sudoers files) across the network.

OK.  I sorta see.  The sudoer file is in /etc which is never shared AFAIK, but 
if the sudoer file includes a shared file, then it could be appropriate.

> See the example above: 'ALL' before the equal sign just lets it match 
> unconditionally, any host. 'ALL' always matches unconditionally and is 
> actually not really security conscious IMO, but su is not easily 
> scripted, so I can justify it for my own use. ;-)
>> The sudoers file can be very complex or very easy (like the current example).
>> I'd prefer to leave it as it is.
> The second point of my original post is that I severely dislike the 
> NOPASSWD option.  Granted, an admin shouldn't leave a console 
> unattended, but in the event that she does, then she has some form of 
> protection.  Having now reviewed the manual page fully, the default 
> timeout is 5 minutes (before you have to enter your password again).  I 
> really don't care for the generous use of 'ALL', but I can live with it.

I don't have a problem with removing the NOPASSWD option.

   -- Bruce
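To make the `user hostlist = (userlist) commandlist` layout discussed above concrete, here is a small parser for sudoers user-specification lines, written as an added example for this thread (it is not code from the BLFS book, the sudo project, or either poster). It splits a rule into its four fields, defaults the userlist to root when the parentheses are absent, separates tags such as NOPASSWD: from the command list, and reports the points raised in the thread (NOPASSWD, (ALL) as runas, ALL as the command list). The sample sudoers text is constructed for the example; the parser covers only plain user specifications, not Defaults, aliases, #include, or the `(user : group)` runas form.

```python
import re
from dataclasses import dataclass

# One sudoers user specification, in the shape discussed in the thread:
#   user hostlist = (userlist) [TAG:]... commandlist
# Constructed for this example; it is not the full sudoers grammar.
_RULE_RE = re.compile(
    r"""^\s*
        (?P<user>\S+)\s+               # user name or %group
        (?P<hosts>[^=\s]+)\s*=\s*       # host list, up to the '='
        (?:\((?P<runas>[^)]*)\)\s*)?    # optional (userlist); defaults to root
        (?P<cmds>.+?)\s*$               # tags followed by the command list
    """,
    re.VERBOSE,
)

# Tags sudoers allows in front of a command list.
KNOWN_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}


@dataclass
class SudoRule:
    user: str
    hosts: list
    runas: list
    tags: list
    commands: list


def parse_rule(line):
    """Parse one user specification line into its fields."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    hosts = [h.strip() for h in m.group("hosts").split(",")]
    runas_raw = m.group("runas")
    # The (userlist) token is optional; when omitted sudo runs the command as root.
    runas = [u.strip() for u in runas_raw.split(",")] if runas_raw else ["root"]
    rest = m.group("cmds")
    tags = []
    # Tags are TAG: prefixes placed before the command list, e.g. NOPASSWD:ALL.
    while True:
        mt = re.match(r"([A-Z]+):\s*", rest)
        if mt and mt.group(1) in KNOWN_TAGS:
            tags.append(mt.group(1))
            rest = rest[mt.end():]
        else:
            break
    commands = [c.strip() for c in rest.split(",")]
    return SudoRule(m.group("user"), hosts, runas, tags, commands)


def parse_sudoers(text):
    """Parse every non-comment, non-blank line of a sudoers fragment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # plain '#' comments only
        if line:
            rules.append(parse_rule(line))
    return rules


def review_rule(rule):
    """Findings a reviewer would raise for a rule, per the points in the thread."""
    findings = []
    if "NOPASSWD" in rule.tags:
        findings.append("NOPASSWD: no re-authentication; an unattended console is fully exposed")
    if "ALL" in rule.runas:
        findings.append("(ALL) runas: commands may run as any user, not only root")
    if "ALL" in rule.commands:
        findings.append("ALL commands: unrestricted, equivalent to a root shell")
    return findings


# Constructed sample, not a real sudoers file: the two styles from the thread
# plus one rule that omits (userlist) and names specific commands.
SAMPLE_SUDOERS = """\
# constructed sample for the parser above
%sudoers\tALL=(ALL)\tALL
alice\tbuildhost=(ALL)\tNOPASSWD:ALL
bob ALL = /usr/bin/apt-get, /sbin/reboot
"""

if __name__ == "__main__":
    for rule in parse_sudoers(SAMPLE_SUDOERS):
        print(rule)
        for finding in review_rule(rule):
            print("   ", finding)
```

Running it shows that the `bob` rule parses with `runas == ['root']` because no parenthesised userlist was given, while the `alice` rule carries the NOPASSWD tag and the unrestricted command list that the thread argues against.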
