[blfs-support] Using and Configuring Sudo

Pierre Labastie pierre.labastie at neuf.fr
Thu Nov 21 12:50:30 PST 2013


On 21/11/2013 19:45, Dan McGhee wrote:
> This is the first time I have setup and configured 'sudo' in an LFS 
> build.  I'm trying to learn this so that if I add an account for someone 
> besides me I can set it up.
> 
> I want to be able to run halt, shutdown and reboot without invoking sudo 
> or su and without using a password.  I know I can do this by adding 
> /sbin to my LFS path, but that would forestall any learning I'm trying 
> to do.
> 
> I think that the first thing I must do is add aliases to either .bashrc 
> or .bash_profile for 'sudo reboot' et al.  Once I figure out which file 
> to put that in I think it's just a matter of
> 
> alias=<something> <command>
> 
> Then I need to edit the line "dan ALL=(ALL) ALL" in /etc/sudoers to read:
> 
> dan ALL=(ALL) ALL:NOPASSWD /sbin/halt,/sbin/shutdown,/sbin/reboot
> 
> Am I on the right track?
> 
Hi Dan,

I think you want:
dan ALL=(ALL) NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot

This allows user dan to run only those three commands, without a password.

or maybe:
dan ALL=(ALL) ALL, NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot

This allows user Dan to run any command with a password, and the 3 commands without
a password.

But beware:
the first ALL (the one after dan) means that user dan can run the commands
when connected from anywhere. Since those commands are for machine
maintenance, I would restrict the user to run from the machine. So the
beginning before the '=' sign might be:
dan dan_machine =

Then the (ALL) in parentheses means that the command can be run as any user.
Since the default is root, I would suppress that part (I guess you want the
commands to be run as root).
So the line could eventually be:
dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot

I suggest you add a file (say 10-dan) in /etc/sudoers.d containing only that
line. (If /etc/sudoers.d does not exist, create it as root with mode 550).
The file 10-dan should have mode 440, and should belong to root too.
Once you have created /etc/sudoers.d, then it is advised to use:
su -c 'sudoedit /etc/sudoers.d/10-dan'
(if that does not open the editor you like, add EDITOR=/usr/bin/youreditor
before sudoedit).

Now, if you want user dan to be able to run any command as any user from any
host (giving his own password), the file may read:
dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
dan ALL=(ALL) ALL

Hope it helps
Regards
Pierre
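
Added example, not part of Pierre's message: a POSIX shell function that installs the drop-in described above with the stated modes (550 for the directory, 440 for the file) and refuses to write it unless `visudo -cf` accepts the rule. `install_dropin` and the `VISUDO` variable are hypothetical names; run it as root so the file ends up owned by root. It goes slightly beyond the message by also rejecting file names that sudo skips in an include directory.

```shell
#!/bin/sh
# Added example (not from the original post). install_dropin and VISUDO are
# hypothetical names; rule text, file name and modes come from the reply.
VISUDO=${VISUDO:-visudo}    # syntax checker; overridable for testing

# install_dropin DIR NAME RULE
# Writes RULE to DIR/NAME (mode 440) and sets DIR to mode 550, but only
# after the rule has passed a syntax check on a temporary copy.
install_dropin() {
    dir=$1 name=$2 rule=$3

    # sudo ignores include-directory files whose names contain '.' or
    # end in '~', so such a rule would silently never apply.
    case $name in
        *.*|*~) echo "sudo would ignore file name: $name" >&2; return 1 ;;
    esac

    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"

    # Check the candidate before it can affect the live configuration:
    # a syntax error in a sudoers file can stop sudo from working at all.
    if ! "$VISUDO" -cf "$tmp" >/dev/null; then
        echo "syntax check failed; $dir/$name not written" >&2
        rm -f "$tmp"
        return 1
    fi

    # install(1) copies with the requested mode; when run as root the
    # resulting file is owned by root, as the reply requires.
    mkdir -p "$dir" &&
        install -m 0440 "$tmp" "$dir/$name" &&
        chmod 0550 "$dir"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage, as root (dan_machine is the host name used in the reply):
#   install_dropin /etc/sudoers.d 10-dan \
#     'dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot'
```

Afterwards, `sudo -l -U dan` run as root lists what sudo will actually allow that user on the current host.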


