[blfs-support] Using and Configuring Sudo

Dan McGhee beesnees at grm.net
Thu Nov 21 13:25:46 PST 2013


On 11/21/2013 02:50 PM, Pierre Labastie wrote:
> On 21/11/2013 19:45, Dan McGhee wrote:
>> This is the first time I have set up and configured 'sudo' in an LFS
>> build.  I'm trying to learn this so that if I add an account for someone
>> besides me I can set it up.
>>
>> I want to be able to run halt, shutdown and reboot without invoking sudo
>> or su and without using a password.  I know I can do this by adding
>> /sbin to my LFS path, but that would forestall any learning I'm trying
>> to do.
>>
>> I think that the first thing I must do is add aliases to either .bashrc
>> or .bash_profile for 'sudo reboot' et al.  Once I figure out which file
>> to put that in I think it's just a matter of
>>
>> alias=<something> <command>
>>
>> Then I need to edit the line "dan ALL=(ALL) ALL" in /etc/sudoers to read:
>>
>> dan ALL=(ALL) ALL:NOPASSWD /sbin/halt,/sbin/shutdown,/sbin/reboot
>>
>> Am I on the right track?
>>
> Hi Dan,
>
> I think you want:
> dan ALL=(ALL) NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> allows user dan to run only those three commands, without a password
>
> or maybe:
> dan ALL=(ALL) ALL, NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> allows user Dan to run any command with a password, and the 3 commands without
> a password.
>
> But beware:
> the first ALL (the one after dan) means that user dan can run the commands
> when connected from anywhere. Since those commands are for machine
> maintenance, I would restrict the user to run from the machine. So the
> beginning before the '=' sign might be:
> dan dan_machine =
>
> Then the (ALL) in parentheses means that the command can be run as any user.
> Since the default is root, I would suppress that part (I guess you want the
> commands to be run as root).
> So the line could eventually be:
> dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
>
> I suggest you add a file (say 10-dan) in /etc/sudoers.d containing only that
> line. (If /etc/sudoers.d does not exist, create it as root with mode 550).
> The file 10-dan should have mode 440, and should belong to root too.
> Once you have created /etc/sudoers.d, then it is advised to use:
> su -c 'sudoedit /etc/sudoers.d/10-dan'
> (if that does not open the editor you like, add EDITOR=/usr/bin/youreditor
> before sudoedit).
>
> Now, if you want user dan to be able to run any command as any user from any
> host (giving his own password), the file may read:
> dan dan_machine = NOPASSWD: /sbin/halt,/sbin/shutdown,/sbin/reboot
> dan ALL=(ALL) ALL
>
> Hope it helps
> Regards
> Pierre
It does, Pierre.  Thanks.  Much, much clearer than the "official" 
documentation.

Dan
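
A lint for the drop-in file Pierre describes, added here as an example and not part of the original thread: it checks the file name (sudo's include directory skips names that contain '.' or end in '~'), the 440 mode and owner, and that every NOPASSWD command is an absolute path. The function name check_dropin and its optional owner-UID argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint a sudoers.d drop-in such as the 10-dan file from the thread.
# Usage: check_dropin FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
check_dropin() {
    file=$1
    want_uid=${2:-0}
    rc=0

    # sudo skips drop-ins whose name contains '.' or ends in '~'.
    name=$(basename "$file")
    case $name in
        *.*|*~) echo "FAIL name: sudo will skip '$name'" >&2; rc=1 ;;
    esac

    # The thread asks for mode 440 and root ownership (GNU stat syntax).
    mode=$(stat -c '%a' "$file") || return 2
    uid=$(stat -c '%u' "$file")
    [ "$mode" = 440 ] || { echo "FAIL mode: $mode, expected 440" >&2; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL owner: uid $uid, expected $want_uid" >&2; rc=1; }

    # Take the comma-separated list after NOPASSWD: and report every entry
    # whose first word is not an absolute path (bare names and ALL are flagged).
    bad=$(sed -n 's/^[^#]*NOPASSWD:[[:space:]]*//p' "$file" |
          tr ',' '\n' | awk 'NF && $1 !~ /^\// {print $1}')
    for c in $bad; do
        echo "FAIL command: '$c' is not an absolute path" >&2
        rc=1
    done
    return $rc
}

# Stand-alone use: sh lint.sh /etc/sudoers.d/10-dan
if [ "$#" -gt 0 ]; then check_dropin "$@"; fi
```

Run `visudo -cf /etc/sudoers.d/10-dan` as well for a syntax check; this lint does not parse the sudoers grammar.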
