Configuration Information
The sudoers
file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.
A couple of common configuration changes are to set the path for the super user and to allow members of the wheel group to execute all commands after providing their own credentials. Use the following commands to create the /etc/sudoers.d/00-sudo
configuration file as the root
user:
cat > /etc/sudoers.d/00-sudo << "EOF"
Defaults secure_path="/usr/sbin:/usr/bin"
%wheel ALL=(ALL) ALL
EOF
Note
In very simple installations where there is only one user, it may be easier to just edit the /etc/sudoers
file directly. In that case, the secure_path
entry may not be needed and using sudo -E ... can import the non-privileged user's full environment into the privileged session.
The files in the /etc/sudoers.d
directory are parsed in sorted lexical order. Be careful that entries in an added file do not overwrite previous entries.
For details, see man sudoers.
Note
The Sudo developers highly recommend using the visudo program to edit the sudoers
file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.
If PAM is installed on the system, Sudo is built with PAM support. In that case, issue the following command as the root
user to create the PAM configuration file:
cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo
# include the default auth settings
auth include system-auth
# include the default account settings
account include system-account
# Set default environment variables for the service user
session required pam_env.so
# include system session defaults
session include system-session
# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo