Overview
In a nutshell, sudo permissions are defined in /etc/sudoers and in drop-in files under /etc/sudoers.d/. Always edit them with visudo, which checks the syntax before saving; a sudoers file with a parse error stops sudo working for everyone. A rule names who may run what, on which host, and optionally as which target user (root when omitted):
%groupname workstation=/bin/command
username workstation=/bin/command
username workstation=(run-as user) /bin/command
Replace any of the fields with ALL to match any user, host, run-as user or command. The extreme case, which grants everyone every command as root and is only useful for showing the syntax, is:
ALL ALL=ALL
Put the NOPASSWD: tag in front of the command to have sudo not prompt for the user's password for that command:
username workstation=(root) NOPASSWD: /bin/command
You can verify whether your changes worked by listing sudo access. sudo -l shows the rules that apply to you; as root, sudo -l -U username shows the rules that apply to another user:
# sudo -l
# sudo -l -U username
Configure sudo to include /etc/sudoers.d/
Additional sudo configs can be placed in /etc/sudoers.d/. Files placed there must be owned by root and have their permissions set to 0440, and their names must not contain a "." or end in "~": sudo silently skips such files (the rule exists to ignore editor backups and package-manager leftovers such as file.rpmnew). For example:
# cd /etc/sudoers.d
# echo "gandalf ALL=(root) NOPASSWD: /usr/sbin/dmidecode" > run_dmidecode
# chmod 0440 run_dmidecode
Check that the new file parses with visudo -cf run_dmidecode, and ensure the includedir directive is present in /etc/sudoers:
#includedir /etc/sudoers.d
Despite the leading "#" this is a directive, not a comment (sudo 1.9.1 and later also accept the spelling @includedir). It is absent or commented out by default on some distributions, in which case none of the config files in the directory will be loaded.
Regular Expression Matching
Sudoers versions before 1.9.10 do not support regular expression matching at all; they only support glob expansion, which only works for file names and paths. (sudo 1.9.10 and later accept a regular expression enclosed in ^ and $ in the command and argument fields; check sudo -V before relying on it.)
If regular expression matching is necessary on an older sudo, use a wrapper script instead. The wrapper must be owned by root and not writable by the user it is granted to, and it must not pass its arguments on to the privileged command until it has checked them; otherwise it is just a second way to run the command unrestricted.
For example, this script will only allow 'yum install' to run on package names matching a particular regex and not on packages that are local files:
#!/bin/bash
# Allow "yum install <name>" for a repository package name only.
if [ -f "$1" ] ; then
    echo "Error: Cannot install local package file." >&2
    exit 1
fi
if ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]] ; then
    echo "Error: Invalid package name." >&2
    exit 1
fi
exec /usr/bin/yum install "$1"
Note that extra arguments are silently ignored, so "yum-wrapper.sh vim -y" installs vim without -y rather than failing. The sudoers file would look something like this:
sa-lleung@uc.ucalgary.ca ALL=(root) NOPASSWD: /bin/yum-wrapper.sh
Because no arguments are listed after the command, sudo lets the user pass any arguments to the wrapper; it is the wrapper, not sudoers, that restricts them. The script could be made a bit smarter to allow multiple argument parsing.
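The multiple-argument version the last sentence alludes to, as an added example and not the page's own script: a POSIX shell wrapper (case patterns instead of bash's =~, so it runs under sh as well as bash) that checks every argument, refuses anything starting with a dash so options such as -y, --enablerepo or --installroot cannot be smuggled in, refuses a name that is also a file in the current directory, and only then execs yum with a -- separator. The install path /usr/local/sbin/yum-wrapper.sh, the slightly wider character set (a leading letter or digit, plus "+" for names like gcc-c++) and /usr/bin/yum are assumptions made for this example.

```sh
#!/bin/sh
# yum-wrapper.sh (added example, not the page's script): let a user run
# "yum install" for one or more repository packages and nothing else.
# Assumed deployment: /usr/local/sbin/yum-wrapper.sh, owned by root, mode
# 0755, named by full path in sudoers. If the user can write to this file
# they are root, so keep it out of their reach.
set -u

# A package name that may be passed through: a letter or digit, then any
# of letters, digits, '.', '_', '+' or '-'. Equivalent to the regex
# ^[a-zA-Z0-9][a-zA-Z0-9._+-]*$ (the page's set plus '+' for gcc-c++).
# No '/' is allowed, so a path can never reach yum.
valid_package_name() {
    case "$1" in
        ''|*[!a-zA-Z0-9._+-]*) return 1 ;;   # empty, or a forbidden character
        [a-zA-Z0-9]*) return 0 ;;
        *) return 1 ;;                        # starts with '.', '_', '+' or '-'
    esac
}

# validate_packages ARG...: every argument must be a package name. Options
# are rejected explicitly so "-y", "--enablerepo=" or "--installroot=" cannot
# be smuggled in; a name that is also a file in the current directory is
# rejected so a crafted local .rpm is never installed. Returns 1 on the
# first problem with the reason on stderr, 0 when all arguments are clean.
validate_packages() {
    [ "$#" -gt 0 ] || { echo "Error: no package name given." >&2; return 1; }
    for pkg in "$@"; do
        case "$pkg" in
            -*) echo "Error: options are not allowed: $pkg" >&2; return 1 ;;
        esac
        valid_package_name "$pkg" || { echo "Error: invalid package name: $pkg" >&2; return 1; }
        [ ! -f "$pkg" ] || { echo "Error: cannot install local package file: $pkg" >&2; return 1; }
    done
    return 0
}

main() {
    validate_packages "$@" || exit 1
    # "--" tells yum that everything after it is a package name, not an option.
    exec /usr/bin/yum install -- "$@"
}

# Run only when called with arguments, so the functions above can also be
# sourced and tested on their own.
[ "$#" -eq 0 ] || main "$@"
```

The matching sudoers line stays the same shape as on the page, with the wrapper's full path as the command and no argument list; the wrapper is what enforces the argument policy.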
Troubleshooting
sudo: sorry, you must have a tty to run sudo
If you get this error while trying to run sudo through a script, a cron job or a non-interactive shell (for example ssh host sudo command):
sudo: sorry, you must have a tty to run sudo
then the requiretty option is set in your /etc/sudoers configuration. Either comment it out or negate it with !requiretty. A later Defaults entry overrides an earlier one, so a drop-in in /etc/sudoers.d/ can also override it; prefer a per-user override for the account that needs it rather than disabling the check globally:
## In /etc/sudoers
## From
Defaults requiretty
## To one of:
Defaults !requiretty
# Defaults requiretty
Defaults:username !requiretty
A one-liner to comment out a global requiretty, when it is alone on its line (a typo in /etc/sudoers locks everyone out of sudo, so check the result with visudo -c, or edit with visudo in the first place):
# sed -i 's/^Defaults[[:space:]]\{1,\}requiretty[[:space:]]*$/#&/' /etc/sudoers
# visudo -c
As a side note, if you are already root and just want to run a command as another user, you could also use su instead, which does not consult sudoers at all. For example:
# su "$username" -c 'whoami'
sudo: no tty present and no askpass program specified
If you get
sudo: no tty present and no askpass program specified
sudo needed to ask for a password but had no terminal to prompt on and no askpass helper to call (SUDO_ASKPASS, used with sudo -A). For a script, make sure the command it runs has NOPASSWD set in your /etc/sudoers file, for that command only rather than for ALL.
Eg. The file should have a line like:
<user> <host>=(<run-as user>) NOPASSWD: <command>
In the script itself, call sudo -n so that sudo fails immediately with a clear error, instead of hanging on a prompt it cannot show, whenever a password would still be required.