Sudo

From Leo's Notes
Last edited on 15 June 2020, at 01:58.

Overview

In a nutshell, sudo permissions are defined in /etc/sudoers and /etc/sudoers.d/. Permissions are defined like so:

%groupname workstation=/bin/command
username workstation=/bin/command
username workstation=(run-as user) /bin/command

Replace any of the above fields with ALL to match any user, host or command. For example:

ALL ALL=ALL

Prefix the command with the NOPASSWD: tag (e.g. NOPASSWD: /bin/command) so that sudo does not prompt for the user's password.

You can verify whether your changes worked by listing sudo access:

# sudo -l

Configure sudo to include /etc/sudoers.d/

Additional sudo configs can be placed in /etc/sudoers.d/. Files placed here must have the permissions set to 0440.

For example:

# cd /etc/sudoers.d
# echo "gandalf ALL=(root) NOPASSWD: /usr/sbin/dmidecode" > run_dmidecode
# chmod 0440 run_dmidecode

Ensure the #includedir directive (#includedir /etc/sudoers.d) is defined in /etc/sudoers. It is missing or commented out by default on some distributions, in which case none of the config files in that directory will be loaded.
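Since the fragments must be mode 0440 and a rule whose command list is ALL is easy to overlook once a directory fills up, the following audit script walks a sudoers.d-style directory and reports fragments with the wrong mode, rules that grant ALL commands, and commands that are not absolute paths. It is an added example, not part of the original page: the directory argument, the sample fragments and the wording of the findings are this example's own, and the rule parsing is deliberately simple (it handles the user/host/runas/tag/command shape shown above and skips Defaults lines).

```shell
#!/bin/sh
# Audit a directory of sudoers fragments (e.g. /etc/sudoers.d).
# Added example; assumes the simple rule syntax "who host=(runas) TAG: cmd, cmd".

# Print one finding per line for every fragment in DIR; prints nothing when clean.
audit_sudoers_dir() {
    dir=$1

    # 1. Fragments must be mode 0440 (find -perm with a bare mode is an exact match).
    find "$dir" -type f ! -perm 440 | while IFS= read -r f; do
        echo "$f: mode is not 0440"
    done

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # 2. Inspect each rule line; skip blanks, comments/includes and Defaults.
        grep -Ev '^[[:space:]]*(#|$|Defaults)' "$f" | while IFS= read -r line; do
            case "$line" in
                *=*) ;;
                *)   echo "$f: not a user specification: $line"; continue ;;
            esac
            # Keep the text after "host=", drop a leading "(runas)" and any
            # TAG: prefixes such as NOPASSWD: or SETENV:.
            spec=$(printf '%s\n' "${line#*=}" \
                   | sed -e 's/^[[:space:]]*([^)]*)//' -e 's/[A-Z]*:[[:space:]]*//g')
            # 3. Each comma-separated command must be an absolute path, and
            #    ALL as a command means "any command at all".
            printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r cmd; do
                cmd=$(printf '%s\n' "$cmd" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
                [ -n "$cmd" ] || continue
                case "$cmd" in
                    ALL) echo "$f: grants ALL commands: $line" ;;
                    /*)  ;;
                    *)   echo "$f: command is not an absolute path: $cmd" ;;
                esac
            done
        done
    done
}

# Usage: audit_sudoers_dir /etc/sudoers.d
```

Run it against /etc/sudoers.d after adding a fragment; an empty output means every file is mode 0440 and every rule names absolute commands. Treat any "grants ALL commands" line as something to justify explicitly.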

Regular Expression Matching

The sudoers file does not support regular expression matching. It only supports shell-style glob patterns, which only apply to file names and paths.

If regular expression matching is absolutely necessary, use a wrapper script instead.

For example, this script only allows 'yum install' to run on package names that match a particular regex, and refuses packages that are local files.

#!/bin/bash

# Refuse anything that is an existing local file: yum would install it as an RPM.
if [ -f "$1" ] ; then
        echo "Error: Cannot install local package file." >&2
        exit 1
fi

# Only accept plain package names (letters, digits, dot, underscore, dash).
if  ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]] ; then
        echo "Error: Invalid package name." >&2
        exit 1
fi

# "--" ends option parsing so the vetted name can never be treated as a yum flag.
yum install -- "$1"

The sudoers file would look something like this:

sa-lleung@uc.ucalgary.ca ALL=(root) NOPASSWD: /bin/yum-wrapper.sh

The script could be made a bit smarter to allow multiple argument parsing.
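A version that handles several package names at once, as an added example rather than the page's own script: it assumes the wrapper is installed at /bin/yum-wrapper.sh as in the sudoers line above, rejects empty invocations, anything that could be parsed as a yum option, anything containing a path separator, and anything naming a local file, then hands the vetted names to yum after "--". The validation lives in its own function so it can be exercised without running yum.

```shell
#!/bin/sh
# /bin/yum-wrapper.sh (assumed path, matching the sudoers entry above).
# Added example: only allow "yum install" of whitelisted package names.

# Package names: start with an alphanumeric (so never "-something"), then
# letters, digits, dot, underscore, plus or dash. No "/" means no paths.
PKG_RE='^[a-zA-Z0-9][a-zA-Z0-9._+-]*$'

# Return 0 if every argument is an acceptable package name, 1 otherwise.
validate_packages() {
    if [ "$#" -eq 0 ]; then
        echo "Error: no package name given." >&2
        return 1
    fi
    for pkg in "$@"; do
        # An existing local file would be installed as an RPM: refuse it.
        if [ -f "$pkg" ]; then
            echo "Error: Cannot install local package file: $pkg" >&2
            return 1
        fi
        if ! printf '%s\n' "$pkg" | grep -Eq "$PKG_RE"; then
            echo "Error: Invalid package name: $pkg" >&2
            return 1
        fi
    done
    return 0
}

# Entry point when run via sudo: validate, record who asked for what in syslog,
# then run yum with "--" so none of the names can be reparsed as options.
main() {
    validate_packages "$@" || exit 1
    logger -t yum-wrapper "user=${SUDO_USER:-unknown} install: $*"
    exec yum install -- "$@"
}

# Dispatch only when arguments were supplied; with none, the script does nothing.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Invoked as sudo /bin/yum-wrapper.sh vim-enhanced httpd it installs both packages; sudo /bin/yum-wrapper.sh -y vim or sudo /bin/yum-wrapper.sh ./local.rpm exits 1 with an error on stderr before yum is ever started.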

Troubleshooting

sudo: sorry, you must have a tty to run sudo

If you get the following error while running sudo from a script or a non-interactive shell:

sudo: sorry, you must have a tty to run sudo

Ensure that your /etc/sudoers configuration does not require a TTY. Either comment out the requiretty default or negate it with !requiretty.

## In /etc/sudoers
## From 
Defaults   requiretty

## To one of:
Defaults     !requiretty
# Defaults   requiretty

A one-liner to fix this:

# sed -i 's/^Defaults[[:space:]]*requiretty/#&/' /etc/sudoers
# visudo -c

As a side note, if you just want to run a command as another user, you could also try su instead. For example:

# su $username -c 'whoami'

sudo: no tty present and no askpass program specified

If you get

sudo: no tty present and no askpass program specified

Make sure the rule for that command carries the NOPASSWD tag in your /etc/sudoers file, since sudo has no terminal to read a password from.

E.g. the file should have a line like:

<USER> <host>=NOPASSWD:<command>