
#1 2019-01-15 21:56:58

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,000

Use files in /etc/sudoers.d so you can run sudo commands no password

What the title says fellow nixers. People used to slap things like this directly into "visudo", still do and it still works but apparently there's a new and improved way to do this by placing files in the /etc/sudoers.d directory. These are sourced by visudo, and outside of the really basic example I'm going to demonstrate here, there's apparently mucho cool stuff you can do with this.

Ok let's look at a part of the visudo file itself. This ...

#includedir /etc/sudoers.d

Just wanting to point out that the above line looks commented, it's not; files in /etc/sudoers.d are included by default.

Next up, there's a README in /etc/sudoers.d ... read it, it'll just tell you some file naming conventions which you can't use. There's only a couple of them no worries. What started this was wanting to install ps_mem onto a Linux Mint OS I've been playing with for old times' sake. Remembered I had a how-to up on it here already, so dug it up. Tried the method I had here and for reasons I never bothered figuring out, it didn't work with pip. So being the lazy arse I am, hmmmm, Hoas had an alternate method. LM already comes with git out-of-box so whamo did it that way.

Now that was ok, once installed could run it in terminal with "sudo ~/bin/ps-mem" whoop ! However I did mention I'm lazy so this wasn't how I wanted it. Already shows using NOPASSWD: in visudo but remember it's not really the recommended way to go about this. Enter sudoers.d.

Create a file in /etc/sudoers.d ... However someone chooses to do so, file manager or terminal. Terminal ..

sudo touch /etc/sudoers.d/myfile

So with that I've got a file named myfile in that location. Time to edit it with elevated privileges of course. Here's what I have ...

# Adding some commands I don't need to enter password to run.
myusername ALL=(ALL) NOPASSWD: /home/myusername/bin/ps-mem, /sbin/poweroff, /sbin/reboot

First one is the one dealing with running ps-mem w/o password required. Notice you can add as many of these as you like. Separate them with a comma(,) at the end of each, a space and then just add the next. The other two there are to be able to poweroff and reboot in terminal or via keybind w/o entering a password. These are just examples fellows. Again ... supposed to be much you can do with files here, run a script w/o pass, stuff you can do with groups etc etc.

Created a .bash_aliases file in my user's /home and added an alias to make running ps-mem easy. The following.

alias mem="sudo /home/myusername/bin/ps-mem"

Now just type mem in terminal and ps-mem runs and shows me all its memory stats goodness. Hope this is useful to anyone. Happy nixing !!!! :)

Last edited by BLizgreat! (2019-01-15 21:57:47)
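
An added example, not part of the original post or of sudo itself: a small audit for drop-ins like the one above. It checks the naming rule (sudo skips files in the include directory whose names end in `~` or contain a `.`), lists the commands a file grants with NOPASSWD, and flags any whose path a non-root user could replace, such as a binary under a home directory. The function names are made up for this sketch, and the parsing covers only simple one-line rules like the post's.

```shell
#!/bin/sh
# Added example: audit one sudoers drop-in. Function names are hypothetical.
# Handles simple one-line rules only (no aliases or line continuations).

# sudo skips files in the include directory whose name ends in '~' or has a '.'
name_ok() {
    case "$(basename "$1")" in
        *'~'|*.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print each command path that follows a NOPASSWD: tag, one per line.
nopasswd_cmds() {
    sed -n 's/#.*//; s/^.*NOPASSWD:[[:space:]]*//p' "$1" |
        tr ',' '\n' | awk 'NF { print $1 }'
}

# True if the path, or any directory above it, is owned by a non-root user or
# is group/other-writable: whoever can write there controls what runs as root.
writable_by_nonroot() {
    p=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    while :; do
        hit=$(find "$p" -maxdepth 0 \
            \( ! -user root -o -perm -0020 -o -perm -0002 \) 2>/dev/null) || true
        if [ -n "$hit" ]; then return 0; fi
        if [ "$p" = / ] || [ "$p" = . ]; then return 1; fi
        p=$(dirname "$p")
    done
}

# Report problems with one drop-in; returns non-zero if anything was flagged.
audit_dropin() {
    f=$1; rc=0
    name_ok "$f" || { echo "ignored by sudo (file name): $f"; rc=1; }
    for c in $(nopasswd_cmds "$f"); do
        if writable_by_nonroot "$c"; then
            echo "NOPASSWD target replaceable by non-root: $c"; rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then audit_dropin "$1"; fi
```

Syntax is a separate check: `visudo -cf /etc/sudoers.d/myfile` validates a file, and `visudo -f /etc/sudoers.d/myfile` edits it with that validation built in.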


#2 2019-01-18 16:12:20

onlain
Member
Registered: 2016-04-22
Posts: 39

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

delicious post!

Just as a complement, I share this tutorial which helped me in the past: Sudo: You're Doing It Wrong

Last edited by onlain (2019-01-20 19:18:32)


#3 2019-01-18 16:27:22

S7.L
Member
Registered: 2018-09-16
Posts: 338

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

Is there any advantage to this over the below directly in /etc/sudoers ?

%sudo   ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/poweroff


#4 2019-01-18 23:15:38

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

S7.L wrote:

Is there any advantage to this over the below directly in /etc/sudoers ?

%sudo   ALL=(ALL) NOPASSWD: /sbin/reboot, /sbin/poweroff

It's what Debian recommend rather than just straight in /etc/sudoers. For some reason, having all your rules in separate files where you can't read all of them and forget which file belongs to which rule is supposed to be better (according to them).

I suppose there's the issue of people using nano rather than visudo to edit & messing up permissions to be considered, but for me, no not really any huge advantage.

It's the exact same story with /etc/apt/sources.list vs /etc/apt/sources.list.d/*, just makes finding rogue entries harder. It's "The right way(TM)" though.

Last edited by Bearded_Blunder (2019-01-18 23:16:43)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me


#5 2019-01-19 03:15:48

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,000

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

Thanks onlain ...

S7.L it's just become the recommended method now. Generally speaking they do the same thing but actually do agree with Debian or whoever else upstream who made this call. Think it keeps things somewhat cleaner and better organized. As for not being able to keep track of what-does-what etc. No offense but think that'd come down to the admin. You can add comments to whichever files created in /etc/sudoers.d and tell yourself/others as much or as little about what the files are, what the lines contained in them do. Also as long as you follow the simple naming conventions, there's only a couple and both are noted in the README file kept in /etc/sudoers. Long way of saying in addition to using # comments throughout a file, someone can also name the files to pretty much let whoever know what they do in general.

ie: sudonopasswd ( If someone wants to be overly anal that is, shrugs.) Think reasonable use of comments in a file is more than enough to keep whoever from being confused about any of this. Really don't see any legit reasons someone would need 14,000 files nor commands like this in sudoers or sudoers.d. Also believe these are persistent, meaning even if sudoers is upgraded, these remain, whereas direct edits to sudoers can/would be overwritten if upgraded.

Last edited by BLizgreat! (2019-01-19 03:22:12)


#6 2019-01-19 03:27:02

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

BLizgreat! wrote:

You can add comments to whichever files created in /etc/sudoers.d and tell yourself/others as much or as little about what the files are, what the lines contained in them do.

Taking over a system from some other admin, you have to open *each* of the files, the whole lot.. taking notes as you go (especially if you're at a tty) to know all that's there, instead of simply inspecting /etc/sudoers
Now, so far as I'm aware there isn't even an equivalent of "apt-cache policy" which at least will tell you all that's configured including what's in ...list.d/*

Yes administrators *can* and *should* have policies and naming conventions in place, including comments, I'll stand by it being *extra effort* for no significant gain though.



#7 2019-01-19 03:48:16

damo
....moderator....
Registered: 2015-08-20
Posts: 4,903

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

Although if there are multiple users, then adding/removing per-user settings files would be much easier (and safer?) than editing sudoers.


Be Excellent to Each Other...


#8 2019-01-19 03:54:22

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,000

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

No worries however someone wants to go about whatever is up to them. Actually agree with the change in this case. Which is rare, shrugs. Noted this is the generally approved method of adding stuff to sudoers, stays persistent, easy enough to know what things do ( use meaningful comments etc.)

Anyway just wanted to slap this puppy up because I'd read this is the new/approved way to go about doing this type of thing but there didn't seem to be much documentation on it, was enough to figure it out. Still more can't hurt, so putting what I discovered about it up here in the BL forums.


#9 2019-01-19 04:02:48

DeepDayze
Member
From: In Linux Land
Registered: 2017-05-28
Posts: 676

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

damo wrote:

Although if there are multiple users, then adding/removing per-user settings files would be much easier (and safer?) than editing sudoers.

Yes that's a good idea for special settings for certain users. A good convention would be for the filename to be the account name of the user it pertains to, then have the special sudo settings inside it for that user.

One question: do the changes take effect once a file is created in sudoers.d folder?


Real Men Use Linux


#10 2019-01-19 04:06:29

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

One question: do the changes take effect once a file is created in sudoers.d folder?

They seemed to when I created an entry for Domain Admins as a group, when I was playing with joining Bunsen to Active Directory.
I think the config gets a fresh read anytime sudo gets used.



#11 2019-01-19 04:20:42

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,000

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

Yeah believe they do/did. Would suggest it gets sourced, checked every time someone runs a sudo command ? Yeah it does, lol ... managed to bork things up and had to reboot into recovery to get into a root shell and fix the stupid thing. Arghhhh. :)


#12 2019-01-19 04:25:32

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 730

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

managed to bork things up and had to reboot into recovery to get into a root shell and fix the stupid thing

Now, that one is where there may be some genuine advantage, if you b0rk it.. you know all you need to do is zap the last file you edited or added in /etc/sudoers.d/ :)

Still don't see much *other* advantage, but there is that one.



#13 2019-01-19 13:21:19

S7.L
Member
Registered: 2018-09-16
Posts: 338

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

damo wrote:

Although if there are multiple users, then adding/removing per-user settings files would be much easier (and safer?) than editing sudoers.

I suppose that would be its use case for more than one user, but even so wouldn't groups take care of that also, tier based, dependent upon what the user needs: you just add them to whatever group has the needed privilege?

Admin wouldn't give sudo rights to someone who doesn't need it or shouldn't.

So say a group of 5 workers need access to poweroff/reboot the computer, you would add them to a group called leave followed by the edit to sudoers.

Single user case, like the owner of said personal computer who doesn't share it, I don't see the point.

This is a good article on what I'm talking about.

https://www.networkworld.com/article/32 … -sudo.html

Last edited by S7.L (2019-01-19 14:41:27)


#14 2019-01-20 16:13:53

BLizgreat!
Resident Babbler - vll!
Registered: 2015-10-03
Posts: 1,000

Re: Use files in /etc/sudoers.d so you can run sudo commands no password

^ Like most things gnu/Linux what someone does, how they do it, much just comes down to choice. Though also pretty obvious there are better and worse ways to go about whatever end goal. In this case am just going to abide by what upstream advises and accept it as good or best practice. Actually agree with them in this anyway.

It just keeps sudoers cleaner. Particularly if someone likes to use this type of thing often and as noted files set up with sudoers.d won't be overwritten if there are upgrades so makes sense just to go ahead and use it as advised. That's only 2 cents and my outlook on this topic though.
