Help Editing Sudoers File

Rubicone

Senior member
Jan 11, 2001
520
0
0
I need to allow 3 users designated as the leaders for various projects the ability to add new users. Now this can be achieved using the sudo command (eg. sudo -u jsmith useradd). But for this to work the sudoers file needs to be edited and I don't know quite how to do that. If anyone has knowledge and can provide some examples that would be great. TIA.
 

TonyRic

Golden Member
Nov 4, 1999
1,972
0
71
You need to have write privs to write to that file. To do that you need to be root.

su -
type root passwd here
visudo
make changes and save file

or:

su -
type root passwd here
vi /etc/sudoers
make changes and save file
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
I think he's asking about the syntax of the sudoers file. I would like to know too - I haven't been able to get it to work the way I want.
 

Rubicone

Senior member
Jan 11, 2001
520
0
0
You are right CTho9305 I would like some examples on actually writing the sudoers' file to the specifications indicated in my initial post.
 

TonyRic

Golden Member
Nov 4, 1999
1,972
0
71
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password (Will not prompt user for a password)
%wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now




BTW, if you type as root 'man sudoers' you will get a lot of info on the file.
 

Rubicone

Senior member
Jan 11, 2001
520
0
0
Just so I understand this correctly under the section User privilege specification if I insert the line jsmith ALL = /sbin/useradd in the sudoers file and save the changes, then the user jsmith will be allowed to utilize the useradd command? No other changes are required?
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
here's my sudoers file.

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
# Host alias specification
# User alias specification

# Cmnd alias specification
Cmnd_Alias HALT=/sbin/halt
Cmnd_Alias AUMIX=/usr/bin/aumix
Cmnd_Alias PUMP=/sbin/pump
Cmnd_Alias WINE=/usr/local/bin/wine
Cmnd_Alias MOUNT=/bin/mount
Cmnd_Alias UMOUNT=/bin/umount
Cmnd_Alias MODPROBE=/sbin/modprobe
Cmnd_Alias SHUTDOWN=/sbin/shutdown

# User privilege specification
root ALL=(ALL) ALL
death ALL=NOPASSWD:HALT,NOPASSWD:AUMIX,NOPASSWD:PUMP,NOPASSWD:WINE,NOPASSWD:MOUNT,NOPASSWD:UMOUNT,NOPASSWD:MODPROBE,NOPASSWD:SHUTDOWN
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Let's say I wanna give my account apt privileges. Even after RTFM'ing and looking at your examples, I don't know what to do exactly.
 

Kovu

Junior Member
Apr 25, 2002
9
0
0
If you let me know EXACTLY what you want to do I would be happy to actually do you a sample sudoers file for you to see what is going on, but if you would rather figure it out yourself, and to be honest this is the best way to learn.. try this site: http://www.courtesan.com/sudo/sample.sudoers it is pretty comprehensive, and has LOADS of example situations...
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81


<< Let's say I wanna give my account apt privileges. Even after RTFM'ing and looking at your examples, I don't know what to do exactly. >>



The most direct way would be to add a line to the user privilege specification section:

username hostname=/path/to/apt

Fill in your username, computer's hostname, and path appropriately. That's it - you will be able to type "sudo apt [arguments]" at the command line, enter your password (not the root password), and you're set. All the other aliasing stuff is just to keep things more organized and readable when the permissions settings get more complicated.

For example, say that there are 3 big commands used along with apt (I have no idea, just an example). You could use a command alias to make things more readable, especially if you needed to assign these commands to different users and groups. In the command alias section, add:

Cmnd_Alias PACKAGE=/path/to/apt,/path/to/prog1,/path/to/prog2,/path/to/prog3

Then, instead of having to write out all those commands again in the privilege section, you would use:

username hostname=PACKAGE

If you didn't want to be prompted for a password, use:

username hostname=NOPASSWD:PACKAGE

etc, etc, etc. You should be able to get through the sudoers man page from here. But basically, the aliases are just convenient shorthand - you can do everything in the privilege section if you don't mind typing it all out.

edit: damn smilies - obviously that's supposed to be ": P" at the end there.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
As for the original poster, you would do something similar, though you might want to use a User Alias since you're assigning privileges to three people. So in the User Alias section add:

User_Alias PROJECT=jim,bob,joe

Then in the privilege section use

PROJECT hostname=/usr/sbin/adduser

Or, if the commands will be run from several machines,

PROJECT ALL=/usr/sbin/adduser
 

Rubicone

Senior member
Jan 11, 2001
520
0
0
If the 3 users, all being heads of their respective groups, are themselves part of leaders group - can I simply specify the group, or must I indicate the username of each individual? Is there a reason why you are using adduser rather than useradd? Since the machine does not have a hostname but only an IP address can I replace the hostname with the IP address?

User_Alias PROJECT = leaders

PROJECT 10.10.10.50 = /usr/sbin/useradd
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
To specify a local system group in the privileges section, use % - you don't even need the alias then. So you would just say

%leaders hostname=/usr/sbin/adduser

I wasn't being particular with my command choice. On Slack, adduser is a perl front end to useradd - I don't know if this is true everywhere. As for the hostname/address, you can probably use localhost to specify your machine. I've never tried with IP addresses, so I can't say how that would work.
 

Rubicone

Senior member
Jan 11, 2001
520
0
0
By adding the line specified I got a syntax error when trying to save the file. BTW I am using RH 7.2 distro. Other suggestions are appreciated and welcomed.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Perhaps you need tabs rather than spaces, I don't know... But come on, man... play around with it until visudo stops complaining about syntax. Read the sudoers man page in case I goofed up. But surely you can finish it from this point on.
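
Added example, not from any poster in this thread: a POSIX shell helper that builds the `%leaders` rule discussed above and syntax-checks it with `visudo -c -f` on a scratch file, so a mistake never reaches /etc/sudoers. The function names and return codes are this example's own; only the `leaders` group and `/usr/sbin/useradd` come from the thread.

```shell
#!/bin/sh
# Added example: names and return codes below are this example's own.

# render_rule GROUP COMMAND: print "%GROUP ALL = COMMAND", or fail.
render_rule() {
    group=$1 cmd=$2
    case $group in   # conservative charset, so the name cannot alter the grammar
        ''|*[!A-Za-z0-9_-]*) echo "bad group name: $group" >&2; return 1 ;;
    esac
    case $cmd in     # sudoers wants fully qualified command paths
        /*) ;;
        *) echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    case $cmd in     # these need escaping in sudoers; reject rather than escape
        *" "*|*,*|*:*|*=*|*\\*) echo "unsupported character: $cmd" >&2; return 1 ;;
    esac
    # No arguments are listed, so sudo accepts any arguments to COMMAND.
    printf '%%%s ALL = %s\n' "$group" "$cmd"
}

# check_fragment FILE: 0 = parsed OK, 1 = syntax error, 3 = visudo not installed.
check_fragment() {
    command -v visudo >/dev/null 2>&1 || return 3
    visudo -c -q -f "$1" >/dev/null 2>&1 || return 1
}

# validate_rule GROUP COMMAND: print the rule only if visudo accepts it.
# Returns 2 for rejected input, otherwise check_fragment's status.
validate_rule() {
    tmp=$(mktemp) || return 1
    rc=0
    if render_rule "$1" "$2" >"$tmp"; then
        check_fragment "$tmp" || rc=$?
    else
        rc=2
    fi
    if [ "$rc" -eq 0 ]; then cat "$tmp"; fi
    rm -f "$tmp"
    return "$rc"
}

# Run the thread's case only when asked to, e.g.: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    validate_rule leaders /usr/sbin/useradd
fi
```

Because the rule lists no arguments, sudo lets the group run useradd with any arguments; listing the exact arguments in the rule narrows it.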
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
/etc/sudoers:

#Command aliases. This is just a test since I don't really need this:
Cmnd_Alias TEST = /usr/local/bin/nmap

#Host aliases. This is another test, since I don't need this either:
Host_Alias BF = buddyf

#I hate that stupid lecture
Defaults !lecture

#Allow root and wheel users to do what they want as root:
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

#specific users stuff:
#This allows the user n0c (me) to run on BF (the machine) everything listed under TEST command alias (nmap):
%n0c BF = TEST

This works for me (just tested it after flipping through the man page). Learn to use the man pages. They are very helpful.
 