Computer lessons

Using sudo in Ubuntu for beginners. Using the commands sudo su Group privilege settings

Sudo is a program that allows administrators to grant limited root rights to users and keep a log of root activity. The basic philosophy is to give as few rights as possible while still allowing people to perform their tasks normally. The difference with the su command is that the user enters their account password rather than the root user password.

Sudo on Debian has a fifteen minute (maybe) timeout after entering the password. This means that when you first enter the root password, you have 15 minutes during which you can execute the next command without entering the password. The timeout can be reset immediately using the command sudo -k.

Installing sudo on Debian 7

aptitude install sudo

During installation, the configuration file /etc/sudoers and the directory /etc/sudoers.d are created, which we will talk about a little later.

sudo command options

-k - resets the timeout, so the password will have to be entered again. If you specify a command that may require a password, the timeout will be reset specifically for that command.
-h - a small hint will be displayed on the standard output.
-V - the version of sudo and plugins will be displayed. If you run as root, all settings will be displayed.
-g group - allows you to specify which group the command will be launched from.
-H - specifies the directory that will be specified in the HOME environment variable.
-i - simulates an initial login. If no command is specified, it logs you in, so you can become root this way instead of using sudo su.
-l[l] - if no command is specified, a list of available commands for the calling user (or the user specified with the -U parameter) will be displayed. If a command is specified and it is available, the full path to the command and available parameters will be displayed. If the command is not available, sudo will exit with status 1. If you use the -ll option or specify -l twice, a more verbose output format will be used.
-s - the shell specified in the SHELL environment variable will be launched. If a command is specified, it will be passed to the running shell for execution.
-U user - together with the -l parameter, allows you to display the privileges of a specific user. By default, root and users with all privileges (ALL) have access to privilege lists.
-u user - the specified command will be run as the specified user, not as root.
-v - allows you to extend the timeout by 15 minutes (or whatever is specified in sudoers), but not execute any commands.

Most of the available options are listed here, but not all. To see the full list use the command man sudo.

Setting up sudo on Debian 7

It is recommended to set all user settings in files in the directory /etc/sudoers.d, not in the main file /etc/sudoers. That is, you can create a file with any name in the directory /etc/sudoers.d and already list the necessary settings in it.

It is recommended to edit the file /etc/sudoers using the visudo utility, since it locks the file and checks the correctness of the directives when closing. visudo uses a default text editor, which can be overridden in sudoers with a directive like:

The sudo command is very important for managing access rights in the Linux operating system. Thanks to this small command, you can grant permissions to perform certain actions on behalf of the administrator to other users, without giving them the superuser password itself. Also, you do not need to always be under a superuser account to occasionally perform administrative actions.
It would seem to be such a small command, with a minimum of capabilities and the simplest possible use, but in fact it can do much more. In this article we will look at how sudo is configured in Linux to control access to system functions and user capabilities.

How does sudo work?

Before we move on to setting up access to the sudo utility, let's look at how it works. There are two ways to gain administrator rights in Linux. You can switch to the root user using the su command, or you can pass the desired command as a parameter to the sudo utility, which will execute it with administrator rights. Moreover, the second method is preferable, because you will not forget that you are using root rights and will not do anything unnecessary.
The command name means substitute user do or super user do. The utility allows you to run programs as another user, but most often as the root user. The utility was developed back in 1980 by Bob Coggeshall and Cliff Spencer. Since then, its developers have changed many times and many features have been added.
sudo works thanks to the SUID access flag. If this flag is set for a program, then it is executed not on behalf of the user who launched it, but on behalf of the file's owner. Since the sudo file is owned by root, the utility is executed as root. It then reads its settings, asks for the user's password, and decides whether the user can be allowed to run commands as an administrator. If yes, then the command passed in the parameter is executed.
Now that you know the theory, let's look at how to set up sudo on Linux.

Setting up sudo on Linux

All sudo settings are located in the /etc/sudoers file. Here you can configure a lot of parameters, starting from who will be allowed to execute commands on behalf of the superuser and ending with limiting the set of available commands.
To open a file for editing, type the following command as superuser:

You can also specify the text editor in which you want to edit the configuration file:

# EDITOR=nano visudo

Next we will look at the most interesting settings that you can set in this file. But first, let's look at the basic file syntax. It consists of two types of lines: aliases, which allow you to create lists of users and flags, and the rules themselves, which specify how the sudo command will behave. The alias syntax looks like this:
type alias_name = element1, element2, element3
The type specifies what type of alias should be created, the name is the name that will be used, and the list of elements specifies the elements that will be implied when referring to this name.
The description of user permissions has a slightly different syntax:
user host = (other_user:group) commands
The user specifies the user or group for which we are creating the rule, and the host is the computer to which this rule will apply. other_user is the user as whom the first one can execute commands, and the last field lists the allowed commands. An alias can be used instead of any of the parameters. And now, setting up sudo in Debian and other distributions.

Main settings

The Defaults alias allows you to set standard parameters for the utility’s operation, which we will consider in this section. Such an alias begins with the word Defaults, followed by the name of the flag. If there is a ! symbol in front of the name, this means that the flag needs to be turned on; otherwise, turn it off:
Disable the introduction the first time you use it:

Defaults !lecture


The superuser cannot do sudo:

Defaults !root_sudo



Now if you try to run sudo sudo nothing will work:


Change the home directory for the target user, leaving the current user's folder as the home directory by default:

Defaults set_home



Save the list of groups of the current user:

Defaults !preserve_groups



Request superuser password instead of user password:



Next, let's look at the variables whose values you can set to get the desired settings:
Set the number of password attempts before sudo quits, default is 3:

Defaults passwd_tries=5





The number of minutes that will pass before sudo asks for a password again is 5 by default. If you set the value to 0, it will always ask for a password, no matter how long ago you used the utility:

Defaults timestamp_timeout=10



The following parameter specifies the number of minutes that sudo will wait for a password to be retyped if it is entered incorrectly:

Defaults passwd_timeout=10



You can change the message that is displayed when prompted for a password:

Defaults passprompt="Your password:"


You can specify another user, not root, from which all commands will be executed, for this use:

Defaults runas_default="user"

You can log all attempts to connect to sudo:

Defaults logfile=/var/log/sudo



Then we try to check the operation of the log:

$ sudo cat /var/log/sudo



These were all the most interesting sudo settings that you may need, next we will look at how to set sudo access rights for users.

Setting up sudo users

We have already discussed above the syntax for setting up actions for users; here everything is more complicated than with aliases, but you can figure it out. For example, let's allow any user to use sudo, from any host, and execute any command:

ALL ALL = (ALL) ALL



Such a rule is very unsafe; it allows everyone and everything. The first ALL is to allow all users, the second ALL is for all hosts, the third ALL is to allow login as any user, and the fourth is to allow any command to be executed. But another construction is used much more often:

%wheel ALL = (ALL) ALL


It means the same as the previous one, only here we do not allow all users to use sudo, but only those who are members of the wheel group.

%wheel ALL = (root) ALL

Here we have already limited the possible choice of users to only the root user. You can also specify the user group on behalf of which he can execute commands:

%wheel ALL = (root:admins) ALL



This means that you can run the command as root or another user from the admins group. We can also specify commands that the user can execute. For example:
  • Runas_Alias - alias of users on whose behalf commands will be executed;
  • Host_Alias - host alias;
  • Cmnd_Alias - command alias.

    For example, let's create four aliases and use them in our rule:

    User_Alias Users = user1,user2,user3
    Runas_Alias Admins = root,admin
    Host_Alias Hosts = host1,host2
    Cmnd_Alias Cmds = /bin/mount,/bin/umount

    Users Hosts = (Admins) Cmds

    This means that users from the Users list will be able to execute Cmds commands on behalf of Admins users on Hosts hosts.
    There are still a few words left to say about flags. The NOPASSWD flag tells sudo not to prompt for a password when executing this rule. For example, to allow all users to run the mount command with sudo without a password:

    ALL ALL = (root) NOPASSWD: /bin/mount

    You can also prevent this particular command from being executed at all using the NOEXEC flag:

    ALL ALL = (root) NOEXEC: /bin/mount

    You can check whether the /etc/sudoers file was configured correctly and see all the created rules using the command:


    All installed flags and settings are displayed here, as well as the permissions of this user.

    Conclusions

    In this article we looked at how to configure sudo in Linux. As you can see, despite the fact that this is a very simple utility, it hides a lot of useful settings that you can use on your system. If you have any questions, ask in the comments!

    As a Linux administrator, I have always used both sudo and su. And as a system administrator, it is very important that you know the difference between them. For those who have no general idea about the difference between the two or always confuse them - here is a list of 12 Q&A (questions and answers) that are aimed to help you understand the intricacies of sudo and su.

    NOTE - This article is specific to Ubuntu only. Although some information may apply to most popular distributions.

    Sudo vs Su

    This series of questions and answers should clarify some of the features of sudo vs su for many Ubuntu users.

    Q1. How are sudo and su used? What is the difference between them?

    Answer. Sudo is used to run a particular command with root permission. The interesting thing is that when you use sudo for a specific command, the system will ask you for the current user's password. After entering the password, the command is launched with superuser privileges.

    Here's an example:

    $ apt-get install skype
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?
    $ sudo apt-get install skype
    password for mylinuxbook:
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ...
    ...

    As you can see, first I tried to install Skype using the command apt-get but I got a permission denied error. Then I used sudo with the same command, and the system asked for the password of the mylinuxbook user. After entering the correct password, the command is completed successfully.

    On the other hand, su is used to switch to any user. The password configured for the corresponding user is required. If su is used without options, it switches to the root user account. In this case, the system requests the superuser password.

    Here's an example:

    $ su mylinuxbook
    Password:
    mylinuxbook@mylinuxbook-Inspiron-1525:~$

    In the above example, I used su to switch to the mylinuxbook user account and after entering the password for mylinuxbook, I was able to do this.

    Here's another example:

    $ su
    Password:
    su: Authentication failure

    In the example above, I ran su to enable root account permissions for a normal user, but it couldn't because I didn't have a root password configured. Distributions such as Ubuntu do not have superuser passwords configured by default. Once it is set up, you will be able to use this password.

    Q2. What if I don't want to configure an administrator password in my Ubuntu, but still want to switch to superuser?

    Answer. In this case, you can try the command "sudo su". Here is an example:

    $ sudo su
    password for mylinuxbook:
    root@mylinuxbook-Inspiron-1525:/home/mylinuxbook#

    Once sudo has been used to start su, the system prompts you for the current user's password rather than the superuser password. Once this was entered, the current account was switched to the root account.

    Q3. What if I want to use su to navigate to other user accounts, but don't want to remember each and every user password?

    Answer. Well, in that case, just use the su command, enter the administrator password and switch to the account. From here, using su, you can switch to any user account without using passwords.

    Q4. If sudo is used to do something with root privileges, then why is the current user's password needed and not the root password?

    Answer. Well, it's not exactly like any normal user can do sudo and run commands that require superuser privileges. You, as a user, must be a sudoer as well. This means that you must have privileges to use sudo. If you are a valid sudoer, the system only asks for a password to make sure you understand that you are doing some work that requires root privileges, and you should double-check everything before you actually do it.

    Now the question arises about sudoers. How does a user become a sudoer? A user can become a sudoer if they are added to the sudo group. Here's an example:

    $ sudo adduser <username> sudo

    Just replace <username> with the actual username for the account. Please note that previously (before Ubuntu 12.04) the group had to be called admin, but now this is not necessary.

    You can use the command "groups" to check all groups that this user is in. Here's an example:

    $ groups mylinuxbook
    mylinuxbook: mylinuxbook adm cdrom sudo dip plugdev lpadmin sambashare

    So you see that the user "mylinuxbook" is part of all of these groups, including the sudo group, and is therefore a sudoer.

    Q5. I noticed that as soon as I used sudo, my root permissions remained for a long time, although after a while everything returned to normal. What is this?

    Answer. Ubuntu remembers the password for sudo for about 15 minutes. This means that once you have used sudo to run a command, the system will not prompt you for a password if you run other commands that require root privileges to run. Although you will have to use "sudo" before each command.

    Q6. What are the advantages of sudo over su?

    Answer. Sudo has many advantages over su.

    Here is the list:

  • Sudo ensures that privileges exist for a specific command (or for a specific period of time) and not for an entire session, as this can lead to accidental abuse of superuser privileges.
  • You can use sudo to restrict user rights. This is useful when you don't want the user to have control over all superuser rights when working with sudo.
  • There is a log (auth.log) that is maintained for each sudoer. This file contains information about the commands that were executed using sudo and the time they were executed. This helps the administrator track even trusted users (sudoers).
  • The biggest advantage is that sudo requires the user's own password to log in, rather than the root password. This helps to keep the root password private and there is no need to change it even when the user (sudoer) leaves.

    Q7. Can any user perform sudo operations?

    Answer. No, only trusted users or sudoers can perform sudo operations. Here is the official page that describes how and what a sudoer user can do.

    Q8. I'm interested in su. How can I configure the use of su in a way that achieves functionality similar to sudo?

    Answer. If you are running su, this means that you already have a superuser password configured. To achieve functionality similar to sudo, i.e. to run just one command with root privileges using su, all you need to do is use the -c option of the su command.

    Here's an example:

    $ su -c "apt-get install skype"
    Password:

    Just enter the password and only this command will work with superuser privileges. Although this is the same as sudo, the only difference is that you need to enter the superuser password instead of the current user password.

    Q9. I'm working with sudo. How can I customize my use of sudo in a way that achieves similar functionality to su?

    Answer. To achieve su functionality via sudo, try the -i option of the sudo command.

    Here's an example:

    $ sudo -i
    password for mylinuxbook:
    root@mylinuxbook-Inspiron-1525:~#

    You see that with "sudo -i", the session switched to the root account although the password entered was for the current user (mylinuxbook in this case).

    Q10. My account's root password has not yet been activated. Can I use sudo to enable the superuser password?

    Answer. To activate the superuser password, you can use the command passwd in the following way:

    $ sudo passwd root

    This command requires root privileges, so you will have to use sudo.

    Q12. Can I use sudo to grant special rights to users?

    Answer. The configuration file for sudo is /etc/sudoers. It cannot be edited manually using an editor. For this purpose it is recommended to use the command visudo.

    Here's the exact command:

    $ sudo visudo

    and this is what you get:

    This command will open a temporary file /etc/sudoers.tmp in nano editor for editing. Visudo makes sure that there is no conflict when multiple copies of the same file are edited.

    To understand how to grant limited rights, understand the design of this configuration file.

    In any Linux system there is always one privileged user - root. This user has the rights to perform any actions, delete any files and change any settings. It is almost impossible to somehow limit the freedom of action of root. On the other hand, all other users of the system usually do not have most of the necessary rights, such as the right to install programs, since this is an administrative operation that only root has rights to. Another common operation, accessible only to the superuser, is copying and changing files in system folders where a regular user does not have access.

    Previously, this problem was solved quite simply: if you had the root password, you could log into the system under his account or temporarily obtain his rights using the su command. Then perform all the necessary operations and return back to the normal user. In principle, this scheme works well, but it has many significant drawbacks, in particular, it is impossible in any way (more precisely, it is very difficult) to limit administrative privileges to only a certain range of tasks.

    Therefore, in modern Linux distributions, instead of the root account, the sudo utility is used for administration.

    In Ubuntu, by default, the root account is completely disabled, i.e. there is no way you can become root without enabling it. root is disabled, i.e. it is present in the system, you just can't log into it. If you want to return the ability to use root, see the paragraph below about enabling the root account.

    What is sudo

    sudo is a utility that grants root privileges to perform administrative operations according to its settings. It allows you to easily control access to important applications on the system. By default, when installing Ubuntu, the first user (the one created during installation) is given full rights to use sudo. That is, in fact, the first user has the same freedom of action as root. However, this behavior of sudo is easy to change; see below in the paragraph about setting up sudo.

    Where is sudo used?

    sudo is used whenever you run something from the System Administration menu. For example, when you launch Synaptic you will be asked to enter your password. Synaptic is an installed software management program, so to run it you need administrator rights, which you get through sudo by entering your password.

    However, not all programs that require administrative privileges automatically run through sudo. Typically, you have to manually launch programs with administrator rights.

    Running graphical programs with administrator rights

    To launch graphical programs with administrator rights, you can use the program launch dialog, which is called up by default by the keyboard shortcut Alt + F2.

    Let's say we need to launch the Nautilus file manager with administrator rights in order to somehow change the contents of system folders through the graphical interface. To do this, enter the command in the application launch dialog

    gksudo nautilus

    gksudo can be substituted with gksu, and KDE users should also write kdesu instead of gksudo. You will be asked to enter your password, and if you have the necessary rights, Nautilus will start as an administrator. You can launch any graphical software with administrator rights by simply writing in the launch dialog

    gksudo <command_name>

    Be extremely careful when working in applications running with administrator rights. You can perform any operation without any warnings from the system, in particular, delete system files, making the system inoperable.

    Running programs with administrator rights in the terminal

    To run a command in a terminal with administrator rights, simply type sudo in front of it:

    sudo <command>

    You will be asked to enter your password. Note that while you type the password, nothing is displayed at all; this is normal and done for security purposes, just type to the end and press Enter. After entering the password, the specified command will be executed as root.

    The system remembers the entered password for some time (keeps the sudo session open). Therefore, subsequent executions of sudo may not require entering a password. To guarantee termination of the sudo session, type in the terminal

    Additionally, errors related to pipes in Linux are common. When executing a command

    sudo cat test.txt | grep text > result.txt

    only cat will be executed with root rights, so the file result.txt may not be written. You either need to write sudo before each command, or temporarily switch to superuser.

    Gaining superuser rights to run multiple commands

    Sometimes it becomes necessary to run several commands in a row with administrator rights. In this case, you can temporarily become a superuser using one of the following commands:

    sudo -s
    sudo -i

    This will put you in superuser mode (with restrictions imposed through the sudo settings), as indicated by the # symbol at the end of the command line prompt. These commands are similar in action to su, however:
    - sudo -s - does not change the home directory to /root; the home directory remains that of the user who called sudo -s, which is usually very convenient.
    - sudo -i - will also change the home directory to /root.

    To exit back to normal user mode, type exit or simply press Ctrl + D.

    Using a traditional root account and the su command

    Unlocking the root account leads to unnecessary risks (working constantly under root, you have 100,500 ways to “shoot yourself in the foot”), and also makes it easier for an attacker to gain access to your computer.

    Ubuntu 11.04 and earlier

    To log in as root, just give it a password:

    sudo passwd root

    Then on the login screen, click Other... and enter the username (root) and password that you set.

    Ubuntu 11.10 and later

    Starting with version 11.10, the lightdm login manager was installed, and logging in as root is a little more complicated.

    1. Set the root password. Enter in terminal:

    sudo passwd root

    2. Turn on the “Enter login” item. Enter in terminal:

    gksu gedit /etc/lightdm/lightdm.conf

    At the end of the file add:

    greeter-show-manual-login=true

    3. Restart lightdm. Enter in terminal:

    sudo service lightdm restart

    That’s it, the “Login” item will appear on the login screen. In the login field we enter “root”, in the password field - the password that we set in the first stage.

    To lock the root account again, you will need to roll back the changes in the lightdm settings, and also lock the root account with the command in the terminal:

    sudo passwd -l root

    Setting up sudo and permissions to run various commands

    sudo allows you to allow or forbid users to run a specific set of programs. All settings related to access rights are stored in the file /etc/sudoers. This is not an ordinary file. To edit it, you must (for security reasons) use the command

    sudo visudo

    By default, it says that all members of the admin group have full access to sudo, as indicated by the line

    %admin ALL=(ALL) ALL

    You can read more about the syntax and customization options of this file by running

    man sudoers

    If you make a mistake when editing this file, you may completely lose access to administrative functions. If this happens, you need to boot into recovery mode, and you will automatically receive administrator rights and be able to fix everything. You can also edit this file from a LiveCD.
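One way to avoid that lockout when adding rules as a separate file under /etc/sudoers.d is to syntax-check the candidate file before it becomes active. This is an added example, not part of the original article; install_sudoers_dropin, SUDOERS_D and VISUDO are names made up here, while visudo -c -f FILE is visudo's own check-only mode.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only after visudo accepts it.
# install_sudoers_dropin, SUDOERS_D and VISUDO are names made up for this
# example; "visudo -c -f FILE" checks the syntax of FILE without editing.

install_sudoers_dropin() {
    candidate=$1                              # file holding the new rules
    name=$2                                   # file name inside the drop-in dir
    dest_dir=${SUDOERS_D:-/etc/sudoers.d}     # overridable for a dry run
    checker=${VISUDO:-visudo}

    # sudo skips drop-in files whose name contains "." or ends in "~",
    # so rules stored under such a name would be silently ignored.
    case $name in
        '' | */* | *.* | *~)
            echo "refusing file name '$name'" >&2
            return 2
            ;;
    esac
    if [ ! -f "$candidate" ]; then
        echo "no such file: $candidate" >&2
        return 2
    fi

    # Syntax check first: a broken file in the drop-in directory can
    # leave sudo unusable, which is the lockout described above.
    if ! "$checker" -c -f "$candidate" >/dev/null 2>&1; then
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi

    # 0440 is the mode sudo expects for sudoers files.
    install -m 0440 "$candidate" "$dest_dir/$name"
}

# Typical use, as root:
#   printf '%s\n' 'username ALL=(root) /bin/mount, /bin/umount' > /tmp/mounts
#   install_sudoers_dropin /tmp/mounts mounts
```

Keep a root shell open in another terminal until sudo -l has confirmed that the new rule works.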

    Allow a user to execute a command without entering a password

    In order to prevent the system from asking for a password for certain commands, it is necessary to add to sudoers, after the line # Cmnd alias specification, a line where you list the desired commands with their full paths separated by commas (the path of a command can be found by running which command_name):

    # Cmnd alias specification
    Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /usr/sbin/pm-hibernate, /sbin/reboot

    And add the line to the end of the file

    username ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS

    Attention! The above steps do not replace the need to enter the sudo command before your command.

    Creating synonyms (aliases)

    To not only avoid having to enter a password for sudo, but also to avoid having to enter sudo at all, do the following: open the .bashrc file located in your home directory

    nano ~/.bashrc

    and add the lines to the end of the file

    alias reboot="sudo reboot"
    alias poweroff="sudo poweroff"
    alias pm-hibernate="sudo pm-hibernate"
    alias hibernate="sudo pm-hibernate"
    alias shutdown="sudo shutdown"

    The validity period of the entered password

    Perhaps you want to change the length of time that sudo lasts without entering a password. This can be easily achieved by adding something like the following to /etc/sudoers (visudo):

    Defaults:foo timestamp_timeout=20

    Here, sudo for the user foo stays valid without the need to enter a password for 20 minutes. If you want sudo to always require a password, set timestamp_timeout to 0.

    sudo doesn't ask for password

    sudo without a password is a terrible security hole, anyone is allowed to do whatever they want. If you allowed this on purpose, immediately return it back to how it was.

    However, in some cases, sudo suddenly stops requiring a password on its own. If you do visudo , you can see something like this line, which the user apparently did not add:

    ALL ALL=(ALL) NOPASSWD:ALL

    Most likely, this disastrous line was added when installing a program like Connect Manager from MTS or Megafon. In this case, it needs to be changed to a line that allows only this Connect Manager to be run as root, something like this:

    username ALL= NOPASSWD: /path/to/program

    There are other options for solving the problem, a short discussion.
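Finding a line like the one above does not have to depend on someone opening visudo and noticing it. The following added example (not part of the original article) scans sudoers-format files for rules that apply to every user and for rules that allow any command without a password; audit_sudoers and sample_sudoers are names made up here, and the sample rules are constructed from lines quoted on this page.

```shell
#!/bin/sh
# Added example: flag sudoers rules of the kind discussed above.
# audit_sudoers and sample_sudoers are names made up for this example.

# audit_sudoers FILE...
#   Prints "file:line: CODE: rule" for every finding and returns 1 if
#   anything was found, 0 otherwise.
#   ALL_USERS     the rule applies to every user (first field is ALL)
#   NOPASSWD_ALL  any command may be run without a password
#   Simplification: one "hosts = commands" group per rule is assumed.
audit_sudoers() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function report(code) {
        printf "%s:%d: %s: %s\n", FILENAME, start, code, rule
        found = 1
    }
    {
        if (buf == "") start = FNR
        # A trailing backslash continues the rule on the next line.
        if ($0 ~ /\\$/) { buf = buf substr($0, 1, length($0) - 1) " "; next }
        rule = trim(buf $0); buf = ""

        # Skip blanks, comments, includes, Defaults and alias definitions.
        if (rule == "" || rule ~ /^[#@]/) next
        if (rule ~ /^Defaults/ || rule ~ /^[A-Za-z]+_Alias[ \t]/) next

        eq = index(rule, "=")
        if (eq == 0) next
        split(trim(substr(rule, 1, eq - 1)), lhs, /[ \t]+/)
        if (lhs[1] == "ALL") report("ALL_USERS")

        rhs = substr(rule, eq + 1)
        gsub(/\([^)]*\)/, "", rhs)            # drop "(runas)" lists
        n = split(rhs, cmds, ",")
        nopass = 0                            # tags carry over to later commands
        for (i = 1; i <= n; i++) {
            c = trim(cmds[i])
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                c = substr(c, RLENGTH + 1)
                sub(/:.*$/, "", tag)
                if (tag == "NOPASSWD") nopass = 1
                if (tag == "PASSWD") nopass = 0
            }
            if (nopass && c == "ALL") { report("NOPASSWD_ALL"); break }
        }
    }
    END { exit found + 0 }
    ' "$@"
}

# Constructed sample input (not taken from a real system).
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
Defaults:foo timestamp_timeout=20
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot
username ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
ALL ALL=(ALL) NOPASSWD:ALL
ALL ALL = (root) NOPASSWD: /bin/mount
username ALL= NOPASSWD: /path/to/program
EOF
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
audit_sudoers "$tmp" || echo "review the rules listed above"
rm -f "$tmp"
```

On a real system the function would be run as root over /etc/sudoers and the files in /etc/sudoers.d, for example from a periodic job after package installations.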

    Paradoxically, the sudo command does not prevent running an administrator session inside a regular user session. Because with its help you can run the same su command:

    $ sudo su

    And this is even in Ubuntu, where there is no root account; more precisely, there is no default password. But using sudo makes it unnecessary even for the su command. But it is not prohibited to set a superuser password - after all, to do this it is enough to give the command

    $ sudo passwd

    in order to use su in the usual way in the future. And even, if desired, log in as root when logging in to the system.

    However, here too the sudo command provides an “ideologically correct” method, and not even just one. These are the -s and -i options, which prolong, although in slightly different ways, the action of the sudo command for an indefinite period, until the “secondary session” is terminated with the exit command.

    The -s option, when opening a secondary root session, preserves all the environment variables of the original user. However, if you add the -H option to it, then these variables will be read again from the profile files of the administrator’s home directory, that is, /root, as when starting an interactive shell instance. However, the directory that was current at the time the command was entered will not change, nor will the appearance of the command line prompt change.

    The -i option completely reproduces the root environment, launching its command shell as a login shell. Of course, in this case, the current directory changes to /root, and the command line prompt takes on the form described in the corresponding variable in the profile file of the administrator shell (in bash - PS1).

    In practice, the difference between both forms of gaining permanent administrator rights is not great, especially in bash. But in zsh, with the appropriate settings of the profile files, if desired, you can achieve a significantly different environment in each of these cases. True, how much the user needs this is a big question. But the fact that when using the -H options, being in permanent administrative mode does not appear outwardly in any way is fraught with errors. And makes using the -i option preferable in most cases.

    By the way, the capabilities of sudo are not limited to running commands as an administrator: by specifying the -u username option, they can be executed on behalf of the user whose login is specified as its value. This can be useful when viewing or copying another user's dot files and dot directories, which are often readable and editable only by the owner.

    By the way, the sudo command can be run so that it asks for the password of the user under whose name the command will be executed (for example, an administrator), rather than the password of the user who is requesting that authority. There is an option -targetpw for this. And to make the root password requirement permanent, it is enough to define, for example, an alias like

    alias sudo -targetpw

    Requiring the root password to be entered when running sudo is the default behavior in some distributions, for example, as they say, in Suse.

    The sudo command has many more options - I listed above only those that I had to use. The rest are easy to look up in man sudo. Of those not listed, I will also mention the -b option, which tells sudo to run the “supervisory” command in the background. It can be useful for long-running actions, for example, when copying USB images to a flash drive with the dd command.

    As we just saw, the sudo command gives the user almost unlimited powers for any system-wide actions, as well as for manipulating other people's user data. In this regard, let us ask the following questions:

    • can any user gain administrator rights through the sudo command, and
    • can that user perform all administrative actions with it?

    If we talk about the Ubuntu family, in which this mechanism was first used “out of the box”, then by default the answer to the first question is negative and to the second positive. In general, this depends on the settings of the sudo program, which are described in the /etc/sudoers file. In it you can set rules that allow only certain users to execute certain commands. In general form a rule looks like this:

    username host = command

    Here, as you might guess, username is the name of the user for whom this rule is set, host is the name of the machine from which he can resort to this rule, command is a specific command, the use of which this user is allowed from this machine. The command must be given with a full absolute path (that is, /sbin/fdisk, not fdisk). The command description field can include multiple values separated by commas, for example:

    username ALL = /sbin/fdisk,/bin/mount

    In Ubuntu, the default rules for user access to administrative privileges are described as follows:

    # User privilege specification
    root ALL=(ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    That is, the root user, as expected, can execute any commands from any hosts. But only users who are members of the admin group (analogous to the wheel group, which was discussed in) can obtain its rights. A user created during a normal installation automatically becomes a member of this group - and therefore has full administrative rights available to him without any further settings. However, other users whose accounts will be created subsequently are deprived of this privilege. Unless, of course, they were specifically included in the admin group.

    In other distributions that do not use sudo out of the box, you will need to edit its configuration file - the same /etc/sudoers mentioned above.

    The /etc/sudoers file is a regular text file, and, accordingly, it can be edited in any text editor (or, say, using ed or sed). However, there is a certain risk of screwing something up (due to ordinary typos), even to the point of completely blocking your access to superuser privileges. Of course, these situations can be corrected - for example, by rebooting in single-user mode. However, it is better not to get into them. Therefore, a more reliable means of modifying /etc/sudoers is a utility specifically designed for this purpose - visudo.

    The visudo utility does not do anything supernatural - it simply opens /etc/sudoers in the text editor named by the superuser's EDITOR variable (if one is not defined, it will again be classic vi - hence the name) and lets you edit the file in the usual way and then save and exit the editor by its standard means. Before the result is accepted, however, it is checked for correctness. If a violation of the syntax accepted for /etc/sudoers is detected, a corresponding warning is issued, after which you can return to editing, discard the changes, or accept them anyway (at your own risk, of course).

    The visudo utility does not guarantee 100% editing success, since it checks only the consistency of the syntax, not the “correctness of the rules themselves.” That is, if an error is made in specifying the path to the command required for a given rule, this command will not work via sudo.
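
    An added example (not from the original article) of a check for the gap just described: a rule whose command path is relative or mistyped still passes a syntax check. The function names and the sample rules for users alice and bob are assumptions made for illustration.

```shell
# Added example: find sudoers commands that are relative or absent on this host.
# Simplified: one rule per line, no backslash continuations, no includes.

# Print the command of every rule or Cmnd_Alias in sudoers file $1.
sudoers_commands() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
        index($0, "=") == 0 { next }
        {
            spec = substr($0, index($0, "=") + 1)
            gsub(/\([^)]*\)/, "", spec)        # runas spec such as (ALL)
            gsub(/[A-Z_]+:/, "", spec)         # tags such as NOPASSWD:
            n = split(spec, items, ",")
            for (i = 1; i <= n; i++) {
                cmd = items[i]
                gsub(/^[ \t!]+/, "", cmd)      # leading blanks and negation
                sub(/[ \t].*$/, "", cmd)       # drop the arguments
                # ALL and Cmnd_Alias names are upper case; sudoedit is built in
                if (cmd == "" || cmd == "sudoedit" || cmd ~ /^[A-Z][A-Z0-9_]*$/) continue
                print cmd
            }
        }' "$1"
}

# Report relative or missing commands; return 1 if any rule needs fixing.
check_sudoers_paths() {
    sudoers_commands "$1" | (
        status=0
        while IFS= read -r cmd; do
            case $cmd in
                *[*?]*) ;;                     # wildcard entry: not checked
                /*) [ -x "$cmd" ] || { echo "MISSING  $cmd"; status=1; } ;;
                *)  echo "RELATIVE $cmd"; status=1 ;;
            esac
        done
        exit "$status"
    )
}

# Constructed sample rules; /sbin/fdsik is a deliberate typo of /sbin/fdisk.
sample_sudoers() {
    printf '%s\n' 'Defaults timestamp_timeout=10' '%admin ALL=(ALL) ALL' \
        "alice ALL = $(command -v ls), /sbin/fdsik" \
        'bob ALL = (root) NOPASSWD: mount /mnt/usb'
}

tmp=$(mktemp) && sample_sudoers > "$tmp"
check_sudoers_paths "$tmp" || echo "fix the rules above before installing them"
rm -f "$tmp"
```

    Run it against a copy of the file being edited; it reads the file only and needs no root rights unless the file itself is unreadable to the current user.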

    However, in reality it usually looks much simpler and not at all scary. So, in Fedora 11, in the sample config /etc/sudoers I only had to uncomment the line

    %wheel ALL=(ALL) ALL

    to give the user from the specified group (and I included myself there in advance, as described in) all the rights granted to the administrator. At the same time, you could give yourself the opportunity to use sudo without a password. This would require uncommenting the line

    # %wheel ALL=(ALL) NOPASSWD: ALL

    But I limited myself to making the password last longer by adding the (initially missing) line

    Defaults timestamp_timeout=10

    where the timeout value is specified in minutes. By the way, if you change it to zero -

    Defaults timestamp_timeout=0

    then the password will be requested every time you use the sudo command.

    You can, on the contrary, disable the timeout for the sudo action by entering a negative value for it:

    Defaults timestamp_timeout=-1

    In this case, the password will be requested only the first time you call this command.

    A closer look at the /etc/sudoers file will easily reveal opportunities to give certain users or groups only a limited set of rights. However, this is where the subtleties of real administration begin. I simply deprived my double-experimenter of access to any administrative actions in order to stop all his attempts in this field. However, even this does not always allow me to cope with him - just as Timur Shaov is unable to cope with his lyrical hero.