Root and Sudo: Difference between revisions

From Chalphy Cyber Cavaliers
 

Latest revision as of 19:37, 2 May 2024

I covered root and sudo briefly in Linux 101. But I will talk more about the configuration behind them here.

Sudoers

I mentioned the Sudoers file briefly in the main Linux write-up, but here we will go into more depth about it. Here is a typical Sudoers file:

Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

The lines of note here are the one that begins with root and the one that begins with %sudo. These lines specify permissions for specific users and user groups. The default specification lets members of the group sudo run commands as root with sudo. It also says that if you are root, you may use sudo as well, which prevents compatibility issues. Root can do anything, but sudo would give you an error if you didn't have that root line.

You can also allow other users and groups to use sudo, and you can change how much freedom they are given. By default, the statements are written like this:

who where=(as_whom) what

This is a statement I used on my laptop because my browser needs to be run as root:

brendan ALL=(root) NOPASSWD: /usr/bin/firefox-esr
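To review what each rule actually grants, the who where=(as_whom) what layout can be split into fields and checked mechanically. The following is an added example, not part of the original write-up: the "deploy" entry, the function names and the two checks are assumptions made for illustration, and aliases, tags after the first command and line continuations are not handled.

```python
import re
# Constructed sample: the rules shown on this page plus one hypothetical "deploy" entry.
SAMPLE = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
brendan ALL=(root) NOPASSWD: /usr/bin/firefox-esr
deploy  web01=(www-data) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
@includedir /etc/sudoers.d
"""

# who where=(as_whom) what   -- the (as_whom) part is optional in sudoers
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<where>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<as_whom>[^)]*)\)\s*)?(?P<what>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as "NOPASSWD:"

def parse_rule(line):
    """Split one user specification into its fields; return None for other lines."""
    line = line.strip()
    if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
        return None
    m = RULE.match(line)
    if not m:
        return None
    what, tags = m["what"].strip(), []
    t = TAGS.match(what)
    if t:  # simplification: only tags in front of the first command are read
        tags = [x.strip() for x in t.group().split(":") if x.strip()]
        what = what[t.end():]
    return {"who": m["who"], "where": m["where"],
            "as_whom": m["as_whom"] or "root",  # sudo runs as root when omitted
            "tags": tags,
            "what": [c.strip() for c in re.split(r"(?<!\\),", what)]}

def findings(rule):
    """Review notes for one rule; these two checks are this example's own choice."""
    notes = []
    if "NOPASSWD" in rule["tags"]:
        notes.append("no password prompt")
    if "ALL" in rule["what"]:
        notes.append("any command allowed")
    return notes

def audit(text):
    rules = filter(None, map(parse_rule, text.splitlines()))
    return {r["who"]: findings(r) for r in rules}

if __name__ == "__main__":
    print(audit(SAMPLE))
```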

It is also worth noting that because you won't be able to edit the sudoers file again if you mess up (unless you have the system configured so you can log in as root with a password), there is a special command called visudo which helps you out.