Root and Sudo: Difference between revisions

From Chalphy Cyber Cavaliers
(Created page with "Root and Sudo")
 
No edit summary
Line 1: Line 1:
Root and Sudo
==Sudoers==
 
I mentioned the Sudoers file briefly in the main Linux write up, but here we will go more in depth about it. Here is a typical Sudoers file:
<code>
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults use_pty
 
# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
 
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"
 
# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"
 
# While you shouldn't normally run git as root, you need to with etckeeper
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
 
# Per-user preferences; root won't have sensible values for them.
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
 
# "sudo scp" or "sudo rsync" should be able to use your SSH agent.
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
 
# Ditto for GPG agent
#Defaults:%sudo env_keep += "GPG_AGENT_INFO"
 
# Host alias specification
 
# User alias specification
 
# Cmnd alias specification
 
# User privilege specification
root ALL=(ALL:ALL) ALL
 
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
 
# See sudoers(5) for more information on "@include" directives:
 
brendan ALL = (root) NOPASSWD: /usr/bin/firefox-esr
 
@includedir /etc/sudoers.d
</code>

Revision as of 19:13, 2 May 2024

Sudoers

I mentioned the Sudoers file briefly in the main Linux write up, but here we will go more in depth about it. Here is a typical Sudoers file: Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

  1. This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
  2. (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)

Defaults use_pty

  1. This preserves proxy settings from user environments of root
  2. equivalent users (group sudo)
  3. Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
  1. This allows running arbitrary commands, but so does ALL, and it means
  2. different sudoers have their choice of editor respected.
  3. Defaults:%sudo env_keep += "EDITOR"
  1. Completely harmless preservation of a user preference.
  2. Defaults:%sudo env_keep += "GREP_COLOR"
  1. While you shouldn't normally run git as root, you need to with etckeeper
  2. Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
  1. Per-user preferences; root won't have sensible values for them.
  2. Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
  1. "sudo scp" or "sudo rsync" should be able to use your SSH agent.
  2. Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
  1. Ditto for GPG agent
  2. Defaults:%sudo env_keep += "GPG_AGENT_INFO"
  1. Host alias specification
  1. User alias specification
  1. Cmnd alias specification
  1. User privilege specification

root ALL=(ALL:ALL) ALL

  1. Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

  1. See sudoers(5) for more information on "@include" directives:

brendan ALL = (root) NOPASSWD: /usr/bin/firefox-esr

@includedir /etc/sudoers.d