Root and Sudo: Difference between revisions
Duffsigpatch (talk | contribs) (Created page with "Root and Sudo") |
Duffsigpatch (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
==Sudoers== | |||
I mentioned the Sudoers file briefly in the main Linux write up, but here we will go more in depth about it. Here is a typical Sudoers file: | |||
<code> | |||
Defaults env_reset | |||
Defaults mail_badpass | |||
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | |||
# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu | |||
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532) | |||
Defaults use_pty | |||
# This preserves proxy settings from user environments of root | |||
# equivalent users (group sudo) | |||
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy" | |||
# This allows running arbitrary commands, but so does ALL, and it means | |||
# different sudoers have their choice of editor respected. | |||
#Defaults:%sudo env_keep += "EDITOR" | |||
# Completely harmless preservation of a user preference. | |||
#Defaults:%sudo env_keep += "GREP_COLOR" | |||
# While you shouldn't normally run git as root, you need to with etckeeper | |||
#Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*" | |||
# Per-user preferences; root won't have sensible values for them. | |||
#Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME" | |||
# "sudo scp" or "sudo rsync" should be able to use your SSH agent. | |||
#Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK" | |||
# Ditto for GPG agent | |||
#Defaults:%sudo env_keep += "GPG_AGENT_INFO" | |||
# Host alias specification | |||
# User alias specification | |||
# Cmnd alias specification | |||
# User privilege specification | |||
root ALL=(ALL:ALL) ALL | |||
# Allow members of group sudo to execute any command | |||
%sudo ALL=(ALL:ALL) ALL | |||
# See sudoers(5) for more information on "@include" directives: | |||
brendan ALL = (root) NOPASSWD: /usr/bin/firefox-esr | |||
@includedir /etc/sudoers.d | |||
</code> | |||
Revision as of 19:13, 2 May 2024
Sudoers
I mentioned the Sudoers file briefly in the main Linux write up, but here we will go more in depth about it. Here is a typical Sudoers file:
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
- (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults use_pty
- This preserves proxy settings from user environments of root
- equivalent users (group sudo)
- Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
- This allows running arbitrary commands, but so does ALL, and it means
- different sudoers have their choice of editor respected.
- Defaults:%sudo env_keep += "EDITOR"
- Completely harmless preservation of a user preference.
- Defaults:%sudo env_keep += "GREP_COLOR"
- While you shouldn't normally run git as root, you need to with etckeeper
- Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"
- Per-user preferences; root won't have sensible values for them.
- Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"
- "sudo scp" or "sudo rsync" should be able to use your SSH agent.
- Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"
- Ditto for GPG agent
- Defaults:%sudo env_keep += "GPG_AGENT_INFO"
- Host alias specification
- User alias specification
- Cmnd alias specification
- User privilege specification
root ALL=(ALL:ALL) ALL
- Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
- See sudoers(5) for more information on "@include" directives:
brendan ALL = (root) NOPASSWD: /usr/bin/firefox-esr
@includedir /etc/sudoers.d