Sudoers

Updated: September 28, 2024

Creating backups on Linux systems, including cold storage, local and remote, with rsync.


EDITOR

sudo EDITOR=vim visudo 		# use vim as the editor when editing the sudoers file with visudo.

We can configure who can use sudo commands by editing the /etc/sudoers file, or by adding configuration to the /etc/sudoers.d directory. To edit the sudoers file, we should always use the visudo command.

Let's check out the root user in the sudoers configuration. The root user can do anything: root ALL=(ALL:ALL) ALL.

What does this mean?

user host=(user:group) cmds

Taking root ALL=(ALL:ALL) ALL one field at a time:

root ALL=(ALL:ALL) ALL - the first root: this rule applies to user root
root ALL=(ALL:ALL) ALL - the ALL before the = : this rule applies to user root logged in from all hosts
root ALL=(ALL:ALL) ALL - the first ALL inside the parentheses: user root can run commands as all users
root ALL=(ALL:ALL) ALL - the second ALL inside the parentheses: user root can run commands as all groups
root ALL=(ALL:ALL) ALL - the final ALL: this rule applies to all commands

vagrant ALL=(ALL:ALL) NOPASSWD:ALL

This allows user vagrant to run all commands using sudo without a password.

%group

We can try editing a group. The following will allow group www-data to run sudo service php5-fpm * commands without a password, great for deployment!

%www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service php5-fpm *

Here's the same configuration as a comma-separated list of multiple commands. This lets us be more specific about which service commands we can use with php5-fpm:

%www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service php5-fpm reload,/usr/sbin/service php5-fpm restart

We can enforce the use of a password with some commands, but no password for others:

%admin ALL=NOPASSWD:/bin/mkdir, PASSWD:/bin/rm
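Reading the rules above back the way sudo does, as an added Python example (not code from this page): it splits a user specification into its user/host/runas/command fields, carries a NOPASSWD or PASSWD tag forward across the rest of the command list as sudoers does, and flags the grants a reviewer would question. The sample rules are constructed from the ones shown above.

```python
import re
# One user specification:  user|%group  host=(runas_user:runas_group) [TAG:]cmd, [TAG:]cmd ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rule(line):
    # Returns a dict; "commands" is a list of (command, password_required) pairs.
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a user specification: %r" % line)
    runas_user, _, runas_group = (m.group("runas") or "").partition(":")
    rule = {"who": m.group("who"), "host": m.group("host"), "commands": [],
            "runas_user": runas_user or "root", "runas_group": runas_group}
    need_pw = True   # sudoers semantics: a NOPASSWD/PASSWD tag stays in force for
    for item in m.group("cmds").split(","):   # every command that follows it in the list
        item = item.strip()
        tag, sep, rest = item.partition(":")
        if sep and tag in ("NOPASSWD", "PASSWD"):
            need_pw = tag == "PASSWD"
            item = rest.strip()
        if item:
            rule["commands"].append((item, need_pw))
    return rule

def audit(rule):
    # Findings a reviewer would raise: grants broader than a deployment task needs.
    findings = []
    for cmd, need_pw in rule["commands"]:
        if cmd == "ALL" and not need_pw:
            findings.append("%s: NOPASSWD:ALL is unrestricted root" % rule["who"])
        elif "*" in cmd:
            findings.append("%s: wildcard in %r matches any extra arguments" % (rule["who"], cmd))
    return findings

def audit_file(text):
    # Audit every user specification; comment and Defaults lines are skipped.
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "Defaults")):
            findings.extend(audit(parse_rule(line)))
    return findings

# Constructed sample built from the rules shown above (not a real /etc/sudoers).
SAMPLE = """\
vagrant ALL=(ALL:ALL) NOPASSWD:ALL
%www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service php5-fpm *
%www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service php5-fpm reload,/usr/sbin/service php5-fpm restart
%admin ALL=NOPASSWD:/bin/mkdir, PASSWD:/bin/rm
"""
```

Running audit_file(SAMPLE) reports the vagrant rule and the wildcard www-data rule; the explicit reload/restart list and the mkdir/rm rule pass.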

/etc/sudoers.d

We can add configuration files to /etc/sudoers.d. These are loaded automatically. They should be owned by root, with permissions 0440 (so user root can read the file but not write it!).

!!! Be sure to log in / sudo su up to the root user BEFORE making any file, as any mistake in it will leave you unable to use sudo! A drop-in file can be checked for syntax errors before it is loaded with visudo -cf /etc/sudoers.d/filename.

On the destination machine

1. Find out the path to rsync: which rsync
2. Edit the /etc/sudoers file: sudo visudo (see also: must I use visudo?)
3. Add the line <username> ALL=NOPASSWD:<path to rsync>, where username is the login name of the user that rsync will use to log on. That user must be able to use sudo.

Then, on the source machine, specify that sudo rsync shall be used:

rsync … --rsync-path="sudo rsync" …

Using it without the NOPASSWD on the destination machine will result in the message

sudo: no tty present and no askpass program specified