adding local content in /etc/sudoers.d/ instead of directly modifying sudoers file via visudo


As this question says, /etc/sudoers is a system-wide configuration file that can be automatically changed by system upgrades and is highly fragile to improper changes. You can potentially lose access or make your system unbootable with an improper change.

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#

(... some other content ...)

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Contrary to what you might expect, the #includedir directive is not a comment. It has the effect of causing sudo to also read and parse any files in the /etc/sudoers.d directory (that do not end in '~' or contain a '.' character).

$ ls -l /etc/sud*
-r--r----- 1 root root  755 sty 20 17:03 /etc/sudoers

/etc/sudoers.d:
total 7
-r--r----- 1 root root 958 mar 30  2016 README
$ sudo cat /etc/sudoers.d/README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
#   #includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#

Unlike /etc/sudoers, the contents of /etc/sudoers.d survive system upgrades, so it's preferable to create a file there than to modify /etc/sudoers.

You might want to edit files in this directory with the visudo command:

$ sudo visudo -f /etc/sudoers.d/veracrypt
  GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      

# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt

Please note that visudo may use a different editor instead of nano as described at https://help.ubuntu.com/community/Sudoers

Here are a few more links that I found helpful:


Pawel Debski
Author by


Updated on September 18, 2022
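An added example, not part of the original answer: a POSIX shell sketch that applies the two rules from the README quoted above (sudo skips names ending in '~' or containing '.', and files should be mode 0440) and syntax-checks a new drop-in with `visudo -c -f` before installing it. The function names `audit_sudoers_d` and `install_dropin` are hypothetical.

```shell
#!/bin/sh
# Constructed helper names (audit_sudoers_d, install_dropin); not from the answer.

# Report how sudo will treat each file in a drop-in directory, using the two
# rules from the README quoted above. Prints "<status> <name>" per file and
# returns 1 if any file is skipped by sudo or is not mode 0440.
audit_sudoers_d() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *'~'|*.*) echo "ignored $name"; rc=1; continue ;;
        esac
        # A plain octal -perm matches the exact permission bits.
        if [ -z "$(find "$f" -prune -perm 0440)" ]; then
            echo "badmode $name"; rc=1; continue
        fi
        echo "ok $name"
    done
    return "$rc"
}

# Syntax-check a candidate file with visudo before it goes live, then install
# it with mode 0440. Refuses destination names that sudo would silently skip.
install_dropin() {
    src=$1
    dest=$2
    case ${dest##*/} in
        *'~'|*.*) echo "refusing: sudo would ignore ${dest##*/}" >&2; return 2 ;;
    esac
    visudo -c -f "$src" >/dev/null || { echo "syntax error in $src" >&2; return 1; }
    install -m 0440 "$src" "$dest"
}

# Run the audit when a directory is given, e.g.: sh audit.sh /etc/sudoers.d
if [ "$#" -gt 0 ]; then
    audit_sudoers_d "$1"
fi
```

A name such as `veracrypt.conf` is reported as `ignored`: sudo would skip it without any error, so the rule inside would never take effect.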

Comments

  • Pawel Debski
    Pawel Debski over 1 year

    Can you please direct me to some examples and more detailed instruction on /etc/sudoers.d/

    I'd like to give some group permission to sudo some commands, but in a proper way not to create unnecessary loopholes in the Ubuntu security model on a multi-user machine.

    In ancient times I did some simple sudoers customisations, but apparently now /etc/sudoers.d/ is a more proper way and I'd like to better understand it.

  • tobltobs
    tobltobs over 6 years
    It is not true that mistakes in files in /etc/sudoers.d cannot bring down sudo. Those files are concatenated to /etc/sudoers. The same rules apply to those files.
  • Pawel Debski
    Pawel Debski over 6 years
    That's right that you CAN bring the system down by improper file, however it is LESS LIKELY. #includedir is not merely a simple stupid concatenation - while including there are some checks done so the most obvious errors shall be detected and that you can easily recover. Be careful however - you can always hurt yourself with a sharp knife, so handle it with care ;-)
  • Xunnamius
    Xunnamius almost 6 years