How to properly configure sudoers file, on debian wheezy?
Solution 1
You haven't added any sudo rule, so you can't use sudo for anything.
The command adduser USERNAME sudo
adds the specified user to the group called sudo
. A group with that name must exist; create it with addgroup sudo
if it doesn't. After adding the user to the group, the user must log out and back in for the group membership to take effect.
sudo
is not a special group name. It's a convention to allow users in the group called sudo
to run commands as root via the sudo
utility. This requires the following line in the sudoers
file:
%sudo ALL = (ALL) ALL
Run visudo
to edit the sudoers file, never edit it directly.
I have no idea why you believe that “that only protects aptitude”. There is nothing special about aptitude. Once you've authorized a user to run commands as root, that user can run sudo aptitude …
or sudo apt-get …
or sudo service …
, or sudoedit
to edit files that require root permission to edit. Being in the sudoers file doesn't directly change the privileges of your user, what it does is that it allows you to run sudo
to run commands as root. Commands run as root only when you run them through sudo
. Some programs may do that automatically, especially GUI programs where the user interface runs without special privileges and only the backend runs as root, but commands executed as root are always executed by sudo
.
Solution 2
What may have happened is: sudo is caching your password. So, after you've correctly completed the implementation of sudo on your system, you have to enter the password for the first command, and after that it's cached for some time. If that happens and you run the sequence
sudo aptitude install sendmail
sudo apt-get install sendmail
Then you'll have to provide a password on the first command, but not on the second (at least while you are still within the timeout). This may feel like it's protecting only the first command, but not the second. Without further information (complete shell transcripts), there's no way to tell...
Related videos on Youtube
mahieddine
Updated on September 18, 2022Comments
-
mahieddine over 1 year
I have seen many blog posts that say, it is enough to do
aptitude install sudo su root adduser USERNAME sudo
But that only protects
aptitude
, in other words:aptitude install sendmail
will ask for password, you need to besudo
to runaptitude
apt-get install sendmail
won't ask for password, nosudo
privileges neededIf you edit protected files, like files in
etc
it won't ask for password, nosudo
privileges neededYou can run and stop services like
apache
, it won't ask for password, nosudo
privileges needed
How to fix this? This is my sudoers file:
This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$ # Host alias specification # User alias specification # Cmnd alias specification
This is the output of
sudo -l
:Matching Defaults entries for root on this host: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User root may run the following commands on this host: (ALL : ALL) ALL (ALL : ALL) ALL
-
Admin over 10 yearsAfter
su root
, you're logged in as theroot
user, so you have full access to everything. To get back to being a regular use who has to usesudo
for privileged operations, logout of the shell running asroot
. -
Admin over 9 yearsI am new in Linux but Debian wiki says - adduser username sudo wiki.debian.org/sudo
-
Josef about 10 yearsYes. The one doesn't exclude the other. The correct answer does nicely explain how to set up sudo correctly, and in that sense, it answers the question. It does not explain why, in the words of the question, "that only protects aptitude". Gilles writes himself: "I have no idea why you believe that “that only protects aptitude”". As I said, to really understand that phenomenon, more information is necessary. I think a downvote is a bit harsh given that my answer is factually correct, addresses the original question and fills a gap in the existing answer.
-
Hauke Laging about 10 yearsHe has run
sudo -l
as root. Even if there are useful definitions for users they would not have been shown. Thus your guess "You haven't added any sudo rule" may be wrong. -
Gilles 'SO- stop being evil' about 10 years@HaukeLaging I don't understand your comment. “You haven't added any sudo rule” isn't a guess: the
sudoers
file is in the question. -
Hauke Laging about 10 yearsI was close to getting depressed, realizing that I was too focussed on the
sudo -l
output but luckily... It seems that the question content cannot be the whole file because it is not consistent with the output. At least mysudo
version does not claim "User root may run the following commands" with asudoers
without any command definition (like the one in the question). -
Gilles 'SO- stop being evil' about 10 years@HaukeLaging You're right, I checked with wheezy and indeed
sudo -l
just says “User root is not allowed to run sudo on darkstar.”. And thesudo
group is in the sudoers file by default on wheezy. The requisite entries may have been moved into a file under/etc/sudoers.d
. In any case, whatever the sudoers file contains, it wouldn't do what Fischer assumes. -
Gilles 'SO- stop being evil' about 10 yearsGood idea, this may be the source of Fischer's confusion.