sudoers - simple explanation requested
Every time I want to be able to run something that requires me to be a sudoer too many times, I need to google for the formatting of /etc/sudoers to remind me again what exactly is the proper way to write it.

Now I see different writing styles in my sudoers file, which is the consequence of different google results over the months. I've also noticed that the second example (below) seems to work in XFCE, but not in Cinnamon (Gnome 3). This could be totally unrelated, but nonetheless I'd like to know once and for all, what is the correct grammar of the sudoer line, and what is the difference between the given examples?
redsandro ALL=NOPASSWD:/path/to/command
redsandro ALL=(ALL) NOPASSWD:/path/to/command
redsandro ALL=(ALL:ALL) NOPASSWD:/path/to/command
Also, what are all the ALL's for? One user, one command, yet I need to use the ALL keyword up to three times? Am I doing this wrong?

Of course, omitting NOPASSWD: makes you enter your password before you are permitted to run the command, but one point of confusion is the usage of = and :, for the final command that is the subject of the line can be prepended by either =, :, , or ), confusing grammar for similar semantics.
It's more than just a user and a command:
redsandro host=(user:group) tag:commands
- host specifies the host names this line is valid for. Unless you are sharing a sudoers file among different hosts that need different rules, using the special value ALL, meaning "all hosts", is a good choice.
- user specifies which users you can use with the -u option to run the command. If you omit this you can't use the -u option.
- group specifies which groups you can use with the -g option. If you omit it you can't use the -g option.
  Both user and group understand the special value ALL as "all users/groups". If you omit the whole (user:group) thing you can't use -u and -g but only run the command as root.
- tag lets you specify some options, like NOPASSWD.
So with your first example you can run the command as root but can't use -u and -g to run it as any other user or group. With example 2. you can run the command as root or use -u to run it as any other user. With 3. you can run the command as root or use -u or -g to run the command as any other user or group.
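To make the difference between the three forms concrete, here is a small Python checker written for this page (not part of sudo or its documentation): it parses a rule in the simplified user host=(user:group) tag:commands grammar described above and says whether a given sudo -u/-g invocation would be permitted. It assumes one user, one host, the NOPASSWD/PASSWD tags only, and does not evaluate host matching, aliases or other tags.

```python
import re

# Simplified grammar from the answer above (hypothetical helper, not sudo's own parser):
#   who host=(runas_user:runas_group) tag: command1, command2
# Assumptions: one who, one host, optional (runas) part, optional NOPASSWD/PASSWD tag.
_RULE_RE = re.compile(
    r"^(?P<who>%?\S+)\s+(?P<host>[^\s=]+)=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>\S.*)$"
)


def _split(field):
    """Split a comma-separated sudoers list, dropping empty items."""
    return [x.strip() for x in field.split(",") if x.strip()]


def parse_rule(line):
    """Parse one sudoers rule into its parts; raise ValueError if it does not fit."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sudoers line: {line!r}")
    runas = m.group("runas")
    if runas is None:                          # no (...) part: root only, no -u / -g
        users, groups = ["root"], []
    else:
        u, _, g = runas.partition(":")         # "(ALL)" -> users=[ALL], groups=[]
        users, groups = _split(u), _split(g)
    return {
        "who": m.group("who"), "host": m.group("host"),
        "runas_users": users, "runas_groups": groups,
        "nopasswd": m.group("tag") == "NOPASSWD",
        "commands": _split(m.group("cmds")),
    }


def _matches(value, allowed_values):
    """ALL matches anything; otherwise the value must be listed explicitly."""
    return "ALL" in allowed_values or value in allowed_values


def allowed(line, command, run_as_user="root", run_as_group=None):
    """Would this rule permit `sudo [-u run_as_user] [-g run_as_group] command`?"""
    rule = parse_rule(line)
    if not _matches(run_as_user, rule["runas_users"]):
        return False
    if run_as_group is not None and not _matches(run_as_group, rule["runas_groups"]):
        return False
    return _matches(command, rule["commands"])
```

Running it over the three rules from the question shows the first permitting only the root case, the second adding -u, and the third adding -u together with -g.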
Let's take this one apart: redsandro ALL=(ALL:ALL) NOPASSWD:/path/to/command
redsandro is the username we're giving permission to. Put a % at the front to make it apply to a group.
ALL is a name for this rule. Sudoers can do a lot more than just grant global permissions. That's where it gets complicated though.
= needs no explanation
ALL:ALL reads as (who_to_run_it_as:what_group_to_run_it_as). This way you can allow running a command, but only in the context of a specific user or group.
NOPASSWD: tells it to turn the password prompt off.
/path/to/command lets you specify specific commands: path_to_command, another_command
The thing to remember is that while sudo is mostly used by home users to escalate to root privileges, it can be and is used to control access to specific commands in a much more granular way.