How do I edit /etc/sudoers from a script?

linux shell sudo

I need to edit /etc/sudoers from a script to add/remove stuff from white lists.

Assuming I have a command that would work on a normal file, how could I apply it to /etc/sudoers?

Can I copy and modify it, then have visudo replace the original with the modified copy? By providing my own script in $EDITOR?

Or can I just use the same locks and cp?

The question is more about potential issues than about just finding something that works.


Solution 1:

Old thread, but what about:

echo 'foobar ALL=(ALL:ALL) ALL' | sudo EDITOR='tee -a' visudo

Solution 2:

Use visudo for this with a custom editor. This solves all the race conditions and "hack" problems with Brian's solution.

#!/bin/sh
if [ -z "$1" ]; then
  echo "Starting up visudo with this script as first parameter"
  export EDITOR=$0 && sudo -E visudo
else
  echo "Changing sudoers"
  echo "# Dummy change to sudoers" >> $1
fi

This script will add the line "# Dummy change to sudoers" to the end of sudoers. No hacks and no race conditions.

Annotated version that explains how this actually works:

if [ -z "$1" ]; then

  # When you run the script, you will run this block since $1 is empty.

  echo "Starting up visudo with this script as first parameter"

  # We first set this script as the EDITOR and then starts visudo.
  # Visudo will now start and use THIS SCRIPT as its editor
  export EDITOR=$0 && sudo -E visudo
else

  # When visudo starts this script, it will provide the name of the sudoers 
  # file as the first parameter and $1 will be non-empty. Because of that, 
  # visudo will run this block.

  echo "Changing sudoers"

  # We change the sudoers file and then exit  
  echo "# Dummy change to sudoers" >> $1
fi

Solution 3:

You should make your edits to a temporary file, then use visudo -c -f sudoers.temp to confirm that the changes are valid and then copy it over the top of /etc/sudoers

#!/bin/sh
if [ -f "/etc/sudoers.tmp" ]; then
    exit 1
fi
touch /etc/sudoers.tmp
edit_sudoers /tmp/sudoers.new
visudo -c -f /tmp/sudoers.new
if [ "$?" -eq "0" ]; then
    cp /tmp/sudoers.new /etc/sudoers
fi
rm /etc/sudoers.tmp

Solution 4:

On most distributions (at least Debian-based, Redhat-based, openSUSE-based, etc.), you can insert a custom script into the /etc/sudoers.d/ directory, with rights 0440 - For more information see man sudo ("Including other files from within sudo") or the same information on the official site.

It might help.

Solution 5:

visudo is supposed to be the human interface for editing /etc/sudoers. You can achieve the same by replacing the file directly, but you have to take care yourself about concurrent editing and syntax validation. Mind the r--r----- permissions.

Related

Cannot execute RUN mkdir in a Dockerfile
ASP.NET: This method cannot be called during the application's pre-start initialization stage
Setting up a JavaScript variable from Spring model by using Thymeleaf
Shell one liner to prepend to a file
How to get city name from latitude and longitude coordinates in Google Maps?
Rubocop Linelength: How to ignore lines with comments?
Turn off deprecated errors in PHP 5.3
NoMethodError: undefined method `last_comment' after upgrading to rake 11
Dealing with nginx 400 "The plain HTTP request was sent to HTTPS port" error
What is the difference between find(), findOrFail(), first(), firstOrFail(), get(), list(), toArray()
Hello World in Python [duplicate]
Converting a column within pandas dataframe from int to string