Why does the system have /etc/sudoers.d? How should I edit it?
Last time, I asked about the risk of these (in /etc/sudoers):
user_name ALL=(ALL) /usr/bin/vim /etc/httpd/confs/httpd.conf
%group_name ALL=(ALL) /usr/bin/vim /etc/httpd/confs/httpd.conf
While I was thinking about this problem, I found /etc/sudoers.d directory. Files in the directory should have similar functions to /etc/sudoers (meaning the scripts above are still problematic even in /etc/sudoers.d), and however one article said we should not use the directory because we cannot use visudo
to edit files in it. That is, we lose the right to use sudo
if we make a mistake in the directory.
If that is true, why do we have /etc/sudoers.d? Or do we have a good way to edit files in /etc/sudoers.d?
Solution 1:
Changes made to files in /etc/sudoers.d
remain in place if you upgrade the system. This can prevent user lockouts when the system is upgraded. Ubuntu tends to like this behavior. Other distributions are using this layout as well.
It has been my experience that the rules on files in this directory are looser than for /etc/sudoers
. This has included:
- Mistakes in the file did not cause
sudo
to fail. However, the file was ignored. - Permission rules appear less strict. It allows the applicable group or other to read the file. I don't believe that was possible with
/etc/sudoers
. Write permissions must be restricted toroot
to maintain security. The current Ubuntu version of sudo allows read permissions for group or other. (This capability allows sudo access to be audited using without requiring root access.)
The visudo
command only defaults to /etc/sudoers
. It will edit and verify any file you specify with the -f
option. I use this capability to edit files which will be automatically installed as /etc/sudoers
or into /etc/sudoders.d
. However, definitions from other files may not be found. It is best to make the file independent.
The ability to have stand-alone files makes it simple for an application to enable sudo
capability on installation and remove them when it is un-installed. Automated configuration tools can also use this capability.
I have used this capability to isolate changes required to grant access to specific user groups on specific systems.
Solution 2:
Yes, you can use visudo
to edit those files. All that you have to do is specify the name of the file that you want to edit with the -f
option. For example:
visudo -f /etc/sudoers.d/somefilename
Or, if needed:
sudo visudo -f /etc/sudoers.d/somefilename
Documentation
From man visudo
:
-f sudoers
Specify and alternate sudoers file location. With this option visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be "-", indicating that sudoers will be read from the standard input.
In summary:
Syntax: Both
visudo
andvisudo -f
perform the same syntax checking.Permissions/Ownership: As a feature added to assist the administration of large systems, files edited under
visudo -f
are not checked for ownership or permissions: this allows syntax checking of a file offline or as part of a revision control system.
Why use /etc/sudoers.d/
Typically /etc/sudoers
is under control of your distribution's package manager. If you have made changes to that file and the package manager wants to upgrade it, you will have to manually inspect the changes and approve how they are merged into the new version. By placing your local changes into a file in the /etc/sudoers.d/
directory, you avoid this manual step and upgrades can proceed automatically.
When does sudo
ignore a file in /etc/sudoers
?
If your /etc/sudoers
file contains the line:
#includedir /etc/sudoers.d
then sudo
will read files in the directory /etc/sudoers.d
.
Exceptions are:
- Files whose names end in
~
- Files whose names contain a
.
character
This is done (a) for the convenience of package managers and also (b) so that backup files from editors are ignored.
Solution 3:
why do we have /etc/sudoers.d?
Because it's easier for automated tools (such as Chef or Puppet) to drop individual files into this directory, rather than making changes to /etc/sudoers
, which might be fragile.
The files in /etc/sudoers.d
are (in effect) concatenated. You'll see several other instances of this pattern in /etc
, such as /etc/cron.d
and /etc/logrotate.d
.