adding local content in /etc/sudoers.d/ instead of directly modifying sudoers file via visudo

Can you please direct me to some examples and more detailed instruction on /etc/sudoers.d/

I'd like to give some group permission to sudo some commands, but in a proper way not to create unnecessary loopholes in the Ubuntu security model on a multi-user machine.

In ancient times I did some simple sudoers customisations, but apparently now /etc/sudoers.d/ is a more proper way and I'd like to better understand it.


Solution 1:

As this question says, /etc/sudoers is a system-wide configuration file that can be automatically changed by system upgrades and is highly fragile to improper changes. You can potentially lose access or make your system unbootable with an improper change.

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#

(... some other content ...)

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Contrary to what you might expect, the #includedir directive is not a comment. It has the effect of causing sudo to also read and parse any files in the /etc/sudoers.d directory (that do not end in '~' or contain a '.' character).

$ ls -l /etc/sud*
-r--r----- 1 root root  755 sty 20 17:03 /etc/sudoers

/etc/sudoers.d:
total 7
-r--r----- 1 root root 958 mar 30  2016 README
$ sudo cat /etc/sudoers.d/README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
#   #includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#

Unlike /etc/sudoers, the contents of /etc/sudoers.d survive system upgrades, so it's preferable to create a file there rather than to modify /etc/sudoers.

You might want to edit files in this directory with the visudo command:

$ sudo visudo -f /etc/sudoers.d/veracrypt
  GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      

# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt

Please note that visudo may use a different editor instead of nano, as described at https://help.ubuntu.com/community/Sudoers.

Here are a few more links that I found helpful:

  • https://en.wikipedia.org/wiki/Sudo
  • http://manpages.ubuntu.com/manpages/disco/man8/visudo.8.html
  • http://manpages.ubuntu.com/manpages/disco/en/man5/sudoers.5.html
  • https://ubuntuforums.org/showthread.php?t=1132821
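The answer above describes three rules for a drop-in: the file name must not contain '.' or end in '~' (or sudo silently ignores it), the mode should be 0440, and the content should be syntax-checked before it goes live. The script below, an added example that is not part of the original answer, turns those rules into a small installer: it rejects unusable names, writes the rule to a temporary name that sudo ignores, sets the mode, runs the visudo syntax check when it has the privileges to do so, and only then renames the file into place. The group name, command path and rule text are copied from the answer's veracrypt example; the function names and the temporary directory used in the usage section are assumptions, so the demo can run without root and without touching the real /etc/sudoers.d.

```shell
#!/bin/sh
# Added example, not code from the original answer. The helper names are
# hypothetical; the sudoers rule itself is the one shown in the answer.

# sudo ignores drop-ins whose name contains '.' or ends in '~' (editor
# backups, package leftovers such as foo.dpkg-new). Return 0 if usable.
sudoers_d_name_ok() {
    case "$1" in
        ""|*/*|*.*|*~) return 1 ;;
        *)             return 0 ;;
    esac
}

# Install "$3" as drop-in "$2" inside directory "$1" with mode 0440.
# The file is written under a dotted temporary name first, so a half-written
# or broken file is never parsed by sudo; it is renamed only after the checks.
install_sudoers_dropin() {
    dir="$1"; name="$2"; content="$3"
    sudoers_d_name_ok "$name" || { echo "unusable drop-in name: $name" >&2; return 1; }
    tmp="$dir/.$name.tmp"            # contains '.', so sudo skips it meanwhile
    rm -f "$tmp"
    printf '%s\n' "$content" > "$tmp" || return 1
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        # visudo -c also verifies owner and mode, so it only gives a clean
        # result for a root-owned file; that is the real-install case.
        chown root:root "$tmp"
        if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp" >/dev/null; then
            echo "syntax error in $name, not installing" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$dir/$name"
}

# Usage (constructed demo): install into a scratch directory instead of
# /etc/sudoers.d so the script can be tried without root.
demo_dir=$(mktemp -d)
install_sudoers_dropin "$demo_dir" veracrypt \
    '%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt'
ls -l "$demo_dir"
rm -rf "$demo_dir"
```

When run as root with the real directory, replace the scratch directory with /etc/sudoers.d; the dotted temporary name and the rename mean the live file appears atomically and only after visudo has accepted it, which is the same protection the README credits visudo with.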