Sudo configuration: Difference between revisions
From wikinotes
Line 60: | Line 60: | ||
willjp ALL=BACKUP # allow willjp acess to /sbin/dump, /sbin/restore, /sbin/mt | willjp ALL=BACKUP # allow willjp acess to /sbin/dump, /sbin/restore, /sbin/mt | ||
</source> | </source> | ||
== dont require password == | |||
<blockquote> | |||
useful, for example, for a build container that needs to install libraries | |||
<syntaxhighlight lang="bash"> | |||
builduser ALL=(ALL) NOPASSWD: ALL | |||
</syntaxhighlight> | |||
</blockquote><!-- dont require password --> | |||
== timeouts/durations == | == timeouts/durations == |
Latest revision as of 17:27, 20 January 2024
Documentation
man sudoers
https://man.archlinux.org/man/core/sudo/sudoers.5.en
Locations
/etc/sudoers
configuration file (but use visudo unless certain)
/etc/sudoers
Basics
USER HOST=(USER:GROUP) ALLOWED_COMMANDS USER localhost = \ /bin/commandA, /bin/commandB # can be split on multiple linesUSER
username # username #1001 # uid %groupname # groupname %#1001 # gidHOST
192.168.1.1 # ip address myhostname # hostname hostA,10.10.10.10,hostC # list of eitherlogic
%wheel,!willjp # all members of wheel, but not willjpaliased lists
If you find you are reusing a list of commands quite a lot, you can create a list of aliases.
Cmnd_Alias BACKUP = \ /sbin/dump,\ /sbin/restore,\ /sbin/mt willjp ALL=BACKUP # allow willjp acess to /sbin/dump, /sbin/restore, /sbin/mtdont require password
useful, for example, for a build container that needs to install libraries
builduser ALL=(ALL) NOPASSWD: ALLtimeouts/durations
# /etc/sudoers Defaults passwd_timeout=30 # password timeout every 30s Defaults timestamp_timeout=60 # don't prompt for sudo again for 60min