Sudo

sudoers(5) § SUDOERS OPTIONS lists all the options that can be used with the command in the file.

See for a list of options (parsed from the version 1.8.7 source code) in a format optimized for sudoers.

See for more information, such as configuring the password timeout.

Run to print out the current sudo configuration, or sudo -lU user for a specific user.

The configuration file for sudo is . It should always be edited with the command. visudo locks the sudoers file, saves edits to a temporary file, and checks it for syntax errors before copying it to .

The default editor for visudo is vi. The sudo package is compiled with and honors the use of the SUDO_EDITOR, and variables. is not used when is set.

To establish nano as the visudo editor for the duration of the current shell session, export ; to use a different editor just once simply set the variable before calling visudo:

# EDITOR=nano visudo

Alternatively you may edit a copy of the file and check it using . This might come in handy in case you want to circumvent locking the file with visudo.

To change the editor permanently, see Environment variables#Per user. To change the editor of choice permanently system-wide only for visudo, add the following to (assuming nano is your preferred editor):

# Reset environment by default
Defaults      env_reset
# Set default EDITOR to restricted version of nano, and do not allow visudo to use EDITOR/VISUAL.
Defaults      editor=/usr/bin/rnano, !env_editor

To allow a user to gain full root privileges when they precede a command with sudo, add the following line:

USER_NAME   ALL=(ALL:ALL) ALL

To allow a user to run all commands as any user but only on the machine with hostname :

USER_NAME   HOST_NAME=(ALL:ALL) ALL

To allow members of group wheel sudo access:

%wheel      ALL=(ALL:ALL) ALL

To disable asking for a password for user USER_NAME:

Defaults:USER_NAME      !authenticate

Enable explicitly defined commands only for user USER_NAME on host :

USER_NAME HOST_NAME=/usr/bin/halt,/usr/bin/poweroff,/usr/bin/reboot,/usr/bin/pacman -Syu

Enable explicitly defined commands only for user USER_NAME on host without password:

USER_NAME HOST_NAME= NOPASSWD: /usr/bin/halt,/usr/bin/poweroff,/usr/bin/reboot,/usr/bin/pacman -Syu

A detailed sudoers example is available at /usr/share/doc/sudo/examples/sudoers. Otherwise, see the for detailed information.

The owner and group for the sudoers file must both be 0. The file permissions must be set to 0440. These permissions are set by default, but if you accidentally change them, they should be changed back immediately or sudo will fail.

# chown -c root:root /etc/sudoers
# chmod -c 0440 /etc/sudoers

A common annoyance is a long-running process that runs on a background terminal somewhere that runs with normal permissions and elevates only when needed. This leads to a sudo password prompt which goes unnoticed and times out, at which point the process dies and the work done is lost or, at best, cached. Common advice is to enable passwordless sudo, or extend the timeout of sudo remembering a password. Both of these have negative security implications. The prompt timeout can also be disabled and since that does not serve any reasonable security purpose it should be the solution here:

Defaults passwd_timeout=0

To draw attention to a sudo prompt in a background terminal, users can simply make it echo a bell character:

Defaults passprompt="^G[sudo] password for %p: "

Note the is a literal bell character. E.g. in vim, insert using the sequence , or in nano, .

If you use a lot of aliases, you might have noticed that they do not carry over to the root account when using sudo. However, there is an easy way to make them work. Simply add the following to your or :

alias sudo='sudo '

If you are annoyed by sudo's defaults that require you to enter your password every time you open a new terminal, set to :

Defaults timestamp_type=global

If you are annoyed that you have to re-enter your password every 5 minutes (default), you can change this by setting a longer value for (in minutes):

Defaults timestamp_timeout=10

If you are using a lot of sudo commands on a row, it is more logical to refresh the timeout every time you use sudo than to increase . Refreshing the timeout can be done with (whereas revokes immediately).

You might want to automate this by adding the following to your :

alias sudo='sudo -v; sudo '

It is also possible to use a bash function; for more details see stackexchange.

If you have a lot of environment variables, or you export your proxy settings via , when using sudo these variables do not get passed to the root account unless you run sudo with the -E option.

$ sudo -E pacman -Syu

The recommended way of preserving environment variables is to append them to :

Users can configure sudo to ask for the root password instead of the user password by adding (target user, defaults to root) or rootpw to the Defaults line in :

Defaults targetpw

To prevent exposing your root password to users, you can restrict this to a specific group:

Defaults:%wheel targetpw
%wheel ALL=(ALL) ALL

Users may wish to disable the root login. Without root, attackers must first guess a user name configured as a sudoer as well as the user password. See for example OpenSSH#Deny.

The account can be locked via :

# passwd -l root

A similar command unlocks root.

$ sudo passwd -u root

Alternatively, edit and replace the root's encrypted password with "!":

root:!:12345::::::

To enable root login again:

$ sudo passwd root

kdesu may be used under KDE to launch GUI applications with root privileges. It is possible that by default kdesu will try to use su even if the root account is disabled. Fortunately one can tell kdesu to use sudo instead of su. Create/edit the file :

[super-user-command]
super-user-command=sudo

or use the following command:

$ kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo

Let us say you create 3 users: admin, devel, and joe. The user "admin" is used for journalctl, systemctl, mount, kill, and iptables; "devel" is used for installing packages, and editing configuration files; and "joe" is the user you log in with. To let "joe" reboot, shutdown, and use netctl we would do the following:

Edit and /etc/pam.d/su-l. Require user be in the wheel group, but do not put anyone in it.

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Limit SSH login to the 'ssh' group. Only "joe" will be part of this group.

# groupadd -r ssh
# gpasswd -a joe ssh
# echo 'AllowGroups ssh' >> /etc/ssh/sshd_config

Restart .

Add users to other groups.

# for g in power network ;do ;gpasswd -a joe $g ;done
# for g in network power storage ;do ;gpasswd -a admin $g ;done

Set permissions on configs so devel can edit them.

# chown -R devel:root /etc/{http,openvpn,cups,zsh,vim,screenrc}

Cmnd_Alias  POWER       =   /usr/bin/shutdown -h now, /usr/bin/halt, /usr/bin/poweroff, /usr/bin/reboot
Cmnd_Alias  STORAGE     =   /usr/bin/mount -o nosuid\,nodev\,noexec, /usr/bin/umount
Cmnd_Alias  SYSTEMD     =   /usr/bin/journalctl, /usr/bin/systemctl
Cmnd_Alias  KILL        =   /usr/bin/kill, /usr/bin/killall
Cmnd_Alias  PKGMAN      =   /usr/bin/pacman
Cmnd_Alias  NETWORK     =   /usr/bin/netctl
Cmnd_Alias  FIREWALL    =   /usr/bin/iptables, /usr/bin/ip6tables
Cmnd_Alias  SHELL       =   /usr/bin/zsh, /usr/bin/bash
%power      ALL         =   (root)  NOPASSWD: POWER
%network    ALL         =   (root)  NETWORK
%storage    ALL         =   (root)  STORAGE
root        ALL         =   (ALL)   ALL
admin       ALL         =   (root)  SYSTEMD, KILL, FIREWALL
devel	    ALL         =   (root)  PKGMAN
joe	    ALL         =   (devel) SHELL, (admin) SHELL 

With this setup, you will almost never need to login as the root user.

"joe" can connect to his home WiFi.

$ sudo netctl start home
$ sudo poweroff

"joe" can not use netctl as any other user.

$ sudo -u admin -- netctl start home

When "joe" needs to use journalctl or kill run away process he can switch to that user.

$ sudo -i -u devel
$ sudo -i -u admin

But "joe" cannot switch to the root user.

$ sudo -i -u root

If "joe" want to start a gnu-screen session as admin he can do it like this:

$ sudo -i -u admin
[admin]$ chown admin:tty `echo $TTY`
[admin]$ screen

sudo parses files contained in the directory . This means that instead of editing , you can change settings in standalone files and drop them in that directory. This has two advantages:

• There is no need to edit a file;
• If there is a problem with a new entry, you can remove the offending file instead of editing (but see the warning below).

The format for entries in these drop-in files is the same as for itself. To edit them directly, use . See for details.

The files in directory are parsed in lexicographical order, file names containing or are skipped. To avoid sorting problems, the file names should begin with two digits, e.g. .

or  lets you edit a file as another user while still running the text editor as your user.

This is especially useful for editing files as root without elevating the privilege of your text editor, for more details read sudo(8) § e.

Note that you can set the editor to any program, so for example one can use to manage pacnew files:

$ SUDO_EDITOR=meld sudo -e /etc/file{,.pacnew}

Users can enable the insults easter egg in sudo by adding the following line in the sudoers file with .

Upon entering an incorrect password this will replace message with humorous insults.

SSH does not allocate a tty by default when running a remote command. Without an allocated tty, sudo cannot prevent the password from being displayed. You can use ssh's -t option to force it to allocate a tty.

The option only allows the user to run sudo if they have a tty.

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear text. You have to run "ssh -t hostname sudo <cmd>".
#
#Defaults    requiretty

Sudo will union the user's umask value with its own umask (which defaults to 0022). This prevents sudo from creating files with more open permissions than the user's umask allows. While this is a sane default if no custom umask is in use, this can lead to situations where a utility run by sudo may create files with different permissions than if run by root directly. If errors arise from this, sudo provides a means to fix the umask, even if the desired umask is more permissive than the umask that the user has specified. Adding this (using ) will override sudo's default behavior:

Defaults umask = 0022
Defaults umask_override

This sets sudo's umask to root's default umask (0022) and overrides the default behavior, always using the indicated umask regardless of what umask the user as set.