Tuesday, September 15, 2009

Customize your /etc/sudoers file

The sudo command allows non-root users to issue administrative commands. Configuration details, including who is allowed to use sudo and for which commands, are stored in /etc/sudoers. You can also set some other behavioral details in this file. For example, a neat setting is to receive an email or text message each time a user who is not permitted to use sudo tries to use it. To set that up, first configure sSMTP as I detailed in this post for Debian/Ubuntu systems or in this post for RHEL/CentOS systems.

Before making any changes to the /etc/sudoers file, definitely make sure you back it up:
$ sudo cp /etc/sudoers /etc/sudoers.orig
The default behavior for sudo is to report attempted unauthorized uses. To make sure it is enabled, you can set the option explicitly by adding this line to /etc/sudoers:
Defaults mail_no_user
And to receive emails add this line:
Defaults mailto += "user@domain.com"
The mailto variable is a list so for each "+=" you will be adding another element to that list.

Another fun variable to set is insults. This will make fun of the user if they enter the wrong password when using sudo. To enable this option, add the line:
Defaults insults
For more options, see the sudoers man page with:
man sudoers
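
One way to apply the Defaults lines above without risking a broken /etc/sudoers, added here as an example and not part of the original post: the function edits a copy, checks it with visudo -c, keeps the .orig backup, and only then replaces the file. The helper name apply_sudoers_lines and the script name apply.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): append lines to a sudoers
# file only if the edited copy passes "visudo -c".
# apply_sudoers_lines is a hypothetical helper name.

# Usage: apply_sudoers_lines TARGET LINE...
# Returns 0 on success, 1 if the syntax check fails (TARGET is untouched),
# 2 on an I/O error.
apply_sudoers_lines() {
    target=$1
    shift
    # Candidate lives next to TARGET so the final mv is an atomic rename.
    tmp=$(mktemp "$target.XXXXXX") || return 2
    cp "$target" "$tmp" || { rm -f "$tmp"; return 2; }

    for line in "$@"; do
        # Skip lines already present verbatim, so re-runs add nothing.
        grep -qxF -- "$line" "$tmp" || printf '%s\n' "$line" >> "$tmp"
    done

    # -c: check only; -f: check this file instead of /etc/sudoers.
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "syntax check failed; $target left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi

    # Keep the first backup (same name as the cp step in the post).
    if [ ! -e "$target.orig" ]; then
        cp -p "$target" "$target.orig" || { rm -f "$tmp"; return 2; }
    fi

    # 0440 is the usual sudoers mode; the new file is owned by whoever
    # runs this, so run it as root for the real /etc/sudoers.
    chmod 0440 "$tmp" && mv -f "$tmp" "$target"
}

# Run as root, e.g.:
#   sh apply.sh /etc/sudoers 'Defaults mail_no_user' 'Defaults insults'
if [ "$#" -ge 2 ]; then
    apply_sudoers_lines "$@"
fi
```

If the check fails, the live file is never touched, so a typo cannot lock you out of sudo.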

1 comment:

  1. To edit the sudoers file you should always do it with the visudo command which does syntax checking when you exit the editor. By setting an environment variable (I'm not sure which one) you can use whatever editor you want, i.e. you're not "stuck" with vi even though the command remains "visudo".
