Sunday, 24 October 2010

/etc/sudoers.d

The default /etc/sudoers file in Squeeze has a new directive:

#includedir /etc/sudoers.d 

that lets you make changes to sudo without editing the stock /etc/sudoers file.

There are a few gotchas about using it:

  1. Files in /etc/sudoers.d that end in ~ (that’s a tilde, in case it renders as a dash) or contain a . (period) character will be ignored.
  2. Files in /etc/sudoers.d must have 0440 permissions. So after you create your file, do a
    chmod 0440 (unknown)
    on it.
  3. The directive itself in /etc/sudoers should be the last line. Otherwise it seems to get overridden by whatever follows.

At this point I don’t know in what order the files are read, but I suspect it’s in alphabetical order. So, for the moment I am using numbers (e.g., 99shutdown) to enforce the desired order.

Complete info at http://www.sudo.ws/sudo/sudoers.man.html.
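The gotchas above boil down to three checks you can script: refuse file names sudo would silently skip (a period anywhere, or a trailing tilde), set mode 0440, and syntax-check the result before it goes live. The POSIX sh functions below are an added example written for this post, not part of the original article; the function and variable names are my own. sudo parses #includedir files in sorted lexical order, so a numeric prefix such as 99shutdown does control ordering. The temp file is written with a leading period, which is exactly the kind of name sudo ignores, so a half-written file is never picked up; the final syntax check uses visudo -c -f, which only runs when the script is root and visudo exists (it is skipped otherwise so the example also runs in a scratch directory).

```shell
#!/bin/sh
# Added example (not the original post's code): install a drop-in into
# /etc/sudoers.d while honouring the gotchas listed above.

# Return 0 if NAME is a file name sudo will load from an #includedir
# directory: not empty, no path separator, no '.', no trailing '~'.
sudoers_dropin_name_ok() {
    case "$1" in
        ''|*/*) return 1 ;;   # empty, or contains a path separator
        *.*)    return 1 ;;   # contains a period: sudo ignores it
        *~)     return 1 ;;   # editor backup: sudo ignores it
    esac
    return 0
}

# install_sudoers_dropin NAME CONTENT [DIR]
# Writes CONTENT to DIR/NAME (DIR defaults to /etc/sudoers.d) with mode 0440
# and prints the resulting path on success. Returns non-zero on any failure.
install_sudoers_dropin() {
    name=$1
    content=$2
    dir=${3:-/etc/sudoers.d}

    sudoers_dropin_name_ok "$name" || {
        echo "refusing '$name': sudo ignores names containing '.' or ending in '~'" >&2
        return 1
    }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    # Leading '.' means sudo never reads the half-written file.
    tmp="$dir/.$name.tmp.$$"
    printf '%s\n' "$content" > "$tmp" || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }

    # Syntax-check the single file when we are root and visudo is present;
    # a bad drop-in would otherwise break sudo for everyone.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    mv "$tmp" "$dir/$name" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$dir/$name"
}

# Print the permission bits of FILE in octal (e.g. 440), GNU stat first,
# BSD stat as fallback.
sudoers_dropin_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}
```

Usage on a real system, as root: install_sudoers_dropin 99shutdown '%plugdev ALL=NOPASSWD: /sbin/shutdown' writes /etc/sudoers.d/99shutdown; passing a third argument lets you try the same function against a scratch directory first.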

  1. Arnaud

    Wednesday, December 1, 2010 - 17:20:21

    chmod and not chown :-D

  2. mithat

    Wednesday, December 1, 2010 - 18:20:15

    @Arnaud: Doh! Thanks and fixed.

  3. Pablo Vanwoerkom

    Monday, February 7, 2011 - 01:32:48

    So what is the format of the files that you put in /etc/sudoers.d. Can you give an example? Thanks!

  4. mithat

    Monday, February 7, 2011 - 19:09:28

    @Pablo AFAIK, whatever you place in an /etc/sudoers.d/{file} is just read and parsed as though it were part of the main sudoers file. So anything you might put into the /etc/sudoers:

    # mfk mod, plugdev users can power off
    %plugdev ALL=NOPASSWD: /sbin/shutdown

    can be placed in e.g. /etc/sudoers.d/99shutdown instead.
