I intend to play with the Linux insults and add a few. However, I could only figure out how to add a single insult, not a list, nor the location of the file that contains the insults.
Linux – /etc/sudoers – Insults – How to add a list of insults
linux sudo
Related Solutions
There are at least 3 ways in which it can be dangerous:
- If /etc/sudoers doesn't end in a newline character (which sudo and visudo allow), for instance if it ends in a non-terminated "#includedir /etc/sudoers.d" line, your command will make it "#includedir /etc/sudoers.dDefaults insults", which will break it and render sudo unusable.
- echo may fail to write the full string, for instance if the file system is full. For instance, it may just be able to write "Defaults in", which again will break your sudoers file.
- On a machine with multiple admins, if both attempt to modify /etc/sudoers at the same time, the data they write may be interlaced.

visudo avoids these problems because it lets you edit a temporary file instead (/etc/sudoers.tmp), detects if the file was modified (unfortunately not if the file was successfully modified, as it doesn't seem to be checking the editor's exit status), checks the syntax, and does a rename (an atomic operation) to move the new file in place. So it will either successfully update the file (provided your editor also leaves the file unmodified if it fails to write the new one) or fail if it can't or the syntax is invalid. visudo also guards against several persons editing the sudoers files at the same time.
Now, reliably using visudo in an automatic fashion is tricky as well. There are several problems with that:
- You can specify an editor command for visudo with the VISUAL environment variable (takes precedence over EDITOR), but only if the env_editor option has not been disabled.
- My version of visudo at least, under some conditions, edits all of /etc/sudoers and all the files it includes (runs $VISUAL for all of them). So you have to make sure your $VISUAL only modifies /etc/sudoers.
- As seen above, it doesn't check the exit status of the editor. So you need to make sure the file your editor saves is either successfully written or not modified at all.
- It prompts the user in case of a problem.
Addressing all those is a bit tricky. Here is how you could do it:
NEW_TEXT='Defaults insults' \
CODE='
  if [ "$2" = /etc/sudoers.tmp ]; then
    printf >&2 "Editing %s\n" "$2"
    umask 077
    {
      cat /etc/sudoers.tmp && printf "\n%s\n" "$NEW_TEXT"
    } > /etc/sudoers.tmp.tmp &&
      mv -f /etc/sudoers.tmp.tmp /etc/sudoers.tmp
  else
    printf >&2 "Skipping %s\n" "$2"
  fi' \
VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null
Won't work if env_editor is unset.
On a GNU system, a better alternative would be to use sed -i, which should leave sudoers.tmp unmodified if it fails to write the newer version:

Add insults:
SED_CODE='
  /^[[:blank:]]*Defaults.*insults/,${
    /^[[:blank:]]*Default/s/!*\(insults\)/\1/g
    $q
  }
  $a\Defaults insults' \
CODE='
  if [ "$2" = /etc/sudoers.tmp ]; then
    printf >&2 "Editing %s\n" "$2"
    sed -i -- "$SED_CODE" "$2"
  else
    printf >&2 "Skipping %s\n" "$2"
  fi' \
VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null
Remove insults:
SED_CODE='
  /^[[:blank:]]*Defaults.*insults/,${
    /^[[:blank:]]*Defaults/s/!*\(insults\)/!\1/g
    $q
  }
  $a\Defaults !insults' \
CODE='
  if [ "$2" = /etc/sudoers.tmp ]; then
    printf >&2 "Editing %s\n" "$2"
    sed -i -- "$SED_CODE" "$2"
  else
    printf >&2 "Skipping %s\n" "$2"
  fi' \
VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null
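The three failure modes listed at the top of this answer (a missing trailing newline, a short write, and concurrent writers) are all about how the file is written, not about its content. The following is an added example, not code from the answer above or from the sudo project: a POSIX sh function that appends one line to a sudoers-style file the way the answer says a safe tool should, by repairing the trailing newline, writing the whole candidate file to a temporary in the same directory, optionally running a check command on it, and renaming it into place. The function names, the optional CHECK hook and the sample file in the usage comment are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the answer above or from sudo): append one line to a
# sudoers-style file while avoiding the failure modes the answer lists.
#  - A missing trailing newline is repaired first, so the new line is never
#    glued onto the previous one ("#includedir /etc/sudoers.dDefaults insults").
#  - The complete new content goes to a temp file in the same directory; a
#    short write (full disk) fails there and the live file is untouched.
#  - The temp file is renamed over the original, which is atomic, so readers
#    never see a half-written file.
# Function names, the optional CHECK hook and the sample file path in the
# usage comment are this example's own, not part of sudo.

# ends_with_newline FILE: true if FILE is empty or its last byte is a newline.
# $(...) strips trailing newlines, so the substitution is empty exactly when
# the last byte was one.
ends_with_newline() {
    [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

# append_line FILE TEXT [CHECK]: append TEXT as its own line to FILE, or leave
# FILE exactly as it was. CHECK, if given, is a command run on the candidate
# file before it replaces FILE; on a real system pass 'visudo -cf' so syntax
# (and owner/mode) are verified the way visudo itself would verify them.
append_line() {
    file=$1 text=$2 check=${3:-:}
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/.sudoers.XXXXXX") || return 1   # created mode 0600
    {
        cat "$file" &&
        { ends_with_newline "$file" || printf '\n'; } &&
        printf '%s\n' "$text"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }   # default sudoers mode
    # CHECK is word-split on purpose so 'visudo -cf' works as command + flag.
    $check "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file"
}

# Usage on a working copy (constructed path), with visudo as the check:
#   append_line ./sudoers.copy 'Defaults insults' 'visudo -cf'
```

The check hook is what turns this from "atomic append" into "atomic append of something sudo will still parse": if the check fails, the temporary file is removed and the live file is untouched, which is the property the answer attributes to visudo. The multiple-admin case is only partly covered (two concurrent runs still race on the rename), which is why visudo's lock on /etc/sudoers.tmp remains the right tool on a shared machine.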
I am, basically, in agreement with Wissam Al-Roujoulah on this.
"We need to add a few users to the sudoers file"
Do you really need to do this? Maybe there are other ways, using acl or regular UNIX permissions.
As Wissam Al-Roujoulah has already pointed out, trying to "blacklist" certain commands is in reality a really bad idea (read below from man sudoers, emphasis mine):
Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended
Instead you can specify a "whitelist", e.g. the actual commands the users are allowed to run. Something like this:
user1 ALL=/sbin/shutdown
The above will allow user1 to shut down. You can add more commands in a comma-separated list.
Read more about this here.
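The sudoers(5) excerpt quoted in this answer is easy to check for mechanically. The following is an added example, not part of the answer above or of sudo: a small sh/awk lint that prints every user specification whose command list combines the ALL alias with a '!'-negated entry, i.e. the "all but a few" pattern the manual warns about. Each line it prints is a candidate for rewriting as an explicit allow list like the user1 rule above. The function name and the sample rules in the test are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the answer above or from sudo): report sudoers user
# specifications written as "ALL minus a few commands", the pattern sudoers(5)
# says rarely works as intended. The function name is the example's own.

# negated_all_rules FILE: print each user specification whose command list
# contains the ALL alias together with a '!'-negated entry. Comments, blank
# lines, #include lines, Defaults lines and alias definitions are ignored, and
# a Runas list such as "(ALL, !root)" is stripped so its '!' does not count.
negated_all_rules() {
    awk '
        /^[[:blank:]]*(#|$)/                          { next }
        /^[[:blank:]]*Defaults/                       { next }
        /^[[:blank:]]*(Cmnd|User|Host|Runas)_Alias/   { next }
        {
            cmds = $0
            sub(/^[^=]*=/, "", cmds)                           # text after the first "="
            sub(/^[[:blank:]]*\([^)]*\)[[:blank:]]*/, "", cmds) # drop the "(runas)" list
            has_all = cmds ~ /(^|[,[:blank:]])ALL([,[:blank:]]|$)/
            has_neg = cmds ~ /(^|[,[:blank:]])![[:blank:]]*[^[:blank:],]/
            if (has_all && has_neg) print
        }
    ' "$1"
}

# Usage (read-only; /etc/sudoers is normally readable only by root):
#   negated_all_rules /etc/sudoers
```

A rule such as "user2 ALL=(ALL) ALL, !/bin/su" is reported, while "user1 ALL=/sbin/shutdown" and a rule that only negates a Runas user, "user3 ALL=(ALL, !root) /bin/ls", are not; the lint deliberately looks only at the command list.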
Best Answer
To edit the list of insults, you will need to edit the source and recompile.

The insults are stored in plugins/sudoers/ins_*.h (4 files). If you add a new file, you will need to add its definition to plugins/sudoers/insults.h. That's it.