Sudoers and defaults

sudosudoedit

I need to allow to a user to run passwordless sudo without tty.

I have a file under /etc/sudoers.d/ with the special commands and settings I need, since I don't fancy editing directly the sudoers file. In that file I have the following:

# My list of commands that the user can run passwordless
myUser ALL=(ALL) NOPASSWD:SETENV: /foo/bar /foo/zaz
# My new defaults.
Defaults exempt_group = myUser
Defaults !env_reset,env_delete-=PATH
Defaults: myUser !requiretty

However when I su to the user and run sudo -l I get this in the defaults:

 Matching Defaults entries for myUseron this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, exempt_group=myUser,
    !env_reset, env_delete-=PATH, !requiretty

Where I can see it has first requiretty and in the end my !requiretty, which does not work.
I assume this is happening because it is first parsed the normal sudoers file, then my custom file under /etc/sudoers.d/.

Is there a way of making this work without editing the original /etc/sudoers?

Best Answer

The grammar for the Defaults is this (see man sudoers):

Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List

User_List ::= User |
              User ',' User_List

So on line

Defaults: myUser !requiretty

remove the space between Defaults: and myUser.

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Sudo – Is ‘echo “Defaults insults” >> /etc/sudoers’ Safe?

There are at least 3 ways in which it can be dangerous:

If /etc/sudoers doesn't end in a newline character (which sudo and visudo allow), for instance, if it ends in a non-terminated #includedir /etc/sudoers.d line, your command will make it:
```
#includedir /etc/sudoers.dDefaults insults
```
which will break it and render sudo unusable.
echo may fail to write the full string, for instance if the file system is full. For instance, it may just be able to write Defaults in. Which again will break your sudoers file.
On a machine with multiple admins, if both attempt to modify /etc/sudoers at the same time, the data they write may be interlaced.

visudo avoids these problems because it lets you edit a temporary file instead (/etc/sudoers.tmp), detects if the file was modified (unfortunately not if the file was successfully modified as it doesn't seem to be checking the editor's exit status), checks the syntax, and does a rename (an atomic operation) to move the new file in place. So it will either successfully update the file (provided your editor also leaves the file unmodified if it fails to write the new one) or fail if it can't or the syntax is invalid.

visudo also guards against several persons editing the sudoers files at the same time.

Now, reliably using visudo in an automatic fashion is tricky as well. There are several problems with that:

You can specify an editor command for visudo with the VISUAL environment variable (takes precedence over EDITOR), but only if the env_editor option has not been disabled.
my version of visudo at least, under some conditions, edits all of /etc/sudoers and all the files it includes (runs $VISUAL for all of them). So you have to make sure your $VISUAL only modifies /etc/sudoers.
as seen above, it doesn't check the exit status of the editor. So you need to make sure the file your editor saves is either successfully written or not modified at all.
It prompts the user in case of problem.

Addressing all those is a bit tricky. Here is how you could do it:

NEW_TEXT='Defaults insults' \
  CODE='
    if [ "$2" = /etc/sudoers.tmp ]; then
      printf >&2 "Editing %s\n" "$2"
      umask 077
      {
        cat /etc/sudoers.tmp && printf "\n%s\n" "$NEW_TEXT"
      } > /etc/sudoers.tmp.tmp &&
        mv -f /etc/sudoers.tmp.tmp /etc/sudoers.tmp
    else
      printf >&2 "Skipping %s\n" "$2"
    fi' \
  VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null

Won't work if env_editor is unset.

On a GNU system, a better alternative would be to use sed -i which should leave sudoers.tmp unmodified if it fails to write the newer version:

Add insults:

SED_CODE='
  /^[[:blank:]]*Defaults.*insults/,${
    /^[[:blank:]]*Default/s/!*\(insults\)/\1/g
    $q
  }
  $a\Defaults insults' \
CODE='
  if [ "$2" = /etc/sudoers.tmp ]; then
    printf >&2 "Editing %s\n" "$2"
    sed -i -- "$SED_CODE" "$2"
  else
    printf >&2 "Skipping %s\n" "$2"
  fi' \
VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null

Remove insults:

SED_CODE='
  /^[[:blank:]]*Defaults.*insults/,${
    /^[[:blank:]]*Defaults/s/!*\(insults\)/!\1/g
    $q
  }
  $a\Defaults !insults' \
CODE='
  if [ "$2" = /etc/sudoers.tmp ]; then
    printf >&2 "Editing %s\n" "$2"
    sed -i -- "$SED_CODE" "$2"
  else
    printf >&2 "Skipping %s\n" "$2"
  fi' \
VISUAL='sh -fc IFS=:;$1 sh eval:eval:"$CODE"' visudo < /dev/null

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Sudo – Is ‘echo “Defaults insults” >> /etc/sudoers’ Safe?

Related Question