Tweaking Sudo On Ubuntu

If you’ve used your Ubuntu machine for more than a week, you’ve probably run into the sudo command a few times, particularly if you have followed any of my previous how-tos. Sudo allows you to run superuser commands on your machine without needing a complete superuser account.



Now what happens when you have another user on that machine that needs certain superuser privileges but you don’t want to give them FULL access? Well sudo can be configured to give users sudo access, but limited to only certain commands. Here is a breakdown:

If you use the command:

sudo visudo

you’ll be taken into an editor on the sudoers file that checks the syntax of your changes before saving them. What you’ll want to look for is near the bottom and appears similar to this:

# User privilege specification
root ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

This defines who has what sudo (superuser) privileges on that machine. By default, as in this case, root has all power and anyone in the admin group (generally just the initial user) has the same control.

Now consider you have a buddy, wife or partner that also uses that machine and needs occasional sudo access but you’d prefer not to give them complete permissions to avoid destroying the world as we know it. Well, you can list them in this file and create a limited list of sudo permissions that they will be granted. An example would be below:

# User privilege specification

root ALL=(ALL) ALL

defcon ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get

Let me break this down for you. By adding this new line to the file you’ve done the following:

The first listing, defcon, is the user that is being assigned the privilege. For this to apply to a group of users on the machine you would prefix the name with a % as seen in the example above (%admin).

The second listing defines the hosts that these permissions apply to. For your use this will almost always apply to your local machine only, so ALL is safe. If this does not apply to you (you will know who you are), you will want to define only the hosts to grant access on.

Thirdly, the (root) entry defines what user the first user is applying the command as. In this example we want to run the command as root and not any other user. You can define this to another user (or user daemon) to allow access to their specific privileges.

Lastly we’ve got a comma separated list of commands that the user will have access to. In this case I’m allowing the user defcon to add and remove programs from the machine using the apt-get and aptitude programs. Allowing users to add / remove programs from your machine as in this example can be dangerous. This is for example use and may not match your usage.

Sudo is our friend while using Ubuntu. It allows us to temporarily take on a different persona, make changes to the critical parts of the machine and quietly change back again. Allowing other users this privilege can be helpful but it can also be harmful, so be sure you understand who you are applying privileges to and to what commands. Security is #1, or should be, so use this knowledge wisely.

Disable Annoying Sudo password prompts:
Disabling the password prompts is a big security risk: if someone compromises your password or account, they could simply run sudo -s or sudo "command" to be root.
I don't recommend doing this unless you are "SURE" that you will not screw something up and that your computer is secure and firewalled.

All you need to do to accomplish this is:
First open a terminal and run sudo visudo

Find the line that starts with %admin and replace that line with:
%admin ALL=(ALL) NOPASSWD: ALL

Then ctrl-x and press enter to save

Then add yourself to the admin usergroup by typing:
sudo adduser myusername admin
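
The field breakdown and the NOPASSWD change above, as an added example that is not part of the original article: a shell function that splits each sudoers rule into its four fields and labels full and passwordless grants. The function names, output format and sample rules are constructed for illustration, and it handles simple one-line rules only.

```shell
#!/bin/sh
# Added example, not from the original article.
# Handles simple one-line rules only: no aliases, line continuations or includes.

# Constructed sample: the rules shown in the article, plus a Defaults line.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root ALL=(ALL) ALL
Defaults env_reset
%admin ALL=(ALL) NOPASSWD: ALL
defcon ALL=(root) /usr/bin/aptitude, /usr/bin/apt-get
EOF
}

# audit_sudoers [FILE]: reads FILE (or stdin) and prints one line per rule:
#   who|hosts|runas|risk|commands
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        if (split(substr($0, 1, eq - 1), f, " ") != 2) next
        who = f[1]; hosts = f[2]                   # fields 1 and 2: user or %group, hosts
        rest = substr($0, eq + 1)
        sub(/^[ \t]+/, "", rest)
        runas = "root"                             # sudoers default when no (user) is given
        if (rest ~ /^\(/) {                        # field 3: the run-as user
            rp = index(rest, ")")
            if (rp == 0) next
            runas = substr(rest, 2, rp - 2)
            rest = substr(rest, rp + 1)
        }
        nopass = sub(/NOPASSWD:/, "", rest)        # 1 if the tag was present
        gsub(/^[ \t]+|[ \t]+$/, "", rest)          # field 4: the command list
        if (rest == "ALL") risk = nopass ? "full-nopasswd" : "full"
        else               risk = nopass ? "nopasswd" : "limited"
        print who "|" hosts "|" runas "|" risk "|" rest
    }' "$@"
}

sample_sudoers | audit_sudoers
```

To review a real configuration, pass the file as an argument, for example sudo sh -c '. ./audit.sh; audit_sudoers /etc/sudoers' if the script is saved under the hypothetical name audit.sh.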
