Difference between revisions of "Sudo"

From ArchWiki
(Ask for the root password)
Line 85: Line 85:
 
'''Note: to try if it worked right, type sudo -K to end you current session a let sudo ask for the password again'''
 
'''Note: to try if it worked right, type sudo -K to end you current session a let sudo ask for the password again'''
  
== Ask for the root password  ==
+
== Root password  ==
 
 
If you need sudo (for example for makepkg -s) but don't want a security risk,
 
you can configure sudo to ask for the root password instead of the user password.
 
  
 +
If you need sudo for example for makepkg -s, but don't want a security risk you can configure sudo to ask for the root password instead of the user password.
 
Add "rootpw" to the Defaults line:
 
Add "rootpw" to the Defaults line:
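Review bot: the added sentence ("If you need sudo for example for makepkg -s, but don't want a security risk you can configure sudo ...") drops the parentheses around the example and leaves the comma in the wrong place, so it reads worse than the two lines it replaces. Suggest "If you need sudo (for example for makepkg -s) but don't want a security risk, you can configure sudo to ask for the root password instead of the user password." The sentence also never says which risk rootpw is meant to reduce, so a short clause naming it would help. The unchanged note above the heading ("to end you current session a let sudo") has two typos that could be fixed in the same edit.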
  

Revision as of 10:26, 15 July 2009


Installation

To install Sudo:

pacman -S sudo

Enabling sudo for Users

To add a user as a sudo user (a "sudoer"), type "visudo" as root. This will open the file /etc/sudoers in a special session of vi. If you don't know how to use vi, you can select another editor, for example:

EDITOR=gedit visudo

Do not edit /etc/sudoers directly with an editor: visudo locks the file and checks its syntax before saving. To give the user full root privileges when he/she precedes a command with "sudo", add the following line:

USER_NAME   ALL=(ALL) ALL

where USER_NAME is the username of the individual.

Enabling Tab-Completion for sudo Users

Tab-completion, by default, will not work when a user is initially added to the sudoers file. For example, normally johndoe only has to type:

fir<TAB>

and the shell will complete the command for him as:

firefox


If, however, johndoe is added to the sudoers file and he types:

sudo fir<TAB>

the shell will do nothing.

If you use programmable completion for bash you should comment out the following lines in /etc/bash_completion:

# user commands see only users
complete -u su usermod userdel passwd chage write chfn groups slay w
# group commands see only groups
[ -n "$bash205" ] && complete -g groupmod groupdel newgrp 2>/dev/null


Otherwise add the following to your ~/.bashrc (only if you did not modify bash_completion as it overwrites the settings for sudo):

complete -cf sudo

Password timeout

You might want to change the default timeout before the password expires. To do so, add the following to /etc/sudoers (using visudo):

Defaults:your_username timestamp_timeout=MINUTES

For example:

Defaults:foo timestamp_timeout=20

Here the user foo's password expires if it is unused for over 20 minutes.

Note: If you would like sudo to always ask for a password, just set the timeout to zero.

Environment Variables

If you have a lot of environment variables, or you export your proxy settings via export http_proxy="..", these variables are not passed to the root account when you use sudo unless you run sudo with the -E option:

sudo -E pacman -Sy

Because of this you may wish to add an alias in ~/.bashrc:

alias sudo="sudo -E"

Summary

To summarize, the following setup will satisfy most individuals, where USER_NAME is the individual's username:

1. pacman -S sudo
2. add "USER_NAME   ALL=(ALL) ALL" to /etc/sudoers
3. add "complete -cf sudo" to /home/USER_NAME/.bashrc

Some fun

There is a way of telling sudo to insult you every time you type the wrong password, instead of just printing the default "wrong password" message. To enable this Easter egg:

# sudo visudo

Find the Defaults line (approx. line 18) and append "insults", separated by a comma, to anything that is already there. The final result might look like this:

#Defaults specification
Defaults insults

Note: to test whether it worked, type sudo -K to end your current session and let sudo ask for the password again.

Root password

If you need sudo (for example for makepkg -s) but don't want a security risk, you can configure sudo to ask for the root password instead of the user password. Add "rootpw" to the Defaults line:

 Defaults timestamp_timeout=0,rootpw
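
An added example, not part of the wiki page: shell functions that render the user entry together with the timestamp_timeout and rootpw Defaults described above, and install the result only after visudo -c accepts it. The function names, the 50-USER file name and the use of /etc/sudoers.d (which must be included from /etc/sudoers) are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a sudoers fragment with the
# settings discussed above and install it only if visudo accepts it.
# Assumptions: /etc/sudoers.d is included by /etc/sudoers; the function
# names and the fragment file name are hypothetical.

# Print the fragment for user $1 with a password timeout of $2 minutes.
# Returns 1 on input that could break or subvert the sudoers syntax.
render_fragment() {
    user=$1
    minutes=$2
    case $user in
        ''|*[!a-z0-9_-]*|[!a-z_]*) echo "bad user name" >&2; return 1 ;;
    esac
    case $minutes in
        ''|*[!0-9]*) echo "timeout must be whole minutes" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL) ALL\n' "$user"
    printf 'Defaults:%s timestamp_timeout=%s,rootpw\n' "$user" "$minutes"
}

# Check the fragment with visudo -c before it goes live; must run as root.
# A fragment that fails the syntax check is never copied into place.
install_fragment() {
    tmp=$(mktemp) || return 1
    if render_fragment "$1" "$2" > "$tmp" && visudo -c -f "$tmp" >/dev/null
    then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/50-$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (as root): install_fragment foo 20
```

Run sudo -K afterwards so the next sudo call prompts again and shows which password is requested.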

See also