Difference between revisions of "Sudo"

From ArchWiki
(added link to bash programmable completion)
(Environment Variables)
Line 67: Line 67:
 
Another way of fixing this would be to add in /etc/sudoers
 
Another way of fixing this would be to add in /etc/sudoers
 
  Defaults !env_reset
 
  Defaults !env_reset
 +
 +
If you want to JUST pass your <tt>*_proxy</tt> variables add the following via visudo:
 +
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
  
 
== Summary ==
 
== Summary ==
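
Review bot: the added `Defaults env_keep += ...` line lists only the lowercase proxy names, so programs that read the uppercase forms (such as HTTP_PROXY) will still lose them under env_reset; either list both spellings or say that the lowercase set is intentional. The new sentence should also state that this is the narrower alternative to the `Defaults !env_reset` line just above it, which passes the caller's environment through to the privileged command, so readers pick env_keep unless they really need the whole environment. The new `Defaults env_keep` line also lacks the leading-space indentation that the `Defaults !env_reset` line has.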

Revision as of 11:56, 30 October 2009


Installation

To install Sudo:

pacman -S sudo

Enabling sudo for Users

To add a user as a sudo user (a "sudoer"), run "visudo" as root. This opens the file /etc/sudoers in a special session of vi. If you don't know how to use vi, you can choose another editor, for example:

EDITOR=nano visudo

(Do not edit /etc/sudoers directly with an editor; visudo locks the file and checks its syntax before saving.) To give the user full root privileges when he/she precedes a command with "sudo", add the following line:

USER_NAME   ALL=(ALL) ALL

where USER_NAME is the username of the individual.

Enabling Tab-Completion for sudo Users

Tab-completion, by default, will not work when a user is initially added to the sudoers file. For example, normally johndoe only has to type:

fir<TAB>

and the shell will complete the command for him as:

firefox


If, however, johndoe is added to the sudoers file and he types:

sudo fir<TAB>

the shell will do nothing.

If you use programmable completion for bash you should comment out the following lines in /etc/bash_completion:

# user commands see only users
complete -u su usermod userdel passwd chage write chfn groups slay w
# group commands see only groups
[ -n "$bash205" ] && complete -g groupmod groupdel newgrp 2>/dev/null


Otherwise add the following to your ~/.bashrc (only if you did not modify bash_completion as it overwrites the settings for sudo):

complete -cf sudo

Password timeout

You might want to change the default timeout before the password expires. This is done by adding the following to /etc/sudoers (via visudo):

Defaults:your_username timestamp_timeout=MINUTES

For example:

Defaults:foo timestamp_timeout=20

Here the user foo's password expires if it is unused for over 20 minutes.

Note: If you would like sudo to always ask for a password, just set the timeout to zero.

Environment Variables

If you have a lot of environment variables, or you export your proxy settings via export http_proxy="..", these variables do not get passed to the root account when using sudo unless you run sudo with the -E option:

sudo -E pacman -Sy

Because of this you may wish to add an alias in ~/.bashrc:

alias sudo="sudo -E"

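Another way of fixing this would be to add the following to /etc/sudoers (via visudo). Note that this turns off sudo's environment reset altogether, so nearly all of the invoking user's environment, not only the proxy settings, is passed to commands run as root: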

Defaults !env_reset

If you want to pass only your *_proxy variables, add the following via visudo:

Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
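
The following is an added example, not part of the wiki page: a small shell function that scans sudoers text for the two settings above, flagging "Defaults !env_reset" and listing every variable named in an env_keep entry so you can confirm that only the proxy variables are kept. The function names, the sample file and the output format are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (assumed names, constructed input): audit the
# environment-related Defaults of a sudoers file read from stdin.

audit_sudoers_env() {
    awk '
    /^[ \t]*#/          { next }    # comment lines
    !/^[ \t]*Defaults/  { next }    # only Defaults entries matter here
    /!env_reset/ {
        print "RISK line " NR ": env_reset disabled, caller environment is passed to root"
    }
    match($0, /env_keep[ \t]*[+]?=[ \t]*/) {
        val = substr($0, RSTART + RLENGTH)
        if (substr(val, 1, 1) == "\"") {    # quoted, space-separated list
            val = substr(val, 2)
            sub(/".*/, "", val)
        } else {                            # single unquoted name
            sub(/[, \t].*/, "", val)
        }
        n = split(val, names, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (names[i] != "") print "KEEP line " NR ": " names[i]
    }'
}

# Constructed sample combining the lines shown on this page.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real system file
#Defaults specification
Defaults insults
Defaults:foo timestamp_timeout=20
Defaults !env_reset
Defaults env_keep += "ftp_proxy http_proxy https_proxy no_proxy"
foo   ALL=(ALL) ALL
EOF
}

sample_sudoers | audit_sudoers_env
```

On a real system, run it as root with the file on stdin, for example audit_sudoers_env < /etc/sudoers.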

Summary

To summarize, the following setup will satisfy most individuals, where USER_NAME is the individual's username:

1. pacman -S sudo
2. add "USER_NAME   ALL=(ALL) ALL" to /etc/sudoers
3. add "complete -cf sudo" to /home/USER_NAME/.bashrc

Some fun

There is a way of telling sudo to insult you every time you type the wrong password, instead of just printing the default "wrong password" message. To enable this Easter egg:

# sudo visudo

Find the Defaults line (approx. line 18) and append "insults", separated by a comma, to anything that may already be there. The final result might look like this:

#Defaults specification
Defaults insults

Note: to check whether it worked, type sudo -K to end your current session and let sudo ask for the password again.

Root password

If you need sudo, for example for makepkg -s, but don't want a security risk, you can configure sudo to ask for the root password instead of the user password. Add "rootpw" to the Defaults line:

 Defaults timestamp_timeout=0,rootpw

See also