# This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d h ALL=NOPASSWD: /usr/bin/brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0
But doing the command still gives me a permission error.
h@pop-os:~$ brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0 brightlight: could not open "brightness" file: Permission denied
h@pop-os:~$ sudo -l Matching Defaults entries for h on pop-os: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User h may run the following commands on pop-os: (ALL : ALL) ALL (root) NOPASSWD: /usr/bin/brightlight -i 20 -f /sys/class/backlight/amdgpu_bl0
Things I have tried:
- Creating a file in
/etc/sudoers.d/brightlight with last line of config above
EDIT: Fixed, you need to add
sudo, and it won’t prompt you for a password
I regularly need to drop a postres database and recreate it. It has to be done as
postgres user as following:
$ sudo -u postres dropdb my_database
I thought of adding sudoers rules for not being asked a password. Usually I proceed by creating a file in
/etc/sudoers.d/ with a rule like this one:
Cmnd_Alias DROP_DB = /bin/bash -l -c dropdb*, /usr/bin/dropdb* emilio ALL = NOPASSWD: DROP_DB
But in this use case, I need to run the command as postgres user and it doesn’t work.
What is the proper way to run a command as a different user without being asked a password?
To add an extra layer of security I’m using the
rootpw option in the
sudoers file and while it works perfectly fine from the shell, when a specific command invokes the GUI version of “elevation”, only the user password will work in that case and not the root password. Do I need to change anything in PolicyKit config?
I’d like the root password to be used everywhere, any ideas?
I want to disable a user to edit
sudoers file, so I added a line in sudoers file:
Cmnd_Alias BLOCK = !/usr/sbin/visudo, !/bin/nano /etc/sudoers
it blocks if a user tries to edit like this:
sudo nano /etc/sudoers
but when he’s enter to etc:
cd /etc sudo nano sudoers
… he can use
nano, and edit
how can i solve this? thanks
I followed these steps Fixing /etc/sudoers file but I still cant see my sudoers file – it says
Permission Denied I am trying to install MongoDB and it is installed on my machine – but as soon as I run
mongod to initiate the database, it shuts down the server – Please help!!!
Well, I’ve done a lot of reading and documentation around possible exploitation of sudoers files and SUID programs, but don’t have a deep enough knowledge to pick up the wisest possible solution for my problem.
We’re currently developping a Qt-based tool on Ubuntu for upgrade/rollback management of our main application.
So as you might have guessed, the said tool is making extensive use of
dpkg commands, that happen to be executable only with root privileges, which the tool does not have, as it is meant to be executed only within the limited-privileges user’s context.
To circumvent this limitation, the team has chosen the most straightforward solution : adding appropriate entries in the user’s sudoers file for the aforementioned commands.
BUT, as far as I know, this opens up a dangerous vulnerability in the system, as an attacker who would gain only limited access to the machine might then remove important components of the underlying linux system (
systemd for instance), thus making the system crash.
As I’m the only cybersecurity engineer in the team, I’m trying to find the safest and most recommended way to mitigate this flaw, but so far could think of only one alternative : turning the upgrade tool into a SUID program.
The thing is : SUID programs have a nefarious reputation when it comes to privilege escalation vulnerabilities they might expose on the target system (see here for a checklist of all the considerations to implement in order not to mess up everything when writing a SUID program).
The question is : is going through this painful process really worth it ?
Is there any other way we could safely use
dpkg commands without all the hassle of SUID implementation, and without making the upgrade tool run with superuser mode ?
Note: a lot of questions on stackexchange cover SUID related concerns, but none actually discusses the specific usecase we’re dealing with.
I have run this command by mistake chmode -R 777 ./*.Now not able to use sudo and can’t open folders as root. sudo: /etc/sudoers is world writable sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin
I would like to know how to block the usage of suid files (execution of setuid() for instance) to the non sudoers users. Not just one, all.
setfacl -m u:sudo:x mysetuidprogram
But it’s only for one program
Ubuntu n00b here. I am tinkering with a Docker container that I created using the following simple Dockerfile:
FROM ubuntu CMD ["tail","-f","/dev/null"]
Inside the container, as the root user, I try running
visudo and get the following response:
bash: visudo: command not found
ls /etc and it seems I don’t have a sudoers file either.
Is there something special I should have put in my Dockerfile to make these exist?