What is the difference between adding a user to /etc/sudoers and usermod -a -G sudo?
Which method should be used for granting sudo?

For Ubuntu you should very strongly avoid editing `/etc/sudoers` under any conditions. Instead add config fragments into the `/etc/sudoers.d` directory. Using the fragments folder makes upgrading easier since you modified a conffile. – Zoredache Jun 10 '14 at 20:08
@Zoredache - excellent point. Do you care if I add that to my answer? I don't want to take credit for it, but this tip should live in an answer somewhere in case the comment gods nuke this for some reason. – EEAA Jun 10 '14 at 20:12
@EEAA, I grant you permission to use the above, and any other comments I post, to merge into actual answers. I add comments because I am too lazy/busy to add a full answer, but I don't mind at all if people take my comments and integrate them into a complete good answer. – Zoredache Jun 10 '14 at 20:17
3 Answers
If you can avoid it, never grant sudo privileges to individual users. Always grant privileges to a group and then add users to that group.
For Ubuntu-based servers, instead of adding lines to /etc/sudoers, add config file fragments into /etc/sudoers.d. This is more flexible, easier to understand, more resilient in the face of upgrades, and works better with systems managed by configuration management systems.
NOTE: never edit /etc/sudoers directly. Instead, use visudo, which will perform syntax checking on your edits, preventing you from breaking your sudo config with invalid syntax.

Good point about `visudo`. Some people don't realize there's a reason that `/etc/sudoers` is marked as read-only. – SameOldNick Jun 11 '14 at 02:27
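A worked version of the two points above (a group-based grant, delivered as a /etc/sudoers.d fragment that is syntax-checked before it goes live), written as an added example rather than code from the answer or from the sudo project. The group name `admins`, the fragment name `10-admins`, and the optional third argument that points the install at a scratch directory are assumptions for illustration. The naming rule it enforces is real: sudo skips sudoers.d entries whose name contains a `.` or ends in `~`, which is why a fragment called `10-admins.conf` would silently never apply.

```shell
#!/bin/sh
# Added example, not from the original answers: grant sudo to a group through
# a /etc/sudoers.d fragment, checked with visudo before it is installed.
# Group name, fragment name and target directory are illustrative assumptions.

# sudo silently ignores sudoers.d entries whose name contains a '.' or ends
# in '~', so "10-admins.conf" or an editor backup file would never take effect.
valid_fragment_name() {
    case "$1" in
        '' | *.* | *~) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the fragment body: every member of %GROUP may run any command as any user.
sudoers_fragment() {
    printf '# Managed by ops: members of %%%s may use sudo\n' "$1"
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Write the fragment with the 0440 mode sudo expects, validate it with
# visudo -cf, and only then move it into place. A fragment that fails the
# check is deleted rather than left in the directory.
install_fragment() {
    group="$1"; name="$2"; dir="${3:-/etc/sudoers.d}"
    valid_fragment_name "$name" || { echo "refusing fragment name: $name" >&2; return 1; }
    tmp="$dir/.$name.tmp"    # dotted name: ignored by sudo if a crash leaves it behind
    ( umask 337; sudoers_fragment "$group" > "$tmp" ) || return 1
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    else
        echo "visudo not found; fragment $name installed unchecked" >&2
    fi
    mv "$tmp" "$dir/$name"
}

# Append (-a) the user to the group; without -a, -G would replace all of the
# user's supplementary groups. Needs root, so it is not exercised by a test.
grant_sudo() {
    groupadd -f "$2" && usermod -aG "$2" "$1" \
        && id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Usage (as root):  install_fragment admins 10-admins && grant_sudo alice admins
```

The temporary file gets a dotted name on purpose: if the script dies between writing and renaming, what is left behind is a file sudo will not read, rather than a half-written policy. Run `install_fragment admins 10-admins /tmp/sudoers-test` as an unprivileged user to dry-run the fragment and the visudo check before touching the real directory.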
I just found this little tidbit out there... seems you need to be particularly careful with using the -G option in Ubuntu, in particular in combination with the -g option. So:
- Use usermod -aG to add the user(s) to a group.
- Then, as @EEAA suggested, add the group to the /etc/sudoers file using the sudo visudo command (automatically invokes a privileged editor with syntax checking).
Here's the info about the -aG option on Ubuntu, taken from here http://ubuntuforums.org/showthread.php?t=1240477:
'I'm reading the Wiley "Linux Command Line and Scripting Bible" - and they said that usermod -G "appends" a group to whatever user account you are modifying. I found this to be false in Ubuntu, don't know if it's just different in other distros, or a typo in the book. It removes you from EVERY other group you belong to, except your default user group (modified by the -g option). I managed to remove myself from the admin group and could no longer sudo anything. Thank goodness for recovery mode...'
The correct option is usermod -aG. Lesson learned...

Can the downvoter have the courtesy to provide some constructive criticism here. tia. – Flak DiNenno Jun 10 '14 at 20:08
I didn't downvote you, but your 'answer', doesn't really answer the question asked. This is a pretty strict Q&A site, we generally expect answers to directly address the question asked. BTW, yes I know you somewhat address the question a bit, but your 'answer' seems most saying do what EEAA said, but be warned about this weird quirk. – Zoredache Jun 10 '14 at 20:10
@Zoredache thanks for taking the time. Doesn't step 1 & 2 clearly give instructions for "a preferred method for granting sudo"? Which is what the OP asked? – Flak DiNenno Jun 10 '14 at 20:11
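An added check for the quirk this answer describes (example code, not from the answer or from the shadow-utils project): it compares a user's supplementary groups before and after a usermod call and reports any that disappeared, which is exactly what `-G` without `-a` does. `lost_groups` and `apply_usermod` work on plain space-separated lists in the order `id -nG` prints them (primary group first), so they can be exercised without root; `safe_add_to_group` wires the same check to the real `id` and `usermod` and needs root. The user and group names are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: detect supplementary groups that
# vanish when a user is (re)assigned groups, the failure mode of usermod -G
# without -a. Function, user and group names are illustrative assumptions.

# Print each group present in BEFORE but absent from AFTER, one per line.
# Both arguments are space-separated lists as produced by `id -nG`.
lost_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;                 # still a member
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Model of what `usermod -G LIST` and `usermod -aG LIST` do to a membership
# list: -G replaces the whole supplementary set with LIST, -aG appends LIST.
# The primary group (first word of `id -nG`) is governed by -g and is left
# alone by both. Prints the resulting list in `id -nG` order.
apply_usermod() {
    mode="$1"; current="$2"; new="$3"
    set -- $current
    [ $# -gt 0 ] || return 2
    primary="$1"; shift              # "$@" now holds the supplementary groups
    case "$mode" in
        -G)  set -- $primary $new ;;
        -aG) for g in $new; do
                 case " $* " in *" $g "*) ;; *) set -- "$@" "$g" ;; esac
             done
             set -- $primary "$@" ;;
        *)   return 2 ;;
    esac
    echo "$*"
}

# Real version: snapshot with id -nG, append with -aG, fail loudly if any
# previous group is gone. Needs root; not exercised by a test.
safe_add_to_group() {
    user="$1"; group="$2"
    before=$(id -nG "$user") || return 1
    usermod -aG "$group" "$user" || return 1
    after=$(id -nG "$user")
    lost=$(lost_groups "$before" "$after")
    if [ -n "$lost" ]; then
        echo "user $user lost groups after usermod: $(echo $lost)" >&2
        return 1
    fi
}

# Dry run of the quirk, no root needed:
#   apply_usermod -G  "alice adm sudo dip" docker   -> "alice docker"
#   apply_usermod -aG "alice adm sudo dip" docker   -> "alice adm sudo dip docker"
```

The `-G` line of the model is the one the forum post ran into: `sudo` is gone from the result, and so is every other supplementary group, while the primary group survives. Running `lost_groups` on the real before/after output turns that into a non-zero exit instead of a surprise at the next `sudo`.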
You don't tell us how big your environment is, but if it's more than one machine you may also want to consider configuring sudo using LDAP as an alternative to editing sudoers locally (either through visudo or using the /etc/sudoers.d fragments method).
LDAP configuration is a well-tested way of making sure that multiple machines have the same sudo configuration, and presents a nice unified environment (with central management of an important authorization mechanism). As a bonus, if you already use LDAP (or AD) for authentication/authorization in your environment you can take advantage of the existing infrastructure (and if you don't you should seriously consider it - centralization has many benefits).
Everything folks have already said in the other answers about creating authorized groups still stands - it's easier as you scale up to grant privileges to a group and manage group membership than it is to deal with managing rights for individual users.

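To make the LDAP option concrete, an added example that is not from the answer or from the sudo project: it emits a `sudoRole` entry in the schema documented in sudoers.ldap(5) for the same group-based policy the other answers recommend, and checks that a given nsswitch.conf consults LDAP for sudoers at all (without a `sudoers:` line that lists `ldap`, the directory entry is never read, however correct it is). The base DN `ou=SUDOers,dc=example,dc=com`, the group name and the two nsswitch samples are assumptions; sudo must also be built with LDAP support for any of this to take effect.

```shell
#!/bin/sh
# Added example, not from the answer above: an LDAP sudoRole for a group, in
# the schema from sudoers.ldap(5), plus a check of the nsswitch entry that
# makes sudo consult LDAP. Base DN, group and samples are illustrative assumptions.

# Emit an LDIF sudoRole granting members of %GROUP ALL on all hosts, as any user.
# Load it with something like:
#   sudo_role_ldif admins ou=SUDOers,dc=example,dc=com | ldapadd -x -D "$BIND_DN" -W
sudo_role_ldif() {
    group="$1"; base="$2"
    cat <<EOF
dn: cn=${group},${base}
objectClass: top
objectClass: sudoRole
cn: ${group}
sudoUser: %${group}
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOF
}

# sudo only asks LDAP when nsswitch.conf has a "sudoers:" line listing ldap;
# "sudoers: files ldap" checks local sudoers first, then the directory.
# Reads the file contents on stdin so a copy (or a test sample) can be checked.
# Returns 0 when ldap is consulted, 1 otherwise.
nsswitch_uses_ldap_sudoers() {
    sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' | grep -qw ldap
}

# Constructed nsswitch.conf samples (not real files) for illustration.
NSS_LOCAL_ONLY='passwd: files
group: files
sudoers: files'
NSS_WITH_LDAP='passwd: files ldap
group: files ldap
sudoers: files ldap'

# Usage on a live host:
#   nsswitch_uses_ldap_sudoers < /etc/nsswitch.conf || echo "sudo is not reading LDAP"
```

Keeping `files` ahead of `ldap` on the `sudoers:` line preserves a local break-glass entry (for example the `/etc/sudoers.d` fragment from the first answer) that still works when the directory is unreachable.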