This blog helps you to get started with configuring sudo and learn how to avoid the most common mistakes. But the title “getting started with sudo” sounds a lot less interesting :-) Based on responses to my talks, one of the most popular configuration option of sudo is insults. You should not think about anything serious here: just some funny messages when a user mistypes a password. But as some users find these messages inappropriate, these are now disabled by default, but can be enabled. In this blog I’ll show you how to configure sudo’s insults and how to enable (or disable) them for a set of users.
The configuration for sudo is located in /etc/sudoers, which is a simple text file. This is how the /etc/sudoers file looks in CentOS 7 after removing comments and empty lines:
Defaults !visiblepw Defaults always_set_home Defaults match_group_by_gid Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin root ALL=(ALL) ALL %wheel ALL=(ALL) ALL
When you look at it more carefully you will see two different kinds of settings:
- Lines starting with “Defaults” change the default behavior of sudo. The defaults here apply to all users, but as you will see later, you can limit defaults to a subset of users.
- The last two lines are rules granting permissions to a user and a group of users.
This blog focuses on how to change the defaults through the example of insults. Configuring sudo looks simple and straightforward, still, you should not edit this file directly, but should instead use the visudo command, which performs syntax checking. If you do not like vi, you can change which editor to use by pointing the
EDITOR environment variable at it.
Before you start editing the sudo configuration, make sure that you know the root password. Yes, even on Ubuntu, where root does not have a password by default, set one before going any further. While visudo checks the syntax, it is easy to create a syntactically correct configuration which locks you out of your system.
When you have a root password at hand in case of emergency, you can start editing your configuration.
You should not expect anything threatening here, just some funny messages when someone mistypes a password, for example:
czanik@linux-mewy:~> sudo ls [sudo] password for root: Hold it up to the light --- not a brain in sight! [sudo] password for root: My pet ferret can type better than you! [sudo] password for root: sudo: 3 incorrect password attempts czanik@linux-mewy:~>
Because not everyone is a fan of sysadmin humor, insults are now disabled by default. Still, I do not have enough fingers to count how many people thanked me for bringing these not so PC messages back…
When it comes to the sudoers file, there is one important thing to remember: it is read from top to bottom, and the last setting wins. What that means for you is that you should start with generic settings and place exceptions at the end. Otherwise, the generic settings will override the exceptions.
The following example shows how to disable insults by default, but enable them for your seasoned sysadmins, who are members of the wheel group:
Defaults !insults Defaults:%wheel insults
What does this mean? The exclamation mark on the first line in front of “insults” disables insults for every user. The second line enables insults for members of the
wheel group. The syntax here is a colon right next to
Defaults, followed by a percent sign and the group name.
The lines are in this order because the last setting always wins. If you put the lines the other way around, then you enable insults for a group but then you override this setting when you disable insults for everyone.
If you have an overly sensitive member in the
wheel group, like
pczanik, where would you put the following line?
The syntax here is similar to what we used for group
wheel, but you do not need the percent sign in front of the user name. And I hope that your answer is that this line will be the last insults-related setting. You can put these three lines anywhere in your sudoers file, as long as they are in the right order.
- Edit /etc/sudoers only if you know the root password
- Sudo processes the rules in /etc/sudoers from top to bottom
- The last rules takes precedence, so place exceptions under the generic settings
Changing who receives insults is just one of the many defaults you can change. For a complete list of defaults, check the manual, currently for sudo 1.8.29. If you use a different version, check the
SUDOERS_OPTIONS section in the sudoers man page on your system.
If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.