How to edit /etc/sudoers from a script?

I need to edit /etc/sudoers from a script to add / remove material from whitelists.

Assuming I have a command that will work with a regular file, how can I apply it to /etc/sudoers ?

Can I copy and modify it and then replace the visudo original with a modified copy? By providing your own script in $EDITOR ?

Or can I just use the same locks and cp ?

The question is more about potential problems than about finding something that works.

+88
linux shell sudo
Nov 27 '08 at 14:47
12 answers

Old thread, but what about:

 echo 'foobar ALL=(ALL:ALL) ALL' | sudo EDITOR='tee -a' visudo 
+106
Feb 07 '15 at 13:43 on

Use visudo for this with a special editor. This solves all the race conditions and hack problems with Brian's solution.

    #!/bin/sh
    if [ -z "$1" ]; then
      echo "Starting up visudo with this script as first parameter"
      export EDITOR=$0 && sudo -E visudo
    else
      echo "Changing sudoers"
      echo "# Dummy change to sudoers" >> "$1"
    fi

This script will add the line "# Dummy change to sudoers" to the end of sudoers. No hacks and race conditions.

An annotated version that explains how this works:

    if [ -z "$1" ]; then
      # When you run the script, you will run this block since $1 is empty.
      echo "Starting up visudo with this script as first parameter"

      # We first set this script as the EDITOR and then start visudo.
      # Visudo will now start and use THIS SCRIPT as its editor
      export EDITOR=$0 && sudo -E visudo
    else
      # When visudo starts this script, it will provide the name of the sudoers
      # file as the first parameter and $1 will be non-empty. Because of that,
      # visudo will run this block.
      echo "Changing sudoers"

      # We change the sudoers file and then exit
      echo "# Dummy change to sudoers" >> "$1"
    fi
+42
Sep 14 '10 at 7:13

You must make your changes to the temporary file, then use visudo -c -f sudoers.temp to confirm that the changes are valid and then copy it on top of /etc/sudoers

    #!/bin/sh
    if [ -f "/etc/sudoers.tmp" ]; then
        exit 1
    fi
    touch /etc/sudoers.tmp
    edit_sudoers /tmp/sudoers.new
    visudo -c -f /tmp/sudoers.new
    if [ "$?" -eq "0" ]; then
        cp /tmp/sudoers.new /etc/sudoers
    fi
    rm /etc/sudoers.tmp
+29
Nov 27 '08 at 15:15

In Debian and its derivatives, you can insert a custom script into the /etc/sudoers.d/ directory with 0440 permissions - for more information see /etc/sudoers.d/README .

This can help.

+12
Jul 31 '13 at 8:54

visudo should be the human interface for editing /etc/sudoers . You can achieve the same by replacing the file directly, but you must take care of parallel editing and parsing. Note the permissions r--r----- .

+8
Nov 27 '08 at 15:17

Set up your own editor. Basically it will be a script that takes a file name (in this case /etc/sudoers.tmp) and modifies and saves it in place. That way you can simply write to this file. When you are done, exit the script and visudo will take care of changing the actual sudoers file for you.

 sudo EDITOR=/path/to/my_dummy_editor.sh visudo 
+5
Nov 27 '08 at 15:22
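The custom-editor approach from the answers above, extended to idempotent add and remove of one whitelist line. This is an added example, not code from any poster; the names apply_sudoers_edit, SUDOERS_ACTION and SUDOERS_LINE are hypothetical.

```shell
#!/bin/sh
# Added example: a non-interactive "editor" for visudo. visudo hands the editor
# the path of its temporary copy; we change that copy in place and visudo
# validates the result before installing it.
# Usage (as root, script saved as an executable file):
#   SUDOERS_ACTION=add SUDOERS_LINE='alice ALL=(ALL:ALL) ALL' EDITOR=/path/to/this-script visudo

# apply_sudoers_edit FILE add|remove LINE   (hypothetical helper)
# Idempotent: adding twice leaves one copy, removing an absent line is a no-op.
apply_sudoers_edit() {
    file=$1 action=$2 line=$3
    case $action in
        add)
            # -F fixed string, -x whole-line match: append only if missing
            grep -Fxq -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
            ;;
        remove)
            tmp=$(mktemp) || return 1
            # grep -v exits 1 when no lines remain; that is not an error here
            grep -Fxv -- "$line" "$file" > "$tmp" || [ $? -eq 1 ] ||
                { rm -f "$tmp"; return 1; }
            # Rewrite the same file rather than replacing it, so its owner and
            # mode are kept and visudo re-reads the path it passed in.
            cat "$tmp" > "$file"
            rm -f "$tmp"
            ;;
        *)
            echo "unknown action: $action" >&2
            return 2
            ;;
    esac
}

# Editor mode: only active when SUDOERS_ACTION is set. The file is taken as
# the last argument in case other arguments precede it.
if [ -n "${SUDOERS_ACTION:-}" ] && [ $# -ge 1 ]; then
    for last; do :; done
    apply_sudoers_edit "$last" "$SUDOERS_ACTION" "${SUDOERS_LINE:-}"
fi
```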

If your sudo allows you to add entries to /etc/sudoers.d , then you can use this answer by @dragon788:

https://superuser.com/a/1027257/26022

Usually you use visudo to check the file before copying it to /etc/sudoers.d , so you can be sure that you are not violating sudo .

 visudo -c -q -f filename 

This checks it and returns success (0) if it is valid, so you can use it with if , && and other logical operations of the script. After checking, just copy it to /etc/sudoers.d and it should work. Make sure that it belongs to the root user and is not writable by other users.

+5
Apr 22 '16 at 13:47

To add an additional option to the answers above, if the race condition is not a serious problem, then you can use the following command to avoid manually copying the modified file to /etc/sudoers

 sudo EDITOR="cp /tmp/sudoers.new" visudo 

This ensures that the new file is checked and installed correctly with the updated permissions.

Please note that if there is an error in the /tmp/sudoers.new file, then visudo will ask for user input, so it is recommended that you first check it with visudo -c -f /tmp/sudoers.new .

+2
May 29 '13 at 17:16

I think the simplest solution is:

Create the addsudoers.sh script

    #!/bin/sh
    while [ -n "$1" ]; do
        echo "$1 ALL=(ALL:ALL) ALL" >> /etc/sudoers
        shift # shift all parameters
    done

and call with the users you want to add as:

 root prompt> ./addsudoers.sh user1 user2 

See the full explanation in this answer: Adding users to sudoers using a shell script

Respectfully!

+1
Mar 07 '14 at 0:29

Try to echo it. However, you must run it in a subshell. Example:

sudo sh -c "echo \"group ALL=(user) NOPASSWD: ALL\" >> /etc/sudoers"

0
Jun 18 '14 at 17:50

Lots of answers, I worked with sudo for yonks, but still did not need to automate the installation configuration. I used a combination of some of the answers above, writing my configuration line in /etc/sudoers.d include location so that I did not need to change the main sudoers file, then checked this file for syntax, a simple example below:

Write your line in the sudoers include file:

sudo bash -c 'echo "your_user ALL = (ALL) NOPASSWD: ALL" >> /etc/sudoers.d/99_sudo_include_file'

Make sure your include file passes visudo syntax validation

sudo visudo -cf /etc/sudoers.d/99_sudo_include_file

0
Jan 22 '19 at 13:51
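The validate-then-install flow described in the /etc/sudoers.d answers above (check with visudo -c -q -f, then put the file in place owned by root with mode 0440), as an added example that is not from any poster. The names install_sudoers_fragment, SUDOERS_DIR and SUDOERS_CHECK are hypothetical.

```shell
#!/bin/sh
# Added example: install a drop-in under /etc/sudoers.d only after it passes
# visudo's syntax check, so a bad rule never reaches the live configuration.
SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}
SUDOERS_CHECK=${SUDOERS_CHECK:-visudo}   # overridable so the logic can be tested

# usage: install_sudoers_fragment NAME < rules
# returns: 0 installed, 1 bad name, 2 failed validation, 3 I/O error
install_sudoers_fragment() {
    name=$1
    # sudo skips sudoers.d files whose names contain '.' or end in '~',
    # so such a name would install a rule that silently never applies.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad fragment name: $name" >&2; return 1 ;;
    esac
    # Stage inside the target directory: mktemp creates the file 0600 with an
    # unpredictable name, the '.' in that name keeps sudo from reading it, and
    # the final mv is a same-filesystem rename, so no partial file is ever live.
    tmp=$(mktemp "$SUDOERS_DIR/.tmp-XXXXXX") || return 3
    cat > "$tmp" || { rm -f "$tmp"; return 3; }
    if ! "$SUDOERS_CHECK" -c -q -f "$tmp"; then
        echo "validation failed; $SUDOERS_DIR/$name left untouched" >&2
        rm -f "$tmp"
        return 2
    fi
    # Owned by root (chown is only possible when running as root), mode 0440.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$tmp" || { rm -f "$tmp"; return 3; }
    fi
    chmod 0440 "$tmp" && mv -f "$tmp" "$SUDOERS_DIR/$name" ||
        { rm -f "$tmp"; return 3; }
}
```

Run as root, for example: printf '%s\n' 'your_user ALL=(ALL) NOPASSWD: ALL' | install_sudoers_fragment 99_sudo_include_file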

It worked for me based on what others posted here. When I used other people's scripts, it would open visudo for me, but would not do the editing. This made an edit that I had to allow all users, including standard users, to install java 7u17 for safari / firefox.

    #!/usr/bin/env bash
    rm /etc/sudoers.new
    cp /etc/sudoers /etc/sudoers.new
    echo "%everyone ALL = NOPASSWD: /usr/sbin/installer -pkg /Volumes/Java 7 Update 17/Java 7 Update 17.pkg -target /" >> /etc/sudoers.new
    cp /etc/sudoers.new /etc/sudoers

This added %all blah blah blah to the bottom of the sudoers file. I had to run the script as follows.

 sudo sh sudoersedit.sh 

Good luck :D

-1
Mar 13 '13 at 21:41