Hi all,

I wrote an application that for some of its commands requires root privileges.

I understand the best way to do this is by using sudo, and for that I needed to edit /etc/sudoers with visudo.

It all works fine, but here is my question:

What is the best way for an install package to edit /etc/sudoers?

And while we're at it, I have another question.
When I run sudo -l , it required a password. Why?
This is a user that I added myself, and it is in its own group. Does it have anything to do with groups?

Thanks in advance...

Whenever you run sudo, it should ask for a password, that's the whole point unless you configure it to be passwordless for that user.

And everyone tells you to edit with visudo but you can easily edit by just using vi /etc/sudoers or even piping whatever data you want into the file, I've never had problems editing by my own conventional means.

I have been looking at /etc/sudoers, trying to answer this thread:
http://www.linuxquestions.org/questi...d.php?t=508870

To edit this file:
Open a terminal
Become root:Edit the file:
Make changes
Save the changes (these will be saved to /etc/sudoers.tmp)
Exit your editor
Something will parse your /etc/sudoers.tmp file and report any errors. I find this is useful because it gives me a chance to correct bad syntax. (trickykid probably doesn't suffer from bad syntax!)
If there are no errors the .tmp file will be moved to /etc/sudoers

Nope, apparently not. Edited sudoers thousands of times, never got any type of issues with it.

Though, if you do want to include a sudoers as a template of some kind. Edit it using visudo, save the file and use that file as the template, copying out to destination hosts you want such sudoers configured with, that way you get around the bad syntax if you just don't trust yourself.

Thanks trickykid .
But I'm still stuck trying to answer that post I referred to above.
Don't wish to hijack this thread but,I have added
%tredegar myhostname = NOPASSWD: /usr/bin/adept
to my sudoers file to try and make it so that when I run adept, it doesn't ask for a password, but it still does!
What am I doing wrong? (Maybe you could help me answer that thread, or even answer it yourself?!)

Edit: syntax!

The thing is that I read the post as him asking how he can get a program to edit sudoers or gain root access. Wouldn't that be a terribly bad idea?

Good point.
Perhaps we are barking up the wrong tree.
Maybe we should be telling him to make his application executable / writable only by root.
Then he just needs to invoke it with sudo application_name?

You mean like every other application?

If an application can modify root permissions without user intervention then it can probably do anything malicious as well, me smelling virus here or am I terribly wrong?

My first thought was that he was asking for a way to install something as in Windows. But then I realised, if you run with a restricted account, it can't work in Windows either.

Basically, if it's not a virus, it's bad security - no install file should ever affect your sudo file or be able to gain root access unless you, the admin, explicitly and manually allow it.

First of all, yes, having an application that gains root privilege is a bad idea.
I didn't plan to write an application to modify /etc/sudoers, I mean for the install to do that, and you have to be root to install anyway...
Once the install adds this line to /etc/sudoers:
theuser ALL= NOPASSWD: /sbin/myapplication
theuser, and only theuser will be able to run my application.
From what I've read, this is the safest way to do this.

Second, I have used visudo to edit the file successfully, but how would the install do that? Surely we are not going to ask every user to manually edit the file. I'm sure there is a way but I don't know what it is, what is the common solution for this scenario.

Lastly, the man pages for sudo say the following about "sudo -l"
The -l (list) option will list out the allowed (and forbidden) commands for the user on the current host.

I don't believe running sudo with this switch requires root password, otherwise what is the point? And in fact, when I ran this command on a Linux server it didnt require a password, but when I ran it on the machine I am maintaining it did. What is it then?

echo "theuser ALL= NOPASSWD: /sbin/myapplication" >> /etc/sudoers

Or like I said before, create your base template sudoers file and have the installer copy that from a remote source, or include with your media if you want.

And when specifying a single user, you don't need the % in front.

Of course, a simple solution. Thanks!