stevepedwards.com/DebianAdmin linux mint IT admin tips info

Setting Sudo Users with Adduser and Visudo in Mint and Raspbian

sudo is a command that lets a permitted user run commands as another user or as the superuser (root), and so with that user's permissions; su, by contrast, switches to the other user's ID outright.

man sudo

DESCRIPTION

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

man su

NAME

su - change user ID or become superuser

man visudo

NAME

visudo — edit the sudoers file

man adduser

NAME

adduser, addgroup - add a user or group to the system

At install, Mint automatically makes the account created by the installer a “sudoer” by putting it in the sudo group, as does Raspbian with its default account “pi”, as seen in each OS's /etc/group file (Mint first, then Raspbian):

cat /etc/group | grep sudo

sudo:x:27:stevee

cat /etc/group | grep sudo

sudo:x:27:pi

You can also see these users' own groups, numbered from 1000 upwards (a user gets a primary group of the same name unless you specify a different one at creation with adduser name --ingroup xxx), by looking at the /etc/group file of each OS and grepping for GIDs of 1000 and above (the pattern 100.: used below only catches 1000 to 1009; grep -E ':[0-9]{4,}:' would catch them all). First Mint:

stevee@AMD ~ $ cat /etc/group | grep 100.:

stevee:x:1000:

then Raspbian:

stevee@piblanc ~ $ cat /etc/group | grep 100.:

pi:x:1000:

indiecity:x:1001:root

stevee:x:1002:

On any Linux system, user and group root are created first and have UID and GID 0:

cat /etc/group | grep root

root:x:0:

Above, pi is the first user account created by default at install, in group 1000; for Mint the first user's name (stevee here) was chosen during install. That first user is added to a whole set of groups. The Mint users-and-groups GUI screenshot that listed stevee's groups is not reproduced here (note that the user's own group stevee was not among those listed, a point returned to at the end); the id output further down shows the same list.

Similar blanket memberships are given to user pi on Raspbian:

cat /etc/group | grep pi

adm:x:4:pi

dialout:x:20:pi

cdrom:x:24:pi

sudo:x:27:pi,stevee,joe,fred

audio:x:29:pi

video:x:44:pi,stevee,motion

plugdev:x:46:pi

games:x:60:pi

users:x:100:pi

pi:x:1000:

netdev:x:106:pi

input:x:999:pi

spi:x:998:pi

i2c:x:997:pi

gpio:x:996:pi

or, using id, for Raspbian and Mint respectively:

id pi
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),106(netdev),999(input),998(spi),997(i2c),996(gpio)

id stevee
uid=1000(stevee) gid=1000(stevee) groups=1000(stevee),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)

Both of these users have root powers via sudo from the start, which is needed to set anything up, including giving the root account itself a password (neither OS sets one by default, so root cannot be logged into directly until you do). Don't forget to do it if you want a directly usable root account:

sudo passwd root

For a user to be a “sudoer” the account, or a group it belongs to, has to be listed in /etc/sudoers (or in a drop-in file under /etc/sudoers.d). Always edit these through visudo, which locks the file, writes your edits to /etc/sudoers.tmp and syntax-checks them before installing, so a typo cannot lock everyone out of root:

sudo visudo


There are subtle differences between the two OSes' files at first.

For both systems, root is all-powerful of course:

# User privilege specification

root ALL=(ALL:ALL) ALL

For Mint, a legacy %admin line still exists, but no group called “admin” does: it was replaced by sudo from Ubuntu 12.04 onwards, so that line matches nobody.

Don't confuse it with the "adm" group, which allows members to read log files. You can get an idea of what a group is for by finding which files it owns, e.g.:

sudo find / -group adm

/var/log/mysql/error.log.3.gz
/var/log/mysql/error.log.5.gz
/var/log/mysql/error.log.2.gz
find: ‘/run/user/1000/gvfs’: Permission denied

Mint's file carries both lines, the dead %admin one and the %sudo one that now does the work, and later Raspbian versions use the sudo group in the same way:

# Members of the admin group may gain root privileges

%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

For Raspbian (this older release put the pi rule straight into /etc/sudoers, as shown; later releases carry the same line in the drop-in file /etc/sudoers.d/010_pi-nopasswd, pulled in by the #includedir directive, so look there if it seems to be missing):

# Allow members of group sudo to execute any command

%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d

pi ALL=(ALL) NOPASSWD: ALL

You see both OSes' sudoers files achieve the same result, the first user account can gain root powers, but by different means.

Mint adds the installer's account to the sudo group, and a password is required to gain root through sudo;

Raspbian gives the default user pi the same sudo group membership, but the extra pi-specific rule with the NOPASSWD tag means no password is asked for (where several rules match, sudo applies the last one, so that line wins over the %sudo rule above it).

This may have been decided by the Raspbian team to give Pi users instant update and admin ability whilst learning, not being stumped by passwords or how to change them.

So no authentication is required when pi, for example, does:

sudo apt-get update

Removing the NO from NOPASSWD (with sudo visudo, never a plain editor) may be the first thing you want to change if the Pi sits anywhere untrusted; the resulting PASSWD: tag is sudo's default and simply makes the rule ask for a password. Once changed, when pi tries an upgrade he gets the one-off sudo lecture and a password prompt (sudo then remembers the authentication for 15 minutes by default, so the prompt does not reappear for every command):

sudo apt-get upgrade

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for pi:

To view the permissions a user gets from /etc/sudoers and its drop-ins (this itself needs root, hence the prompt for stevee's password), e.g.:

sudo -l -U pi

[sudo] password for stevee:
Matching Defaults entries for pi on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on this host:
(ALL : ALL) ALL
(ALL) PASSWD: ALL
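As an added example (not from the original post), here is a small POSIX shell audit of the kind of sudoers rules discussed above: it lists every rule with whether it asks for a password and whether it grants ALL commands, picks out who can become root with no password at all, and shows the NOPASSWD-to-PASSWD change done on a copy so it can be checked before the live file is touched. The sudoers content is a constructed sample modelled on the two files above (the joe line is hypothetical); aliases and host lists are not expanded, so it is a first-pass check, not a replacement for sudo -l.

```shell
#!/bin/sh
# Added example: audit sudoers-format rules for passwordless root, then show
# the NOPASSWD -> PASSWD change done safely on a copy. Not the page's own code.

# Constructed sample modelled on the Mint and Raspbian files shown above.
SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
pi      ALL=(ALL) NOPASSWD: ALL
joe     ALL=(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
EOF

# audit_sudoers FILE... : one line per rule: "who tag scope command"
#   tag   = NOPASSWD | PASSWD    (PASSWD is sudo's default when no tag is given)
#   scope = full-root | restricted (ALL versus a specific command list)
# Comments, #include lines, Defaults and alias definitions are skipped.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        {
            who = $1
            cmd = $0
            # the command list follows the last ")" of the Runas spec,
            # or the "=" when no Runas spec is given
            if (index(cmd, ")")) sub(/^.*\)[ \t]*/, "", cmd)
            else                 sub(/^[^=]*=[ \t]*/, "", cmd)
            sub(/[ \t]+$/, "", cmd)
            tag = (cmd ~ /^NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            sub(/^(NOPASSWD|PASSWD):[ \t]*/, "", cmd)
            scope = (cmd == "ALL") ? "full-root" : "restricted"
            print who, tag, scope, cmd
        }' "$@"
}

# passwordless_root FILE... : users/%groups that get ALL commands with no password
passwordless_root() {
    audit_sudoers "$@" | awk '$2 == "NOPASSWD" && $3 == "full-root" { print $1 }'
}

# require_password FILE : print FILE with every NOPASSWD: tag turned into PASSWD:.
# Write the output to a new file, run "visudo -cf newfile" to syntax-check it,
# and only then install it (mode 0440; a /etc/sudoers.d file name must not
# contain "." or end in "~", or sudo silently ignores it).
require_password() {
    sed 's/NOPASSWD:/PASSWD:/g' "$1"
}

echo "== rules =="
audit_sudoers "$SUDOERS_SAMPLE"
echo "== full root without a password =="
passwordless_root "$SUDOERS_SAMPLE"
echo "== after require_password =="
FIXED=$(mktemp)
require_password "$SUDOERS_SAMPLE" > "$FIXED"
if passwordless_root "$FIXED" | grep -q .; then echo "still passwordless"; else echo "none"; fi
rm -f "$FIXED"
```

On a live system run audit_sudoers /etc/sudoers /etc/sudoers.d/* as root; anything reported as NOPASSWD full-root is an account whose password is no longer protecting root at all.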

So, if you wish to give new users sudo powers, you have different options available, for both systems.

For example, you could add a user to the sudo group in Mint, as your installer did, but that grants exactly the powers you have, which you probably won't want in reality, system requirements depending. Note that --ingroup makes sudo the new user's primary group rather than a supplementary one: the account still matches the %sudo rule, but it will not appear on the sudo line of /etc/group, only in the output of id joe (the reliable way to check a user's groups):

sudo adduser joe --ingroup sudo

Adding user `joe' ...

Or, if user joe already exists, add to existing group sudo by:

sudo adduser joe sudo

Adding user `joe' to group `sudo' ...

Adding user joe to group sudo

Done.

NOTICE here, though, that joe, now in the sudo group, does not need password authentication to run Mint's own update check (a rule Mint ships so that any user can check for updates, as was offered at install), but WILL need to authenticate to install them:

sudo -l -U joe
Matching Defaults entries for joe on dellmint:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User joe may run the following commands on dellmint:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py

Or, if the account exists already, add its name to the sudoers file with sudo visudo, as pi is (the pi line is shown here after its NOPASSWD was changed to PASSWD above):

#includedir /etc/sudoers.d

pi ALL=(ALL) PASSWD: ALL

If a user is not in the sudoers file (directly or through a group) and attempts sudo, a warning is issued, and the attempt is logged through syslog (auth.log on these Debian-based systems), so such attempts are worth watching for:

[sudo] password for fred:

fred is not in the sudoers file. This incident will be reported.

Just adding his name is enough to allow him to gain root through sudo with password authentication:

fred ALL=(ALL) PASSWD: ALL

Notice that he is not added to the sudo group by this sudoers entry alone! Now, though, he can add himself:

cat /etc/group | grep sudo

sudo:x:27:pi,stevee,joe

cat /etc/group | grep fred

fred:x:1004:

sudo adduser fred sudo

Adding user `fred' to group `sudo' ...

Adding user fred to group sudo

Done.

cat /etc/group | grep sudo

sudo:x:27:pi,stevee,joe,fred

The files that visudo edits are, from the man page:

FILES
/etc/sudoers List of who can run what

/etc/sudoers.tmp Lock file for visudo

sudo vi /etc/sudoers.d/README

# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.

For people familiar with Access Control Lists, reading man sudoers shows that /etc/sudoers is exactly that: you can restrict individual users or groups to specific commands only, or leave them wide open as the default sudo members are. Bear in mind that restricting a user to a particular command only helps if that command cannot itself start a shell, run other programs or write arbitrary files; otherwise it is root access by another route.

Re the GUI mentioned earlier, and a user not showing in his own group list: if you create a user with adduser name --ingroup xxx, giving him a primary group that is not named after him, that group will not be apparent in the GUI or by grepping his name out of /etc/group; it shows only as the numeric GID in /etc/passwd (or, resolved to a name, in the output of id name):

sudo adduser bill --ingroup audio
Adding user `bill' ...
Adding new user `bill' (1001) with group `audio' ...

cat /etc/group | grep 100.:
stevee:x:1000:stevee

cat /etc/passwd | grep 100.:
stevee:x:1000:1000:stevee,,,:/home/stevee:/bin/bash
bill:x:1001:29:,,,:/home/bill:/bin/bash
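The two points above, that a user's primary group is recorded only as a GID in /etc/passwd and that adduser --ingroup sudo puts a user in the sudo group without listing him on the sudo line of /etc/group, mean that grepping /etc/group by name is not a reliable check. Here is an added POSIX shell example (not from the original post) that resolves things properly from passwd- and group-format files: it lists the ordinary accounts (UID 1000 and up) with their real primary group name, and tests membership of a group by checking both the primary GID and the supplementary member list, the way id does. The two files are constructed samples mirroring the accounts created in this post; pass /etc/passwd and /etc/group to run it against a live system.

```shell
#!/bin/sh
# Added example: resolve users' primary groups and test group membership
# from passwd/group-format files instead of grepping /etc/group by name.
# Not the page's own code.

# Constructed samples mirroring the accounts created in the post:
# bill was made with "adduser bill --ingroup audio" (primary GID 29),
# joe with "adduser joe --ingroup sudo" (primary GID 27, so he is a sudoer
# without ever appearing on the sudo line of the group file).
PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
stevee:x:1000:1000:stevee,,,:/home/stevee:/bin/bash
bill:x:1001:29:,,,:/home/bill:/bin/bash
joe:x:1003:27:,,,:/home/joe:/bin/bash
fred:x:1004:1004:,,,:/home/fred:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:stevee,fred
audio:x:29:
stevee:x:1000:
fred:x:1004:
nogroup:x:65534:
EOF

# list_humans PASSWD GROUP : "user uid primary-group" for ordinary accounts
# (UID 1000 up to, but excluding, nobody at 65534). The primary group name is
# looked up by GID in GROUP; an unknown GID is printed as the bare number.
list_humans() {
    awk -F: '
        NR == FNR { gname[$3] = $1; next }      # first file (group): gid -> name
        $3 >= 1000 && $3 < 65534 {              # second file (passwd)
            g = ($4 in gname) ? gname[$4] : $4
            print $1, $3, g
        }' "$2" "$1"
}

# in_group USER GROUP PASSWD GROUPFILE : true if USER has GROUP as primary
# group (passwd GID field) or is listed among its supplementary members.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        NR == FNR {                             # first file (group)
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            }
            next
        }
        $1 == u && gid != "" && $4 == gid { found = 1 }   # second file (passwd)
        END { exit !found }' "$4" "$3"
}

echo "== ordinary accounts and their primary groups =="
list_humans "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
echo "== who is in group sudo =="
for u in stevee bill joe fred; do
    if in_group "$u" sudo "$PASSWD_SAMPLE" "$GROUP_SAMPLE"; then
        echo "$u: yes"
    else
        echo "$u: no"
    fi
done
```

joe comes out as a sudo member even though grep sudo on the group file never shows him, which is the trap to remember whenever --ingroup has been used.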
