Securely edit the sudo file over the network

visudo
If you follow my other posting regarding "vipw" and "vigr' then no explanation required.It has done the same thing as did with those two command.Open the /etc/sudoers file and attach a lock with it. Once you are done with it ,the lock gets released and the changes reflected to the original file.It will open a tmp file in vi editor to give you the chance to edit the sudoers file securely.visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature). PS: Although I have had experienced myself and few people shown to me that it behaves badly in some distribution ,noteably SLES.But the problem can be rectified with little caution.
Sample Output
# sudoers file.
  2 #
  3 # This file MUST be edited with the 'visudo' command as root.
  4 #
  5 # See the sudoers man page for the details on how to write a sudoers file.
  6 #
  7
  8 # Host alias specification
  9
 10 # User alias specification
 11
 12 # Cmnd alias specification
 13
 14 # Defaults specification
 15
 16 # Prevent environment variables from influencing programs in an
 17 # unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
 18 Defaults always_set_home
 19 Defaults env_reset
 20
 21 Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME     LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
 22 # Comment out the preceding line and uncomment the following one if you need
 23 # to use special input methods. This may allow users to compromise  the root
 24 # account if they are allowed to run commands without authentication.
 25 #Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAM    E LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODU    LE QT_IM_SWITCHER"
 26
 27 # In the default (unconfigured) configuration, sudo asks for the root password.
 28 # This allows use of an ordinary user account for administration of a freshly
 29 # installed system. When configuring sudo, delete the two
 30 # following lines:
 31 #Defaults targetpw   # ask for the password of the target user i.e. root
 32 #ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Once again the output is truncated for security reason

-3
2009-08-29 04:06:11

These Might Interest You

  • If you follow my previous posting regarding "vipw" then no explanation required.The same method goes behind this command also.It will open an tmp file in vi editor to give you the enlisting to edit the group file.And most importantly to attach a lock with it.Once you are done ,the lock is released and the changed reflected to the original file.So you can securely edit the group file over the network without the fear of being tampered . Show Sample Output


    -3
    vigr
    unixbhaskar · 2009-08-29 03:56:07 0
  • Now a bit of explanation required for this command.Once you type the command it opens up an vi editor with an temporary file enlisting the password file information .So if you make an change it will not reflected in the passwd file until you save the file.The reason behind using this command over other way to view the password file in network environment is that it locks the password file when you start working with it.So no one can temper with it during that period.Once you are done(means you save the tmp file) ,it will release the lock associated with it.I think it's a better mechanism to view the sensitive data like passwd file.Never ever use other tool like cat, nano or any other means. Show Sample Output


    -3
    vipw
    unixbhaskar · 2009-08-29 03:46:42 0
  • I had problems in Ubuntu while trying to edit /etc/resolv.conf, even with sudo I couldn't make any change. After a 2 minutes search on google I found this command. Hope someone finds it useful. It works like chmod, with + and - to denote which attributes are being added and which are being removed. See other attributes on man pages or on wikipedia http://en.wikipedia.org/wiki/Chattr


    1
    sudo chattr -i <file that cannot be modified>
    leovailati · 2010-03-25 03:14:34 0
  • Copies file to a temporary location, edit and set to real file's time stamp then copy back. Assumes access to /tmp and has $EDITOR, but can be replaced with better values.


    0
    edit-notime () { FILE=$1; TMP=`mktemp /tmp/file-XXXXXX`; cp -p $FILE $TMP; $EDITOR $TMP; touch -r $FILE $TMP; cp -p $TMP $FILE; rm -f $TMP; }
    jecxjoopenid · 2012-10-31 00:54:19 0

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands



Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: