[SOLVED] sudoer groups question

afora
Level 3
Posts: 164
Joined: Mon Aug 26, 2019 7:35 pm

[SOLVED] sudoer groups question

Post by afora »

I have several machines with different user names set in them. I wanted to set up a NOPASSWD sudoer directive in all of them which would run a daily script as a cron job. Obviously irrespective of their user name (i.e. I don't want to hardcode it on each machine). I add the cron job as a user crontab.

My first inclination is to use one of the existing groups where all those users would belong, in particular %sudo, so the sudoer directive will look like this:

Code:

%sudo ALL = (ALL) NOPASSWD: mysript.sh

However, I note that there's already an existing directive in sudoer file which looks like that:

Code:

%sudo   ALL=(ALL:ALL) ALL

My question is - if I add the former directive underneath the latter one, will I create a problem for my system? The reason I'm asking is that I read online that only the last directive will be executed. If this is not a wise solution, what would you do? Create a group with exactly the same name across all machines? Anything else?

Many thanks!
Last edited by afora on Mon Feb 03, 2020 5:37 pm, edited 1 time in total.

Kadaitcha Man
Level 4
Posts: 453
Joined: Mon Aug 27, 2012 10:17 pm

Re: sudoer groups question

Post by Kadaitcha Man »

afora wrote: (Wed Jan 15, 2020 12:17 am)
> I add the cron job as a user crontab.

Why?

If you create a system cron job it will run as root anyway, so sudo is not needed at all.
It's kad-eye-cha, not kada-itcha.

afora
Level 3
Posts: 164
Joined: Mon Aug 26, 2019 7:35 pm

Re: sudoer groups question

Post by afora »

I need to load the job as a user-owned job, and run that job passwordless prefixing with sudo. More info is here: viewtopic.php?f=90&t=309519.

afora
Level 3
Posts: 164
Joined: Mon Aug 26, 2019 7:35 pm

Re: sudoer groups question

Post by afora »

Bumping up this question, if anyone could share their experience!

rene
Level 14
Posts: 5117
Joined: Sun Mar 27, 2016 6:58 pm

Re: sudoer groups question

Post by rene »

afora wrote: (Wed Jan 15, 2020 12:17 am)
> My question is - if I add the former directive underneath the latter one, will I create a problem for my system?

No, that'll be fine. The standard-present directive allows members of group "sudo" to execute any and all executables through sudo as any and all user (normally, root) provided they authenticate, and the new specific one allows said members to additionally execute "mysript.sh" through sudo as any and all user without having to authenticate. All fine.
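
Added example, not part of any post in this thread: a simplified Python model of how sudo chooses between the two %sudo lines discussed above, where the last matching entry decides whether a password is asked for. It handles only this rule shape, and /usr/local/sbin/daily-job.sh is a hypothetical absolute path standing in for the script, since sudoers command entries are fully qualified file names.

```python
import re

# Simplified model: handles only "%group HOSTS = (RUNAS) [NOPASSWD:] COMMAND"
# lines like the two in this thread, not the full sudoers grammar.
RULE = re.compile(r"^%(?P<group>\S+)\s+[^\s=]+\s*=\s*\([^)]*\)\s*"
                  r"(?P<tag>NOPASSWD:)?\s*(?P<cmd>\S.*)$")

# Constructed sample; /usr/local/sbin/daily-job.sh is a hypothetical path.
SCRIPT = "/usr/local/sbin/daily-job.sh"
GENERAL = "%sudo   ALL=(ALL:ALL) ALL"
SPECIFIC = f"%sudo ALL = (ALL) NOPASSWD: {SCRIPT}"


def parse(lines):
    """Return (group, nopasswd, command) for each rule line, in file order."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((m["group"], m["tag"] is not None, m["cmd"].strip()))
    return rules


def decision(lines, groups, command):
    """'denied', 'password' or 'nopasswd', taken from the LAST matching rule."""
    result = "denied"
    for group, nopasswd, cmd in parse(lines):
        if group in groups and cmd in ("ALL", command):
            result = "nopasswd" if nopasswd else "password"  # later overrides
    return result


def relative_commands(lines):
    """Commands that are neither ALL nor an absolute path."""
    return [cmd for _, _, cmd in parse(lines)
            if cmd != "ALL" and not cmd.startswith("/")]


if __name__ == "__main__":
    print("specific rule last: ", decision([GENERAL, SPECIFIC], {"sudo"}, SCRIPT))
    print("specific rule first:", decision([SPECIFIC, GENERAL], {"sudo"}, SCRIPT))
    print("not absolute:", relative_commands(["%sudo ALL = (ALL) NOPASSWD: mysript.sh"]))
```

With the NOPASSWD line placed above the general %sudo line, the general line becomes the last match and the script still prompts for a password. A real file should be checked with visudo -c before it is relied on.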
