In a nutshell: Add permissions with configuration files in /etc/sudoers.d

I have been trying to set default permissions for my own user on my machine ((K)Ubuntu 11.10), in order to set up automation scripts for, e.g., mounting filesystems at logon, changing permissions, etc. After looking around, I found very useful posts like this one and this other, and I decided to put my conclusions in the following short list:

  • You need to use sudo visudo to edit the base sudoers file.
  • If you run sudo visudo you may notice there is a line that reads #includedir /etc/sudoers.d. Never mind the # character; this line is enabled, not commented out as one may unsuspectingly assume. Just don’t touch it.
  • To create a new set of permissions, follow these steps:
  1. Create a configuration file somewhere outside the /etc/sudoers.d directory. Don’t name it with ‘~’ characters or periods (‘.’). Example:
$ nano mount_conf
  2. Fill it with the settings you will use. This thread gives a nice introduction to writing these settings. Example:
# Enable me to mount/umount simply
# Replace your_machine_name with your host name; you can get it by running cat /etc/hostname
Host_Alias HOST = your_machine_name

Cmnd_Alias MOUNT    = /bin/mount,/bin/umount
Cmnd_Alias FILEPERM = /bin/chown

# User specification that uses the aliases (reconstructed from the sudo -l output in step 4; replace luis with your user name)
luis HOST = (root) NOPASSWD: MOUNT, (root) FILEPERM

  3. Save it, then prepare it and move it into the /etc/sudoers.d directory:
$ sudo chown root:root mount_conf
$ sudo chmod 0440 mount_conf
$ sudo mv mount_conf /etc/sudoers.d/
  4. Check that everything went fine by running sudo -l. Example output:
$ sudo -l
Matching Defaults entries for luis on this host:

User luis may run the following commands on this host:
 (root) NOPASSWD: /bin/mount, /bin/umount, (root) /bin/chown

Hopefully you’ll be able to mount and umount filesystems, and also change ownership of files, if you follow the example. You will still need to prepend sudo to the invocation of the command, but then it won’t ask for your password.
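
The steps above can be scripted so that the file is syntax-checked before it reaches /etc/sudoers.d and rolled back if the full configuration stops parsing. This is an added example, not code from the original post; the function names are hypothetical, it assumes GNU stat and install as shipped on Ubuntu, and install_dropin must be run as root.

```bash
#!/usr/bin/env bash
# Added example: validate a sudoers drop-in before installing it.
# Function names are hypothetical; assumes GNU stat/install (Ubuntu).

# The post's naming rule: no '~' and no '.' in the file name
# (sudo skips drop-ins whose names end in '~' or contain '.').
dropin_name_ok() {
    case "$1" in
        ""|*.*|*~*) return 1 ;;
        *) return 0 ;;
    esac
}

# The mode the post sets with chmod: 0440.
dropin_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "440" ]
}

# install_dropin SRC [DEST_DIR]   (run as root)
install_dropin() {
    dropin_src=$1
    dropin_dir=${2:-/etc/sudoers.d}
    dropin_name=$(basename "$dropin_src")
    dropin_dest=$dropin_dir/$dropin_name

    dropin_name_ok "$dropin_name" || { echo "rejected name: $dropin_name" >&2; return 1; }

    # Syntax-check the staged copy while it cannot yet affect sudo.
    visudo -cf "$dropin_src" || { echo "syntax check failed: $dropin_src" >&2; return 1; }

    # Copy with owner root:root and mode 0440 in a single step.
    install -o root -g root -m 0440 "$dropin_src" "$dropin_dest" || return 1
    dropin_mode_ok "$dropin_dest" || { rm -f "$dropin_dest"; return 1; }

    # Re-check the complete configuration; roll back if it no longer parses.
    visudo -c || { rm -f "$dropin_dest"; return 1; }
}
```

The aliases in the post allow /bin/mount, /bin/umount and /bin/chown with any arguments; listing the exact command lines the automation needs in each Cmnd_Alias keeps the NOPASSWD grant narrow.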


4 thoughts on “In a nutshell: Add permissions with configuration files in /etc/sudoers.d”

  1. Thanks for sharing. I thought that the files in sudoers.d were created using commands, not by creating the file manually.

  2. For me it worked very well with the command
    sudo visudo -f /etc/sudoers.d/mount_conf

    The file is directly created with the correct access rights. Additionally, and more importantly, the file content is checked. If there is a syntax error in the file after saving, it asks what to do:

    >>> /etc/sudoers.d/mount_conf: syntax error near line 3 <<<
    What now?
    Options are:
    (e)dit sudoers file again
    e(x)it without saving changes to sudoers file
    (Q)uit and save changes to sudoers file (DANGER!)

    I am using Ubuntu 14.04

  3. Adding anything to sudoers.d is just too dangerous to be worth it. You make one typo and don’t notice, you are SCREWED! You’ve been warned.
