Sunday, March 9, 2008

sudoers on Mac OS X

In my last post I refer to a lot of commands that require superuser privileges without prefacing them with sudo. That is how I type the commands in.

So how do I do it? I don't login as a user with administrator privileges and I don't use su. I have a separate account with administrator privileges that I don't login to that I use as an unprivileged user in the username and password prompt to perform activities that require superuser privileges.

I used to su to the account with administrative privileges to run sudo commands. Until I educated myself a little bit by "man sudoers".

You should always use visudo to edit the /etc/sudoers file it checks the syntax of the file before committing your changes. Saving you from yourself by preventing you from thinking you have correctly made changes to the /etc/sudoers file when all you have done is locked out all your accounts with administrative privileges from performing any administrative tasks. visudo will notify you of an error and give you a chance to fix the problem or abandon your changes when you exit your editor before it commits your changes. If you decide to fix the problem visudo will relaunch your editor with the changes you made intact. It is up to you to decide whether to try repeatedly to get your syntax right or abandon your changes. I locked myself out of sudo on my Mac years ago by directly updating /etc/sudoers. I think I recovered from it by rebooting or fixing file permissions. Save yourself some time by always use visudo.

There are a couple of command line options to sudo that are very su like but stick to sudo's use your own password metaphor.

The "-s" command line option launches the user's own shell with superuser privileges. There are many options you can set that control what and whether any environment variables are carried over from the user's environment. The environment can also be cleared of certain environment variables and the forced setting of environment variables can be specified. In order to use the "-s" command line option to sudo you have to add the user's shell command to the list of executable programs. Which will usually be /bin/bash.

The "-i" command line option launches the root user's login environment. You can use an option to sudo to switch to a different user. You have to add the root user's shell to the allowed executable programs with the full path, /bin/sh.

By using either of these command line options to sudo you avoid having to repeatedly type sudo before every command. I also avoid having to add my everyday user to the administration group by adding just the commands I need for one liner's like port gem while still having a backdoor to any command through the shell command. There are a couple of installation programs that refuse to work with my setup. But they are easily fixed by logging in to my administration account to install them. The need to do that has become less over time.

No comments: