Visudo_wheelgroup or drop-in file

hahahahahaha “ooooooohhhhhh” I said to myself.

Well, thank you for coming back and making what wasn’t clear to me clear @dalto.

But the difference is that I am still able to edit with visudo on vanilla Arch and it does still work, but I wasn’t able to on EnOS.

Anyway, cheers, thanks for that. I’ll defo get updated on it.

Yes, extremely happy to be here! Of course I’ll mention about using an Arch system.

Last point I’ll add: obviously it wasn’t just that. There were a number of things going wrong and hours passing by without being able to deal with simple things.

Of course if I had just come on here and asked all my questions they were all simple fixes. But I didn’t want to, especially thinking I should have known, etc.

lol it just clicked again. When I was reinstalling I got annoyed thinking: why is it, when I’m root and open up sudoers with visudo, that it’s read only? lol I did ls -la then just changed the permissions.

wiki says:

The configuration file for sudo is /etc/sudoers. It should always be edited with the visudo(8) command. visudo locks the sudoers file, saves edits to a temporary file, and checks it for syntax errors before copying it to /etc/sudoers.

Warning:

  • It is imperative that sudoers be free of syntax errors! Any error makes sudo unusable. Always edit it with visudo to prevent errors.
  • visudo(8) warns that configuring visudo to honor the user environment variables for their editor of choice may be a security hole, since it allows the user with visudo privileges to run arbitrary commands as root without logging simply by setting that variable to something else.

The default editor for visudo is vi. The sudo package is compiled with --with-env-editor and honors the use of the SUDO_EDITOR, VISUAL and EDITOR variables. EDITOR is not used when VISUAL is set.

To establish nano as the visudo editor for the duration of the current shell session, export EDITOR=nano; to use a different editor just once simply set the variable before calling visudo:

EDITOR=nano visudo

Alternatively you may edit a copy of the /etc/sudoers file and check it using visudo -c /copy/of/sudoers. This might come in handy in case you want to circumvent locking the file with visudo.

So we can still use visudo @dalto

lol I’m still a bit confused really; I don’t know why I needed to change the permissions for root to be able to write to sudoers, lol, and the permissions have changed back to read only for root on their own. But my changes, i.e. my user can still use sudo without a password.

Can leave it at that though; I think I need to understand what you were talking about when you mentioned

drop-ins

Well, what are you trying to achieve?
If it’s a command running in group wheel you can use
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
otherwise, you have to find out what group it is and
then add yourself to that group.

It isn’t a question of “can you”. It is a question of “should you”.

Using drop-ins instead of changing sudoers.conf has a bunch of advantages:

  • It makes it really easy to see what you have changed and copy your changes to a new machine
  • It means you don’t have to worry about getting pacnew files and manually merging changes
  • It means upstream changes that aren’t in things you are customizing will automatically come in without breaking your changes

@dalto I gotta ask these two questions, bit stumped.

I’ve just reinstalled Arch again. As soon as I install sudo and run ls -la /etc/sudoers, the output is: -r--r----- root root 4243 /etc/sudoers

wiki says:

The file permissions must be set to 0440

and if needed run:

chown -c root:root /etc/sudoers

chmod -c 0440 /etc/sudoers

Q1. Is 4243 okay? I tried running the chmod above but no change. Still 4243.

Q2. I couldn’t find anything about drop-ins could you give a simple explanation or link?

I know I need to learn permissions properly. In the past I’ve just looked up the particular one I needed when I needed it.

I just tried and I am able to edit the sudoers file with visudo even though the permissions say read only for root.

It would be good to know if that is the correct way or the wrong way to edit, i.e. with visudo and without changing permissions, and if 4241 is okay, as that’s what it is now after the change I just made.

lol Or maybe I should reinstall EnOS without the EnOS packages

That isn’t the issue, I know how to edit the sudoers file.

But from what I understand there’s been a change and new recommended way it should be done.

also permissions to sudoers are read only for root and no permissions for anyone else.

I don’t understand when it says on the wiki “The file permissions must be set to 0440” and when you install sudo they’re set to 4243 and it won’t let me change it to 0440.

Obviously missing something lol, that’s why I asked.

4243 is the file size. The permissions are -r--r----- which is 0440.

You should never have to change the permissions on the sudoers file.

You would still get the sudo change but it is trivial to change.

Drop-ins are simply files in /etc/sudoers.d/

You put a file in that directory that ends in .conf and contains only the lines you want to change.

So greatly appreciated @dalto!

I do know about the three groups: first digit l symlink, d for directory, - for file I think. And then owner, group and other represented by the 3 digits.

lol I got secondary level maths when I was 39 so kinda just stayed away from the number way of doing it. I think 7 is all permissions. I know it isn’t complicated. lol will do it.

Issue is I started installing Arch with basically zero IT knowledge, and a few days after I learnt cd to navigate in the terminal. Got gaps in all my knowledge.

I don’t think they can end in .conf, unless the period is removed.

https://man.archlinux.org/man/sudoers.5.en

includedir /etc/sudoers.d

sudo will suspend processing of the current file and read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.

No problem to leave off the extension altogether; the file can be named anything you wish as long as it does not have ‘~’ or ‘.’ in it.

Filling the gaps takes time! :wink:

You’re telling me lol. Yeah man.

@BluishHumility Thank you very much for the expansion.

So if I understand it correctly, I’d just create a vim file with the same syntax as the sudoers with my user’s name and add it to the pacman.d directory with no file extension and it’ll automatically get added to the sudoers file.

Yeah yeah yeah, lol sorry, just tired. Didn’t bother to check and thought I’d wing it. lol, very badly.

Yeah that’s all good, understood. Thank you very much everybody!

It’s just a file, you can use Vim or Nano or any editor you like. You don’t even really need an editor, you can just toss the line in there with tee or something.

echo "%wheel ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/nopassword

lol you can but I can’t. You know, I counted the number of commands I know and it’s around 270.

hahaha tee isn’t one of them.

it will be in due time.

Hi @BluishHumility hope you’re well today,

For the last 3 hrs I’ve been trying, lol, my level best to create two drop-in files: one for logind and the other for sudoers. For logind I just want to be able to press the power button and put my computer to sleep (save electricity and that). As I’ve already edited the sudoers with visudo, allowing my user, who’s in the wheel group, to use sudo without a password, I’ve been trying to comment that out but no joy lol.

I’ve done my best to read the relevant manual pages but tbh too much of it is blatantly just well over my head.

for logind I did:

sudo mkdir logind.conf.d

whilst I was in systemd directory

Then with vim I made a file named it

powerbutton_suspend

and put this in it:

[unit]
HandlePowerKey=suspend

-rw-r--r-- 1 root root 30 Apr 29 06:28 .powerbutton_suspend.conf

Rebooted etc., didn’t work. Read around for ages. I did find, I think in the man pages, that the file will be parsed but needs to be a . file. Tried that, rebooted and still didn’t work. Tried different edits, e.g. without the [unit] part. Tried with and without the .conf ext as I think I saw in the wiki that drop-ins should have the .conf ext. lol Thought of Dalto and probably why he said that.

With the sudoers there was already a sudoers.d, so with vim I created a file comment_wheel and inserted:

# %wheel ALL=(ALL:ALL) ALL NOPASSWORD: ALL

Checked cat sudoers after reboot and ran sudo ls but no changes.

-rw-r--r-- 1 root root 43 Apr 29 07:34 comment_wheel

Honestly would really like to know what I’m missing here. lol I know it’s easy once you know, but it just isn’t easy until then.

You added a commented line, so it is being ignored.

Remove the # at the start of the line:

%wheel ALL=(ALL:ALL) ALL NOPASSWORD: ALL
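The drop-in recipe spread over the last few posts (the file-name rule from the sudoers(5) quote, the tee one-liner, and the comment_wheel attempt) pulled together as an added shell example. This is my code, not anything posted in the thread. Two details it enforces that the posts above do not spell out: the tag is spelled NOPASSWD and sits directly in front of the command list (%wheel ALL=(ALL:ALL) NOPASSWD: ALL), and a candidate file is syntax-checked with visudo -c -f before it is installed, because a parse error in a file under /etc/sudoers.d makes sudo refuse to run just as a broken /etc/sudoers does. The function names and the directory argument are my own; the directory is a parameter only so the functions can be tried in a scratch directory without root.

```shell
#!/bin/sh
# Added example, not code from the thread: install a sudoers drop-in safely.
# Rules enforced (from sudoers(5) and the Arch wiki text quoted above):
#   1. @includedir skips names containing '.' or ending in '~', so the
#      name may not contain either (no .conf suffix in this directory);
#   2. the file is created with mode 0440, the same as /etc/sudoers
#      (root:root when run as root);
#   3. the candidate is parsed with `visudo -c -f` BEFORE it is installed,
#      because a parse error in any included file makes sudo refuse to run.
#
# Usage as root:
#   add_sudoers_dropin /etc/sudoers.d wheel-nopasswd '%wheel ALL=(ALL:ALL) NOPASSWD: ALL'
# (NOPASSWD: ALL for a whole group means anything running as one of those
#  users can become root silently; dalto's "should you" point above.)
# The directory is a parameter (my choice, not anything sudo requires) so
# the functions can be tried in a scratch directory without root.

# Return 0 if NAME is a file name that @includedir will actually read.
sudoers_dropin_name_ok() {
    case "$1" in
        ''|*/*) return 1 ;;   # empty, or not a bare file name
        *.*|*~) return 1 ;;   # ignored by @includedir (sudoers(5))
    esac
    return 0
}

# Syntax-check FILE with visudo. If visudo is not installed (a machine
# without sudo) the check is skipped with a warning and 0 is returned.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        echo "warning: visudo not found, $1 was not syntax-checked" >&2
        return 0
    fi
}

# add_sudoers_dropin DIR NAME CONTENT
# Write CONTENT (one or more sudoers lines) to DIR/NAME with mode 0440,
# but only if the name rule and the syntax check both pass. Nothing is
# installed on failure, so a half-written drop-in never reaches sudo.
add_sudoers_dropin() {
    dir=$1 name=$2 content=$3
    if ! sudoers_dropin_name_ok "$name"; then
        echo "error: '$name' would be ignored by @includedir (no '.' or '~' allowed)" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$content" > "$tmp"
    if ! sudoers_syntax_ok "$tmp"; then
        echo "error: syntax error in drop-in, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # install(1) creates the destination with the final mode in one step,
    # so the file is never momentarily readable by other users.
    install -m 0440 "$tmp" "$dir/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Two related checks worth knowing: visudo -f /etc/sudoers.d/NAME opens a drop-in with the same locking and syntax check visudo gives the main file, and plain visudo -c checks /etc/sudoers together with every file it includes. On the "comment it out" idea: a drop-in cannot delete a line from /etc/sudoers, and a commented line matches nothing. What a drop-in can do is override, because @includedir /etc/sudoers.d is the last line of the stock file and sudoers applies the last matching entry: a drop-in containing %wheel ALL=(ALL:ALL) ALL is matched after the NOPASSWD line in the main file and wins, so wheel members are prompted for a password again.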

Hi @Stagger_Lee hope you’re well,

This is my sudoers file atm which I had edited with visudo:

sudo cat sudoers
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias	WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias	ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# 			    /usr/bin/pkill, /usr/bin/top
#
# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
#
# Cmnd_Alias	DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \
# 			    /usr/bin/truss, /usr/bin/bpftrace, \
# 			    /usr/bin/dtrace, /usr/bin/dtruss
#
# Cmnd_Alias	PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
# 			 /usr/bin/yum, /usr/bin/dnf,  /usr/bin/zypper, \
# 			 /usr/bin/pacman

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods.  Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
# Defaults !use_pty
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
## Uncomment to disable intercept and log_subcmds for debuggers and
## tracers.  Otherwise, anything that uses ptrace(2) will be unable
## to run under sudo if intercept_type is set to "trace".
# Defaults!DEBUGGERS !intercept, !log_subcmds
##
## Uncomment to disable intercept and log_subcmds for package managers.
## Some package scripts run a huge number of commands, which is made
## slower by these options and also can clutter up the logs.
# Defaults!PKGMAN !intercept, !log_subcmds

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo	ALL=(ALL:ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

I added the commented line because I wanted to remove the privileges.

From what I’ve gathered, if it’s possible it’s best practice not to edit the config file directly, especially if there’s a drop-in directory. So I must be able to give and take away access rights, lol, right?

Just not quite sure on the how yet.

I’m assuming (as Dalto mentioned) that by adding a drop-in file to the *.d directory, for the changes there will be no .pacsave or .pacnew files for that program.

hahaha I swear this is something I gotta learn like properly.

So you edited the sudoers file directly to grant these privileges, and now you want to use a drop-in file to negate the direct edits you made to sudoers?

I’m not really understanding your logic here, so I’ll just say “good luck” and now I’ll go back to bed. Good luck!

lol sleep well @Stagger_Lee zzzzz.

The discussion isn’t about rational or logical thinking. It’s about learning conceptual Linux features/tasks.

I don’t really want to remove the access rights of members of the wheel group; if I did and couldn’t work this out then I’d use visudo to get the job done. But I do want to learn how to do this so that, moving forwards, where possible I can create drop-ins instead of editing files directly and then dealing with the .pac files later.

In regards to the drop-in file for logind, I do really want that feature and would like to be able to get it by creating a drop-in file for it.
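Since the thread ends with the logind drop-in still not working, here is an added shell example (mine, not from any post) of what that drop-in has to look like. It follows the opposite naming rule from /etc/sudoers.d, which is where the .conf confusion above comes from: logind reads /etc/systemd/logind.conf.d/*.conf, so the name must end in .conf (and a name starting with a dot is skipped as a hidden file), and the setting goes under the [Login] section header that /etc/systemd/logind.conf itself uses, not [unit]. The function names and directory arguments are my own; the third function emulates systemd's documented merge order (main file first, then drop-ins in lexicographic order, last assignment wins) for a single directory, so the result can be checked without restarting anything.

```shell
#!/bin/sh
# Added example, not code from the thread: a logind drop-in that maps the
# power button to suspend. This directory follows the opposite naming rule
# from /etc/sudoers.d: logind reads /etc/systemd/logind.conf.d/*.conf, so
# the name MUST end in .conf (a name starting with '.' is skipped as a
# hidden file), and the setting goes under [Login], the section header
# /etc/systemd/logind.conf itself uses, not [unit].
#
# Usage as root:
#   write_logind_dropin /etc/systemd/logind.conf.d powerbutton-suspend HandlePowerKey suspend
#   systemd-analyze cat-config systemd/logind.conf   # show the merged config
#   systemctl restart systemd-logind                 # or reboot, to apply it
# The directory arguments are parameters (my choice) so the functions can be
# tried in a scratch directory without root.

# A drop-in is read only if it is a bare, non-hidden file name ending in .conf.
logind_dropin_name_ok() {
    case "$1" in
        */*|.*)  return 1 ;;
        ?*.conf) return 0 ;;
        *)       return 1 ;;
    esac
}

# write_logind_dropin DIR NAME KEY VALUE
# Write "[Login]" + "KEY=VALUE" to DIR/NAME.conf, adding the suffix so the
# caller cannot leave it off (a trailing .conf on NAME is not doubled).
write_logind_dropin() {
    dir=$1 name=${2%.conf} key=$3 value=$4
    logind_dropin_name_ok "$name.conf" || return 1
    mkdir -p "$dir" || return 1
    printf '[Login]\n%s=%s\n' "$key" "$value" > "$dir/$name.conf"
}

# logind_effective_value MAINFILE DIR KEY
# Emulate systemd's documented merge order for one directory: the main file
# is read first, then DIR/*.conf in lexicographic order, and for a
# single-valued key the last assignment wins. Only the [Login] section
# counts, and lines commented with '#' (the defaults shown in logind.conf)
# are ignored. The real daemon also looks in /usr/lib and /run; that is
# left out here.
logind_effective_value() {
    main=$1 dir=$2 key=$3 result=''
    for f in "$main" "$dir"/*.conf; do
        [ -f "$f" ] || continue
        in_login=0
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                \[Login\]) in_login=1 ;;
                \[*\])     in_login=0 ;;
                "$key="*)  if [ "$in_login" = 1 ]; then result=${line#"$key="}; fi ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$result"
}
```

The same override rule is what makes a later drop-in beat an earlier one: a file named zz-something.conf setting HandlePowerKey wins over powerbutton-suspend.conf, so when a setting does not seem to take, systemd-analyze cat-config is the quickest way to see which file had the last word.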