...
Allow staff Group to sudo
New Ubuntu and Debian Approach
This approach ensures that system upgrades will not overwrite your changes. From the sudoers man page:
```text
#includedir /etc/sudoers.d
```

> sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in the file names can be used to avoid such problems.
>
> Note that unlike files included via #include, visudo will not edit the files in a #includedir directory unless one of them contains a syntax error. It is still possible to run visudo with the -f flag to edit the files directly.
So rather than editing /etc/sudoers directly, we create a file, 01_bonsai_disable_password_auth, with visudo, which ensures proper permissions and locks the file while it is being edited:
```bash
# Creates the file, locks it while editing, and validates it for syntax errors before saving.
sudo visudo -f /etc/sudoers.d/01_bonsai_disable_password_auth
```
... in process of verifying this works ...
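As an added example (not from the original page), the following POSIX sh helpers apply the #includedir rules quoted from the sudoers man page above: which file names sudo will actually read, the lexical order it reads them in, and a non-interactive syntax check of a fragment with visudo -c -f. All file names used are constructed sample values and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the #includedir rules
# quoted from sudoers(5) above to candidate file names. All file names below
# are constructed sample values.

# Returns 0 if sudo would read this file from /etc/sudoers.d, 1 if it would be
# skipped: names ending in ~ or containing a '.' are ignored (editor backups,
# package-manager leftovers such as *.dpkg-old).
sudoers_d_accepted() {
    case "$1" in
        *~ | *.*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Prints the given names in the order sudo parses them: skipped names dropped,
# the rest sorted lexically (byte order, C locale), not numerically.
sudoers_d_order() {
    for name in "$@"; do
        sudoers_d_accepted "$name" && printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Checks a sudoers fragment without editing or installing it (visudo -c is
# check-only mode, -f names the file). Exit status is visudo's: 0 means it
# parsed OK, so a broken drop-in never reaches /etc/sudoers.d.
check_sudoers_fragment() {
    visudo -c -f "$1"
}

# Demo: the man page's own example names plus two that must be skipped.
sudoers_d_order 10_second 1_whoops 01_first 01_first.bak 01_first~
# prints 01_first, 10_second, 1_whoops: 1_whoops sorts last because '0' < '_'.
```

Run the demo with any sh; check_sudoers_fragment needs sudo's visudo installed and is what a deployment script would call on a generated fragment before copying it into /etc/sudoers.d.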
Older Standard
Use account names associated with a user. For this example, I will be designating administrative users under the staff group. To see the list of groups available to you, use the command cat /etc/group.
...
Additionally, we use the GID range 4000-4999 for clients who would send in staff to work on the servers. Since the number of users with this kind of access should not be too large, we can make the group blocks match the user blocks:
GID | Users (UID) |
---|---|
4000 | RedClient1 = 4000 |
4010 | BlueClient1 = 4010, BlueClient2 = 4011 |
4020 | GreenClient1 = 4020, GreenClient2 = 4021, GreenClient3 = 4022 |
Next, we add the following groups to the staff users:
...