sudo

Overview:

  • visudo
  • advise not changing sudoers file, in favor of config files in /etc/sudoers.d
  • files in /etc/sudoers.d are processed in lexical sort order
  • visudo -f /etc/sudoers.d/some-config-file
  • sudoers system seems to find first entry that “matches” selection criteria

secure_path

  • default secure_path doesn’t include /usr/local/bin, forcing commands to go into /usr/bin, which you may not want to do; two ways around it:
    • modify the path
    • disable the feature

env_reset
If set, sudo will run the command in a minimal environment containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
USERNAME and SUDO_* variables. Any variables in the caller’s environment that match the env_keep and env_check lists
are then added, followed by any variables present in the file specified by the env_file option (if any). The default
contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If the
secure_path option is set, its value will be used for the PATH environment variable. This flag is on by default.

secure_path
Path used for every command run from sudo. If you don’t trust the people running sudo to have a sane PATH environment variable you may want to use this. Another use is if you want to have the “root path” be separate from the “user path”.

Users in the group specified by the exempt_group option are not affected by secure_path.
This option is not set by default.

However, the CentOS 7 dist does set it by default:
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

This, in a file in /etc/sudoers.d, does not work to unset the secure_path set in /etc/sudoers:

Defaults    secure_path = /bin

So, it can only be disabled by modifying /etc/sudoers:

# Defaults    secure_path = /bin

Nope, looks like the secure_path is hardcoded
==> use the -(i)nteractive login option, e.g. sudo -i which remote-chrome


sudoers documentation

visudo options

visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the “What now?” prompt.

At this point the user may enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving the changes, or ‘Q’ to quit and save changes. The ‘Q’ option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed.

If ‘e’ is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).

The options are as follows:

-c Enable check-only mode. The existing sudoers file will be checked for syntax errors, owner and mode. A message will be
printed to the standard output describing the status of sudoers unless the -q option was specified. If the check completes
successfully, visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1.

-f sudoers Specify an alternate sudoers file location. With this option visudo will edit (or check) the sudoers file of your choice,
instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with “.tmp” appended to it. In
check-only mode only, the argument to -f may be ‘-’, indicating that sudoers will be read from the standard input.

-h The -h (help) option causes visudo to print a short help message to the standard output and exit.

-q Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when combined with
the -c option.

-s Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse
error. Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of
uppercase letters, digits, and the underscore (‘_’) character.

-V The -V (version) option causes visudo to print its version number and exit.
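Added example (not part of these notes or of the sudo project): the drop-in workflow from the secure_path notes above, done the way the visudo -c and -f options allow, i.e. render a /etc/sudoers.d fragment that puts /usr/local/bin into secure_path, syntax-check it with visudo before it is installed, and install it with the mode sudo expects. The fragment name 50-secure-path, the PATH value and the SUDOERS_D variable are constructed for illustration; the name rule it enforces (sudo’s #includedir skips names ending in “~” or containing a “.”) comes from the sudoers manual, not from this page.

```shell
#!/bin/sh
# Added example: stage a /etc/sudoers.d drop-in that sets secure_path,
# check it with visudo, then install it. Names and paths are constructed.
set -eu

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# Render the drop-in. The argument is the colon-separated PATH that sudo
# should use for every command; here it is the stock path plus /usr/local.
render_dropin() {
    printf 'Defaults    secure_path = %s\n' "$1"
}

# sudo's #includedir ignores files whose names end in "~" or contain a ".",
# so editor backups and package leftovers (foo.rpmnew) are never parsed.
# Returns 0 when the name will actually be read, 1 otherwise.
dropin_name_ok() {
    case "$1" in
        ''|*~|*.*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Syntax-check a candidate file: -c is check-only mode, -f picks the file.
# Returns visudo's exit code (0 ok, 1 parse error) or 2 if visudo is absent.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1" >/dev/null 2>&1
}

# Render, check and install in one step. The file is installed root:root
# mode 0440, which is what sudo requires before it will read a sudoers file.
install_dropin() {
    name="$1"; path="$2"
    dropin_name_ok "$name" || { echo "drop-in name would be ignored: $name" >&2; return 1; }
    tmp="$(mktemp)"
    render_dropin "$path" > "$tmp"
    check_dropin "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    install -o root -g root -m 0440 "$tmp" "$SUDOERS_D/$name"
    rm -f "$tmp"
}

# Usage: run as root with "run" as the only argument.
if [ "${1:-}" = "run" ]; then
    install_dropin 50-secure-path "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
fi
```

Because /etc/sudoers.d files are parsed in lexical order after the main file, a later fragment’s Defaults line is the one that wins, so compare your fragment name against any others already present before installing.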