Linux 如何从脚本编辑 /etc/sudoers?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/323957/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I edit /etc/sudoers from a script?
提问by n-alexander
I need to edit /etc/sudoers
from a script to add/remove stuff from white lists.
我需要/etc/sudoers
从脚本中编辑以从白名单中添加/删除内容。
Assuming I have a command that would work on a normal file, how could I apply it to /etc/sudoers
?
假设我有一个可以处理普通文件的命令,我如何将它应用于/etc/sudoers
?
Can I copy and modify it, then have visudo
replace the original with the modified copy? By providing my own script in $EDITOR
?
我可以复制和修改它,然后visudo
用修改后的副本替换原件吗?通过在$EDITOR
?
Or can I just use the same locks and cp
?
或者我可以只使用相同的锁cp
吗?
The question is more about potential issues than about just finding something that works.
问题更多地是关于潜在问题,而不仅仅是找到有效的东西。
回答by Brian C. Lane
You should make your edits to a temporary file, then use visudo -c -f sudoers.temp to confirm that the changes are valid and then copy it over the top of /etc/sudoers
您应该对临时文件进行编辑,然后使用 visudo -c -f sudoers.temp 确认更改有效,然后将其复制到 /etc/sudoers 的顶部
#!/bin/sh
if [ -f "/etc/sudoers.tmp" ]; then
exit 1
fi
touch /etc/sudoers.tmp
edit_sudoers /tmp/sudoers.new
visudo -c -f /tmp/sudoers.new
if [ "$?" -eq "0" ]; then
cp /tmp/sudoers.new /etc/sudoers
fi
rm /etc/sudoers.tmp
回答by ngn
visudo is supposed to be the human interface for editing /etc/sudoers
. You can achieve the same by replacing the file directly, but you have to take care yourself about concurrent editing and syntax validation. Mind the r--r-----
permissions.
visudo 应该是用于编辑的人机界面/etc/sudoers
。您可以通过直接替换文件来实现相同的效果,但您必须注意并发编辑和语法验证。注意r--r-----
权限。
回答by Ali Afshar
Set up a custom editor. Basically it will be a script that accepts the filename (in this case /etc/sudoers.tmp), and modify and save that in place. So you could just write out to that file. When you are done, exit the script, and visudo will take care of modifying the actual sudoers file for you.
设置自定义编辑器。基本上,它将是一个接受文件名(在本例中为 /etc/sudoers.tmp)的脚本,并修改并保存到位。所以你可以写出那个文件。完成后,退出脚本,visudo 将负责为您修改实际的 sudoers 文件。
sudo EDITOR=/path/to/my_dummy_editor.sh visudo
回答by sstendal
Use visudo for this with a custom editor. This solves all the race conditions and "hack" problems with Brian's solution.
将 visudo 与自定义编辑器一起使用。这解决了布赖恩解决方案的所有竞争条件和“黑客”问题。
#!/bin/sh
if [ -z "" ]; then
echo "Starting up visudo with this script as first parameter"
export EDITOR=if [ -z "" ]; then
# When you run the script, you will run this block since is empty.
echo "Starting up visudo with this script as first parameter"
# We first set this script as the EDITOR and then starts visudo.
# Visudo will now start and use THIS SCRIPT as its editor
export EDITOR=#!/usr/bin/env bash
rm /etc/sudoers.new
cp /etc/sudoers /etc/sudoers.new
echo "%everyone ALL = NOPASSWD: /usr/sbin/installer -pkg /Volumes/Java 7 Update 17/Java 7 Update 17.pkg -target /" >> /etc/sudoers.new
cp /etc/sudoers.new /etc/sudoers
&& sudo -E visudo
else
# When visudo starts this script, it will provide the name of the sudoers
# file as the first parameter and will be non-empty. Because of that,
# visudo will run this block.
echo "Changing sudoers"
# We change the sudoers file and then exit
echo "# Dummy change to sudoers" >>
fi
&& sudo -E visudo
else
echo "Changing sudoers"
echo "# Dummy change to sudoers" >>
fi
This script will add the line "# Dummy change to sudoers" to the end of sudoers. No hacks and no race conditions.
此脚本将在 sudoers 的末尾添加“# Dummy change to sudoers”这一行。没有黑客攻击,也没有竞争条件。
Annotated version that explains how this actually works:
注释版本解释了这实际上是如何工作的:
sudo sh sudoersedit.sh
回答by Kamal
This worked for me based off what others posted here. When i used other peoples script it would open visudo for me but would not make the edit. This made the edit i needed to allow all users, including standard users, to install java 7u17 for safari/firefox.
根据其他人在这里发布的内容,这对我有用。当我使用其他人的脚本时,它会为我打开 visudo,但不会进行编辑。这进行了我需要的编辑,以允许所有用户(包括标准用户)为 safari/firefox 安装 java 7u17。
sudo EDITOR="cp /tmp/sudoers.new" visudo
This added the %everyone blah blah blah to the bottom of the sudoers file. I had to run the script like this.
这将 %everyone blah blah blah 添加到 sudoers 文件的底部。我不得不像这样运行脚本。
#!/bin/sh
while [ -n "" ]; do
echo " ALL=(ALL:ALL) ALL" >> /etc/sudoers;
shift # shift all parameters;
done
Good luck :D
祝你好运:D
回答by zelanix
Just to add a further option to the answers above, if the race condition is not a major concern, then the following command can be used to avoid manually copying a modified file to /etc/sudoers
只是为上面的答案添加一个进一步的选项,如果竞争条件不是主要问题,那么可以使用以下命令来避免手动将修改后的文件复制到 /etc/sudoers
root prompt> ./addsudoers.sh user1 user2
This will ensure that the new file is validated and installed correctly with permissions update.
这将确保通过权限更新验证并正确安装新文件。
Note that if there is an error in the /tmp/sudoers.new
file then visudo
will prompt for user input so it is advisable to check it with visudo -c -f /tmp/sudoers.new
first.
请注意,如果是在一个错误/tmp/sudoers.new
的文件,然后visudo
会提示用户输入所以它是可取的,以检查它visudo -c -f /tmp/sudoers.new
第一。
回答by pevik
On Debian and it's derivates, you can insert custom script into/etc/sudoers.d/
directory, with rights0440
– for more info see /etc/sudoers.d/README.
在 Debian 及其衍生版本上,您可以将自定义脚本插入/etc/sudoers.d/
具有权限的目录中0440
- 有关更多信息,请参阅/etc/sudoers.d/README。
It might help.
它可能会有所帮助。
回答by Albert Vonpupp
I think the most straight forward solution is to:
我认为最直接的解决方案是:
Create a script addsudoers.sh
创建脚本addsudoers.sh
echo 'foobar ALL=(ALL:ALL) ALL' | sudo EDITOR='tee -a' visudo
and call it with the users you want to add it as:
并与您要添加的用户一起调用它:
##代码##For the full explanation see this answer: Adding users to sudoers through shell script
有关完整说明,请参阅此答案:通过 shell 脚本将用户添加到 sudoers
Regards!
问候!
回答by Apollo
Try to echo it. You have to run it in a subshell, though. Example:
尝试回应它。但是,您必须在子shell 中运行它。例子:
sudo sh -c "echo \"group ALL=(user) NOPASSWD: ALL\" >> /etc/sudoers"
sudo sh -c "echo \"group ALL=(user) NOPASSWD: ALL\" >> /etc/sudoers"
回答by beckerr
Old thread, but what about:
旧线程,但是呢:
##代码##