the % always puzzled me so you are not alone.

man sudoers suggests that you must put a "%" in front of a group name, presumably to identify it as such. If the group is a numeric ID then you use "%#".

Geoff

Thank you.
Here's yet more % puzzle for you.   

Well ...
Not always so.

Quite happy with being able to get away with generating a file for the /etc/sudoers.d/ directory, I set about doing it again.
This time for a command I use very often: dmesg.

Since using it with sudo was inocuous, I followed my own instructions and wrote up a file called user_dmesg with this line:

%groucho ALL= NOPASSWD: /usr/bin/linssid

As you can clearly see, it has the necessary % sign at the beginning.
But visudo -c rejects it with the same argument it rejected the line which did not have the % sign at the beginning.

On a whim, I removed the % sign and ....
It worked!

[root@devuan groucho]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/user_dmesg: parsed OK     
/etc/sudoers.d/user_linssid: parsed OK    
/etc/sudoers.d/user_shutdown: parsed OK
[root@devuan groucho]# 

And just why would this be so?

The only answer that I can come up with is that the use of the % sign is directly related to the path of the command to run with sudo.

ie:
/bin/dmesg               <-- this command does not need the % sign.
/usr/bin/linssid   <-- this command does need the % sign.
/sbin/shutdown       <-- this command does not need the % sign.

So maybe it's that the files in the /etc/sudoers.d/ need a line with a % sign at the beginning if the command is in the /usr path.

I have not found any documentation on this (the syntax for these files) but given the need to be able to adequately restrict the use of sudo, it would be nice to be able to do it properly.

Any further info would be appreciated.

Thanks in advance,

A.

Indeed ...
But just how was I to know what I was doing wrong?

The existing file in /etc/sudoers.d was copied exactly and properly edited with visudo.
And still ...

OK.
The solution ended up being this: ---> %

The line that makes up any file you want to add to the /etc/sudoers.d/ directory (apparently) has to be preceded by a percent (%) sign.
Otherwise it will not work.

I have not been able to find a place where the syntax for these files is explained.

This example I posted above was wrong:

The correct thing to do was to add a percent sign at the beginning of the line, like this:

%groucho ALL= NOPASSWD: /usr/bin/linssid

I found out about this by reading this post: https://askubuntu.com/questions/930768/ … sodoers-fi.
And although it makes no mention of the percentage sign thing,  I saw that a line in a /etc/sudoers.d file used it.

So I tried it and it worked.  =^º

[rant mode]
How could I have possibly known this if the existing /etc/sudoers.d/users_shutdown file reads like this:

[root@devuan groucho]# cat /etc/sudoers.d/user_shutdown
groucho ALL= NOPASSWD: /usr/sbin/pm-suspend, /usr/sbin/pm-hibernate, /sbin/halt, /sbin/reboot  <-- just [u]where[/u] is the % sign?
[root@devuan groucho]# 

And if using visudo to look at it shows me the exact same string of characters?

I mean, where is the f***ing percent sign?
[/rant mode]

Moral of the story:
Want to make a /etc/sudoers.d/file to avoid mucking up (very easy to do) the sudoers file?

1. copy an existing one.
2. edit it with visudo.

ie:

visudo -f /etc/sudoers.d/[file_name]

3. make sure that you add a % sign at the start of the line.
4. save it with the intended name eg: user_whatever so you'll know what it is for.
5. make sure the file has 440 permissions.

ie:

5. check it all with visudo -c

[root@devuan groucho]# visudo -c                            
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/user_whatever: parsed OK
/etc/sudoers.d/user_shutdown: parsed OK
[root@devuan groucho]# 

Of course, remember that you have to be a member of the sudoers group otherwise this is all moot.

Caveat: I'm no expert and WRT Linux I'm sort of playing by ear, so if any of the Devuan forum members with experience could take a minute to check that all this is not hogwash or has any errors, I'd be very obliged.

Cheers,

A.

Thanks ...  =-)
The timestamp feature could be overkill, even for me. LOL

Great ...
The checking feature is really nice to have.

But I've discovered sudo service which I did not know about.
Seems to be more suited to my use than a timestamp.

---------------------------------------------------------------------------------
EDIT: I have started another thread for this specific issue here https://dev1galaxy.org/viewtopic.php?id=2342

I have it ticked in Applications -> System -> Services = sudo.
But for some reason it won't start:

[root@devuan groucho]# service --status-all | grep sudo
 [ ? ]  alsa-utils
 [ ? ]  cryptdisks
 [ ? ]  cryptdisks-early
 [ ? ]  hwclock.sh
 [ ? ]  kmod
 [ ? ]  networking
 [ - ]  sudo
[root@devuan groucho]

[root@devuan groucho]# service sudo start
[root@devuan groucho]# service --status-all | grep sudo
 [ ? ]  alsa-utils
 [ ? ]  cryptdisks
 [ ? ]  cryptdisks-early
 [ ? ]  hwclock.sh
 [ ? ]  kmod
 [ ? ]  networking
 [ - ]  sudo
[root@devuan groucho]# 

Edit:
I have discovered that it's not only Applications -> System -> Services = sudo that does not start even though it I marked it.
The other services I marked (smartmontools and checkroot-bootclean.sh) also fail to start.

The services utility asks me for the admin PW and nothing else. ie: does not reject my credentials.
---------------------------------------------------------------------------------

To practise and learn about sudo, I had a look at the file in /etc/sudoers.d/user_shutdown to make one exactly like it for LinSSID and not have to muck around with editing the sudoers file which is dangerous, as I found out for myself. (many thanks to Timeshift!).

To do this I opened the file with jed and saved it as user_linssid and edited it with jed so that ...

groucho ALL= NOPASSWD: /usr/sbin/pm-suspend, /usr/sbin/pm-hibernate, /sbin/halt, /sbin/reboot

... became

groucho ALL= NOPASSWD: /usr/bin/linssid

I saved the file and gave it 0440 permissions which I have read is a must for files in sudoers.d:

[root@devuan sudoers.d]# chown 0440 user_linssid
[root@devuan sudoers.d]# 

The I ran a check with visudo -c to see if it was OK ...

[root@devuan groucho]# visudo -c
>>> /etc/sudoers.d/user_linssid: syntax error near line 1 <<<
parse error in /etc/sudoers.d/user_linssid near line 1
[root@devuan groucho]# 

... but it was not.

I do not understand the error near line 1: there's only one line and it is practically the same as the one in user_shutdown.

Am I doing something wrong or is editing with jed the problem?

Thanks in advance.

A.

For editing /etc/sudoers try EDITOR=jed visudo which should let you edit /etc/sudoers with jed and have it checked.

Chris

I was just about to post.
I managed to get things working with PMail.

The problem was that I had added myself the the sudo group but had not logged in again. :^ '
Wasn't going to get anywhere that way.

My *.desktop file for PMail is this ...

[Desktop Entry]
Type=Application
Name=PMail
Exec=wine start /unix /home/groucho/.wine/drive_c/PMAIL/Programs/winpm-32.exe
MimeType=application/x-ms-dos-executable;application/x-msi;application/x-ms-shortcut;
Icon=/home/groucho/pmail_32x32x32.png
NoDisplay=true
StartupNotify=true
GenericName=PMail32
Comment=
Terminal=false
Path=

... and it works as intended.

[root@devuan groucho]# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
[root@devuan groucho]# 

Seems it's like you say.

I have tried in the past to get around vi but I've found it very complicated to use.
I'm afraid I'm 20+ years late to that party, I learned the ropes with the early DOS 5.0 editors.

After trying three or four Linux CLI editors, I have finally settled on jed, it works for what I need to do.

groucho@devuan:~$ sudo -l
Matching Defaults entries for groucho on devuan:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User groucho may run the following commands on devuan:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/sbin/pm-suspend, /usr/sbin/pm-hibernate, /sbin/halt, /sbin/reboot
groucho@devuan:~$ 

groucho@devuan:~$ sudo -i
[sudo] password for groucho: 
[root@devuan ~]# 

It works ...  =-)

Just in case:

groucho@devuan:~$ groups
groucho adm dialout cdrom floppy tape sudo audio dip video plugdev netdev lpadmin scanner
groucho@devuan:~$ id
uid=1000(groucho) gid=1000(groucho) groups=1000(groucho),4(adm),20(dialout),24(cdrom),25(floppy),26(tape),27(sudo),29(audio),30(dip),44(video),46(plugdev),102(netdev),109(lpadmin),111(scanner)
groucho@devuan:~$ 

One thing:

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

I don't want to be able to do anything with sudo, I would like to strictly limit what I can do as a member of the sudo group.

This ALL=(ALL:ALL) ALL seems (to me) rather excessive.

How can this be effectively limited without hampering the use of the OS?

Thank you very much for your input.

Cheers,

A.

Is there a way to set up sudo on a per-application basis ...
ie: so that sudo will work with a select list of apps, like Wine and LinSSID.

Yes. If that's really all you want, putting a line like this at the end of /etc/sudoers (preferably by running # EDITOR=nano visudo) will do the trick:

groucho ALL=(root) NOPASSWD: /usr/bin/wine-stable,/usr/bin/winecfg-stable,/usr/bin/linssid

However, being able to use sudo to run any command you want as any user:group you want is much more convenient. For that, put this at the end of sudoers:

groucho ALL=(ALL:ALL) NOPASSWD: ALL

If you prefer to enter your password each time, use PASSWD instead of NOPASSWD.

P.S. If you are truly in the sudo group, the %sudo... line shown in chris2be8's response should allow you to run any command with sudo provided you enter your password. The problem you are having is either because the %sudo... line is missing from sudoers (unlikely) or, more likely, you are not actually part of the sudo group. Type id at the command line to see the groups you are part of. If you are not part of the sudo group, add yourself to it with this command: # usermod -a -G sudo groucho

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

If not run visudo as root to add it (visudo edits a copy of /etc/sudoers with vi, then syntax checks your changes and copies it back if they are OK). If you don't know how to use vi then copying the above lines into /etc/sudoers with your favourite editor should work (I'd only recommend this if you can get to root without using sudo, else you could lock yourself out).

Then try sudo -l to list what sudo will let you do. And sudo -i to get to a root shell.

If it still doesn't work post output from sudo -l (lower case L), groups and id.

Chris

I'm trying to set up Wine in my Devuan ASCII installation but I seem to have run into a problem related to permissions.

When I installed Devuan ASCII, I selected to use su and not sudo.
I see it as a sort of insurance from myself and the possibility of getting distracted and inadvertently wreaking havoc.
ie: this way I will always be reminded that whaever I am doing requires elevated privileges and will get them by entering the root PW.

But while I undertstand that this is not practical for some things, I have managed to get around the problem it brings up.
eg: to run LinSSID from a .desktop file, the command will be gksu linssid instead of the default gksudo linssid.

I don't mind having to enter a PW for an app I don't use a lot.

Now, when I run winecfg I am not able to set up the drives:

groucho@devuan:~$ winecfg
err:winecfg:open_mountmgr failed to open mount manager err 2
err:winecfg:open_mountmgr failed to open mount manager err 2
groucho@devuan:~$ 

If I run it with sudo, I get this:

groucho@devuan:~$ sudo winecfg
[sudo] password for groucho: 
Sorry, user groucho is not allowed to execute '/usr/bin/winecfg' as root on devuan.
groucho@devuan:~$ 

My user is in the sudo group.

And if I run it as root, it creates a configuration directory in /root ...

[root@devuan groucho]# winecfg
wine: created the configuration directory '/root/.wine'
---
other stuff err: follows.
[root@devuan groucho]#

... which will most probably (?) have the effect of needing to be root to run programs under Wine.

Is there a way to set up sudo on a per-application basis ...
ie: so that sudo will work with a select list of apps, like Wine and LinSSID.

...  or am I going about this the wrong way?

Thanks in advance,

A.