What is the correct way to update the `sudoers` file programmatically? Specifically:
- How can I add `,timestamp_timeout=600` to the end of the `Defaults env_reset` line in my `sudoers` files (to increase the `sudo` nag time to 10 hours), and doing this programmatically and without destroying the system (I tried this once and made my Linux system unbootable and had to reinstall). I have read that `chmod 440` might be important for this.
- I understand that this is dangerous, I understand why it is protected, but these are my home systems where I have a script that runs through dozens of simple configuration changes (and I rebuild those systems fairly regularly also, so it would be useful to me to be able to automate this).
- I am most interested in how to do this with standard Linux tools that I can put into a `bash` script, but I would be very interested to also see how this exact operation is done in Ansible so that I could roll out simple changes like this to all `sudoers` files on my home network.
- On this page there is a discussion on the `sudoers` file, but I don't quite understand the references to `visudo -c -f`; I think what is being suggested there is: copy the `sudoers` file, then make changes to that copy, then `visudo -c -f` to check that the new file is valid, then overwrite `sudoers`, then `chmod 440` on that new file, is that it? I'm not sure of the steps to implement this.
`sudoers` file will not make your system unbootable. The worst thing that will happen is that you can't use `sudo` any longer, but booting into single-user mode to fix that should be easy, or at least doable. `man visudo` gives you detailed explanations on the use of the command and its options.

`-f` option does something different than checking syntax (at least that's what I interpret from your comment). I almost never change the sudoers file, but if I would, I'd follow the advice on the file `# Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file.`.
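An added example, not code from any poster on this page: it combines the stage, `visudo -c -f`, `chmod 440`, install sequence from the question with the `/etc/sudoers.d/` advice above, so the main `sudoers` file is never edited. The function name, the drop-in name and the `SUDOERS_DIR`/`VISUDO` overrides are assumptions of this sketch.

```bash
# Install a sudoers drop-in only after visudo accepts it. Run as root so the
# installed file is owned by root. SUDOERS_DIR and VISUDO are hypothetical
# overrides that let the logic be tried on a scratch directory first.
# Usage: install_sudoers_dropin 10-timestamp-timeout 'Defaults timestamp_timeout=600'
install_sudoers_dropin() (
    name=$1
    content=$2
    dir=${SUDOERS_DIR:-/etc/sudoers.d}
    visudo=${VISUDO:-visudo}

    # sudo skips drop-in names that contain '.' or end in '~', so such a file
    # would be silently ignored; refuse them, along with path separators.
    case $name in
        ''|*.*|*~|*/*) echo "invalid drop-in name: '$name'" >&2; exit 2 ;;
    esac

    # Stage in the same directory so the final mv is an atomic rename. The
    # staging name contains '.', so sudo never parses a half-written file.
    tmp=$(mktemp "$dir/.stage-$name.XXXXXX") || exit 1
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; exit 1; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; exit 1; }

    # Syntax-check the staged copy; nothing is installed if this fails.
    if ! "$visudo" -c -f "$tmp" >/dev/null; then
        echo "visudo rejected the content; $dir/$name left unchanged" >&2
        rm -f "$tmp"
        exit 1
    fi

    mv -f "$tmp" "$dir/$name"
)
```

A separate `Defaults timestamp_timeout=600` line in a drop-in has the same effect as appending the option to the existing `Defaults env_reset` line, because `Defaults` entries accumulate.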