There are multiple ways to allow a user to use the sudo command; which one is better?

5

0

I am a Linux newbie, just learning it and using Debian 7.0 Wheezy. I have seen two methods to allow a user to use sudo.

One is to use visudo to modify /etc/sudoers and add the following:

username ALL=(ALL) ALL

Another is adding the user to the sudo group, using this:

usermod -a -G sudo username

Do both methods have the same impact? Are there any pros and cons of each method?

SamTech

Posted 2013-07-11T14:16:57.743

Reputation: 215

Generally speaking, it is better practice to have a separate user group for admins - but not in the sudo group, such as this case. In visudo you could do %wheel ALL=(ALL) ALL and add the user to the wheel group instead (or whatever group you decide). I like the question and am curious what replies you will get. – nerdwaller – 2013-07-11T14:26:30.983

Using a group dedicated for sudo access allows other users to easily see that this user is an administrator - you don't get that by putting the username into sudoers, which is readable only by root. – Xenopathic – 2013-07-11T22:32:57.647

Answers

4

Both of those methods have a mostly similar effect, since the default sudoers file on Debian includes the line:

%sudo   ALL=(ALL:ALL) ALL

which grants that permission to all members of the sudo group.

There are a couple of differences that may matter to you.

  • When the modification takes effect. If you explicitly add the user to the sudoers file, that user will be able to use those permissions immediately. If you instead add the user to the sudo group, he or she will need to log out and then back in before being able to use sudo.

  • Later restrictions. If you later decide that you want to restrict what can be done with sudo for all users, that will be easier if you use the group method, since you can then modify just the single entry in the sudoers file rather than having separate entries for each user.

qqx

Posted 2013-07-11T14:16:57.743

Reputation: 2 603
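
The two grant paths compared above can be audited side by side. The following is an added example, not part of the original posts: a shell function that reads a group file and a sudoers file and reports, per user, whether sudo comes from a per-user line or from a %group line. The names sudo_grants and demo and the users alice, bob and carol are assumptions made for the example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original answers). Reports which users get
# sudo through a per-user sudoers line and which through a %group line.
# Limits: no aliases, included files, line continuations, or
# primary-group membership (that lives in /etc/passwd, not /etc/group).

# sudo_grants GROUP_FILE SUDOERS_FILE -> lines of "user<TAB>method"
sudo_grants() {
    awk '
        # First file: group database, "name:passwd:gid:user1,user2".
        FILENAME == ARGV[1] {
            split($0, g, ":")
            members[g[1]] = g[4]
            next
        }
        # Second file: skip blanks, comments, Defaults and alias definitions.
        NF == 0 || $1 ~ /^#/ || $1 ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }
        # "%group HOST=(RUNAS) CMDS": every member of the group is granted.
        $1 ~ /^%/ {
            grp = substr($1, 2)
            n = split(members[grp], u, ",")
            for (i = 1; i <= n; i++) print u[i] "\tgroup:" grp
            next
        }
        # "user HOST=(RUNAS) CMDS": a direct per-user entry.
        { print $1 "\tdirect" }
    ' "$1" "$2" | sort
}

# Constructed sample data (not taken from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'sudo:x:27:alice,bob' 'users:x:100:carol' > "$dir/group"
    printf '%s\n' '# constructed sudoers sample' \
        'Defaults env_reset' \
        'root ALL=(ALL:ALL) ALL' \
        '%sudo   ALL=(ALL:ALL) ALL' \
        'carol ALL=(ALL) ALL' > "$dir/sudoers"
    sudo_grants "$dir/group" "$dir/sudoers"
    rm -rf "$dir"
}
demo
```

On a real host the function would be run as root against /etc/group and /etc/sudoers, since sudoers is readable only by root. For the effective rights of one account, sudo -l -U username remains the authoritative check.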

1

On a basic desktop machine with only one person who will need administrative purposes, the username method is fine. When you're dealing with systems that will have multiple users and potentially multiple people with sudo rights, then it would be simplest to use the group method (it's as simple as adding or removing people from that group).

Overall, though, I think people tend to use the group method as the best practice, since it's preferred for the multi-user system and it's no worse than the username method for a single-user system.

user235731

Posted 2013-07-11T14:16:57.743

Reputation: