# Adding a user to the sudoers file for Sudo



## Deleted member 67029 (Jul 6, 2021)

So, the first thing a normal person that downloads and installs sudo is want to run it right? But the application requires a user be in the sudoers file first, so you'd think you would ask to add people during installation right? lol, well that doesn't happen. So, then ok you are going to check the manual... you'd think it will be at the start, because this is the first thing a normal person is going to need to do.. manual page doesn't even tell you how it's done! lol

Can somebody please tell me, how does one add a user to the sudoers file?!


----------



## mer (Jul 6, 2021)

as root "visudo"


----------



## Alain De Vos (Jul 6, 2021)

I can but I won't


----------



## Deleted member 67029 (Jul 6, 2021)

Awesome, thanks.


----------



## Deleted member 67029 (Jul 6, 2021)

mer, _visudo_ is broken. It doesn't let me type anything. Got any ideas?


----------



## Deleted member 67029 (Jul 6, 2021)

Forget it mate, this application is a pile of shit. I am uninstalling it.

Thanks again for your help.


----------



## SirDice (Jul 6, 2021)

Learn to use vi(1) or set your EDITOR variable to a different editor.


----------



## mer (Jul 6, 2021)

Kolusion said:


> Alain, you urgently need to find yourself a woman. Hanging out on a forum without purpose in life with your grainy photo from 1998 isn't doing you any good.


I'd like to offer a suggestion, if I may.

Responses like this, while they may be momentarily satisfying, are going to hurt you in the long run.
Respect, like pretty much everything else in life is earned, not demanded.  What you give you get back.

Ask questions if you have them, don't complain about something not working like you think it should when people are trying to help.
I'm hitting reply before you get tossed.


----------



## Geezer (Jul 6, 2021)

Kolusion said:


> Forget it mate, this application is a pile of xxxx. I am uninstalling it.
> 
> Thanks again for your help.



I don't want to read this in our forum.


----------



## SirDice (Jul 6, 2021)

I was going for a temporary ban at first but the latest insult Kolusion just directed at me got him permanently banned.


----------



## mer (Jul 6, 2021)

The visudo:
As root do the following command:
echo "username ALL=(ALL) ALL" >> /usr/local/etc/sudoers.d/users

Of course, substitute the desired username for "username" in the echo command.


----------



## hardworkingnewbie (Jul 6, 2021)

SirDice said:


> I was going for a temporary ban at first but the latest insult Kolusion just directed at me got him permanently banned.


Finally, thank you so much!


----------



## kpedersen (Jul 6, 2021)

Kolusion said:


> so you'd think you would ask to add people during installation right? lol


No. Some people have better workflows than manually entering users during an installation script.



Kolusion said:


> mer, _visudo_ is broken. It doesn't let me type anything. Got any ideas?


Learning (n)vi is admirable. However, instantly calling it broken made me chuckle.


----------



## Alain De Vos (Jul 6, 2021)

SirDice said:


> I was going for a temporary ban at first but the latest insult Kolusion just directed at me got him permanently banned.


I think you had a lot of patience. As a former teacher having had thousands of students maybe too much patience.
I also now why. Because most of the time you deal with friendly and professional people.


----------



## Alexander88207 (Jul 6, 2021)

SirDice said:


> I was going for a temporary ban at first but the latest insult Kolusion just directed at me got him permanently banned.


Another one bites the dust, thanks!


----------



## mer (Jul 6, 2021)

I'm guessing that we've thoroughly flogged this particular horse.  
I think these threads are a decent example of "how NOT to ask for help" or "don't insult the people you're asking to help you".

Time to move on and wait for the next one.


----------



## SirDice (Jul 6, 2021)

Patience is an odd characteristic for someone with ADD, it's certainly something I had to learn to deal with. He managed to get a dubious record though, I've never seen this many reports in such a short time all reporting the same person. So, everyone that hit the report button, thanks for that.


----------



## bakul (Jul 6, 2021)

SirDice said:


> I was going for a temporary ban at first but the latest insult Kolusion just directed at me got him permanently banned.


Kolusion was actually pointing out things that confuse newbies and fixing them would make the installation process (or other things) smoother/easier. But his inability to use any social filters + seeing things in black and white was bound to result in this. I have worked with a couple of people like him and have seen this movie play out the same way. So it goes.


----------



## kpedersen (Jul 6, 2021)

bakul said:


> Kolusion was actually pointing out things that confuse newbies and fixing them would make the installation process (or other things) smoother/easier.


No matter how easy you try to make FreeBSD, it will never cater for such individuals. They don't want to learn and so they blame the work of others.

The only way FreeBSD could cater for such people is if it was a colouring book and not an operating system.


----------



## Emrion (Jul 6, 2021)

I'm more inclined to think it's a troll, and a skillful one.
Ban was inevitable and, in some ways, it's the ultimate purpose for people of this sort.


----------



## Alain De Vos (Jul 6, 2021)

In this case i'm also inclined to think it was a personal choise of him. There where active indicators for it.


----------



## hardworkingnewbie (Jul 6, 2021)

Emrion said:


> I'm more inclined to think it's a troll, and a skillful one.


He was a troll, but not a skilled one. On the contrary, quite a bland, predictable and boring one.

For me I am convinced about troll because of the plethora of questions he immediately raised after SirDice closed most of his existing threads. It always followed the same scheme: asking question about a well understood topic, and pretending there's an issue or he's not understanding something. Like this copying thread.

Then waiting for the first response, and having some trolling fun. If he would have had ADD instead I would have expected him to ask the same questions again, which were not answered yet fully, but he did not that. Instead new questions in new areas and new sub forums.

That's for me a way too determined behaviour to maximise attention and get new people to answer him, which clearly indicates for me troll, and speaks against ADD.


----------



## gotnull (Jul 6, 2021)

It won't help you but coming in BSD World I switched from 'sudo' to 'doas' which is really simple to configure compared to 'sudo'.
For my needs 'doas' is well enough.


----------



## Alain De Vos (Jul 6, 2021)

I always use su, never sudo. Why ?, why not ?


----------



## SirDice (Jul 6, 2021)

Using su(1) instead of sudo(8) makes sense in certain cases. The plus point of sudo(8) is also it's Achilles' heel, you use the same password as for your 'regular' account. So if/when an account gets bruteforced (guessed, stolen, whatever) attackers will also be able to execute sudo(8) commands because they managed to grab/steal/borrow the password for the account.


----------



## ralphbsz (Jul 6, 2021)

For the typical sudo functionality (run one command as a different id, typically root), I've switched to doas. I like it, the setup and configuration is easier. But I understand SirDice's concern about the "achilles' heel", and for actually getting a root shell (what one typically does with "su", or "sudo ...sh"), I would like to be prompted for the root password. Haven't figured that one out yet.


----------



## mer (Jul 6, 2021)

ralphbsz you mean if you
doas sh

you want to be prompted for the root password?  I think that's what you're saying, I just want to make sure.  I don't have an answer, just clarification.


----------



## ralphbsz (Jul 6, 2021)

Exactly.


----------



## jmos (Jul 6, 2021)

The way sudo is known today belongs to "Ubuntus sudo configuration" and use case; Even this thread just assumed that sudo has to be configured to get a user as mighty as root with its own password. But before Ubuntu was born sudo was used to let specific users execute specific commands as another user (which can be root, but mustn't), f.e. to enable a user (or a whole group) without root privileges to perform a reboot (and that maybe without the need for a password) etc. Also it assumed that sudo is the tool for administration a unixoid system (`su -` is sometimes even unknown to younger folks); Meanwhile doas was named (which I prefer & use sometimes), but also super exists.

IMO the question of the OP cannot be answered because it's missing any hint of what's the goal of this sudo configuration.


----------



## scottro (Jul 6, 2021)

Being used to both of them by now, I find sudo and doas equally easy or difficult. Using sudo is a bit more convenient because the persist option of doas isn't, as far as I know, yet working on FreeBSD.


----------



## mer (Jul 6, 2021)

It's often muscle memory:  you type sudo and get "command not found" or "doas" and get the same message while you go smack your head on the desk.


----------



## Vull (Jul 6, 2021)

To get `sudo` privileges on Ubuntu or LM, all I had to do was add the user to the "sudo" group. I don't know if that works on FreeBSD because I don't install sudo on FreeBSD. Never liked sudo much, and consider it an unecessary security risk. Would uninstall it on Linux if I ever wanted to use Linux for anything serious, but I don't, so I haven't bothered with it.

On Linux installs, one of the first tricks I learned was `sudo passwd` so I can then change the root password to something I know, and quit using sudo in favor of using su.


----------



## SirDice (Jul 7, 2021)

Vull said:


> To get `sudo` privileges on Ubuntu or LM, all I had to do was add the user to the "sudo" group. I don't know if that works on FreeBSD because I don't install sudo on FreeBSD.


Uncomment this line in sudoers:

```
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
```


----------



## Alain De Vos (Jul 7, 2021)

An obvious comment, if you think the root password is important perform an "pkg uninstall sudo".


----------



## Geezer (Jul 7, 2021)

I have been using doas. Which is better?


----------



## SirDice (Jul 7, 2021)

Alain De Vos said:


> An obvious comment, if you think the root password is important perform an "pkg uninstall sudo".


You can actually configure sudo(8) to ask for root's password instead of the user's password. 

```
rootpw            If set, sudo will prompt for the root password instead
                       of the password of the invoking user when running a
                       command or editing a file.  This flag is off by
                       default.
```
sudoers(5)

And, this might be obvious, take care who you assign privileges to. It's tempting to just go `ALL=(ALL) ALL`, that's fine if it's your own system, not so great if you only need to allow specific users some limited access to restart a service for example.



Geezer said:


> I have been using doas. Which is better?


Never actually used doas(1) but I don't think one is better than the other. sudo(8) is more commonly used, and has been for a long time, so there's plenty of tips, tricks and pitfalls to find for it. doas(1) is more like the new kid on the block.


----------



## jmos (Jul 7, 2021)

Geezer said:


> I have been using doas. Which is better?


Both do their job. The license of doas looks exactly like I want a license to look, while the one of sudo leaves me with questions and cause me frowning:
https://github.com/slicer69/doas/blob/master/LICENSE
https://www.sudo.ws/license.html


----------



## Vull (Jul 7, 2021)

Alain De Vos said:


> An obvious comment, if you think the root password is important perform an "pkg uninstall sudo".


I've never actually tried that (yet), but it might be worth mentioning that, before doing so, we should probably use `sudo passwd` (i.e., `sudo passwd root`), to change the root password to a password we know, to avoid hamstringing ourselves.

When I first started using Mac OS X I was scared to death of sudo, not understanding it well, not knowing the root password, and being so accustomed to using the root password in conjunction with `su`.

When I want to do something "sudo-like" there is always `su -m`, i.e., `su - m root`, which gives you an id=0 without changing your SHELL or HOME directory. To that end, I usually modify .shrc (or, in Linux-land, .bashrc), to change the command prompt suffix from "$" to "#", with an `if... then... else...` statement, like the following:
	
	



```
if [ "$(id -u)" = "0" ]; then PS1="(\u@\h \w)# "; else PS1="(\u@\h \w)$ "; fi
```


----------



## Geezer (Jul 7, 2021)

jmos said:


> ... while the one of sudo leaves me with questions and cause me frowning:



I did actually look up the license:





_View: https://www.youtube.com/watch?v=G_Sy6oiJbEk_


----------



## hardworkingnewbie (Jul 7, 2021)

jmos said:


> Both do their job. The license of doas looks exactly like I want a license to look, while the one of sudo leaves me with questions and cause me frowning:
> https://github.com/slicer69/doas/blob/master/LICENSE
> https://www.sudo.ws/license.html


The sudo license is basically ICS style, which is equivalent to BSD or MIT, but with less unnecessary words in it.


----------



## Alain De Vos (Jul 7, 2021)

Not that I ever created something valuable to mankind. But if I would I would probably use ICS license.


----------



## Beastie7 (Jul 7, 2021)

Don't forget to pick up Michael W. Lucas's book on Sudo Mastery to become a Sudo black belt.


----------



## jmos (Jul 7, 2021)

Vull said:


> When I want to do something "sudo-like" there is always `su -m`, i.e., `su - m root`, which gives you an id=0 without changing your SHELL or HOME directory.


Why I always switch to root with `su -` (means: "want the complete root environment"): As long as you're working with some command line tools everything is okay, but if you're using f.e. something like Midnight Commander: If your user hasn't started it before you'll get configuration files owned by root inside the users home directory. Such things can have strange effects (f.e. a user unable to use and/or configure this program). Or if the config is present:

```
jo@freya ~>  /usr/bin/su -m tester
Password:
tester@freya ~>  whoami
tester
tester@freya ~>  echo $HOME
/home/jo
tester@freya ~>  mc
Failed to run:
Cannot create /home/jo/.local/share/mc directory
tester@freya ~>
```


----------



## Vull (Jul 7, 2021)

jmos said:


> Why I always switch to root with `su -` (means: "want the complete root environment"): As long as you're working with some command line tools everything is okay, but if you're using f.e. something like Midnight Commander: If your user hasn't started it before you'll get configuration files owned by root inside the users home directory. Such things can have strange effects (f.e. a user unable to use and/or configure this program). Or if the config is present:
> `jo@freya ~>  /usr/bin/su -m tester
> Password:
> tester@freya ~>  whoami
> ...


Good points. I don't use Midnight Commander, and in general don't use root to run anything unless it's absolutely necessary. Want to see the "#" command line suffix mainly to remind myself to type `exit` as soon as possible, and to deliberately lose the root privileges just as soon as they're no longer needed for what I'm doing. Using `su -m` mainly to preserve the present working directory; sometimes prefer to use something like `cd path; su - m root -c "tar -xzpf sometarfile.tgz"` just to save myself from having to remember to type `exit`.


----------



## jmos (Jul 7, 2021)

Vull said:


> Want to see the "#" command line suffix mainly to remind myself to type `exit` as soon as possible


I'm also working with the prompt:




For root I'm always use a red colored prompt to be warned what I'm doing and where I am.


----------



## Vull (Jul 7, 2021)

Very nice. I don't use color prompts, but ()=FreeBSD, []=Linux, {}=Mac OS X, and hostnames can also be informative:





I don't feel my ways of doing things are superior or the only ways; they're just old habits developed after decades of working with different systems. I appreciate this forum as a great place for sharing different ideas. Thanks for sharing!


----------



## Alain De Vos (Jul 7, 2021)

My regular user prompt is green, my root zsh prompt red,
/root/.zshrc

```
autoload -Uz colors && colors
autoload -Uz promptinit && promptinit # Advanced prompt support
prompt off            # disable default prompt
setopt PROMPT_SUBST   # Allow custom prompt
PROMPT='$fg[red]HOST:%n: $fg[default]%d #'
```


----------



## ralphbsz (Jul 7, 2021)

I like the trick with color-coding both the prompt and /etc/motd; since I often have dozens of terminal windows on my desktop, I can tell at a glance which machine is which. If your prompt looks relatively normal, you are working on a relatively normal machine. If it has a colored or shaded background, you're at a machine that usually doesn't do logins. And if the prompt is red, you are logged in as root.

Observe that I have converted to doas, except on some Raspberry Pi's I haven't finished that task yet (still need to use sudo to get a root shell).


----------



## Vull (Jul 7, 2021)

Another advantage of `su -m` is that it will preserve all environment variables. Maybe `sudo` and/or `doas` can do that too. I don't know, and am content to use `su -m`. Yet another advantage? Ready-to-go right out-of-the-box, without installing any additional software on FreeBSD, Linux, or Mac OS X.


----------



## Alain De Vos (Jul 7, 2021)

su -m towards zsh does not work, as security measure.


----------



## Vull (Jul 7, 2021)

Alain De Vos said:


> su -m towards zsh does not work, as security measure.


Do you have zsh as a root shell? I just run the out-of-box shells, and have never used it, but read on Wikipedia that it is now the default shell on MacOS Catalina, and on Kali Linux versions 2020.4 and up.


----------



## Alain De Vos (Jul 7, 2021)

I use zsh as root shell. Works very fine.
But behold, for recovery i use user "toor" with oksh from the openbsd project.
I copied oksh to /bin to be certain it's always! available even when i de-install every package.
Something interesting about oksh is that it has no links do dynamic libraries. So it will always work even when you blow up your libraries.


----------



## bakul (Jul 7, 2021)

Alain De Vos said:


> Something interesting about oksh is that it has no links do dynamic libraries. So it will always work even when you blow up your libraries.


You can always use statically linked /rescue/{sh,csh}. But it really doesn't matter as getty, login, su are all dynamically linked.


----------



## scottro (Jul 8, 2021)

It used to be dangerous to change root's shell from its default csh, because if you booted in single user mode to rescue a system,  I think it was the only one that would be loaded. (Not sure if sh would be loaded). I don't know if that's still true because I just leave root at csh, so I've never checked.


----------



## Alain De Vos (Jul 8, 2021)

In fact you are prompted, " Enter full pathname of shell or return for /bin/sh".
So there is no danger as one of both will always work.
​


----------



## Vull (Jul 8, 2021)

scottro said:


> It used to be dangerous to change root's shell from its default csh, because if you booted in single user mode to rescue a system,  I think it was the only one that would be loaded. (Not sure if sh would be loaded). I don't know if that's still true because I just leave root at csh, so I've never checked.


Likewise. Since I'm still "selling" `su -m`, I must add that it also has the virtue of allowing me to use my shell of choice as a root shell without actually changing the default root shell. xD


----------

