Fine-grain sudo

sudo lets a user run commands as she was a different user (usually root). The common configuration of sudo requests your password before run the command. As that is annoying, you may be tempted to write something like this in your /etc/sudoers:

john   ALL = ALL, NOPASSWD: APT

But this may be a big security issue…

Fine grain

Something more convenient is to specifically set which commands can be executed without password. Next sudo configuration makes this possible:

Defaults        env_reset, insults
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        timestamp_timeout=15

Cmnd_Alias APT = /usr/bin/apt-get, /usr/bin/dpkg
%sudo   ALL = ALL, NOPASSWD: APT

The commands in the “alias” APT can be executed by users in the group sudo without a password. For all other commands, sudo take the usual behavior.

Also, with that configuration:

• It insults you if you type a wrong password.
• It caches the password during 15 minutes.