From 36420ce82b00e8486054f9e8fb1904421e623d10 Mon Sep 17 00:00:00 2001 From: Morgan Date: Thu, 25 Apr 2019 16:56:56 -0400 Subject: [PATCH 1/3] Recommend adding lines to end of sudoers, ensuring %admin and root exist Adding entries to the end of sudoers is an easy way to prevent issues and ensure NOPASSWD functionality works as expected. --- website/source/docs/synced-folders/nfs.html.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/website/source/docs/synced-folders/nfs.html.md b/website/source/docs/synced-folders/nfs.html.md index 7a59a575a..4935a61cc 100644 --- a/website/source/docs/synced-folders/nfs.html.md +++ b/website/source/docs/synced-folders/nfs.html.md @@ -134,10 +134,9 @@ If you do not want to type your password on every `vagrant up`, Vagrant uses thoughtfully crafted commands to make fine-grained sudoers modifications possible to avoid entering your password. -Below, we have a couple example sudoers entries. Note that you may -have to modify them _slightly_ on certain hosts because the way Vagrant -modifies `/etc/exports` changes a bit from OS to OS. If the commands below -are located in non-standard paths, modify them as appropriate. +Below are example entries to add at the end of your sudoers file. + +Note that you may have to modify them _slightly_ on certain hosts because the way Vagrant modifies `/etc/exports` changes a bit from OS to OS. If the commands below are located in non-standard paths, modify them as appropriate. For \*nix users, make sure to edit your `/etc/sudoers` file with `visudo`. It protects you against syntax errors which could leave you without the ability to gain elevated privileges. @@ -148,7 +147,7 @@ All of the snippets below require Vagrant version 1.7.3 or higher. configured, you might need to use a different group than the ones listed in the examples below. -For OS X, sudoers should have this entry: +At the end of sudoers in OS X: ``` Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports @@ -157,7 +156,7 @@ Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports %admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE ``` -For Ubuntu Linux , sudoers should look like this: +At the end of sudoers in Ubuntu Linux: ``` Cmnd_Alias VAGRANT_EXPORTS_CHOWN = /bin/chown 0\:0 /tmp/* @@ -168,8 +167,7 @@ Cmnd_Alias VAGRANT_NFSD_APPLY = /usr/sbin/exportfs -ar %sudo ALL=(root) NOPASSWD: VAGRANT_EXPORTS_CHOWN, VAGRANT_EXPORTS_MV, VAGRANT_NFSD_CHECK, VAGRANT_NFSD_START, VAGRANT_NFSD_APPLY ``` -For Fedora Linux, sudoers might look like this (given your user -belongs to the vagrant group): +At the end of sudoers in Fedora Linux (given your user belongs to the `vagrant` group): ``` Cmnd_Alias VAGRANT_EXPORTS_CHOWN = /bin/chown 0\:0 /tmp/* From a09ad31db47dee6478f896b4e7222a220bf2ece0 Mon Sep 17 00:00:00 2001 From: Morgan Williams Date: Thu, 9 May 2019 21:46:01 -0400 Subject: [PATCH 2/3] Revert " Recommend adding lines to end of sudoers, ensuring %admin and root exist " This reverts commit 36420ce82b00e8486054f9e8fb1904421e623d10. --- website/source/docs/synced-folders/nfs.html.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/website/source/docs/synced-folders/nfs.html.md b/website/source/docs/synced-folders/nfs.html.md index 4935a61cc..7a59a575a 100644 --- a/website/source/docs/synced-folders/nfs.html.md +++ b/website/source/docs/synced-folders/nfs.html.md @@ -134,9 +134,10 @@ If you do not want to type your password on every `vagrant up`, Vagrant uses thoughtfully crafted commands to make fine-grained sudoers modifications possible to avoid entering your password. -Below are example entries to add at the end of your sudoers file. - -Note that you may have to modify them _slightly_ on certain hosts because the way Vagrant modifies `/etc/exports` changes a bit from OS to OS. If the commands below are located in non-standard paths, modify them as appropriate. +Below, we have a couple example sudoers entries. Note that you may +have to modify them _slightly_ on certain hosts because the way Vagrant +modifies `/etc/exports` changes a bit from OS to OS. If the commands below +are located in non-standard paths, modify them as appropriate. For \*nix users, make sure to edit your `/etc/sudoers` file with `visudo`. It protects you against syntax errors which could leave you without the ability to gain elevated privileges. @@ -147,7 +148,7 @@ All of the snippets below require Vagrant version 1.7.3 or higher. configured, you might need to use a different group than the ones listed in the examples below. -At the end of sudoers in OS X: +For OS X, sudoers should have this entry: ``` Cmnd_Alias VAGRANT_EXPORTS_ADD = /usr/bin/tee -a /etc/exports @@ -156,7 +157,7 @@ Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports %admin ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE ``` -At the end of sudoers in Ubuntu Linux: +For Ubuntu Linux , sudoers should look like this: ``` Cmnd_Alias VAGRANT_EXPORTS_CHOWN = /bin/chown 0\:0 /tmp/* @@ -167,7 +168,8 @@ Cmnd_Alias VAGRANT_NFSD_APPLY = /usr/sbin/exportfs -ar %sudo ALL=(root) NOPASSWD: VAGRANT_EXPORTS_CHOWN, VAGRANT_EXPORTS_MV, VAGRANT_NFSD_CHECK, VAGRANT_NFSD_START, VAGRANT_NFSD_APPLY ``` -At the end of sudoers in Fedora Linux (given your user belongs to the `vagrant` group): +For Fedora Linux, sudoers might look like this (given your user +belongs to the vagrant group): ``` Cmnd_Alias VAGRANT_EXPORTS_CHOWN = /bin/chown 0\:0 /tmp/* From d1373c9e97d01e5fc98fc8ec60d4670fdb5da56f Mon Sep 17 00:00:00 2001 From: Morgan Williams Date: Thu, 9 May 2019 21:49:58 -0400 Subject: [PATCH 3/3] Single paragraph: order matters in sudoers Single paragraph about how the suoders file format applies these rules in order of entry --- website/source/docs/synced-folders/nfs.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/source/docs/synced-folders/nfs.html.md b/website/source/docs/synced-folders/nfs.html.md index 7a59a575a..f497e35cf 100644 --- a/website/source/docs/synced-folders/nfs.html.md +++ b/website/source/docs/synced-folders/nfs.html.md @@ -139,6 +139,8 @@ have to modify them _slightly_ on certain hosts because the way Vagrant modifies `/etc/exports` changes a bit from OS to OS. If the commands below are located in non-standard paths, modify them as appropriate. +Also note that in the sudoer file format, entries are applied in order. If you've added the appropriate entries but still have to type in your password, make sure the entries aren't inserted too early. From the sudoers man page: "When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match)." + For \*nix users, make sure to edit your `/etc/sudoers` file with `visudo`. It protects you against syntax errors which could leave you without the ability to gain elevated privileges. All of the snippets below require Vagrant version 1.7.3 or higher.