sudo

1. Switch user

From sudo(8) manual page

-i, --login Run the shell specified by the target user’s password database entry as a login shell. This means that login-specific resource files such as .profile, .bash_profile, or .login will be read by the shell. If a command is specified, it is passed to the shell

Omit -u alan if the target user is root:

sudo -i -u alan

2. The /etc/sudoers.d/ directory

Use visudo(8) to create or edit sudoers(5) configuration files. The drop-in files in /etc/sudoers.d are parsed in sorted lexical order, e.g. /etc/sudoers.d/01_b is parsed before /etc/sudoers.d/02_a.

2.1. Password timeout

For a 30 minute timeout (the default is 15 minutes), add the following to /etc/sudoers.d/timeout:

# /etc/sudoers.d/timeout
Defaults:alan timestamp_timeout=30

2.2. Admin privileges for specific commands

Allow user foo to change other users' passwords, except the root password:

# /etc/sudoers.d/foo
foo ALL=/usr/bin/passwd, !/usr/bin/passwd root

Allow users in group bar to run the mount and umount commands as admin, but only with these exact arguments:

# /etc/sudoers.d/bar
%bar ALL=/usr/bin/mount /dev/sdb, /usr/bin/umount /dev/sdb

2.3. Allow rsync on restricted paths over ssh

Allow user alan to run rsync over ssh, restricted to specific paths, without being prompted for a password:

# /etc/sudoers.d/rsync

# Allow user to download one restricted directory on localhost over ssh
alan ALL = NOPASSWD: /usr/bin/rsync --server --sender * . /etc/foo/

# Allow user to upload files to a specific path over ssh
alan ALL = NOPASSWD: /usr/bin/rsync --server * . /srv/bar/
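A drop-in that sudo silently skips or refuses is worse than none, so the following POSIX sh audit script is added here as an example (it is not part of the original notes): it walks a drop-in directory in the lexical order described above, flags names that sudoers(5) documents as skipped (containing '.' or ending in '~'), checks for mode 0440 and root ownership, and runs visudo -cqf on each file when visudo is installed. The script name audit-sudoers.sh and the directory argument are assumptions.

```shell
#!/bin/sh
# Audit the drop-in files sudo reads from /etc/sudoers.d (added example, not
# from the original notes). Rules checked, as documented in sudoers(5):
#   - names containing '.' or ending in '~' are skipped by sudo, so a file such
#     as timeout.conf silently never takes effect;
#   - files must be mode 0440 and owned by root, or sudo refuses them;
#   - syntax is verified with `visudo -cqf FILE` when visudo is installed.
# Prints one "FILE: finding" line per problem and returns the number of problems.
export LC_ALL=C   # bytewise glob sort, matching the lexical order sudo parses in

check_dropin() {
    f=$1
    n=0
    case $(basename "$f") in
        *.*) echo "$f: name contains '.', sudo ignores this file"; n=$((n + 1)) ;;
        *~)  echo "$f: name ends in '~', sudo ignores this file";  n=$((n + 1)) ;;
    esac
    # find(1) prints the path only when the test fails; this is portable across
    # GNU and BSD userlands, unlike the format flags of stat(1).
    if [ -n "$(find "$f" -prune ! -perm 0440)" ]; then
        echo "$f: mode is not 0440"; n=$((n + 1))
    fi
    if [ -n "$(find "$f" -prune ! -user root)" ]; then
        echo "$f: owner is not root"; n=$((n + 1))
    fi
    if command -v visudo >/dev/null 2>&1 && ! visudo -cqf "$f" >/dev/null 2>&1; then
        echo "$f: rejected by visudo -c (syntax, mode or owner)"; n=$((n + 1))
    fi
    return "$n"
}

# Audit every drop-in in a directory (default /etc/sudoers.d) in the order sudo
# parses them, e.g. 01_b before 02_a; returns the total number of findings.
check_dropin_dir() {
    dir=${1:-/etc/sudoers.d}
    total=0
    i=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: the glob stays literal
        i=$((i + 1))
        echo "[$i] $f"
        check_dropin "$f" || total=$((total + $?))
    done
    return "$total"
}

# Run the audit when executed directly as audit-sudoers.sh (skipped when the
# file is sourced only for its functions); a non-zero exit means findings.
case $0 in *audit-sudoers.sh) check_dropin_dir "$@" ;; esac
```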

3. sudoedit

The editor used by sudoedit(8) can be set with update-alternatives(1) on Debian-based systems.
