What is the sudoers file?
The sudoers file is a plain-text file at "/etc/sudoers" (the Linux directory layout is covered in a separate article). Its job is to tell sudo what it may do on your machine: which users and groups can run commands with superuser privileges and, more generally, which user may run which commands as which other account. For example, on a web server you can write a rule that lets certain users run commands only as "www-data" rather than as root. Most distributions also include every file in "/etc/sudoers.d", so rules are often kept in drop-in files there instead of in the main file.
When Do I Need to Edit the sudoers File?
When you first install a Linux system such as Ubuntu, the installer gives the first user account sudo rights so that you can run administrative tasks immediately. On Ubuntu it does this by putting that user in the "sudo" group, which the stock sudoers file grants full access; other distributions use a "wheel" group the same way. A user account you create later has no such rights by default. To grant them, you either add the account to that group or write a rule for it in the sudoers file.
How can I edit sudoers?
Never edit the sudoers file with a plain text editor. A single typo makes the file unparseable, and because sudo refuses to run at all when sudoers has a syntax error, that can lock every administrator out. Edit it with visudo instead, run as root (sudo visudo): visudo locks the file against concurrent edits and checks the syntax before it saves, refusing to install a broken file. It opens the file in the default editor, which on Ubuntu is nano; on many other distributions it is vi.
What Can Changing the sudoers File Do?
As discussed above, the main job of the sudoers file is to define who can use sudo and for what. The file also carries Defaults lines that configure sudo's behaviour: how long sudo caches your credentials after you type your password, which editor visudo uses, and hardening options such as use_pty.
Change the sudo timeout
By default, once you have entered your password sudo caches that credential for a while (typically 15 minutes; older builds used 5, and distributions may change it), so repeated sudo commands in that window do not prompt again. Some people prefer to be prompted every time. Setting the timestamp_timeout option on a Defaults line to zero does that: sudo asks for your password on every command. If you prefer a different interval, give that value in minutes instead (the option is in minutes, not seconds, and fractional values are accepted). You can also set it to "-1", which means the cached credential never expires. Don't do that. It is a handy way to accidentally nuke your system one day, and it means any process running under your account can use sudo without a prompt.
Limit Who Can Use Sudo and For What
If several people use the same system through shells, you control what each of them may do with per-user rules in sudoers. Writing a custom rule is easy. A permission rule (a user specification, in sudoers terms) looks something like this:
The username field names the user the rule applies to; with a leading % it names a group instead.
The hostlist names the hosts the rule applies on. sudoers files are often shared between machines; sudo matches this field against the local hostname, so on a single system the usual value is ALL.
The userlist, in parentheses, names the accounts the user may run commands as. It is optional; when it is omitted sudo assumes root.
Lastly, the commandlist is a comma-separated list of programs, given by full path, that the user may run as those accounts. Optional tags such as NOPASSWD: go immediately before the commands they apply to.
With that in mind, consider a rule that gives the ramces user ALL in the host, run-as and command fields. That line lets ramces run any command as any user on any host, because ALL is a special value in sudoers meaning "no restrictions". Handing such a rule to ordinary users is dangerous: it is root access to every file and every account. A narrower rule puts root alone in the run-as list, so ramces can still run any command as root but cannot name another account with sudo's -u option. Be aware that this is only marginally safer, since anyone who can run any command as root can become any other user anyway; real restriction comes from narrowing the command list.
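The rule format just described, checked mechanically. This is an added example, not code from the article or from the sudo project: parse_rule splits a user specification into the fields named above (user, host, run-as list, tags, command list; the run-as list defaults to root when absent, as in sudoers) and rule_risk classifies what the rule grants. The sample rules in the demo are constructed for it; the parser handles single rules only, not aliases or several user specs on one line.

```shell
#!/bin/sh
# Added example; not code from the original article. Splits a sudoers user
# specification into its fields and classifies how much it grants. Field
# names follow the article: user, host, run-as list, tags, command list.
# The run-as list is optional in sudoers and defaults to root when absent.
# Sample rules used by the demo are constructed here.

# parse_rule RULE -> prints "user|host|runas|tags|commands"; exits 1 if the
# rule has no host=commands separator.
parse_rule() {
    printf '%s\n' "$1" | awk '
    {
        user = $1
        rest = $0
        sub(/^[ \t]+/, "", rest)
        sub(/^[^ \t]+[ \t]+/, "", rest)          # drop the user field
        eq = index(rest, "=")
        if (eq == 0) {
            print "parse_rule: no host=commands separator in: " $0 > "/dev/stderr"
            exit 1
        }
        host = substr(rest, 1, eq - 1)
        sub(/[ \t]+$/, "", host)
        spec = substr(rest, eq + 1)
        sub(/^[ \t]+/, "", spec)
        runas = "root"                            # sudo default when (...) is absent
        if (substr(spec, 1, 1) == "(") {
            rp = index(spec, ")")
            runas = substr(spec, 2, rp - 2)
            spec = substr(spec, rp + 1)
            sub(/^[ \t]+/, "", spec)
        }
        tags = ""                                 # NOPASSWD:, NOEXEC:, NOMAIL: ...
        while (match(spec, /^[A-Z_]+:/)) {
            tag = substr(spec, 1, RLENGTH - 1)
            tags = (tags == "") ? tag : (tags "," tag)
            spec = substr(spec, RLENGTH + 1)
            sub(/^[ \t]+/, "", spec)
        }
        printf "%s|%s|%s|%s|%s\n", user, host, runas, tags, spec
    }'
}

# rule_risk RULE -> unrestricted | any-command-as-<user> | limited
rule_risk() {
    parsed=$(parse_rule "$1") || return 1
    runas=$(printf '%s\n' "$parsed" | cut -d'|' -f3)
    cmds=$(printf '%s\n' "$parsed" | cut -d'|' -f5)
    if [ "$cmds" = "ALL" ]; then
        case "$runas" in
            ALL|ALL:*) echo unrestricted ;;           # any command as anyone
            *) echo "any-command-as-${runas%%:*}" ;;  # still full root when runas is root
        esac
    else
        echo limited
    fi
}

# Demo over constructed rules.
for rule in 'ramces ALL=(ALL) ALL' 'ramces ALL=(root) ALL' \
            'ramces ALL=(root) NOPASSWD: /usr/bin/apt update' \
            '%admin ALL=(ALL:ALL) ALL'; do
    printf '%-50s %-45s %s\n' "$rule" "$(parse_rule "$rule")" "$(rule_risk "$rule")"
done
```

rule_risk makes the point of the previous paragraph visible: the "safer" rule with root alone in the run-as list still reports any-command-as-root, while the apt rule reports limited because its command list is a specific program with its arguments pinned.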
Restricting Root in Users and Groups
For finer control, write the command out in full. A rule whose command list is just /usr/bin/apt update permits the "ramces" user to run exactly that and nothing else. Spelling out the arguments matters: a rule that names only /usr/bin/apt allows any arguments, and apt accepts options (such as APT::Update::Pre-Invoke) that run arbitrary commands, so apt with free arguments is effectively root. Put a % in front of the name and the rule applies to a group: a line for "%admin" gives every member of the system group "admin" the listed rights, root-level if the command list is ALL. The group is the one defined in your system's /etc/group, not anything sudo-specific.
Hardening sudoers with use_pty
Another setting worth adding is use_pty, which makes sudo run each command in a fresh pseudo-terminal instead of on the terminal you invoked it from. Without it, a command run through sudo shares your terminal, so a malicious program could inject keystrokes into your session (for instance through the TIOCSTI ioctl) or read what you type after it exits. It is not a sandbox, but it is a cheap hardening step, especially on machines that are constantly exposed to the internet. To enable it, add a Defaults line for use_pty to "/etc/sudoers" (through visudo), like this:
Using sudo Without a Password
Another option available in the sudoers file is running sudo without a password, which some people enable because they run superuser commands constantly. You enable it by adding a single tag to your user's rule, so the only difference from the earlier example is the NOPASSWD: tag in front of the command list. Understand the trade-off: the password prompt is what stops code already running under your account (a compromised script, a malicious editor plugin, a hijacked SSH session) from becoming root silently. If you use NOPASSWD at all, attach it to a short list of specific commands rather than to ALL.
Change the visudo editor
Lastly, how you change the editor depends on your distribution. visudo uses the editor named by the editor setting in sudoers, and consults the EDITOR and VISUAL environment variables only when the env_editor flag is on (stock sudo has it off; Debian and Ubuntu build sudo with it on). On Ubuntu the default editor is the alternatives-managed editor command, so run the update-alternatives command below: You'll see something like the following: To select vim instead of the default nano, press the selection number shown beside it and then Enter. For other flavors of Linux, add a new line to your "~/.bashrc" file as seen below: Then save the file. That sets your visudo editor to vim, provided env_editor is enabled and the variable actually reaches visudo: sudo resets the environment by default, so either run visudo from a root shell or pass the variable on the sudo command line. Congratulations! You now know how to make basic edits to your sudoers file, you have a basic idea of how sudo works, and you know the additional options you can enable through the sudoers file. If all this talk made you curious about Linux, check out our article on some of the best Linux-libre distributions you can install today.
1. I got a “(username) is not in the sudoers file” error. Is my sudo install broken?
Not at all. sudo prints this whenever the account you are using matches no rule in sudoers: the user itself is not listed and it belongs to no group that is. Fixing this is straightforward. First, get a root shell: type su and enter the root password (on Ubuntu, where root has no password, boot into recovery mode instead). As root you can run visudo directly; sudo is not needed. Then add your account, either with a rule of its own or, more commonly, by adding it to the sudo (or wheel) group that already has one, for instance with usermod -aG. For example, this is an excerpt of the sudoers file for a new account called alice:
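The procedure above done the way a drop-in is normally installed, as an added example (not code from the article or the sudo project): write the rule to a temporary file, run the syntax check visudo performs before saving, and only then place it in "/etc/sudoers.d" with the 0440 mode sudo requires. The DIR and CHECKER parameters are assumptions introduced here so the function can be exercised without root; basic_rule_check is a crude stand-in for visudo -cf, for environments where visudo is absent, and is not a real parser.

```shell
#!/bin/sh
# Added example; not code from the original article. Installs a sudoers rule
# as a drop-in: write to a temporary file, syntax-check it, then move it into
# the includedir with mode 0440. DIR and CHECKER default to /etc/sudoers.d and
# "visudo -cf"; both can be overridden so the function runs without root.
# The temporary name contains a dot, so sudo ignores it even if it is left
# behind (sudo skips includedir entries whose names contain "." or end in ~).

# basic_rule_check FILE -> stand-in for "visudo -cf" where visudo is absent
# (for example in a test container): every non-blank, non-comment,
# non-Defaults line must contain the host=commands separator.
basic_rule_check() {
    ! grep -v '^[[:space:]]*$' "$1" \
        | grep -vE '^[[:space:]]*(#|Defaults)' \
        | grep -qv '='
}

# install_sudoers_dropin NAME RULE [DIR] [CHECKER]
# Returns 0 on success, 1 if the check fails, 2 if NAME would be ignored by sudo.
install_sudoers_dropin() {
    name=$1
    rule=$2
    dir=${3:-/etc/sudoers.d}
    checker=${4:-"visudo -cf"}
    case "$name" in
        *.*|*~)
            echo "refusing '$name': sudo ignores drop-ins containing '.' or ending in '~'" >&2
            return 2 ;;
    esac
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"                      # drop-ins must be root-owned and not writable
    if ! $checker "$tmp"; then             # unquoted on purpose: "visudo -cf" is two words
        rm -f "$tmp"
        echo "syntax check failed for '$name'; nothing installed" >&2
        return 1
    fi
    mv "$tmp" "$dir/$name"
}

# Demo against a temporary directory so it runs without root (constructed input).
demo_dir=$(mktemp -d)
install_sudoers_dropin alice 'alice ALL=(root) /usr/bin/apt update' "$demo_dir" basic_rule_check \
    && ls -l "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, run it as root with the defaults (install_sudoers_dropin alice 'alice ALL=(root) /usr/bin/apt update'), which writes into /etc/sudoers.d and checks with visudo -cf. The includedir line that makes sudo read that directory is present in the stock sudoers of Ubuntu, Debian and Fedora; confirm it is in yours before relying on drop-ins.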
2. What are some issues with creating custom user rules?
One pitfall of custom rules is wildcards, the symbols that let one rule match several cases. Consider a rule that lets the admin group run cat as root on any file under "/var" by writing the argument as a path ending in *. The problem is that sudo matches the whole argument string against the pattern, and * matches spaces as well as any other character, so a command line naming a file under /var followed by "/etc/shadow" also matches: the wildcard swallows the space and the second path. Because of that, it is good practice to avoid wildcards in command arguments. Either spell out the exact command lines you want to allow, wrap the operation in a small script with a fixed path and allow that script, or set the permissions of the file so that sudo is not necessary. (Falling back to su for one-off tasks means sharing the root password, which is usually worse than a well-scoped sudo rule.)
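The wildcard problem just described, together with the settings from the sudo timeout, use_pty and NOPASSWD sections, in one added example (not code from the article or the sudo project). cmd_matches models sudo's command matching closely enough to show the over-match: the program path is compared exactly, the requested arguments are joined with spaces and glob-matched against the rule's arguments, and * matches spaces and slashes. audit_sudoers then scans a sudoers file for the weak settings the earlier sections warn about. The sample sudoers it scans is constructed here.

```shell
#!/bin/sh
# Added example; not code from the original article or the sudo project.
#   cmd_matches   models how sudo matches a requested command line against a
#                 rule's command spec, to show why a wildcard in the argument
#                 part over-matches;
#   audit_sudoers scans a sudoers file for weak settings: timestamp_timeout=-1,
#                 NOPASSWD on ALL, wildcards in command specs, missing use_pty.
# The sample sudoers file is constructed here for the demo.

# cmd_matches SPEC REQUEST -> 0 if REQUEST would be permitted by SPEC.
# The program path is compared exactly; the requested arguments are joined
# with single spaces and glob-matched against the arguments in the spec,
# where "*" matches any characters, spaces and slashes included. A spec with
# no arguments permits any arguments.
cmd_matches() {
    spec=$1
    request=$2
    spec_prog=${spec%% *}
    req_prog=${request%% *}
    if [ "$spec_prog" != "$req_prog" ]; then
        return 1
    fi
    if [ "$spec" = "$spec_prog" ]; then
        return 0
    fi
    spec_args=${spec#* }
    if [ "$request" = "$req_prog" ]; then
        req_args=""
    else
        req_args=${request#* }
    fi
    case "$req_args" in
        $spec_args) return 0 ;;   # unquoted on purpose: the spec arguments act as a glob
        *) return 1 ;;
    esac
}

# audit_sudoers FILE -> one finding per line (empty output means none).
audit_sudoers() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, #include lines, blanks
    /^Defaults/ {
        if ($0 ~ /timestamp_timeout=-1/)
            print "timestamp_timeout=-1: cached credentials never expire"
        if ($0 ~ /[[:space:],]!use_pty([[:space:],]|$)/)
            seen_pty = 0
        else if ($0 ~ /[[:space:],]use_pty([[:space:],]|$)/)
            seen_pty = 1
        next
    }
    {
        if ($0 ~ /NOPASSWD:[[:space:]]*ALL([[:space:],]|$)/)
            print "NOPASSWD for ALL commands: " $0
        cmds = substr($0, index($0, "=") + 1)
        sub(/^[[:space:]]*\([^)]*\)/, "", cmds)       # drop the (runas) part
        if (cmds ~ /[*?]/)
            print "wildcard in command spec: " $0
    }
    END {
        if (!seen_pty)
            print "use_pty is not set: commands run on the invoking terminal"
    }' "$1"
}

# Constructed sample sudoers for the demo; not a real system configuration.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample
Defaults env_reset
Defaults timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
%admin  ALL=(root) /bin/cat /var/*
ramces  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/apt update
EOF
}

# Demo.
sample=$(mktemp)
write_sample_sudoers "$sample"
if cmd_matches '/bin/cat /var/*' '/bin/cat /var/log/syslog /etc/shadow'; then
    echo '/bin/cat /var/* also permits: cat /var/log/syslog /etc/shadow'
fi
echo 'audit findings:'
audit_sudoers "$sample" | sed 's/^/  /'
rm -f "$sample"
```

Against the sample, audit_sudoers reports four findings: the never-expiring timeout, the wildcard in the cat rule, the passwordless ALL, and the absent use_pty. The alice rule, which pins apt's argument to update, produces none, and cmd_matches confirms that apt update with an extra -o option would not match it.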
3. Is it possible to prevent sudo from sending system mail whenever I run as root?
Yes. The MAIL and NOMAIL tags on a rule control whether sudo sends mail when that rule is matched, so putting NOMAIL: in front of the command list of your own rule suppresses it for that rule. Note that stock sudo does not mail on every successful root command anyway: by default it mails only when a user who is not in sudoers tries to use it (the mail_no_user flag), and mail on every run happens only if mail_always is set on a Defaults line. For example, this is the rule entry for my user account in the sudoers file: