Within your Linux system, there is a file called “sudoers”. This is a text file that controls the deepest levels of your permission system. It permits or denies users from gaining super-user access and holds some special preferences for sudo.
What is the sudoers file?
The sudoers file is a text file that you can find in the “/etc” directory (find out more about Linux directory here). Its main purpose is to control how sudo
works on your machine and determine which users and groups have the ability to run with superuser permission.
In addition, the sudoers file can also allow a specific user to run commands as another user in the system.
For example, if you have a web server, you can configure sudoers to only allow other users to run commands as “www-data”.
Also read: What Is Doas and How to Install It
When do I Need to Edit the sudoers File?
When you first install a Linux system such as Ubuntu, the installer will automatically add the first user to the sudoers file. This is so that you can immediately run administrative tasks with the sudo
command after installation.
However, if you create a new user account, it will not have the superuser permission by default. If you need to grant it superuser permission, you will need to edit the sudoers file and add this user account to it.
Also read: How to Check Sudo History in Linux
How can I edit sudoers?
Never edit the sudoers file in a normal text editor. This can lead to simultaneous editing and corrupted files, potentially denying any admin access. Sudoers must be edited by running visudo
in Terminal, like so:
sudo visudo
Note that you need to use sudo
to run visudo
. This will open the sudoers file in the default text editor in Terminal which is Nano by default.
What can Changing The sudoers File Do?
As discussed above, the main job of the sudoers file is to define which users and groups can use sudo. However, this file also contains some options that will allow you to configure sudo’s behavior.
Some of these options include the ability to change the timeout length of privilege escalation. There are also options to change the default visudo editor and basic hardening such as using the pty.
Change the sudo timeout
By default, entering your sudo password elevates your permissions until you close the shell or exit. This can be insecure, and some might prefer entering their password each time they use sudo.
- Run
sudo visudo
as mentioned above. - Press Alt + / to navigate to the end of the document. If you are using Vi or Vim, press Shift + G instead.
- Create a new line at the bottom of the document and add the following line:
Defaults timestamp_timeout=0
This will set your sudo timeout to zero seconds, so you will have sudo permissions for zero seconds after you execute the first command. If you prefer a different interval, enter that value in seconds instead.
You can also set the timeout to “-1,” which gives you an infinite grace period. Don’t do that. It’s a handy way to accidentally nuke your system one day.
- Press Ctrl + o to save and Ctrl + x to exit. On the other hand, if you are using Vi or Vim you can press ESC and then type
:wq
to exit.
Limit Who Can Use Sudo and For What
If you have multiple users accessing the same system through shells, you can control their access by setting values in sudo.
Creating a custom rule for users is incredibly easy. A permission rule in the sudoers file looks something like this:
username hostlist = (userlist) commandlist
- The
username
field indicates which user in the system this rule will apply to. - The
hostlist
tells sudo to apply this rule on a list of system hosts that are known to sudo. By default, sudo only recognizes the local machine as its host. - The
userlist
tells sudo which user account the username field can substitute to. - Lastly, the
commandlist
is a comma separated list that indicates which programs in the system the username can run as that user.
Knowing that, consider the following example:
ramces ALL=(ALL) ALL
This line permits the ramces user to substitute itself as any user and run any command on any host. This is because ALL
is a special value in the sudoers file meaning “no restrictions”.
However, this also means that setting this rule for your users is dangerous. This is because it will allow a user to run any command and access any file as any user.
As such, a more appropriate and safer rule can look something like this:
ramces ALL=(root) ALL
In this, the ramces user can still run as root but it cannot substitute itself as any other user.
Restricting Root in Users and Groups
For more control, you could add a line like the following, which would only permit the “ramces” user to run apt update
.
ramces ALL=(root) /usr/bin/apt update
Put a %
in front of the user, and it will define a group. The line below would allow every user in the group “admin” to have root-level permissions. This would be the group as defined by your system’s permission groups.
%admin ALL=(root) ALL
Hardening sudoers with use_pty
Another usage of the sudoers file is to only use sudo in a restricted sandbox environment.
This can be incredibly helpful if you are running sudo in an insecure machine that is constantly connected to the internet. Knowing that, you can use this feature by going to your “/etc/sudoers” file and entering the following line of code:
Defaults use_pty
Using sudo Without a Password
Another option that you can enable in the sudoers file is the ability to run sudo without a password. This can be especially useful if you find yourself constantly running superuser commands in your machine.
In order to enable it all you need to do is to add a single tag in your current user’s rule:
ramces ALL = (root) NOPASSWD: ALL
If you notice, the main difference between this and the example above is the addition of the NOPASSWD:
.
Change the visudo editor
Lastly, depending on what version of Linux you’re running, there are two primary ways to change the editor.
For Ubuntu, you’ll want to run the Terminal command below:
sudo update-alternatives --config editor
You’ll see something like the following:
There are 4 choices for the alternative editor (providing /usr/bin/editor). Selection Path Priority Status ------------------------------------------------------------ * 0 /bin/nano 40 auto mode 1 /bin/ed -100 manual mode 2 /bin/nano 40 manual mode 3 /usr/bin/vim.basic 30 manual mode 4 /usr/bin/vim.tiny 10 manual mode Press enter to keep the current choice[*], or type selection number: 3
If you wanted to select vim as your visudo editor from the default of nano, you would press its selection number 3
then press Enter.
For other flavors of Linux, you’ll want to add a new line to your “~/.bashrc” file as seen below:
export EDITOR="vim"
Then save out the file. That would set your visudo editor to vim.
Congratulations! You now know how to do basic edits to your sudoers file. Not only that, you also now have a basic idea of how sudo works. As well as additional options that you can enable through the sudoers file.
If all this talk made you curious about Linux. You can check this article where we talk about some of the best Linux-libre distributions that you can install today.
Frequently Asked Questions
1. I got a “(username) is not in the sudoers file” error. Is my sudo install broken?
Not at all. This happens whenever the user that you are using does not have a rule entry in the sudoers file. This could either be that the user itself is not in sudoers or it is not in any group that is in the sudoers.
Knowing that, fixing this is relatively easy. First, you need to login to your root account. You can do this by typing su
and then entering the root password. From there, you can then type sudo visudo
to enter the sudoers file.
Once done, the last thing that you need to do is to add your username to the sudoers file. For example, this is an excerpt of the sudoers file for a new account called alice:
alice ALL=(root) ALL
2. What are some issues with creating custom user rules?
One of the issues that you might encounter with creating custom rules is with wildcards. These are symbols that you can use to create a rule that can apply to multiple cases. For example, this is a rule that allows the group admin to run cat
in any file in “/var” as root.
%admin ALL: (root) /bin/cat /var/*
The problem with this is that this wildcard character can also substitute for spaces. As such, setting it this way could also allow commands such as these:
sudo cat /var/log.1 /home/bob/secret.txt
Because of that, it is good practice to avoid using any wildcards when creating rules. Instead, you can either use su
for one-time tasks or set the permissions of the file so that sudo is not necessary.
3. Is it possible to prevent sudo from sending system mail whenever I run as root?
Yes! You can easily prevent sudo from sending mail by using the NOMAIL tag. For example, this is the rule entry for my user account in the sudoers file:
ramces ALL: (root) NOMAIL: ALL
Image credit: a hero with computer circuit by 123RF
Our latest tutorials delivered straight to your inbox