This guide provides an overview of the /etc/sudoers file in Linux, explaining how to safely edit it using visudo, understand its content, and configure user privileges and environment settings.
The /etc/sudoers file defines which users or groups have the right to use sudo to execute commands with elevated privileges.
To view all active entries in the sudoers file without comments or empty lines:
cat /etc/sudoers | grep -E -v "^(#|$)"
Editing the sudoers file directly can be risky due to potential syntax errors that could lock you out of administrative privileges. Always use the visudo command to edit this file.
visudo
Or specify your preferred editor:
EDITOR=vim visudo
visudo: Opens thesudoersfile in a safe environment, performing syntax checking upon saving.EDITOR=vim: Sets the editor tovimfor this session.
Note: visudo ensures that only one user edits the sudoers file at a time and prevents syntax errors.
The Defaults settings control various aspects of sudo's behavior.
Defaults !visiblepw: Preventssudofrom echoing asterisks (*) when typing passwords, enhancing security against shoulder surfing.
Defaults always_set_home: Sets theHOMEenvironment variable to the target user's home directory.Defaults match_group_by_gid: Matches groups by their Group ID (GID) rather than group name.Defaults always_query_group_plugin: Always queries the group plugin when determining group membership.Defaults env_reset: Resets the environment to a clean state before executing commands.
Specify environment variables to keep:
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Set a secure PATH for sudo commands:
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
This prevents users from running unauthorized executables by restricting the directories searched for commands.
Control how long sudo caches your credentials:
Defaults timestamp_timeout=5
- Sets the timeout to 5 minutes.
- After this period,
sudowill prompt for a password again.
Configure whether sudo requires a password and whose password is needed.
Defaults targetpw: Requires the password of the target user (e.g.,root).Defaults rootpw: Requires the root password.Defaults runaspw: Requires the password of the user specified by-u.
To disable these requirements:
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
Aliases allow grouping for users, hosts, runas users, and commands.
User_Alias ADMINS = alice, bob, carol
Host_Alias WEB_SERVERS = www1, www2, www3
Runas_Alias OP_USERS = operator, sysadmin
Cmnd_Alias MAINTENANCE = /usr/bin/systemctl, /usr/bin/journalctl
Define what commands users or groups can execute.
user hostlist = (runas_user : runas_group) taglist commandlist
user: User or%groupthe rule applies to.hostlist: Hostnames where the rule applies.runas_user: User to run the command as.runas_group: Group to run the command as.taglist: Optional tags likeNOPASSWD,NOEXEC.commandlist: Commands the user is allowed to run.
-
Allow
aliceto run all commands as any user:alice ALL=(ALL) ALL -
Allow members of
ADMINSto run maintenance commands without a password:%ADMINS ALL=(OP_USERS) NOPASSWD: MAINTENANCE -
Allow
bobto restart the web server asroot:bob WEB_SERVERS=(root) /usr/sbin/systemctl restart httpd
PASSWD: Require a password (default behavior).NOPASSWD: Do not require a password.NOEXEC: Prevent commands from executing further commands.EXEC: Allow commands to execute other commands.SETENV: Allow the user to set environment variables.NOSETENV: Prevent setting environment variables.
dave ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
%groupname: References a Unix group.
-
Allow all members of the
sudogroup to run any command:%sudo ALL=(ALL) ALL -
Allow
webadminsgroup to manage the web server:%webadmins ALL=(root) NOPASSWD: /usr/sbin/systemctl restart httpd
Specify the user and group to run commands as.
user hostlist = (runas_user : runas_group) commandlist
- If
runas_userorrunas_groupis omitted,rootand the invoking user's group are assumed, respectively.
-
Allow
janeto run commands asdbadminand groupdbgroup:jane ALL=(dbadmin:dbgroup) /usr/bin/psql -
Usage:
sudo -u dbadmin -g dbgroup psql
You can verify your current sudo privileges using the sudo -l command. This is useful to determine what commands you are allowed to execute with sudo.
sudo -l
This command will list the commands you are permitted to run, according to the rules specified in the /etc/sudoers file.
If your user alice runs:
sudo -l
She might see:
User alice may run the following commands on this host:
(ALL) ALL
This indicates that alice can run all commands as any user.
Alternatively, if specific commands are permitted, they will be listed accordingly.
- Usage: Set on executable files to allow users to run them with the file owner's permissions.
- Limitations:
- Less flexible—applies to individual files.
- Potential security risks if misconfigured.
- No logging or auditing.
- Usage: Grants users permission to run commands as other users per
sudoersrules. - Advantages:
- Highly configurable.
- Allows fine-grained control.
- Provides logging and auditing.
- More secure when properly configured.