In this article, we want to teach you how to edit the sudoers file in Linux. You can use your favorite Linux distribution, such as CentOS 7, Debian, or Fedora, or other versions of them; the steps work the same way on each. Here we use Ubuntu 20.04 to show the guide steps.
Steps To Edit the Sudoers File in Linux
Before we start to edit the sudoers file, you need to complete the initial server setup so that you can log in as a non-root user. You can check this article for the Initial server setup with Ubuntu 20.04.
Then, follow the steps below to complete this guide.
Step 1 – Get Root Privileges in Linux
There are three basic ways to get root privileges.
Root Login
Logging in as the root user is the simplest way. You can simply type root and enter your root password to log in.
Note: If you log in through SSH, you need the IP address or domain name of your server. To do this, run the command below:
ssh root@server_domain_or_ip
If you haven’t set up SSH keys for the root user, you can enter the root password when you are asked for it.
Use the su command
We recommend that you do not log in as root because it isn’t secure. You can use the “su” command, which stands for “substitute user”, to get root privileges. You will be asked for the root user password, and then you will be in a root shell session. To do this, you can run the following command:
su
When you have finished, type exit to get back into a normal shell:
exit
Use the sudo command
To execute commands with root privileges, you can use “sudo” before each command.
Note: If a user wants to use “sudo”, the user should be in the sudo group. To add a user to the sudo group, you need to check the initial server setup that we mentioned at the beginning of the guide. Or you can visit the Orcacore website and search for other initial server setup guides.
sudo command-to-execute
You will be asked for the current user password.
Now let’s see what visudo is and how to modify the sudoers file.
Step 2 – What is the visudo command in Linux?
visudo edits the sudoers file, which defines the users and groups with administrator rights.
The sudo command is configured in a file located at /etc/sudoers.
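Note: Never edit this file with a normal text editor! Always use the visudo command instead! visudo locks the file against simultaneous edits and checks the syntax before saving, so a typing mistake cannot leave you with a broken sudo configuration.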
Visudo opens the /etc/sudoers file with the vi text editor. But in Ubuntu, visudo uses the nano text editor instead. To change it back to vi, run the following command:
sudo update-alternatives --config editor
In your output, you will see choices for the alternative editor. Press Enter to keep the current choice or enter the number that you want.
In CentOS, you can change it by adding the following command to your ~/.bashrc:
export EDITOR=`which name_of_editor`
Source the file to apply the changes:
. ~/.bashrc
After you have configured visudo, open the /etc/sudoers file with the following command:
sudo visudo
You are now in the /etc/sudoers file with your selected editor. Let’s modify the sudoers file.
Step 3 – Modify the Sudoers File in Linux
The /etc/sudoers file contains several kinds of lines. In this article, we will discuss the defaults, user, and group lines.
Defaults Lines
“env_reset” removes harmful environment variables from the sudo session.
“mail_badpass” tells the system to mail notices of bad sudo password attempts to the configured mailto user.
“secure_path” sets the PATH that will be used for the sudo operation.
User Line
This line is shown as “root ALL=(ALL:ALL) ALL”, which means that:
- root: the username that the rule applies to.
- First ALL: the rule applies to all hosts.
- (ALL:ALL): the root user can run commands as all users and all groups.
- Last ALL: the rule applies to all commands.
Group Lines
These lines begin with the “%” sign, which marks a group name. They mean that the admin and sudo groups can execute any command as any user on any host.
Included /etc/sudoers.d Line
This line begins with the “#” sign, but that doesn’t mean it is a comment. This line indicates that files in the /etc/sudoers.d directory will be sourced and applied as well.
Note: You should always edit files in the /etc/sudoers.d directory with visudo. To edit the files, you can run the following command:
sudo visudo -f /etc/sudoers.d/file_to_edit
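The same safeguard for scripted changes, as an added example that is not part of the original article: the hypothetical helper install_dropin checks a candidate file with visudo -cf before copying it into /etc/sudoers.d, and refuses file names that sudo would skip (names containing a “.” or ending in “~”). It is meant to be run as root.

```sh
#!/bin/sh
# Added example (not from the article). install_dropin is a hypothetical helper.
# Usage, as root: install_dropin <candidate-file> <name> [target-dir]
install_dropin() {
    src=$1; name=$2; dir=${3:-/etc/sudoers.d}

    # sudo skips files in an included directory whose names contain a "."
    # or end in "~", so such a drop-in would silently grant nothing.
    case $name in
        ''|*.*|*"~"|*/*) echo "refusing file name: $name" >&2; return 2 ;;
    esac

    # Check the candidate only; the live configuration is not touched yet.
    # A missing visudo also ends up here, so the install fails closed.
    if ! visudo -cf "$src" >/dev/null 2>&1; then
        echo "syntax check failed, not installing: $src" >&2
        return 1
    fi

    # Stage with final permissions, then rename into place. The staging name
    # contains dots, so sudo ignores it if it is ever left behind.
    tmp="$dir/.$name.tmp.$$"
    if install -m 0440 "$src" "$tmp" && mv -f "$tmp" "$dir/$name"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```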
Step 4 – Give sudo privileges to a user on Linux
In Ubuntu, the sudo group has full admin privileges. You can give a user the same privileges easily with the following command:
sudo usermod -aG sudo username
Or you can also use gpasswd instead:
sudo gpasswd -a username sudo
In CentOS and RHEL, we have the “wheel” group instead of the sudo group. To give sudo privileges in CentOS and RHEL-based distros, run the following command:
sudo usermod -aG wheel username
Also, you can use gpasswd:
sudo gpasswd -a username wheel
Note: In CentOS, if adding a user to the “wheel” group doesn’t work, you have to edit the /etc/sudoers file and uncomment the line for the wheel group.
At this point, you have learned to edit the sudoers file in Linux. Now you can create some new rules.
Step 5 – Create Aliases for sudoers file
The sudoers file can be organized easily by grouping things with various kinds of “aliases”.
Here we create two different groups of users with overlapping memberships:
. . .
User_Alias GROUPONE = anna, daniel, sam
User_Alias GROUPTWO = daniel, shawn, linda
. . .
Note: Alias names such as these group names must start with a capital letter.
Here we allow members of GROUPONE to update the apt database with the rule below:
. . .
GROUPONE ALL = /usr/bin/apt-get update
. . .
You can also create “command” aliases (Cmnd_Alias) and “Run as” aliases (Runas_Alias); a “Run as” alias can replace the part of the rule that defines the user to execute the command as.
Step 6 – Lockdown rules for sudoers
You can control how sudo reacts. If you want to allow users to execute commands with root privileges without a password, you can make a rule for it. To do this, add the following rule:
. . .
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
. . .
The NOPASSWD tag means that the user will not be asked for a password.
Another helpful tag is NOEXEC, which prevents dangerous behavior in some programs, such as starting a shell or another program from inside the command that sudo runs.
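To review where NOPASSWD has been granted, the following added example (not part of the original article) scans sudoers text and reports passwordless rules, rating a rule that covers ALL commands higher than one limited to named commands. The function names and the sample text are constructed for illustration, and the parser is simplified to one rule per line.

```sh
#!/bin/sh
# Added example: flag passwordless sudo rules in sudoers text.
# Simplified: one rule per line, no backslash continuations, aliases not expanded.

# Constructed sample; the GROUPTWO and NOEXEC rules are made up for the demo.
sample_sudoers() {
    cat <<'EOF'
Defaults        env_reset
User_Alias      GROUPONE = anna, daniel, sam
User_Alias      GROUPTWO = daniel, shawn, linda
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
GROUPONE        ALL = NOPASSWD: /usr/bin/updatedb
GROUPTWO        ALL = NOPASSWD: ALL
daniel          ALL = NOEXEC: /usr/bin/less
EOF
}

# Reads sudoers text from files or stdin; prints SEVERITY<TAB>WHO<TAB>DETAIL.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # comments, #includedir, blanks
    $1 ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    index($0, "=") == 0 { next }
    {
        spec = substr($0, index($0, "=") + 1)      # text after "host ="
        sub(/^[ \t]*\([^)]*\)/, "", spec)          # drop the (user:group) part
        nopw = (spec ~ /NOPASSWD:/)
        gsub(/[A-Z_]+:/, "", spec)                 # drop tags such as NOEXEC:
        gsub(/[ \t]/, "", spec)
        if (!nopw) next
        if (("," spec ",") ~ /,ALL,/)
            print "HIGH\t" $1 "\tany command without a password"
        else
            print "REVIEW\t" $1 "\tpasswordless: " spec
    }' "$@"
}

sample_sudoers | audit_sudoers
```

On a real system the input would be the root-readable /etc/sudoers and the files in /etc/sudoers.d.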
Step 7 – Various Information Of Sudo
In this part, we show you some miscellaneous information about sudo.
When you have finished running commands with root privileges, you can clear the sudo password timer with the -k flag for security:
sudo -k
With the -l flag you can see what root privileges are set for your user:
sudo -l
Sometimes you forget to use sudo when executing a command. In this situation, you don’t need to retype the command; just use “!!”, the shell’s history expansion for the previous command:
sudo !!
That’s it. You are done.
Conclusion
In this article, we tried to teach you the most important parts of editing the sudoers file. You have learned how to log in to your server, what visudo is and how to configure it, how to give a user root privileges, how to create your own aliases, and how to make new rules.
Hope you enjoy this guide.