Why and How to Edit Your Sudoers File in Linux

Linux Sudoers File Featured

Within your Linux system, there is a file called “sudoers”. This is a text file that controls the deepest levels of your permission system. It permits or denies users from gaining super-user access and holds some special preferences for sudo.

What is the sudoers file?

The sudoers file is a text file that you can find in the “/etc” directory (find out more about Linux directory here). Its main purpose is to control how sudo works on your machine and determine which users and groups have the ability to run with superuser permission.

In addition, the sudoers file can also allow a specific user to run commands as another user in the system.

Sudoers Edit Www Data Sample Edit

For example, if you have a web server, you can configure sudoers to only allow other users to run commands as “www-data”.

When do I Need to Edit the sudoers File?

When you first install a Linux system such as Ubuntu, the installer will automatically add the first user to the sudoers file. This is so that you can immediately run administrative tasks with the sudo command after installation.

Sudoers Edit First Time Sudo Use

However, if you create a new user account, it will not have the superuser permission by default. If you need to grant it superuser permission, you will need to edit the sudoers file and add this user account to it.

How can I edit sudoers?

Never edit the sudoers file in a normal text editor. This can lead to simultaneous editing and corrupted files, potentially denying any admin access. Sudoers must be edited by running visudo in Terminal, like so:

sudo visudo
Sudoers Edit Visudo

Note that you need to use sudo to run visudo. This will open the sudoers file in the default text editor in Terminal which is Nano by default.

Sudoers Edit Sample Sudoers File

What can Changing The sudoers File Do?

As discussed above, the main job of the sudoers file is to define which users and groups can use sudo. However, this file also contains some options that will allow you to configure sudo’s behavior.

Some of these options include the ability to change the timeout length of privilege escalation. There are also options to change the default visudo editor and basic hardening such as using the pty.

Change the sudo timeout

By default, entering your sudo password elevates your permissions until you close the shell or exit. This can be insecure, and some might prefer entering their password each time they use sudo.

  1. Run sudo visudo as mentioned above.
  2. Press Alt + / to navigate to the end of the document. If you are using Vi or Vim, press Shift + G instead.
Sudoers Edit Bottom Sudoers File
  1. Create a new line at the bottom of the document and add the following line:
Defaults timestamp_timeout=0
Sudoers Edit Timeout Option

This will set your sudo timeout to zero seconds, so you will have sudo permissions for zero seconds after you execute the first command. If you prefer a different interval, enter that value in seconds instead.

You can also set the timeout to “-1,” which gives you an infinite grace period. Don’t do that. It’s a handy way to accidentally nuke your system one day.

  1. Press Ctrl + o to save and Ctrl + x to exit. On the other hand, if you are using Vi or Vim you can press ESC and then type :wq to exit.

Limit Who Can Use Sudo and For What

If you have multiple users accessing the same system through shells, you can control their access by setting values in sudo.

Creating a custom rule for users is incredibly easy. A permission rule in the sudoers file looks something like this:

username hostlist = (userlist) commandlist
  • The username field indicates which user in the system this rule will apply to.
  • The hostlist tells sudo to apply this rule on a list of system hosts that are known to sudo. By default, sudo only recognizes the local machine as its host.
  • The userlist tells sudo which user account the username field can substitute to.
  • Lastly, the commandlist is a comma separated list that indicates which programs in the system the username can run as that user.

Knowing that, consider the following example:

ramces ALL=(ALL) ALL

This line permits the ramces user to substitute itself as any user and run any command on any host. This is because ALL is a special value in the sudoers file meaning “no restrictions”.

Sudoers Edit Dangerous Sudo Edit

However, this also means that setting this rule for your users is dangerous. This is because it will allow a user to run any command and access any file as any user.

As such, a more appropriate and safer rule can look something like this:

ramces ALL=(root) ALL

In this, the ramces user can still run as root but it cannot substitute itself as any other user.

Restricting Root in Users and Groups

For more control, you could add a line like the following, which would only permit the “ramces” user to run apt update.

ramces ALL=(root) /usr/bin/apt update
Sudoers Edit Restricted Sudo

Put a % in front of the user, and it will define a group. The line below would allow every user in the group “admin” to have root-level permissions. This would be the group as defined by your system’s permission groups.

%admin ALL=(root) ALL

Hardening sudoers with use_pty

Another usage of the sudoers file is to only use sudo in a restricted sandbox environment.

This can be incredibly helpful if you are running sudo in an insecure machine that is constantly connected to the internet. Knowing that, you can use this feature by going to your “/etc/sudoers” file and entering the following line of code:

Defaults use_pty
Sudoers Edit Use Pty Option

Using sudo Without a Password

Another option that you can enable in the sudoers file is the ability to run sudo without a password. This can be especially useful if you find yourself constantly running superuser commands in your machine.

In order to enable it all you need to do is to add a single tag in your current user’s rule:

ramces ALL = (root) NOPASSWD: ALL
Sudoers Edit Nopasswd Option

If you notice, the main difference between this and the example above is the addition of the NOPASSWD:.

Change the visudo editor

Lastly, depending on what version of Linux you’re running, there are two primary ways to change the editor.

For Ubuntu, you’ll want to run the Terminal command below:

sudo update-alternatives --config editor

You’ll see something like the following:

There are 4 choices for the alternative editor (providing /usr/bin/editor).
 
  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/ed             -100       manual mode
  2            /bin/nano            40        manual mode
  3            /usr/bin/vim.basic   30        manual mode
  4            /usr/bin/vim.tiny    10        manual mode
 
Press enter to keep the current choice[*], or type selection number: 3

If you wanted to select vim as your visudo editor from the default of nano, you would press its selection number 3 then press Enter.

Sudoers Edit Change Editor

For other flavors of Linux, you’ll want to add a new line to your “~/.bashrc” file as seen below:

export EDITOR="vim"

Then save out the file. That would set your visudo editor to vim.

Congratulations! You now know how to do basic edits to your sudoers file. Not only that, you also now have a basic idea of how sudo works. As well as additional options that you can enable through the sudoers file.

If all this talk made you curious about Linux. You can check this article where we talk about some of the best Linux-libre distributions that you can install today.

Frequently Asked Questions

1. I got a “(username) is not in the sudoers file” error. Is my sudo install broken?

Not at all. This happens whenever the user that you are using does not have a rule entry in the sudoers file. This could either be that the user itself is not in sudoers or it is not in any group that is in the sudoers.

Knowing that, fixing this is relatively easy. First, you need to login to your root account. You can do this by typing su and then entering the root password. From there, you can then type sudo visudo to enter the sudoers file.

Once done, the last thing that you need to do is to add your username to the sudoers file. For example, this is an excerpt of the sudoers file for a new account called alice:

alice ALL=(root) ALL

2. What are some issues with creating custom user rules?

One of the issues that you might encounter with creating custom rules is with wildcards. These are symbols that you can use to create a rule that can apply to multiple cases. For example, this is a rule that allows the group admin to run cat in any file in “/var” as root.

%admin ALL: (root) /bin/cat /var/*

The problem with this is that this wildcard character can also substitute for spaces. As such, setting it this way could also allow commands such as these:

sudo cat /var/log.1 /home/bob/secret.txt

Because of that, it is good practice to avoid using any wildcards when creating rules. Instead, you can either use su for one-time tasks or set the permissions of the file so that sudo is not necessary.

3. Is it possible to prevent sudo from sending system mail whenever I run as root?

Yes! You can easily prevent sudo from sending mail by using the NOMAIL tag. For example, this is the rule entry for my user account in the sudoers file:

ramces ALL: (root) NOMAIL: ALL

Image credit: a hero with computer circuit by 123RF

Ramces Red
Ramces Red

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox