Why and How to Edit Your Sudoers File in Linux

Within your Linux or macOS system, there’s a file called “sudoers” which controls the deepest levels of your permissions system. It determines which users may gain super-user access and holds some special preferences for sudo.

The sudoers file is a text file that lives at “/etc/sudoers.” It controls how sudo works on your machine. You are probably familiar with sudo’s primary role of elevating your current account’s privileges to root, the superuser on all Unix-based systems. This permits your users to execute commands that would be otherwise prohibited.

When you first install Linux (or macOS), the first and default user will be auto-added to the sudoers file so it can run administrative tasks with the sudo command. However, if you create a new user account, it will not have the superuser permission by default. If you need to grant it superuser permission, you will need to edit the sudoers file and add this user account to it.

Never edit the sudoers file in a normal text editor. This can lead to simultaneous editing and corrupted files, potentially denying any admin access. Sudoers must be edited by running sudo visudo in Terminal.

Note that you need to use sudo to run visudo. This will open the sudoers file in the default text editor in Terminal (by default, nano).


The sudoers file’s main job is defining which users can use sudo for what. It also holds some simple preferences, which we can adjust first to get a feel for how visudo works.

Change the sudo timeout

By default, entering your sudo password elevates your permissions until you close the shell or exit. This can be insecure, and some might prefer entering their password each time they use sudo.

1. Run sudo visudo as mentioned above.

2. Press Alt + / to navigate to the end of the document. If you are using Vi or Vim, press Shift + G instead.


3. Create a new line at the bottom of the document and add the following line:


This will set your sudo timeout to zero seconds, so you’ll have sudo permissions for zero seconds after you execute the first command. If you prefer a different interval, enter that value in seconds instead.

You can also set the timeout to “-1,” which gives you an infinite grace period. Don’t do that. It’s a handy way to accidentally nuke your system one day.

4. Press Ctrl + o to save and Ctrl + x to exit.

Limit who can use sudo and for what

The main purpose of the sudoers file is to control which users can run sudo. Without sudo, users can’t elevate their permissions. If you have multiple users accessing the same system through shells, you can control their access by setting values in sudo.

Every sudoers file will have the following line:

This permits the root user on ALL hosts to execute ALL commands as ALL users. ALL is a special value in the sudoers file meaning “no restrictions.” The syntax is as below:

If you want to add another user as root, simply copy the root line and change the user like so:

For more control, you could add a line like the following, which would only permit the “alexander” user to run apt-get update.

Put a “%” in front of the user, and it will define a group. The line below would allow every user in the group “admin” to have root-level permissions. This would be the group as defined by your OS permission groups.
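As an added example (not code from the original article), the script below reads sudoers-style text and reports the two things worth reviewing from the sections above: a negative sudo timeout, and any user or group other than root allowed to run ALL commands. The sample policy, the user “bob”, the /usr/bin/apt-get path and the finding labels are assumptions made for illustration; timestamp_timeout is sudo's option for the password grace period.

```shell
#!/bin/sh
# Added example: review sudoers-style text for the settings discussed above.
# Assumptions: one rule per line (no backslash continuations), and
# included files (#include / @includedir) are not followed.

# Constructed sample policy, not taken from a real system.
sample_sudoers() {
cat <<'EOF'
# "Defaults timestamp_timeout=0" would ask for the password every time
Defaults timestamp_timeout=-1
root ALL=(ALL) ALL
bob ALL=(ALL) ALL
alexander ALL=(ALL) /usr/bin/apt-get update
%admin ALL=(ALL) ALL
EOF
}

# Reads sudoers text on stdin, prints one finding per line.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    /^[ \t]*[A-Za-z]+_Alias/ { next }        # alias definitions
    /^[ \t]*Defaults/ {
      if (match($0, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/^[^=]*=[ \t]*/, "", v)
        # a negative value means the cached credential never times out
        if (v + 0 < 0) print "TIMEOUT_NEVER_EXPIRES " v
      }
      next
    }
    index($0, "=") {
      who = $1
      cmds = $0
      sub(/^[^=]*=[ \t]*/, "", cmds)         # drop "who hosts="
      sub(/^\([^)]*\)[ \t]*/, "", cmds)      # drop "(run-as users)"
      sub(/^([A-Z_]+:[ \t]*)+/, "", cmds)    # drop tags such as NOPASSWD:
      sub(/[ \t]+$/, "", cmds)
      # list every user or group other than root that may run ALL commands
      if (cmds == "ALL" && who != "root") print "FULL_ROOT " who
    }
  '
}

sample_sudoers | audit_sudoers
```

To review a real policy, pipe a copy of the file into audit_sudoers instead of the sample; the restricted “alexander” rule produces no finding because its command list is not ALL.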

Change the visudo editor

Depending on what version of Linux you’re running, there are two primary ways to change the editor.

For Ubuntu, you’ll want to run the Terminal command below:

You’ll see something like the following:

If you wanted to select vim as your visudo editor from the default of nano, you would press its selection number 3 then press Enter.

For other flavors of Linux, you’ll want to add a new line to your “~/.bashrc” file as seen below:

Then save out the file. That would set your visudo editor to vim.

The sudoers file isn’t something you’ll typically need to mess with on single user systems. But system administrators will have more than enough reason to explore its inner workings.
