How do we add user to sudoers file? How to give user sudo access? How to give root privileges to a user in linux? how to give superuser permission in linux? What are sudo alias? What is the syntax used by sudoers file?
These are some of the common questions user have when they start working with sudoers file. In this tutorial I will give you a detailed overview on sudo privileges and share the proper way to add user to sudoers file.
Overview on sudoers privilege
- Normal users operate in limited privilege sessions to limit the scope of their influence on the entire system.
- One special user exists on Linux that we know already is root, which has super-user privileges.
- This account doesn't have any restrictions that are present to normal users.
- Sudoer is the functionality of the Linux system that can be used by an administrator to provide administrative access to a trusted regular user, without actually sharing the root user's password.
- The administrator simply needs to add the regular user in the
sudoers
list. - Once a user has been added to the
sudoers
list, they can execute any administrative command by preceding it with sudo. - Then the user would be asked to enter their own password depending upon the configuration.
- After this, the administrative command would be executed the same way as by the root user.
It is very important to update sudoers
correctly or else you may break the complete sudoers
functionality. There is a particular syntax which must be followed while adding a user or new entry to the sudoers
file.
We will discuss about those syntax later in this article. But first let me highlight you the dos and dont's which you must follow when working with sudoers file.
Recommended guidelines to edit sudoers file
- You should avoid using
echo "<content>" >> /etc/sudoers
method to add any user content to main sudoers file. The reason being, if you follow incorrect syntax then you can break the entiresudoers
functionality - Always use "
visudo
" to edit the/etc/sudoers
file. It is again not recommended to use any editor such as vim ornano
etc to directly edit the/etc/sudoers
file. This is becausevisudo
editor is part ofsudo
rpm and it will perform a syntax check before we save and exit thesudoers
file. Assuming you have provided an incorrect syntax in thesudoers
file and try to save and exit thesudoers
file, you will get this error prompt:
# visudo
>>> /etc/sudoers: syntax error near line 125 <<<
>>> /etc/sudoers: syntax error near line 126 <<<
>>> /etc/sudoers: syntax error near line 125 <<<
>>> /etc/sudoers: syntax error near line 126 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
- So
visudo
will warn you for any incorrect syntax, but if you edit/etc/sudoers
using any normal editor then there will no syntax check performed and you may end up with incorrectsudoers
entry - Another advantage with
visudo
is that it will protect you from race condition when multiple user try to modifysudoers
file at the same time. Ifvisudo
is used in parallel when there is already avisudo
session then you will get "visudo: /etc/sudoers busy, try again later
" - It is always a good practice to leave the default
sudoers
file untouched, you should add any custom content inside/etc/sudoers.d
as which this the chances of corrupting the originalsudoers
content will be minimal. - By default
/etc/sudoers
contain below entry
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d
- So you can create multiple files based on your teams or groups under
/etc/sudoers.d/
and add respectivesudo
permissions for users or groups in your organization. This will make sure othersudo
users are not impacted by anysyntax
error
visudo
itself doesn't have any editor so it will use the system's default editor to open sudoers
file. In most of the Linux and Unix distros, vim is the default editor so visudo
will open sudoers
file using vim
. To modify this you can modify your user's .bashrc
and add "export EDITOR=/usr/bin/nano
" or any other editor of your preferenceI hope we are clear on the dos and dont's before you work on sudoers
file. Let us now understand the basic syntax of sudoers
file.
Syntax of sudoers file
The syntax usage of sudoers
can be little tricky and complicated for complex use cases. To fully explain the syntax of /etc/sudoers
, we will use a sample rule and break down each column:
deepak ALL=(root) /usr/bin/find, /bin/rm
First column
- The first column defines what user or group this
sudo
rule applies to. - In this case, it is the user
deepak
. - If the word in this column is preceded by a
%
symbol, it designates this value as a group instead of a user, since a system can have users and groups with the same name.
Second Column
- The second value
(ALL)
defines what hosts thissudo
rule applies to. - This column is most useful when you deploy a
sudo
environment across multiple systems. - For a desktop Ubuntu system, or a system where you don’t plan on deploying the
sudo
roles to multiple systems, you can feel free to leave this value set toALL
, which is a wildcard that matches all hosts. - For single server deployment this section does not has much usage and can be left to default
ALL
or provide localhost'shostname
Third Column
- The third value is set in parentheses and defines what user or users the user in the first column can execute a command as.
- This value is set to
root
, which means thatdeepak
will be allowed to execute the commands specified in the last column as the root user. - This value can also be set to the
ALL
wildcard, which would allowdeepak
to run the commands as any user on the system.
Fourth Column
- The last value (
/usr/bin/find
,/bin/rm
) is a comma-separated list of commands the user in the first column can run as the user(s) in the third column. - In this case, we’re allowing
deepak
to runfind
andrm
asroot
withsudo
privileges. - This value can also be set to the
ALL
wildcard, which would allowdeepak
to run all commands on the system as root.
So now that we know about the basic syntax of sudoers
file, let us go ahead and add some users to sudoers
file with privilege to execute few commands as root user
How to add user to sudoers
In this example we want to provide sudo
privilege to user "deepak
" from my Linux server to be able to execute chown
and chmod
as root
user
Example to understand first field of sudoers file
I will create a new file under /etc/sudoers.d/
by the name "custom
", you can use any name as per your requirement
# touch /etc/sudoers.d/custom
Add the below content in this file using visudo
# visudo --file=/etc/sudoers.d/custom deepak ALL=(ALL) /usr/bin/chown
Save and exit the file.
Next try to login as deepak
user and execute chown
as sudo
[deepak@server ~]$ sudo chown
[sudo] password for deepak:
chown: missing operand
Try 'chown --help' for more information.
So the command prompts for password and the execution is successful. You can ignore the "missing operand
" error, since I have not used proper command syntax, the command is throwing error. But we know the command was executed successfully with sudo
privilege
Now this would explain the first column
Example to understand second field of sudoers file
Let's understand the usage of second column.
Now we have 100 servers and using some remote tool we are deploying sudoers
list to all these 100 servers. Now our of these 100 servers we want user deepak
to be allowed to use chown
only on the host with hostname "server
" so we will use
deepak server=(ALL) /usr/bin/chown
Now the same sudoers
script will be deployed to 100 servers but user deepak
will be allowed use chown
with sudo
only on server. If he tries to use chown
on other servers, he will get
deepak is not allowed to run sudo on server. This incident will be reported.
While the same would work on "server
" host
But again this is of not too much use when you are working on single server deployment. You can choose to use wildcard ALL
or provide the hostname
of your host, either should be fine.
So this explains the second column.
Example to understand third field of sudoers file
Let us understand how third column is used in sudoers
file.
We have a script which should only be used by user "amit
" but due to some requirement we also want user "deepak
" to be able to execute this script.
sudo to the rescue
We will add below content to our /etc/sudoers.d/custom
# visudo --file=/etc/sudoers.d/custom deepak ALL=(amit) /tmp/amit_script.sh
If deepak
tries to call amit_script.sh
, he is asked to "Get Lost
"
[deepak@server ~]$ /tmp/amit_script.sh
This script can be called only by amit
Get Lost
Then he tries to run the same script as sudo
user, but sadly the output says he is not allowed to execute /tmp/amit_script.sh
when he knows he was given privilege for this.
[deepak@server ~]$ sudo /tmp/amit_script.sh
[sudo] password for deepak:
Sorry, user deepak is not allowed to execute '/tmp/amit_script.sh' as root on server.example.com.
The problem is, deepak
is trying to run amit's
script so he must use "sudo -u amit
" to be able to execute amit's
script as amit
user. So let's give one more try:
[deepak@server ~]$ sudo -u amit /tmp/amit_script.sh
[sudo] password for deepak:
Welcome Amit
Bingo, it worked.
So I hope the third column usage was clear.
The fourth column should be easy to understand. You must provide the list of commands, or scripts with full path separated by a command and whitespace character.
How to use alias in sudoers
There is a concept of alias in sudoers
which can keep your sudoers
file organized and clean. It is similar to a variable which we use in scripts and codes. Here in the below syntax, all the ALIAS_NAME
must be provided in UPPERCASE
letters or you will get syntax error.
You can create a user alias using
User_Alias ALIAS NAME USER1, USER2, USER3, ..
To create a command alias
Cmnd_Alias ALIAS_NAME = /path/cmd1, /path/cmd2, /path/cmd3, ..
To create host alias
Host_Alias ALIAS_NAME = server1, server2, ..
%group_name
in the first columnFor example, I have a scenario where I want to assign permission to execute same set of commands to a bunch of users. Now these users are from different system groups. So in such case I have below possible options
- Create a new system group and assign these users to that system group so I can assign all permissions to single system group
- I create separate entries for all these users and then assign permission (very lengthy task)
- Create a User Alias inside
sudoers
file and then assign permission in single line
So the third option sounds easy and neat. Hence I will create a new User_Alias
and add the usernames to this alias
# visudo --file=/etc/sudoers.d/custom User_Alias MYADMINS = deepak, rahul
Next assign the permission of commands to this alias
MYADMINS ALL=(ALL) /usr/bin/chown
So now all the users part of MYADMINS
alias group will have sudo
privilege to execute chown
as root user.
Disallow a set of commands in sudoers
We can also prevent users from executing a certain set of commands, scripts inside sudoers
. For example, I want user deepak
to be able to execute all commands inside /usr/bin
except chown
command.
So open the sudoers
file
# visudo --file=/etc/sudoers.d/custom
Add this entry
deepak ALL=(ALL) /usr/bin/*, !/usr/bin/chown
So here we have allowed all the commands under /usr/bin/*
but have added a NOT (!
) operator for /usr/bin/chown
. You can add multiple commands in the similar format to block the sudo
access for these provided commands for respective user or group
Let us verify this permission:
[root@server ~]# su - deepak Last login: Fri Jul 17 22:53:07 IST 2020 on pts/2
As expected, user deepak
is allowed to use chmod
[deepak@server ~]$ sudo chmod
[sudo] password for deepak:
chmod: missing operand
Try 'chmod --help' for more information.
But execution of chown
is denied as defined in our configuration
[deepak@server ~]$ sudo chown
Sorry, user deepak is not allowed to execute '/bin/chown' as root on server.example.com.
Remove password prompt for sudo user
By default you may have observed that, every time user tries to execute a command with sudo privilege, they are prompted for user password. This is the default behaviour of sudoers
. To overwrite this you must use NOPASSWD
in the sudoers
file while adding the user permission in the below format (from our last example)
deepak ALL=(ALL) NOPASSWD: /usr/bin/*, !/usr/bin/chown
So now user deepak
can execute all the commands with sudo
privilege without the need to enter password every time
[deepak@server ~]$ sudo chmod
chmod: missing operand
Try 'chmod --help' for more information.
These can be used with scripting solutions to automate the command execution.
Conclusion
In this tutorial I gave you a complete overview on best practices to use and modify sudoers
file. The steps to add user to sudoers
with proper syntax and different practical examples, about different alias, and executing sudo
commands without password prompt. In production environment, sudoers file are handled very cautiously. The default sudoers
file contain a lot of default entries and it may break if you do not modify the this file properly.
Lastly I hope the steps from the article to learn all about sudo privilege and sudoers
file on Linux was helpful. So, let me know your suggestions and feedback using the comment section.
You can read more about sudo privilege: