Sunday, September 25, 2022

How to edit the Sudoers file

In this article, we want to teach you how to edit the Sudoers file. you can use your favorite Linux distribution like centos 7, Debian, fedora and etc, and other versions of them. It works the same as each other. Here we use Ubuntu 20.04.

How to edit the Sudoers file

Before we start to edit the Sudoers file you need to complete the initial server setup for login as a non-root user. check this article for the Initial server setup with Ubuntu 20.04.

Get Root Privileges

To get root privileges there are three basic ways that you can get the privileges.

Root Login

log in as the root user is the simplest way. you can easily type root and enter your root password for login.

Note: If you log in through SSH, you need your IP address or domain name. follow the below command:

ssh [email protected]server_domain_or_ip

If you haven’t set up SSH keys for the root user, you can enter the root password when you asked for it.

Use the su command

We recommend that to not log in as root because it isn’t secure. You can use the “su” command which stands for (substitute user) to get root privileges. you will be asked for the root user password then you will be in a root shell session. type:

su

When you have finished type exit to get back into a normal shell.

exit

Use the sudo command

For executing commands with root privileges you can use “sudo” before each command.

Note: If a user wants to use “sudo”, the user should be in a sudo group. to add a user in a sudo group you need to check the initial server setup that we mentioned above.

sudo command-to-execute

You will be asked for the current user password.

Here we go to see what visudo is and modify the sudoers file.

What is visudo?

visudo edits the sudoers file, which defines the users and groups with administrator rights.

The sudo command is configured in a file located at /etc/sudoers.

Note: Never edit this file with a normal text editor! Always use the visudo command instead!

Visudo opens the /etc/sudoers file with the vi text editor. But in Ubuntu visudo uses the nano text editor instead. to change it back to vi run the following command:

sudo update-alternatives --config editor

In your output, you will see choices for the alternative editor. press Enter to keep the current choice or enter the number that you want.

In Centos, you can change it by adding the following command to your ~/.bashrc.

export EDITOR=`which name_of_editor`

Source the file to implement the changes:

. ~/.bashrc

When the configuration of visudo is finished, run the command below to access the /etc/sudoers file.

sudo visudo

Here you are in the /etc/sudoers file with your selected editor. let’s go to modify the sudoers file.

Modify the Sudoers file

We have some lines in the /etc/sudoers file. In this article, we will discuss defaults, user, and group lines.

Defaults Lines

“env_reset”, removes harmful environmental variables from the sudo session.

“mail_badpass”, tells the system to mail notices of bad sudo password attempts to the configured mailto user.

“secure_path”, allocates the PATH that will be used for the sudo operation.

User Line

This line is shown as “root ALL (ALL=ALL) ALL”, which means that :

root displays the username that the rule will apply to.

First ALL displays that this rule applies to all hosts.

(ALL=ALL) means that the root user can run commands as all users and all groups.

Last ALL displays these rules apply to all commands.

Group Lines

This line begins with the “%” sign. these lines mean that admin and sudo groups can execute any command as any user on any host.

Included /etc/sudoers.d Line

This line begins with the “#” sign. it doesn’t mean that it is a comment. This line displays that files into the /etc/sudoers.d directory will be sourced and applied as well.

Note: You should always edit files into the /etc/sudoers.d with visudo. to edit the files run the following command:

sudo visudo -f /etc/sudoers.d/file_to_edit

Give sudo privileges to a user

In Ubuntu 20.04 the sudo group has full admin privileges. you can give a user the same privileges easily with the following command:

sudo usermod -aG sudo username

Or you can also use gpasswd instead:

sudo gpasswd -a username sudo

In Centos, we have the “wheel” group instead of the sudo group. run the following command:

sudo usermod -aG wheel username

Also, you can use gpasswd:

sudo gpasswd -a username wheel

Note: In Centos, If adding a user to the “wheel” group doesn’t work, you have to edit /etc/sudoers file and uncomment the group name.

At this point, you learn how to edit the sudoers file. Now you can create some new rules.

Create Aliases for sudoers

The sudoers file can be organized easily by grouping things with various kinds of “aliases”.

Here we create two different groups of users  with overlapping membership:

. . .
User_Alias GROUPONE = anna, daniel, sam
User_Alias GROUPTWO = daniel, shawn, linda,
. . .

Note: group names should start with capital letters.

Here we allow members of the GROUPONE to update the apt database with the rule below:

. . .
GROUPONE ALL = /usr/bin/apt-get update 
. . .

Also, you can create “Run as” aliases and “command alias”, which can replace the part of the rule that defines the user to execute the command.

Lockdown rules

You can have control over how sudo reacts. If you want to allow users to execute commands with root privileges without a password you can make a rule for it. run the following command:

. . .
GROUPONE ALL = NOPASSWD: /usr/bin/updatedb
. . .

The label NOPASSWD means that you will not ask for a password.

Another helpful label is NOEXEC, which prevents dangerous behavior in programs.

Various Information Of Sudo

In this part, we show you some various information about sudo.

When you are finished using root privileges commands, for its security you can clear the timer with the -k flag.

sudo -k

With the -l flag you can see what root privileges are set for your user.

sudo -l

Sometimes you forget to use sudo for executing the command, in this situation you don’t need to retype the command just use the “!!” flag.

sudo !!

Conclusion of How to edit the Sudoers file

In this article, we try to teach you most of the editing of the sudoers file. you learn how to log in to your server, what visudo is, and its configuration, you can easily give user root privileges and create your own aliases and make new rules.

Hope you enjoy this article about How to edit the Sudoers file. remember to get a look at the initial server setup with Ubuntu 20.04.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular