Classic SysAdmin: Configuring the Linux Sudoers File

This is a classic article written by Istimsak Abdulbasir from the Linux.com archives. For more great SysAdmin tips and techniques check out our Essentials of Linux System Administration course!

Preamble

Have you ever wondered why you have to type “sudo” or “su” in a Linux terminal to do any system-wide changes? Well, sudo means, “super user do”, “su” means, “super user”. This command indicates that you want to be granted a super user and gain super user/root privileges. Linux then checks a special file and sees if you are allowed to be granted root privileges, similar to a VIP CLUB. If your name is not on the list, no rights.Now you can still gain root privileges, you would have to login as root to gain it. This is not a very safe thing to do. Reason, if you are root, all the doors in your system are open to everything, which leaves your system vulnerable. What “sudo” and “su” do is grant you rights to run a particular program that you specify, savvy?.

In some distros, the maintenance user account is already setup in that special file. All you do is type:

# sudo command

and enter the password of your user account, or:

# su -l root

and enter the root password and then the command. I have realized that not every distro allows this easy transaction, and that you may have to manually add your username to the sudoers file. Well, we just snatched the VIP list from the sleeping guard and will show you how to put your name on it.

SUDOERS

The sudoers file is a file Linux and Unix administrators use to allocate system rights to system users. This allows the administrator to control who does what. Remember, Linux is built with security in mind. When you want to run a command that requires root rights, Linux checks your username against the sudoers file. This happens when you type the command “sudo”. If it determines, that your username is not on the list, you cannot run the command/program logged in as that user.

What you will have to do is login as “root” by using the command “su -l”. The “-l” means it should login normally. The default user for the su command is root. Then you will enter the password for the root account, giving you a shell prompt where you can run any command as root. Again, this not safe. Once you are logged in as root, the system is open to vulnerabilities. It is best to supply rights to the non-root user for the sole purpose to run a desired command/program. However, your username must be in the sudoers file.

You can find the sudoers file in “/etc/sudoers”. Use the “ls -l /etc/” command to get a list of everything in the directory. Using -l after ls will give you a long and detailed listing.

SUDOERS FILE

Here is a layout of the sudoers file in Ubuntu. Your sudoers file may differ depending on the type of system you are using but should be the same genetically.
# /etc/sudoers
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges

Lets skip all the way down to the section that says. “# User privilege specification”. Under that comment, the user “root” is given system privileges. The variable ALL means all in the root. The (ALL) ALL value represents all privileges, more or less, at least that is what I determined it to be. If you want to add another user, like yourself, under the line root ALL=(ALL) ALL, type:

username ALL=(ALL) ALL

substituting username with your account name. Now your user account has sudo rights, or you are finally on that VIP list.

Look further down till you see,
%sudo ALL=(ALL) ALL

In Ubuntu, there is a group called sudo that grant users added to it system rights after they have submitted their password. This specifies rights to it. So, if you were wise enough to add your username to the sudo group, you’re good money. The same goes for the admin group. Take notice of the “%” right before the group name. This indicates that admin and sudo are system groups.

Once you have all your settings in place you can write out and exit the file by typing the ESC key followed by “:wq”, if you used visudo to edit the sudoers file, like you are supposed to.

Now you do not need to use visudo as recommended. You can use the program “nano” that allows you to view text files in a terminal and modify them. This is my preferred method. To write out and exit the sudoers file with nano, type control-X.

As I said before, the sudoers file will differ depending on the system your using. I am using Fedora 14, a sort of fragile system. There is no sudo group. In Ubuntu as this file was taken from, does have a sudo group. Either way, the steps stated here will work on any other Linux distro.

Now, enjoy the VIP club.

Ready to continue your Linux journey? Check out our Essentials of Linux System Administration course!

Classic SysAdmin: Configuring the Linux Sudoers File

The Linux Foundation | 23 April 2022

Similar Articles

Browse Categories

Stay Connected with the Linux Foundation

Search

Classic SysAdmin: Configuring the Linux Sudoers File

The Linux Foundation | 23 April 2022

Similar Articles

Browse Categories

Stay Connected with the Linux Foundation