====== Linux : Sudo and Sudoers ======

**sudo** stands for "superuser do." It is a command that allows regular (non-root) users to run commands with superuser or root privileges. It is often used for tasks that require elevated permissions, such as software installation, system configuration changes, or user management.

===== Usage =====

  ilyasa@sandbox:~$ sudo apt update

This is equivalent to running:

  ilyasa@sandbox:~$ su -
  root@sandbox:~# apt update

===== Adding a User to Sudoers =====

The **sudoers** file determines which users are allowed to use the sudo command and what commands they can execute. By default, sudo creates a group that is granted full root access.

  * The **sudo** group is common on Debian-based distributions.
  * The **wheel** group is common on Red Hat/Fedora-based distributions.

To add a user to the sudoers list, you can add them to one of those groups (replace ''<username>'' with the account name):

  usermod -a -G sudo <username>
  # Or
  usermod -a -G wheel <username>

===== Sudoers File Configuration =====

The file **/etc/sudoers** defines which users and groups may run commands as root or as other users. Here is the default configuration on an Ubuntu system:

  # User privilege specification
  root    ALL=(ALL:ALL) ALL
  
  # Members of the admin group may gain root privileges
  %admin  ALL=(ALL) ALL
  
  # Allow members of group sudo to execute any command
  %sudo   ALL=(ALL:ALL) ALL

Explanation:

  * **ALL=** : The user can run commands on all hosts.
  * **(ALL:ALL)** : The user can run commands as all users and all groups.
  * **ALL** : The user can execute any command.
  * **%** : Indicates a group configuration.

===== Custom Configuration Example =====

  %admin ALL=(ALL) NOPASSWD: /usr/bin/apt

Explanation:

  * **NOPASSWD** : The user will not be prompted for a password when running the command.
  * **/usr/bin/apt** : The user is allowed to run the apt command.

It is recommended to use **visudo** when editing the **/etc/sudoers** file or any files in **/etc/sudoers.d/**, as it performs syntax checking before saving any changes.

==== Example ====

  sudo visudo -f /etc/sudoers.d/admin

  # Allow members of the admin group to run apt and systemctl commands without a password
  %admin ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/apt-cache, /bin/systemctl
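
To review what a set of rules like the ones above actually grants, the following added example (not part of the original page) summarises each user specification as who, scope (''any'' command or a ''listed'' set), and whether a password is required. The function name ''audit_sudoers'' and its output format are assumptions made for illustration; it only handles single-line rules of the form shown on this page.

```shell
#!/bin/sh
# Added example: summarise sudoers user specifications read from stdin.
# Handles single-line rules of the form "who hosts=(runas) TAG: cmd, cmd".
# Defaults, alias definitions and include directives are skipped;
# line continuations and alias expansion are not supported.
audit_sudoers() {
  awk '
    /^[ \t]*$/ { next }                           # blank line
    /^[ \t]*[#@]/ { next }                        # comment or include directive
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # settings and alias definitions
    !/=/ { next }                                 # not a user specification
    {
      who = $1                                    # user name, or %group
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)              # drop "who hosts="
      sub(/^\([^)]*\)[ \t]*/, "", spec)           # drop optional "(runas)"
      auth = (index(spec, "NOPASSWD:") > 0) ? "nopasswd" : "passwd"
      sub(/^([A-Z_]+:[ \t]*)+/, "", spec)         # drop leading tags
      sub(/[ \t]+$/, "", spec)                    # drop trailing whitespace
      scope = "listed"
      n = split(spec, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) if (cmds[i] == "ALL") scope = "any"
      printf "%s\t%s\t%s\t%s\n", who, scope, auth, spec
    }
  '
}

# Constructed sample input: the rules shown on this page.
audit_sudoers <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%admin ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/apt-cache, /bin/systemctl
EOF
```

Rules reported as ''nopasswd'' deserve a second look, because the listed commands run as root without re-authentication. On a live system the function can be fed with ''sudo cat /etc/sudoers /etc/sudoers.d/*''.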