Linux : Sudo and Sudoers
sudo stands for “superuser do.” It is a command that allows regular (non-root) users to run commands with superuser or root privileges. It is often used for tasks that require elevated permissions, such as software installation, system configuration changes, or user management.
Usage
ilyasa@sandbox:~$ sudo apt update
This is equivalent to running:
ilyasa@sandbox:~$ su -
root@sandbox:~# apt update
Adding a User to Sudoers
The sudoers file determines which users are allowed to use the sudo command and what commands they can execute.
By default, a sudo installation comes with a group whose members are granted full root access.
- The sudo group is common on Debian-based distributions.
- The wheel group is common on Red Hat/Fedora-based distributions.
To add a user to the sudoers list, you can add them to one of those groups:
usermod -a -G sudo <user>
# Or
usermod -a -G wheel <user>
Sudoers File Configuration
The file /etc/sudoers is used to define permissions for users and groups to run commands as the root user or other users.
Here is the default configuration on an Ubuntu system:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
Explanation:
- ALL= : The user can run commands on all hosts.
- (ALL:ALL) : The user can run commands as all users and all groups.
- ALL : The user can execute any command.
- % : Indicates a group configuration.
Custom Configuration Example
%admin ALL=(ALL) NOPASSWD: /usr/bin/apt
Explanation:
- NOPASSWD : The user will not be prompted for a password when running the command.
- /usr/bin/apt : The user is allowed to run the apt command.
It is recommended to use visudo when editing the /etc/sudoers file or any files in /etc/sudoers.d/, as it performs syntax checking before saving any changes.
Example
sudo visudo -f /etc/sudoers.d/admin
# Allow members of the admin group to run apt and systemctl commands without a password
%admin ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/apt-get, /usr/bin/apt-cache, /bin/systemctl
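The rule syntax explained above can also be reviewed mechanically. The following is an added example, not part of the original page or of sudo itself: a shell function that lists rules granting ALL commands or using NOPASSWD. The sample file, the users deploy and backup, and the HIGH/WARN/INFO levels are assumptions made for the example.

```sh
#!/bin/sh
# Added example: flag sudoers rules that grant ALL commands or use NOPASSWD.
# The HIGH/WARN/INFO levels and the output format are choices made for this example.
# Limits: no line continuations, no alias expansion, does not follow include directives.

audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, #include lines, blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $1 ~ /^@include/ { next }
    index($0, "=") == 0 { next }                      # not a privilege rule
    {
        who = $1                                      # user, or %group
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)                # keep "(runas) TAG: cmd, cmd"
        runas = "(root)"                              # sudo default when no runas list is given
        if (match(spec, /^\([^)]*\)/)) {
            runas = substr(spec, RSTART, RLENGTH)
            spec = substr(spec, RLENGTH + 1)
        }
        nopasswd = (spec ~ /NOPASSWD:/) ? 1 : 0
        gsub(/[A-Z_]+:[ \t]*/, "", spec)              # drop tags such as NOPASSWD:
        gsub(/^[ \t]+|[ \t]+$/, "", spec)             # trim surrounding whitespace
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        all = 0
        for (i = 1; i <= n; i++) if (cmds[i] == "ALL") all = 1
        if (all && nopasswd) level = "HIGH"           # any command, no password
        else if (nopasswd)   level = "WARN"           # listed commands, no password
        else if (all)        level = "INFO"           # any command, password required
        else next                                     # restricted rule with password: not reported
        printf "%s:%d: %s %s as %s: %s%s\n", FILENAME, FNR, level, who, runas,
               (nopasswd ? "NOPASSWD " : ""), spec
    }' "$@"
}

# Constructed sample: the Ubuntu defaults and custom rule from this page, plus two made-up users.
sample_sudoers() {
    cat <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) NOPASSWD: /usr/bin/apt, /bin/systemctl
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync
EOF
}

tmp=$(mktemp) && sample_sudoers > "$tmp" && audit_sudoers "$tmp"
rm -f "$tmp"
```

Run it as root against /etc/sudoers and the files in /etc/sudoers.d/. A WARN line still deserves review, because a package manager or service manager running as root can start other programs as root.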