/etc/sudoers: Explanation & Insights

How normal users can run commands as root

The /etc/sudoers file is a configuration file used by the sudo command in Linux and other Unix-like operating systems to determine which users are allowed to run certain commands with administrative privileges (i.e., as a superuser or root).

The /etc/sudoers file contains a list of rules that specify who can use sudo, what commands they can run with sudo, and under what conditions they can run those commands. The file is read by the sudo command whenever a user attempts to execute a command with elevated privileges.

The syntax of the /etc/sudoers file is quite strict, and it is recommended that you use the visudo command to edit the file, as this will perform syntax checking before saving the changes. The visudo command will open the /etc/sudoers file in a text editor, and any changes made to the file will be saved only if the syntax of the file is correct.

The /etc/sudoers file also allows for the use of variables, aliases, and command groups, which can make it easier to manage complex systems with many users and commands.

Here are some examples of the configuration that can be found in the /etc/sudoers file:

Allowing a user to execute any command as the superuser:

username ALL=(ALL) ALL

This line allows the user username to execute any command as the superuser. Reading the fields left to right: the first ALL is the host list (the rule applies on any host), (ALL) is the run-as list (the user can execute commands as any user, including root), and the final ALL is the command list (the user can execute any command).

Allowing a user to execute specific commands as the superuser:

username ALL=(ALL) /usr/bin/apt-get, /usr/bin/aptitude

This line allows the user username to execute the apt-get and aptitude commands as the superuser. The ALL=(ALL) part specifies that the user can execute the commands on any host as any user, and the full paths to the permitted commands follow it as a comma-separated list.

Allowing a user to execute commands as another user:

username ALL=(otheruser) /bin/ls

This line allows the user username to execute the ls command as the user otheruser. The ALL=(otheruser) part specifies that the user can execute the command as otheruser, and the path to the command is specified after that.

Allowing a group of users to execute commands as the superuser:

%admin ALL=(ALL) ALL

This line allows any user in the admin group to execute any command as the superuser. The %admin part specifies that the rule applies to the admin group, and the rest of the line is similar to the first example.

It is important to note that improper configuration of the /etc/sudoers file can compromise the security of the system, so it is recommended that you carefully review any changes to the file before saving them.
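
One way to review rules like the four above before saving them, given as an added example that is not part of the original text: a small Python parser that splits each rule into its user, host, run-as and command fields and lists the broad grants a reviewer should confirm. It assumes only the simple one-line form shown on this page (no aliases, tags, escaped commas or line continuations), and the names parse_rule, review and audit are illustrative.

```python
import re

# Constructed sample: the four rules shown on this page.
SAMPLE = """\
username ALL=(ALL) ALL
username ALL=(ALL) /usr/bin/apt-get, /usr/bin/aptitude
username ALL=(otheruser) /bin/ls
%admin ALL=(ALL) ALL
"""
# who host=(runas) commands: only this simple one-line form (assumption).
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# Lines that are not user rules: comments, includes, Defaults, alias definitions.
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_rule(line):
    """Split one rule into its fields; return None for anything else."""
    line = line.strip()
    m = None if not line or line.startswith(SKIP) else RULE.match(line)
    if m is None:
        return None
    return {
        "who": m["who"],
        "is_group": m["who"].startswith("%"),
        "host": m["host"],
        # With no (runas) part, sudo runs the command as root.
        "runas": [u.strip() for u in (m["runas"] or "root").split(",")],
        "commands": [c.strip() for c in m["cmds"].split(",")],
    }

def review(rule):
    """List the broad grants in a rule that a reviewer should confirm."""
    notes = []
    if "ALL" in rule["commands"]:
        notes.append("any command")
    if "ALL" in rule["runas"]:
        notes.append("run as any user")
    if rule["is_group"]:
        notes.append("applies to every member of group " + rule["who"][1:])
    return notes

def audit(text):
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    return [(r, review(r)) for r in rules]

if __name__ == "__main__":
    for rule, notes in audit(SAMPLE):
        print(rule["who"], rule["runas"], rule["commands"], "->", notes or "narrow grant")
```

This is a reading aid for review only; visudo remains the authority on whether the file's syntax is valid.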

The text above is licensed under CC BY-SA 4.0