The sudo command allows non-root users to run commands that would normally require superuser privileges, while the sudoers file instructs the system how to handle the sudo command. In this tutorial, we’ll show you all the sudo command basics and how to edit the sudoers file.
By default, the root user does not need to use the sudo prefix. They already have all the possible privileges. Meanwhile, if a non-root user wants to add another user, they would need to add the sudo prefix to the useradd command, like this:
sudo useradd edward
If the user doesn’t use the sudo prefix, they will receive a Permission denied output.
The Sudoers File
The sudo command is configured through a file located in /etc/ called sudoers.
Through the sudo command you provide administrative level privileges to regular users. Normally the first user you create while installing Ubuntu has sudo rights. In a VPS environment that is the default root user. You can configure other users to also be able to run the sudo command. That can be done by editing sudoers.
Important: Be careful! Editing the sudoers file with errors or bad syntax may result in locking out all users on your distribution.
Sudoers File Syntax
You can open the file with your preferred text editor. We’ll use vi:
Our VPS’ file looks like this:
Let’s look at some of the formats and rules to follow when editing sudoers:
- All lines starting with # are comments
- root ALL=(ALL:ALL) ALL – this line means that the root user has unlimited privileges and can run any command on the system
- %admin ALL=(ALL) ALL – the % sign specifies a group. Anyone in the admin group has the same privileges as the root user
- %sudo ALL=(ALL:ALL) ALL – all users in the sudo group have the privileges to run any command
Another line of interest is #includedir /etc/sudoers.d. Despite the leading #, this is a directive rather than a comment: it tells sudo to also read the configuration files placed in the /etc/sudoers.d directory.
Editing the Sudoers File
To edit the /etc/sudoers file, use the following command:
sudo visudo -f /etc/sudoers
It is recommended to use visudo to edit the sudoers file. Visudo makes sure that sudoers is edited by one user at a time and provides necessary syntax checks.
To see which users are in the sudo group we can use a grep command:
grep 'sudo' /etc/group
This will output a list of user names.
To add a user called bill to the sudo group, we use the adduser command in the command line, like so:
adduser bill sudo
If we use the grep command to check who is in the group, we’ll see the username bill.
If you want to give anyone root privileges, just add them to the sudo group.
To remove a user from sudo:
deluser bill sudo
The deluser command will remove bill from the sudo group.
Now the user bill can no longer perform actions that require sudo privileges.
Use the Sudoers File to Grant Specific Privileges
What if we want bill to be able to run only specific kinds of commands with sudo privileges, like networking?
To do so we create a configuration file in /etc/sudoers.d/ called networking.
Use the following command to create the file:
sudo visudo -f /etc/sudoers.d/networking
Add the following text to the file:
Cmnd_Alias CAPTURE = /usr/sbin/tcpdump
Cmnd_Alias SERVERS = /usr/sbin/apache2ctl, /usr/bin/htpasswd
Cmnd_Alias NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL
What we have done in the above file is set up a rule for the netadmin group. Users in the netadmin group can run the commands specified in NETALL. NETALL in turn includes all commands under the CAPTURE and SERVERS aliases. The tcpdump command is under the CAPTURE alias, i.e. /usr/sbin/tcpdump.
Next we add user bill to the netadmin group:
sudo adduser bill netadmin
Now the user bill will be able to run the tcpdump command along with other networking related commands.
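The following Python audit is an added example, not part of the original tutorial. It expands nested Cmnd_Alias entries like the ones in the networking file into the effective command list for each user or group, and flags any command whose path is not a file on the system, a mistake that visudo's syntax check does not catch. It handles only simple one-line entries like those shown here; the function names and the sample text are assumptions made for illustration.

```python
import os
import re

# Constructed sample: this tutorial's drop-in with two mistyped paths.
SAMPLE = """\
Cmnd_Alias CAPTURE = /usr/sbin/tcdump
Cmnd_Alias SERVERS = /usr/sbin apache2ctl, /usr/bin/htpasswd
Cmnd_Alias NETALL = CAPTURE, SERVERS
%netadmin ALL=NETALL
"""
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
SKIP_RE = re.compile(r"#|Defaults|(User|Host|Runas|Cmnd)_Alias\b")

def parse(text):
    """Collect Cmnd_Alias definitions and 'who host=(runas) cmds' rules."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        alias, rule = ALIAS_RE.match(line), RULE_RE.match(line)
        if alias:
            aliases[alias.group(1)] = [c.strip() for c in alias.group(2).split(",")]
        elif rule and not SKIP_RE.match(line):
            rules.append((rule.group(1), [c.strip() for c in rule.group(2).split(",")]))
    return aliases, rules

def expand(items, aliases, seen=()):
    """Recursively replace alias names with the commands they stand for."""
    out = []
    for item in items:
        if item in aliases and item not in seen:
            out += expand(aliases[item], aliases, seen + (item,))
        else:
            out.append(item)  # a command, or an alias loop left unresolved
    return out

def audit(text, is_file=os.path.isfile):
    """Return {who: (effective commands, commands whose path is not a file)}."""
    aliases, rules = parse(text)
    report = {}
    for who, items in rules:
        cmds = expand(items, aliases)
        # The first token is the path; anything after it is an argument.
        missing = [c for c in cmds if c != "ALL" and not is_file(c.split()[0])]
        report[who] = (cmds, missing)
    return report

if __name__ == "__main__":
    for who, (cmds, missing) in audit(SAMPLE).items():
        print(who, "may run:", cmds, "| not a file:", missing)
```

Run it on the host where the rule will be installed, since the path check looks at the local filesystem.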
If you’re working with multiple users, understanding the sudo command and the sudoers file is an absolute must. In this tutorial, you learned all the basics to take control of your system’s privileges!