Sudoers file explained


Overview

  • The sudoers file controls which users may run which commands as which target users on which hosts, and it also configures sudo behaviour.
  • Location: /etc/sudoers (do not edit directly). Use visudo to edit (visudo locks the file and checks syntax).
  • You can drop additional configuration files into /etc/sudoers.d and include them with the built-in #includedir or #include directives.

Basic file structure and syntax tokens

  • Lines beginning with # are comments.
  • Blank lines are ignored.
  • Fields are generally space- or tab-separated.
  • Keywords and identifiers are case-sensitive.
  • Common keywords: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias, Defaults, and user specifications.

Aliases

  • Define groups for reuse.
  • Types:
    • User_Alias NAME = user1, user2, %group, +netgroup
    • Runas_Alias NAME = user1, user2, :group
    • Host_Alias NAME = host1, host2, 192.0.2.0/24
    • Cmnd_Alias NAME = /path/to/command, /path/to/cmd arg1, /bin/sh -c
  • Examples:
    • User_Alias ADMINS = alice, bob, %wheel
    • Cmnd_Alias SYSTEMCTL = /bin/systemctl, /usr/bin/systemctl

User specifications (the most important lines)

  • General form: who where = (runas) [tag_list:] command_list
    • who: username, User_Alias, %group (groups prefixed with %), +netgroup
    • where: Host_Alias, hostname, IP, or ALL
    • runas: user or Runas_Alias in parentheses, e.g. (root), (www-data)
    • tag_list: optional command tags (NOPASSWD:, PASSWD:, NOEXEC:, SETENV:, etc.)
    • command_list: comma-separated commands or Cmnd_Alias entries
  • Common examples:
    • root ALL=(ALL) ALL
      • root may run any command as any user on any host (typical default)
    • %wheel ALL=(ALL) ALL
      • members of group wheel may run any command as any user
    • alice WEBSERVERS = (root) NOPASSWD: /usr/sbin/service httpd restart
      • on the host(s) in the Host_Alias WEBSERVERS (alias names must be uppercase), alice may run the listed service command as root without a password
    • bob ALL = (www-data) /usr/bin/tee /var/www/html/index.html
      • bob may run tee as user www-data for that file

Command tags

  • NOPASSWD: run the command without prompting for the user’s password
  • PASSWD: force password prompt even if NOPASSWD would apply
  • NOEXEC: prevent the command from using exec(3) to spawn new processes (not foolproof)
  • SETENV: allow the user to set environment variables on the command line (VAR=value) and to preserve their environment with sudo -E for that command, overriding env_reset
  • Examples:
    • alice ALL = NOPASSWD: /bin/systemctl reload nginx
    • %ops ALL = (root) NOEXEC: /usr/bin/less /var/log/*

Negation

  • You can prefix a command with ! to explicitly disallow it:
    • %staff ALL=(ALL) ALL, !/usr/bin/passwd
  • An explicit negation in a command list prevents that command even if a more general entry would allow it.

Wildcards and command arguments

  • Commands must be specified with absolute paths.
  • Wildcards/glob characters are allowed in Cmnd_Alias entries (e.g. /usr/bin/apt-get *) but be cautious—globs can expand permissions widely.
  • If you allow a program that permits shell escapes or arbitrary arguments (e.g., editors, shells, tee, find), it is effectively root access.

Defaults (configuration options)

  • Defaults lines configure sudo’s behavior (environment, logging, timeouts, secure_path, env_keep, etc.).
  • Basic form:
    • Defaults option
    • Per-user: Defaults:username option
    • Per-host: Defaults@hostname option
    • Per-runas: Defaults>runas option
    • Per-command: Defaults!command option
  • Examples:
    • Defaults timestamp_timeout=15
    • Defaults env_reset
    • Defaults:alice !authenticate
    • Defaults@laptop secure_path="/usr/local/bin:/usr/bin:/bin"
  • Many options exist: env_reset, env_keep, secure_path, timestamp_timeout, lecture, log_output, requiretty (deprecated on some systems), etc. See man sudoers.

Include directives

  • #include /path/to/file — include a single file
  • #includedir /path/to/dir — include all files in a directory (lexicographic order)
  • Use these for packaged or per-package drop-ins such as /etc/sudoers.d/*

Precedence and security notes

  • More specific Defaults override general Defaults.
  • Order of user specifications matters when you create complex overlapping rules—explicit negations take precedence for the same matching line.
  • Be careful with NOPASSWD and commands that allow shell escapes—these can give a full root shell.
  • Always edit with visudo. You can run visudo -c to check syntax without editing.
  • Keep sudoers and files in /etc/sudoers.d with strict permissions (typically 0440).
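To make the matching rules above concrete (user specifications, tags, ! negation and last-match precedence), here is an added example that is not part of the original post and is far simpler than sudo itself: it parses User_Alias, Cmnd_Alias and user-specification lines from a constructed sudoers snippet and answers what a given user may run. Host_Alias, Runas_Alias, netgroups and Defaults are deliberately not modelled.

```python
import fnmatch, re

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]+)\)\s*)?(.+)$")  # who where = (runas) cmds
TAGS = {"NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:"}

def parse(text):  # -> (aliases, specs); Defaults/#include lines and Host/Runas aliases are skipped
    aliases, specs = {"User_Alias": {}, "Cmnd_Alias": {}}, []
    lines = (ln.strip() for ln in text.splitlines())
    for line in (ln for ln in lines if ln and not ln.startswith(("#", "Defaults"))):
        if m := ALIAS_RE.match(line):
            aliases[m[1]][m[2]] = [x.strip() for x in m[3].split(",")]
        elif m := SPEC_RE.match(line):
            who, where, runas, cmds = m.groups()
            items, tags = [], set()
            for entry in cmds.split(","):
                words = entry.split()
                while words and words[0] in TAGS:  # a tag stays in force for later commands in the list
                    tag = words.pop(0).rstrip(":")
                    tags.discard({"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD"}.get(tag)); tags.add(tag)
                cmd = " ".join(words)
                items.append((cmd.startswith("!"), cmd.lstrip("!"), frozenset(tags)))  # (deny?, pattern, tags)
            specs.append((who, where, runas or "root", items))  # an omitted (runas) means root
        else:
            raise ValueError(f"unparsable line: {line!r}")
    return aliases, specs

def _match_user(who, user, groups, aliases):  # ALL, %group, plain user, or a User_Alias of those
    return any(w == "ALL" or (w[1:] in groups if w.startswith("%") else w == user)
               for w in aliases["User_Alias"].get(who, [who]))
def _match_cmd(pattern, cmd, aliases):  # bare path: any args; otherwise glob ('*' matches spaces, as in sudo)
    return any(p == "ALL" or (" " not in p and cmd.split(" ", 1)[0] == p) or fnmatch.fnmatchcase(cmd, p)
               for p in aliases["Cmnd_Alias"].get(pattern, [pattern]))
def may_run(cfg, user, groups, host, cmd, runas="root"):  # tag set if allowed, None if not; LAST match wins
    (aliases, specs), result = cfg, None
    for who, where, spec_runas, items in specs:
        if _match_user(who, user, groups, aliases) and where in ("ALL", host) and spec_runas in ("ALL", runas):
            for deny, pattern, tags in items:
                if _match_cmd(pattern, cmd, aliases):
                    result = None if deny else tags
    return result

SAMPLE = """\
User_Alias ADMINS = alice, %wheel
Cmnd_Alias SYSTEMCTL = /bin/systemctl, /usr/bin/systemctl
ADMINS ALL = (ALL) ALL
%staff ALL = (ALL) ALL, !/usr/bin/passwd
bob ALL = (www-data) /usr/bin/tee /var/www/html/index.html
carol web1 = (root) NOPASSWD: /bin/systemctl restart nginx, /bin/systemctl reload nginx
%ops ALL = NOEXEC: SYSTEMCTL
"""
```

Appending a later line such as `%staff ALL = (ALL) /usr/bin/passwd` to SAMPLE makes passwd allowed again for staff, which is the ordering point made above.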

Practical examples

  • Allow members of wheel to run any command:
    • %wheel ALL=(ALL) ALL
  • Allow a service admin to restart nginx without password:
    • alice ALL=(root) NOPASSWD: /bin/systemctl restart nginx, /bin/systemctl reload nginx
  • Allow a user to run a command as another unprivileged user:
    • bob ALL=(www-data) /usr/bin/tee /var/www/html/index.html

Where to learn more

  • man sudoers — definitive reference with full syntax, tags and examples
  • man visudo — how to safely edit the file
