visudo: control who can use sudo and how
The command ‘visudo’ allows you to edit ‘/etc/sudoers’ file in a safe way and decide which users can run commands as root or any other user.
visudo launches vi by default for editing /etc/sudoers. If you don’t have vi installed or you want to use another editor, you can export the variable EDITOR with the name of your editor:
export EDITOR=nano
You can add this command to ~/.bashrc so it runs with every user login.
Then, you can run visudo (with a root user or using sudo) and edit the file. When you have finished editing, you can save and close the editor. visudo will check for syntax errors before changing the /etc/sudoers/ file.
/etc/sudoers is composed of aliases (variables you can define) and user specifications (where you define permissions).
Table of Contents
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form:
Alias_Type NAME = item1, item2,...
You can add several aliases of the same type on one line by using colons (:). There are predefined aliases like ALL which match everything where they are used (for example, if it’s used in place of a user list, it matches all users).
Some examples of an alias definitions are the following (pay attention to the use of % to refer to groups names, # to refer to UIDs and %# to refer to GIDs:
# This alias refers to all users inside 'admin' group
User_Alias ADMINS = %admin
# To refer to specific users
User_Alias USERS = john, rick, tom
# To refer to the user with UID 1000
Runas_Alias MAIN_USER = #1000
# To refer to a local IP
Host_Alias SERVER = 192.168.1.5
User specifications
The basic structure of a user specification is:
who where = (as_whom) what
First field (who)
Define the user or group a command may be run as. You can use an User_Alias. Remember to use % to refer to a group, # for UIDs and %# for GIDs. These two examples are equivalent:
User_Alias ADMINS = %admin
ADMINS ALL=(ALL) ALL
%admin ALL=(ALL) ALL
Second field (where)
Define the host or hosts where this permission applies. You can use a Host_Alias.
Third field (as whom)
Define which users or groups the user (or group) can run commands as (using sudo -u username). You can use a Runas_Alias.
Fourth field (what)
Define a list of commands the user or group can run. Use the full path of the commands. You can use a Cmnd_Alias. Between the third and fourth field you can add some options for the command. You need to add a colon (:) after the option.
# Allows 'sudo' group to run all commands as any user without needing to authenticate themselves
%sudo ALL=(ALL) NOPASSWD: ALL
# Allows user 'ricardo' to run 'apk update' and 'apk upgrade' without typing his password
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update,/sbin/apk upgrade
More options
Defaults timestamp_timeout=<number>: number of minutes before sudo will ask for the password again.timestamp_timeout=0makes sudo to always prompt for a password.Defaults targetpw: this makes sudo to ask for the password of the user specified insudo -u(or the root password if no user is defined) and not for the password of the user that invokes sudo.
Featured content:
-
Useful dpkg-reconfigure commands
In Debian/Ubuntu systems, you can use
dpkg-reconfigureto reconfigure an installed package using intuitive dialogs. I will show you how to use this command to change some system settings. -
Add an OCR layer to a PDF with Tesseract and ocrmypdf
If you have a scanned PDF and you want to be able to search and copy text from it, in this tutorial I will show you how to do it.
-
X11 forwarding with Docker containers
If you want to do X11 forwarding from your container to your host, you can type these simple commands.
-
Command-line web browsers
If you don’t have a Graphical User Interface (GUI) on your Linux device, or you need a simple text-based web browser, I will show you a couple of great programs.
-
List of Linux websites
A comprehensive list of Linux-related websites sorted by categories.