The visudo command lets you edit the /etc/sudoers file safely and decide which users can run commands as root or as any other user.

visudo launches vi by default for editing /etc/sudoers. If you don't have vi installed or you want to use another editor, export the EDITOR variable with the name of your editor (visudo honours it only when the env_editor option is enabled, which is the default on Debian and Ubuntu):

export EDITOR=nano

You can add this line to ~/.bashrc so the variable is set at every login.

Then run visudo (as root or via sudo) and edit the file. When you have finished editing, save and close the editor. visudo checks the file for syntax errors before installing it as /etc/sudoers, so a broken file is never put in place (a syntax error in /etc/sudoers would otherwise stop sudo from working at all).

/etc/sudoers is composed of aliases (variables you can define) and user specifications (where you define permissions).

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition has the form:

Alias_Type NAME = item1, item2,...

You can define several aliases of the same type on one line by separating them with colons (:). There are predefined aliases such as ALL, which matches everything wherever it is used (for example, in place of a user list it matches all users).

Some examples of alias definitions follow (note the use of % to refer to group names, # to refer to UIDs and %# to refer to GIDs):

# This alias refers to all users inside 'admin' group
User_Alias ADMINS = %admin
# To refer to specific users
User_Alias USERS = john, rick, tom
# To refer to the user with UID 1000
Runas_Alias MAIN_USER = #1000
# To refer to a local IP
Host_Alias SERVER = 192.168.1.5

User specifications

The basic structure of a user specification is:

who where = (as_whom) what

First field (who)

Defines the user or group that may run the command. You can use a User_Alias. Remember to use % to refer to a group, # for UIDs and %# for GIDs. These two examples are equivalent:

User_Alias ADMINS = %admin
ADMINS ALL=(ALL) ALL
%admin ALL=(ALL) ALL

Second field (where)

Defines the host or hosts where this permission applies. You can use a Host_Alias.

Third field (as whom)

Defines which users or groups the user (or group) can run commands as (selected with sudo -u username). You can use a Runas_Alias.

Fourth field (what)

Defines the list of commands the user or group can run. Use the full path of each command. You can use a Cmnd_Alias. Between the third and fourth fields you can add tags (options such as NOPASSWD, NOEXEC or SETENV) that apply to the commands that follow; each tag is followed by a colon (:).

# Allows 'sudo' group to run all commands as any user without needing to authenticate themselves
%sudo ALL=(ALL) NOPASSWD: ALL
# Allows user 'ricardo' to run 'apk update' and 'apk upgrade' without typing his password
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update,/sbin/apk upgrade
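As an added example (not code from the original article), here is a small Python audit script that parses the alias and user-specification syntax described above, expands aliases, and reports which entries grant NOPASSWD for ALL commands as ALL users. The sample sudoers content is constructed; the parser is deliberately simplified (no line continuations, inline comments or colons inside commands).

```python
import re
SAMPLE = """\
# Constructed sample for this example, not a real /etc/sudoers
User_Alias ADMINS = %admin : USERS = john, rick, tom
Cmnd_Alias PKG = /sbin/apk update, /sbin/apk upgrade
Host_Alias SERVER = 192.168.1.5
%sudo ALL=(ALL) NOPASSWD: ALL
ricardo ALL=(ALL) NOPASSWD: PKG
USERS SERVER=(root) /usr/bin/systemctl restart nginx
"""
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# who where = (as_whom) [TAG: ...] what   (tags are upper-case words ending in ':')
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def split_list(text):
    return [x.strip() for x in text.split(",") if x.strip()]

def parse_sudoers(text):
    """Return (aliases, specs). Whole-line comments and Defaults lines are skipped."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        kind, _, body = line.replace("\t", " ").partition(" ")
        if kind in ALIAS_TYPES:                 # NAME = a, b : NAME2 = c  (':' separates aliases)
            for definition in body.split(":"):
                name, _, items = definition.partition("=")
                aliases[name.strip()] = split_list(items)
            continue
        m = SPEC_RE.match(line)
        if not m: raise ValueError("unparsable user specification: " + line)
        who, where, runas, tags, what = m.groups()
        specs.append({"who": split_list(who), "where": split_list(where),
                      "runas": split_list(runas) if runas else ["root"],  # sudo's default
                      "tags": tags.replace(":", " ").split(), "what": split_list(what)})
    return aliases, specs

def expand(items, aliases):
    """Recursively replace alias names with their members; the built-in ALL stays as-is."""
    out = []
    for item in items:
        out.extend(expand(aliases[item], aliases) if item != "ALL" and item in aliases else [item])
    return out

def passwordless_all_grants(text):  # who may run ALL commands as ALL users with NOPASSWD
    aliases, specs = parse_sudoers(text)
    return [who for s in specs
            if "NOPASSWD" in s["tags"] and "ALL" in expand(s["what"], aliases)
            and "ALL" in expand(s["runas"], aliases) for who in expand(s["who"], aliases)]
```

Running passwordless_all_grants(SAMPLE) returns ['%sudo'], the only entry in the sample that combines NOPASSWD with ALL commands and ALL run-as users.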

More options

  • Defaults timestamp_timeout=<number>: number of minutes before sudo asks for the password again. timestamp_timeout=0 makes sudo prompt for a password every time.
  • Defaults targetpw: makes sudo ask for the password of the user specified with sudo -u (or the root password if no user is given) instead of the password of the user invoking sudo.