visudo: control who can use sudo and how
The command visudo allows you to edit the /etc/sudoers file in a safe way and decide which users can run commands as root or as any other user.

visudo launches vi by default for editing /etc/sudoers. If you don't have vi installed or you want to use another editor, you can export the variable EDITOR with the name of your editor:

export EDITOR=nano

You can add this command to ~/.bashrc so it runs with every user login. Then you can run visudo (as root or using sudo) and edit the file. When you have finished editing, save and close the editor. visudo will check for syntax errors before replacing the /etc/sudoers file.

/etc/sudoers is composed of aliases (variables you can define) and user specifications (where you define permissions).
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form:

Alias_Type NAME = item1, item2,...

You can add several aliases of the same type on one line by separating them with colons (:). There are predefined aliases like ALL which match everything where they are used (for example, if it's used in place of a user list, it matches all users).

Some examples of alias definitions are the following (pay attention to the use of % to refer to group names, # to refer to UIDs and %# to refer to GIDs):

# This alias refers to all users inside the 'admin' group
User_Alias ADMINS = %admin
# To refer to specific users
User_Alias USERS = john, rick, tom
# To refer to the user with UID 1000
Runas_Alias MAIN_USER = #1000
# To refer to a local IP
Host_Alias SERVER = 192.168.1.5
# To refer to a command
Cmnd_Alias INSTALL = /usr/bin/apt
User specifications
The basic structure of a user specification is:

who where = (as_whom) what

First field (who)

Defines the user or group that may run commands. You can use a User_Alias. Remember to use % to refer to a group, # for UIDs and %# for GIDs. These two examples are equivalent:

User_Alias ADMINS = %admin
ADMINS ALL=(ALL) ALL

%admin ALL=(ALL) ALL

Second field (where)

Defines the host or hosts where this permission applies. You can use a Host_Alias.

Third field (as whom)

Defines which users or groups the user (or group) can run commands as (using sudo -u username). You can use a Runas_Alias.

Fourth field (what)

Defines the list of commands the user or group can run. Use the full path of the commands. It admits wildcards, such as *; note that a * in the argument position matches any argument string, including several arguments, so list exact arguments where you can. You can use a Cmnd_Alias. Between the third and fourth field you can add some options (tags) for the command. You need to add a colon (:) after the option.

# Allows the 'sudo' group to run all commands as any user without needing to authenticate
%sudo ALL=(ALL) NOPASSWD: ALL
# Allows user 'ricardo' to run 'apk update' and 'apk upgrade' without typing his password
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update,/sbin/apk upgrade
# Allows user 'ricardo' to install programs (password required)
ricardo ALL=(ALL) /usr/bin/apt install *
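To see how the alias and user-specification rules above combine, here is a small policy checker, written for this page as an added example (it is not part of visudo or sudo). It parses a constructed sudoers fragment, expands aliases, and answers "can this user run this command as that user on this host, and with a password?". It models ALL, %group, user names and the NOPASSWD tag; the #uid and %#gid forms, Defaults lines and host aliases beyond exact names are not modelled.

```python
import fnmatch, re

# Constructed sample policy in /etc/sudoers syntax (not any real system's file).
SAMPLE_SUDOERS = """\
User_Alias ADMINS = %admin : DEPLOY = ricardo, tom
ADMINS ALL=(ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update, /sbin/apk upgrade
DEPLOY ALL=(ALL) /usr/bin/apt install *
"""
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# who  host = (runas) [NOPASSWD:|PASSWD:] command list
SPEC_RE = re.compile(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\((\S+)\))?\s*(?:(NOPASSWD|PASSWD):\s*)?(.+)")

def parse(text):
    """Split sudoers text into alias definitions and user specifications."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind in ALIAS_TYPES:                  # ':' separates several aliases on one line
            for defn in line[len(kind):].split(":"):
                name, items = defn.split("=", 1)
                aliases[name.strip()] = [i.strip() for i in items.split(",")]
            continue
        who, host, runas, tag, cmds = SPEC_RE.match(line).groups()
        specs.append({"who": who, "host": host, "runas": runas or "root",   # sudo's default runas is root
                      "nopasswd": tag == "NOPASSWD", "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, specs

def expand(items, aliases):  # recursively replace alias names with their members
    return [m for i in items for m in (expand(aliases[i], aliases) if i in aliases else [i])]

def user_matches(entry, user, groups):  # ALL, %group, or a plain user name
    return entry == "ALL" or entry == user or (entry.startswith("%") and entry[1:] in groups)

def cmd_matches(pattern, command):
    if pattern == "ALL" or " " not in pattern:   # no arguments listed: any arguments are allowed
        return pattern == "ALL" or command.split()[0] == pattern
    return fnmatch.fnmatchcase(command, pattern)  # arguments listed: they must match; '*' is a glob

def check(policy, user, groups, host, runas, command):
    """Return (allowed, nopasswd). Like sudo, the last matching rule decides the tag."""
    aliases, specs = policy
    result = (False, False)
    for s in specs:
        if (any(user_matches(u, user, groups) for u in expand([s["who"]], aliases))
                and any(h in ("ALL", host) for h in expand([s["host"]], aliases))
                and any(r in ("ALL", runas) for r in expand([s["runas"]], aliases))
                and any(cmd_matches(c, command) for c in expand(s["cmds"], aliases))):
            result = (True, s["nopasswd"])
    return result
```

Running check() against the sample shows that "/sbin/apk update --force" is refused (arguments were listed, so they must match exactly) while "/usr/bin/apt install vim curl" is accepted, because the trailing * matches any argument string.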
More options
Defaults timestamp_timeout=<number>: number of minutes before sudo will ask for the password again. timestamp_timeout=0 makes sudo always prompt for a password.

Defaults targetpw: this makes sudo ask for the password of the user specified in sudo -u (or the root password if no user is specified) instead of the password of the user that invokes sudo.