visudo: control who can use sudo and how
The ‘visudo’ command lets you edit the ‘/etc/sudoers’ file safely and decide which users can run commands as root or as any other user.
visudo uses vi by default for editing /etc/sudoers. If you don’t have vi installed or you want to use another editor, you can export the variable EDITOR with the name of your editor.
You can add this command to ~/.bashrc so it runs with every user login.
Then, you can run visudo (with a root user or using sudo) and edit the file. When you have finished editing, you can save and close the editor. visudo will check for syntax errors before changing the file.
/etc/sudoers is composed of aliases (variables you can define) and user specifications (where you define permissions).
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form:
Alias_Type NAME = item1, item2,...
You can add several aliases of the same type on one line by separating them with colons (:). There are predefined aliases like ALL, which matches everything where it is used (for example, if it’s used in place of a user list, it matches all users).
Some examples of alias definitions are the following (pay attention to the use of % to refer to group names, # to refer to UIDs and %# to refer to GIDs):
# This alias refers to all users inside 'admin' group
User_Alias ADMINS = %admin
# To refer to specific users
User_Alias USERS = john, rick, tom
# To refer to the user with UID 1000
Runas_Alias MAIN_USER = #1000
# To refer to a local IP
Host_Alias SERVER = 192.168.1.5
The basic structure of a user specification is:
who where = (as_whom) what
First field (who)
Define the user or group that may run the commands. You can use a User_Alias. Remember to use % to refer to a group, # for UIDs and %# for GIDs. These two examples are equivalent:
User_Alias ADMINS = %admin
ADMINS ALL=(ALL) ALL

%admin ALL=(ALL) ALL
Second field (where)
Define the host or hosts where this permission applies. You can use a Host_Alias.
Third field (as whom)
Define which users or groups the user (or group) can run commands as (using sudo -u username). You can use a Runas_Alias.
Fourth field (what)
Define a list of commands the user or group can run. Use the full path of the commands. You can use a Cmnd_Alias. Between the third and fourth field you can add some options for the command. You need to add a colon (:) after the option.
# Allows 'sudo' group to run all commands as any user without needing to authenticate themselves
%sudo ALL=(ALL) NOPASSWD: ALL
# Allows user 'ricardo' to run 'apk update' and 'apk upgrade' without typing his password
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update,/sbin/apk upgrade
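The four-field structure and alias expansion described above, as an added example (not code from the original article): a small Python parser that splits each user specification into who, where, as_whom, options and what, and lists the rules that grant every command with NOPASSWD. It assumes one alias or rule per line, no line continuations and a single host entry; SAMPLE is constructed from the article's examples and the function names are hypothetical.

```python
import re

ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# Constructed sample built from the article's own examples.
SAMPLE = """\
# constructed sample, not a real /etc/sudoers
User_Alias ADMINS = %admin
Cmnd_Alias APK = /sbin/apk update, /sbin/apk upgrade
Defaults timestamp_timeout=0
ADMINS ALL=(ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
ricardo ALL=(ALL) NOPASSWD: APK
"""

def expand(items, aliases):
    """Replace alias names with their members (one level deep)."""
    out = []
    for item in (i.strip() for i in items.split(",")):
        out.extend(aliases.get(item, [item]))
    return out

def parse_sudoers(text):
    """Return one dict per user specification: who where = (as_whom) what."""
    aliases, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        # '#' starts a comment unless it introduces a UID such as #1000
        if not line or "=" not in line or line.startswith("Defaults") or re.match(r"#(?!\d)", line):
            continue
        left, _, right = line.partition("=")
        head = left.split()
        if head[0] in ALIAS_TYPES:            # Alias_Type NAME = item1, item2
            aliases[head[1]] = [i.strip() for i in right.split(",")]
            continue
        who, where = left.rsplit(None, 1)     # "who where"
        m = re.match(r"\s*(?:\(([^)]*)\))?\s*(.*)", right)
        as_whom, rest = m.group(1) or "root", m.group(2)  # sudo's default target is root
        tags = []
        while (t := re.match(r"([A-Z_]+):\s*", rest)):    # options such as NOPASSWD:
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({"who": expand(who, aliases), "where": where,
                      "as_whom": as_whom, "tags": tags,
                      "what": expand(rest, aliases)})
    return rules

def passwordless_all(rules):
    """Rules that grant every command without a password prompt."""
    return [r for r in rules if "NOPASSWD" in r["tags"] and "ALL" in r["what"]]
```

Running `passwordless_all(parse_sudoers(SAMPLE))` returns only the %sudo rule; the ricardo rule is also passwordless but is limited to the two apk commands.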
Defaults timestamp_timeout=<number>: number of minutes before sudo will ask for the password again. timestamp_timeout=0 makes sudo always prompt for a password.
Defaults targetpw: this makes sudo ask for the password of the user specified in sudo -u (or the root password if no user is defined) and not for the password of the user who invokes sudo.