visudo: control who can use sudo and how

The command ‘visudo’ allows you to edit ‘/etc/sudoers’ file in a safe way and decide which users can run commands as root or any other user.

visudo launches vi by default for editing /etc/sudoers. If you don’t have vi installed or you want to use another editor, you can export the variable EDITOR with the name of your editor:

export EDITOR=nano

You can add this command to ~/.bashrc so it runs with every user login.

Then, you can run visudo (with a root user or using sudo) and edit the file. When you have finished editing, you can save and close the editor. visudo will check for syntax errors before changing the /etc/sudoers file.

/etc/sudoers is composed of aliases (variables you can define) and user specifications (where you define permissions).

Table of Contents

• Aliases
• User specifications
  • First field (who)
  • Second field (where)
  • Third field (as whom)
  • Fourth field (what)
• More options

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. Each alias definition is of the form:

Alias_Type NAME = item1, item2,...

You can add several aliases of the same type on one line by using colons (:). There are predefined aliases like ALL which match everything where they are used (for example, if it’s used in place of a user list, it matches all users).

Some examples of an alias definitions are the following (pay attention to the use of % to refer to groups names, # to refer to UIDs and %# to refer to GIDs:

# This alias refers to all users inside 'admin' group
User_Alias ADMINS = %admin

# To refer to specific users
User_Alias USERS = john, rick, tom

# To refer to the user with UID 1000
Runas_Alias MAIN_USER = #1000

# To refer to a local IP
Host_Alias SERVER = 192.168.1.5

# To refer to a command
Cmnd_Alias INSTALL = /usr/bin/apt

User specifications

The basic structure of a user specification is:

who where = (as_whom) what

First field (who)

Define the user or group a command may be run as. You can use an User_Alias. Remember to use % to refer to a group, # for UIDs and %# for GIDs. These two examples are equivalent:

User_Alias ADMINS = %admin
ADMINS ALL=(ALL) ALL

%admin ALL=(ALL) ALL

Second field (where)

Define the host or hosts where this permission applies. You can use a Host_Alias.

Third field (as whom)

Define which users or groups the user (or group) can run commands as (using sudo -u username). You can use a Runas_Alias.

Fourth field (what)

Define a list of commands the user or group can run. Use the full path of the commands. It admits wildcards, as *. You can use a Cmnd_Alias. Between the third and fourth field you can add some options for the command. You need to add a colon (:) after the option.

# Allows 'sudo' group to run all commands as any user without needing to authenticate themselves
%sudo ALL=(ALL) NOPASSWD: ALL

# Allows user 'ricardo' to run 'apk update' and 'apk upgrade' without typing his password
ricardo ALL=(ALL) NOPASSWD: /sbin/apk update,/sbin/apk upgrade

# Allows to install programs
ricardo ALL=(ALL) /usr/bin/apt install *

More options

• Defaults timestamp_timeout=<number>: number of minutes before sudo will ask for the password again. timestamp_timeout=0 makes sudo to always prompt for a password.
• Defaults targetpw: this makes sudo to ask for the password of the user specified in sudo -u (or the root password if no user is defined) and not for the password of the user that invokes sudo.

If you have any suggestion, feel free to contact me via social media or email.