Uly.me

cloud engineer

sudoers

Sudoers File Explained

by

You are probably wondering how the sudoers file works. Here’s a simple explanation.

Command

username host=(user:group) tag:commands

Explanation

    • username – the specified user allowed to run commands.
    • host – the specified host the command is allowed to run.
    • user – specifies which users can use the command.
    • group – specifies which groups can run the command.
    • tag – the option allowed. NOPASSWD
    • command – the command allowed to run.

Examples

root    ALL=(ALL) ALL
username ALL=(ALL) ALL
john test=(ALL) NOPASSWD: /bin/useradd
jane ALL=(sales) NOPASSWD: /bin/sh
%sudo ALL=(ALL) ALL
%adgroup ALL=(ALL) ALL

Wheel Group

by

Here’s an alternate way to give Linux users sudo access by adding them to the wheel group. Most Linux systems come with the wheel group already predefined. By adding users to the wheel group, they now have the ability to sudo and run root commands. The wheel group is in the sudoers file for Redhat, Centos, Debian and Ubuntu.

usermod -aG wheel username

Sudo With No Password

by

If you’re the only user on your system, you don’t need to be prompted every time you run the sudo command.

Add yourself to the sudoers file.

# create a new file
sudo visudo -f /etc/sudoers.d/users

Add this line.

# add your username
username ALL=(ALL) NOPASSWD:ALL

Exit and try again.

# exit out and login again
exit
# try to sudo again
sudo -i
# there's no password prompt for sudo this time

Sudoers Directory

by

What’s in the /etc/sudoers.d/ directory? It’s a group of files with the following format as displayed in the code below. In the example, the file allows a Linux group or an AD group to assume the role of root, via the sudo command. As long as the group uses the correct format, and is located inside the /etc/sudoers.d/ directory, that group will have access to root.

%groupname  ALL=(ALL)   NOPASSWD: ALL

Sudoers

by

The /etc/sudoers file gives users the ability to run commands that are typically reserved for administrators. The commands require a password or no password, depending on how you set them up in the sudoers file. The sudoers file can’t be edited using any text editor. You have to use visudo.

$ visudo

Add groups to access sudo.

# Allow users in techgroup to run all commands
%techgroup   ALL=(ALL)   NOPASSWD: ALL
# Allow users in techgroup without a password
%techgroup   ALL=(ALL)   NOPASSWD: ALL
# Allow users in techgroup to shutdown the system
%techgroup   localhost=/sbin/shutdown -h now
#includedir /etc/sudoers.d

Typically you have to add your groups in the sudoers file. Notice the last line. Sudoers will include config files found under the /etc/sudoers.d directory. In certain circumstances, there are others pieces of software such as compliance software CFEngine that writes over changes in the sudoers file. If this is the case, then you have to add your groups in a file inside the /etc/sudoers.d directory.