HB Computer Security | Aide Memoire

Granting sudo privileges

Now that we know what sudo is, it's time to configure some privileges. There are several ways to do this, but by far the most common is to add a user to the existing sudo group with the usermod command. Alternatively, we can edit the /etc/sudoers file with visudo. In this section, we will explore both methods.

usermod

Granting a new user complete sudo rights is a routine task. While you could fine-tune this within the visudo utility, using usermod is a simpler alternative. This approach does hinge on the existence of a group that's already configured with the required permissions. For this instance, we'll add a user to the default sudo group that's present on the majority of up-to-date systems.

To add a user to the sudo group, enter the following:

sudo usermod -aG sudo USERNAME

Breaking down the command options:

  • -aG: This option is actually two options used together.

    • -a or --append: This option tells usermod to add the user to the specified group without removing them from their current groups. Without this option, the user is removed from any supplementary groups not listed in the command.

    • -G: This specifies a list of supplementary groups which the user is also a member of. Here, it is followed by sudo, which is the group we're adding the user to.

Debian-like operating systems, such as Ubuntu, create the sudo group with a purpose similar to that of another group known as wheel. The wheel group is a special user group used on some Unix systems, mostly BSD systems, to control access to the su or sudo command.
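Because group membership is what grants the privilege here, it is worth checking who actually belongs to the sudo (or wheel) group after a change. The following is an added example, not part of the original page: the function name group_members is hypothetical, and it reads only the local /etc/group and /etc/passwd files, so accounts supplied by a directory service are not covered.

```shell
#!/bin/sh
# Added example: list every account that belongs to a group, either as a
# supplementary member (/etc/group, field 4) or through its primary GID
# (/etc/passwd, field 4). Both routes grant the group's sudo rights.
# Usage: group_members GROUP [GROUP_FILE] [PASSWD_FILE]
group_members() {
    group=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    awk -F: -v g="$group" '
        # First file: the group database. Record the GID and print the
        # supplementary members listed for the target group.
        FNR == NR {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        # Second file: accounts whose primary group is the target group.
        gid != "" && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | sort -u
}
```

Run `group_members sudo` before and after a usermod call to confirm that only the intended account was added.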

visudo

The visudo command is essentially a safety tool for editing the /etc/sudoers file, which sets the rules for when the sudo command can be used for escalating privileges. When you run visudo, it opens the /etc/sudoers file in a text editor, but also performs checks to ensure that any changes made won't break the system's ability to use sudo.

Editing /etc/sudoers directly can be risky; a single syntax error could prevent sudo from functioning correctly. Therefore, visudo is the recommended method because it confirms the file's syntax is correct before saving any modifications. It also prevents the scenario where two people (or the same person in two different sessions) are editing the file at the same time, which could cause conflicts or errors.

visudo typically uses the vi editor by default, but it can be configured to use another text editor like nano, which I much prefer for its simplicity. Changes to the sudoers file are usually small and precise, making a user-friendly editor like nano an appealing option for many Linux distributions.

visudo Command Options

| Option | Description |
| --- | --- |
| -c | Enable check-only mode. The existing /etc/sudoers file will be checked for syntax errors, owner and mode. A message will be printed to the standard output describing the status of /etc/sudoers unless the -q option was specified. If the check completes successfully, visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1. |
| -f sudoers | Specify an alternate /etc/sudoers file location. With this option, visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be -, indicating that sudoers will be read from the standard input. |
| -h | The -h (help) option causes visudo to print a short help message to the standard output and exit. |
| -q | Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when combined with the -c option. |
| -s | Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse error. Note that it is not possible to differentiate between an alias and a hostname or username that consists solely of uppercase letters, digits, and the underscore (_) character. |
| -V | The -V (version) option causes visudo to print its version number and exit. |
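The -c, -q and -f options combine into a non-interactive check, which is useful when a rule is deployed by a script rather than typed into the editor. The following is an added example, not part of the original page: the function name install_sudoers_dropin is hypothetical, and it assumes it runs as root on a system whose sudoers file includes the /etc/sudoers.d directory.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only if visudo accepts it.
# Usage: install_sudoers_dropin CANDIDATE_FILE NAME [DEST_DIR]
install_sudoers_dropin() {
    candidate=$1
    name=$2
    dest_dir=${3:-/etc/sudoers.d}   # assumed include directory

    # sudo skips drop-in files whose names contain '.' or end in '~',
    # so such a name would install a rule that is silently ignored.
    case $name in
        ''|*.*|*~|*/*) echo "refusing file name: $name" >&2; return 2 ;;
    esac

    # Stage a copy next to the destination. The leading-dot name keeps
    # sudo from reading it, and the later rename is atomic.
    staged=$(mktemp "$dest_dir/.stage.XXXXXX") || return 1
    cat "$candidate" > "$staged" && chmod 0440 "$staged" ||
        { rm -f "$staged"; return 1; }

    # -c: check only, -q: no error details, -f: check this file
    # instead of /etc/sudoers. Exit status 0 means the check passed.
    if visudo -c -q -f "$staged"; then
        mv -f "$staged" "$dest_dir/$name"
    else
        rm -f "$staged"
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi
}
```

A failed check leaves the destination directory untouched, so the existing sudo configuration keeps working.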
