The /etc/sudoers File
Last updated
Last updated
The easiest thing to do is to look at the /etc/sudoers file to see what is happening. For this example, we will look at a default installation of Ubuntu:
Let's take a look at the various sections in closer details...
Defaults env_reset resets the terminal environment to remove any user variables. This is a safety measure used to clear potentially harmful environmental variables from the sudo session
Defaults mail_badpass tells the system to mail notices of bad sudo password attempts to the configured mailto user. By default, this is the root account
Defaults secure_path= specifies the PATH (the places in the filesystem the operating system will look for applications) that will be used for sudo operations. This prevents using user paths which may be harmful
The fourth line, which dictates the root user’s sudo privileges, is different from the preceding lines. Let’s take a look at what the different fields mean:
chris ALL=(ALL:ALL) ALL
The first field indicates the username that the rule will apply to (root)
chrisALL=(ALL:ALL) ALL
The first “ALL” indicates that this rule applies to all hosts
chris ALL=(ALL:ALL) ALL
This “ALL” indicates that the root user can run commands as all users
chris ALL=(ALL:ALL) ALL
This “ALL” indicates that the root user can run commands as all groups
chris ALL=(ALL:ALL) ALL
The last “ALL” indicates these rules apply to all commands.
This means that thechris user can run any command using sudo, as long as they provide their password.
The next two lines are similar to the user privilege lines, but they specify sudo rules for groups. Names beginning with a % indicate group names.
In the screenshot, we see the admin group can execute any command as any user on any host. Similarly, the sudo group has the same privileges, but can execute as any group as well. Therefore, to have any user inherit these permissions, you can simply add users to this group. In this way, we can create roles.
The last line might look like a comment at first glance:
However, this line actually indicates that files within the /etc/sudoers.d directory will be sourced and applied as well.
Files within that directory follow the same rules as the /etc/sudoers file itself. Any file that does not end in ~ and that does not have a . in it will be read and appended to the sudo configuration
This is mainly meant for applications to alter sudo privileges upon installation. Putting all of the associated rules within a single file in the /etc/sudoers.d directory can make it easy to see which privileges are associated with which accounts, and to reverse credentials easily without having to try to manipulate the /etc/sudoers file directly.
