HB Computer Security | Aide Memoire

The /etc/sudoers File


Last updated 1 year ago


The easiest thing to do is to look at the /etc/sudoers file to see what is happening. For this example, we will look at a default installation of Ubuntu:

sudo nano /etc/sudoers

Let's take a closer look at the various sections.

Default Lines

  • Defaults env_reset resets the terminal environment to remove any user variables. This is a safety measure that clears potentially harmful environment variables from the sudo session.

  • Defaults mail_badpass tells the system to mail notices of bad sudo password attempts to the configured mailto user. By default, this is the root account.

  • Defaults secure_path= specifies the PATH (the places in the filesystem the operating system will look for applications) that will be used for sudo operations. This prevents the use of user paths, which may be harmful.

USER Privilege Lines

The fourth line, which dictates the root user’s sudo privileges, is different from the preceding lines. Let’s take a look at what the different fields mean:

  • chris ALL=(ALL:ALL) ALL The first field indicates the username that the rule will apply to (root).

  • chris ALL=(ALL:ALL) ALL The first “ALL” (before the equals sign) indicates that this rule applies to all hosts.

  • chris ALL=(ALL:ALL) ALL The second “ALL” (the first inside the parentheses) indicates that the root user can run commands as all users.

  • chris ALL=(ALL:ALL) ALL The third “ALL” (after the colon inside the parentheses) indicates that the root user can run commands as all groups.

  • chris ALL=(ALL:ALL) ALL The last “ALL” indicates these rules apply to all commands.

This means that the chris user can run any command using sudo, as long as they provide their password.

Group Privilege Lines

The next two lines are similar to the user privilege lines, but they specify sudo rules for groups. Names beginning with a % indicate group names.

In the screenshot, we see the admin group can execute any command as any user on any host. Similarly, the sudo group has the same privileges, but can execute as any group as well. Therefore, to have any user inherit these permissions, you can simply add users to this group. In this way, we can create roles.
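The field layout of user and group privilege lines, as an added example that is not part of the original page: a small Python parser that splits each rule into the fields described above and flags rules that allow every command as every user on every host. The sample lines (including the deploy rule) and the function names are constructed for illustration, and only the simple rule shape shown on this page is handled.

```python
import re

# Simple rule shape only: who host=(runas_user:runas_group) commands
# Aliases, tags such as NOPASSWD: and comma-separated lists are not handled.
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas_user>[^:)]*)(?::(?P<runas_group>[^)]*))?\)\s*)?"
    r"(?P<commands>.+)$"
)

# Constructed sample, modelled on the lines described above.
SAMPLE = """\
Defaults env_reset
chris ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) /usr/bin/systemctl restart webapp
"""

def parse_rule(line):
    """Return the fields of one privilege line, or None for any other line."""
    line = line.strip()
    if not line or line.startswith(("#", "@", "Defaults")):
        return None
    m = RULE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["is_group"] = f["who"].startswith("%")   # % marks a group name
    f["who"] = f["who"].lstrip("%")
    if f["runas_user"] is None:                # no (...) part: target is root
        f["runas_user"] = "root"
    return f

def parse_sudoers(text):
    """Parse every privilege line in a sudoers-style text."""
    return [r for r in map(parse_rule, text.splitlines()) if r]

def unrestricted(rule):
    """True when the rule allows any command as any user on any host."""
    return (rule["host"], rule["runas_user"], rule["commands"]) == ("ALL",) * 3

if __name__ == "__main__":
    for r in parse_sudoers(SAMPLE):
        kind = "group" if r["is_group"] else "user"
        print(kind, r["who"], "unrestricted" if unrestricted(r) else "limited")
```
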

Included /etc/sudoers.d Line

The last line might look like a comment at first glance:

However, this line actually indicates that files within the /etc/sudoers.d directory will be sourced and applied as well.

Files within that directory follow the same rules as the /etc/sudoers file itself. Any file that does not end in ~ and that does not have a . in it will be read and appended to the sudo configuration.

This is mainly meant for applications to alter sudo privileges upon installation. Putting all of the associated rules within a single file in the /etc/sudoers.d directory can make it easy to see which privileges are associated with which accounts, and to reverse credentials easily without having to try to manipulate the /etc/sudoers file directly.
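The file-name rule above is easy to trip over, because a drop-in called webapp.conf is skipped without any error. As an added example (not from the original page), this Python check classifies the entries of a drop-in directory by that rule; the file names in the demo are constructed, and the function names are hypothetical.

```python
import os
import tempfile

def classify_dropins(directory):
    """Split a drop-in directory into files sudo reads and files it skips."""
    loaded, skipped = [], {}
    # Sorted, so the result is listed in a stable lexical order.
    for name in sorted(os.listdir(directory)):
        if not os.path.isfile(os.path.join(directory, name)):
            continue
        if name.endswith("~"):
            skipped[name] = "ends in ~"      # editor backup file
        elif "." in name:
            skipped[name] = "contains ."     # e.g. .conf, .bak, .dpkg-old
        else:
            loaded.append(name)
    return loaded, skipped

def demo():
    """Build a constructed drop-in directory and classify its contents."""
    names = ("90-cloud-init-users", "webapp", "webapp.conf",
             "webapp~", "README.dpkg-old")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            open(os.path.join(d, name), "w").close()
        return classify_dropins(d)

if __name__ == "__main__":
    loaded, skipped = demo()
    print("read by sudo:", loaded)
    for name, reason in skipped.items():
        print("skipped:", name, "(" + reason + ")")
```

Pointing classify_dropins at a copy of /etc/sudoers.d shows which rule files are actually in effect and which ones were written but never applied.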

A default /etc/sudoers file in Ubuntu
Excerpt from the /etc/sudoers file regarding includes