visudo

Understanding /etc/sudoers

Before diving into visudo, let’s briefly understand the structure of /etc/sudoers. It uses a specific syntax, defining user permissions with lines like:

user_name ALL=(ALL:ALL) ALL

Let’s break down this example:

• user_name: The username granted sudo privileges. Replace this with the actual username.
• ALL: Specifies that the user can run commands on all hosts.
• (ALL:ALL): Specifies that the user can run commands as any user and group.
• ALL: Indicates that the user can execute any command.

Using visudo for User Management

The simplest way to use visudo is to just execute the command:

sudo visudo

This will open the /etc/sudoers file in your default text editor (usually vi or nano). Once open, you can make changes to grant or revoke sudo privileges.

Example 1: Granting sudo privileges to a new user

Let’s say you want to grant john sudo access. After running sudo visudo, you would add the following line to the file (ensure no other lines conflict):

john ALL=(ALL:ALL) ALL

Then save the file (the exact method depends on your editor – in nano, it’s Ctrl+X, Y, Enter).

Example 2: Granting sudo privileges with specific commands

Instead of giving full sudo access, you can restrict it to specific commands. For example, to allow jane to only run apt update and apt upgrade:

jane ALL=(ALL:ALL) /usr/bin/apt update, /usr/bin/apt upgrade

This line grants jane the ability to run only those two commands with root privileges.

Example 3: Specifying hosts

You can limit the sudo privileges to specific hosts. For instance, to allow david sudo access only from the local machine:

david localhost=(ALL:ALL) ALL

This restricts david’s sudo access to only the local machine.

Example 4: Removing sudo privileges

To revoke john’s sudo access, simply remove or comment out the line related to john in the /etc/sudoers file. Commenting out the line is done by adding a # at the beginning of the line:

#john ALL=(ALL:ALL) ALL

Important Note: Always ensure the syntax is correct. Even a small typo can render your /etc/sudoers file unusable, leading to a system lockout. If you encounter an error after modifying and saving the file, you might need to manually fix it.

Using visudo with different editors

While the default editor might vary, you can usually specify the editor using the EDITOR environment variable. For instance, to use nano:

EDITOR=nano sudo visudo

This ensures that nano is used regardless of your system’s default editor.

This guide provides a foundational understanding of visudo and its usage. Remember to exercise caution when modifying the /etc/sudoers file, as incorrect configurations can severely impact your system’s functionality. Always back up the file before making any changes, if possible.