Linux

How to use the sudoers file to grant superuser privileges in Linux

In a Linux system there are tasks that need to be performed using administrative privileges (also known as superuser permissions) as they either impact the system as a whole (for example, managing packages or restarting services) or other users (adding or modifying user accounts, changing passwords or other users). Another example of a task requiring superuser privileges consists of changing the ownership or permissions of files and directories.

To perform this kind of work, a system administrator needs to gain temporary access to the root account or use the sudo command with his / her regular user account, provided that such account has been previously given the appropriate permissions in the /etc/sudoers file. In this article we will discuss how to edit this file in order to give certain user accounts the necessary privileges to perform administrative tasks in our system.

Configuring visudo to use your preferred text editor

Using /etc/sudoers, a system administrator can control the commands a user can run impersonating other users. This file is well-commented and is basically composed of variables (known as aliases) and other user specifications.

Although /etc/sudoers is a plain text file, it is strongly recommended that it is not edited by invoking a regular text editor such as nano or vim. In other words, DO NOT DO THIS:

vim /etc/sudoers

or

nano /etc/sudoers

The problem with the above approach is that it does not prevent two separate persons from editing the file. If, inadvertently, two or more people open the file for edition one of them may overwrite the changes made by other. Thus, the recommended way of editing /etc/sudoers consists of invoking the visudo command, which will open the file using the default text editor, which often is vi if the EDITOR environment variable has not been set. If you prefer to use nano instead, do:

EDITOR=/bin/nano
export $EDITOR

Please note that this will make nano your default editor only during the current session. To set it permanently, add the two lines above to your .bash_profile and source it to apply changes immediately:

echo "EDITOR=/bin/nano" >> ~/.bash_profile
echo "export EDITOR" >> ~/.bash_profile
. ~/.bash_profile # Note there is a dot before path to the file!

That said, you will now be able to use either vi or nano to edit /etc/sudoers when you invoke visudo in the command line. When someone is using visudo to edit this file, other people will NOT be able to do the same, and will get the following error if he or she attempts to do it, as we can see in Fig. 1:

Figure 1: Visudo prevents other users from accessing /etc/sudoers for edition at the same time
Figure 1: Visudo prevents other users from accessing /etc/sudoers for edition at the same time

That said, let’s dive into /etc/sudoers with visudo.

Using visudo to edit /etc/sudoers and introducing aliases

After invoking visudo from the command line, the file will be opened using the text editor you chose previously. Let’s begin by taking a look at aliases, which allow us to set more convenient names for groups of hosts, users, and commands. Thus, you can use an alias to define a group and use the alias name to refer to it afterwards instead of naming each host, user, or command separately.

Host aliases are used to specify groups of hosts. The following line in /etc/sudoers indicates that when we use FILESERVERS we are actually referring to hosts fs1 AND fs2.

Host_Alias     FILESERVERS = fs1, fs2

The following user alias specify that gacanepa AND scg can be referred to as ADMINS in the file.

User_Alias ADMINS = gacanepa, scg

If instead we want to allow ALL users to be part of ADMINS except for the ones mentioned above, we would do

User_Alias ADMINS = ALL, !gacanepa, !scg

The exclamation sign, when used as a prefix for an object in an alias, explicitly eliminates it from the specified group.

Another method of grouping users to grant superuser permissions is utilizing Linux groups. You can either use this approach or User_Alias depending on the number of persons you want to give root privileges to. We will explain later how to use Linux groups for this as well.

Finally, you can create as many command aliases as you need to reference related group of commands.

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/parted

The first line above (SOFTWARE) indicates that we can refer to rpm and yum as SOFTWARE, whereas the second specifies that STORAGE is a placeholder for fdisk and parted.

Granting permissions through user specifications

With the above aliases in place we are ready to add or edit user specifications. Particularly, we will use SOFTWARE and STORAGE in order to give users gacanepa and scg permissions to run the commands specified in those variables. To do that, let’s add the following line to /etc/sudoers:

ADMINS ALL=(root) SOFTWARE, STORAGE

The above line specifies that members of the ADMINS User_Alias (who) can run, on ALL hosts (where) as root (as who), the commands listed in the indicated Cmnd_Alias(es).

In other words, we can infer that the basic syntax of a user specification in /etc/sudoers is:

WHO WHERE=(AS WHO) WHAT

To indicate the WHO using regular Linux groups, we need to use a % sign followed by the group name. Other than that, the syntax is identical to the previous example. To illustrate, let’s give members of group developers permissions to run updatedb as root. By using the NOPASSWD tag, we will allow them to run that command without entering their password (note that it is not necessary to specify the AS WHO here as no password will be required)::

%developers ALL=NOPASSWD:/usr/bin/updatedb

Once you have finished editing /etc/sudoers, save changes and run visudo -c to check the configuration file for errors. If no errors are found, you will get the message shown in the left of Fig. 2, whereas if something is wrong, you will be prompted to make the necessary corrections in the indicated line (as shown in the middle and right of Fig. 2).

Figure 2: Checking the syntax of /etc/sudoers and correcting errors where found
Figure 2: Checking the syntax of /etc/sudoers and correcting errors where found

After you have fixed the errors found, members of the developers group will be able to execute updatedb without password. Additionally, if a particular member of the developers group is logged on while you are making these changes, he or she will need to log out and log back in to see the changes.

Summary

In this article we have explained how to properly edit the /etc/sudoers file in order to grant superuser privileges to users and groups. This will allow them to run commands and perform tasks that require root permissions without giving them access to the root account.

 

Gabriel Canepa

Gabriel Canepa is a Linux Foundation Certified System Administrator (LFCS-1500-0576-0100) and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work. When he's not typing commands or writing code or articles, he enjoys telling bedtime stories with his wife to his two little daughters and playing with them, the great pleasure of his life.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Back to top button