visudo
Safely edit the sudoers file with syntax checking
Syntax:
visudo [options]
Warning: Always use visudo to edit the sudoers file. Direct editing with other editors can result in syntax errors that lock you out of sudo access.
Description
visudo is a utility that safely edits the sudoers file by providing syntax checking and file locking. It prevents multiple simultaneous edits and validates the syntax before saving, ensuring that sudo configuration remains functional.
Why Use visudo?
| Feature | Description |
|---|---|
| Syntax Checking | Validates sudoers syntax before saving |
| File Locking | Prevents concurrent edits by multiple users |
| Safe Editing | Edits a temporary copy (/etc/sudoers.tmp) and installs it only after it parses; a broken edit never reaches /etc/sudoers |
| Editor Selection | Uses the editors listed in Defaults editor; SUDO_EDITOR, VISUAL and EDITOR are honored only when Defaults env_editor is enabled |
Command Options
| Option | Description |
|---|---|
| -c | Check syntax only, don't edit; exit status is 0 when the file parses |
| -f file | Edit (or, with -c, check) the specified file instead of /etc/sudoers; the lock/temporary file becomes file.tmp |
| -q | Quiet mode: suppress syntax error details (only meaningful with -c) |
| -s | Strict mode: an alias that is referenced but never defined, or a cycle between aliases, is treated as a parse error |
| -V | Show version information |
| -x output_file | Export the parsed sudoers policy as JSON to output_file (newer sudo releases also ship cvtsudoers for this) |
Basic Usage
Edit sudoers file:
# Edit the main sudoers file
sudo visudo
# Check syntax without editing
sudo visudo -c
# Edit a specific sudoers file
sudo visudo -f /etc/sudoers.d/myfile
Sudoers File Syntax
Basic sudoers syntax:
# User privilege specification
# user host=(runas_user:runas_group) command
# host is compared with this machine's hostname; ALL matches any host,
# "localhost" only matches on a machine whose hostname is literally localhost
# Examples:
john ALL=(ALL:ALL) ALL
mary localhost=/usr/bin/apt-get
bob ALL=(root) NOPASSWD: /bin/systemctl
# Group privilege specification (group names are prefixed with %)
%admin ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
Common Sudoers Configurations
User permissions:
# Give user full sudo access
username ALL=(ALL:ALL) ALL
# Allow user to run specific commands
# (unrestricted systemctl is root-equivalent: "systemctl edit" opens an editor as root
#  and the status pager allows shell escapes; pin the subcommands instead)
username ALL=(root) /usr/bin/systemctl, /usr/bin/service
# Allow user to run commands without password
# (apt-get with free arguments accepts -o options that run shell commands as root)
username ALL=(ALL) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt
# Allow user to run a command as a specific non-root user;
# the target user still needs the rights to do what the command does
username ALL=(apache) /usr/bin/systemctl restart httpd
Group permissions:
# Give group full sudo access
%sudo ALL=(ALL:ALL) ALL
# Allow group to manage services
%sysadmin ALL=(root) /usr/bin/systemctl
# Allow group to install packages without password
# Caution: '*' also matches spaces, so extra arguments such as
# "-o Dpkg::Pre-Invoke::=/bin/sh" still match this rule
%developers ALL=(root) NOPASSWD: /usr/bin/apt-get install *
Advanced Sudoers Features
Command aliases:
# Define command aliases
Cmnd_Alias SERVICES = /usr/bin/systemctl, /usr/bin/service
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
# Package managers install files and run scriptlets as root, so this alias is root-equivalent
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
# Use aliases in rules
%sysadmin ALL = SERVICES, NETWORKING
%developers ALL = SOFTWARE
User and host aliases:
# User aliases
User_Alias ADMINS = john, mary, bob
User_Alias OPERATORS = alice, charlie
# Host aliases
Host_Alias SERVERS = web1, web2, db1, db2
Host_Alias WORKSTATIONS = ws1, ws2, ws3
# Use aliases
ADMINS SERVERS = (ALL) ALL
OPERATORS WORKSTATIONS = (ALL) NOPASSWD: /usr/bin/systemctl
Security Options
Security defaults:
# Password prompting: number of attempts, and minutes before the prompt gives up
Defaults passwd_tries=3
Defaults passwd_timeout=5
# Log sudo commands to a file (in addition to syslog)
Defaults logfile="/var/log/sudo.log"
# Record each session's input and output (written under /var/log/sudo-io by default)
Defaults log_input, log_output
# Fixed PATH for commands run through sudo, so a user-controlled PATH cannot substitute binaries
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Start from a clean environment and add back only what is needed
Defaults env_reset
Defaults env_keep += "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Troubleshooting
Common issues and solutions:
# Check sudoers syntax
sudo visudo -c
# If locked out, boot to single-user (rescue) mode and fix:
# 1. Boot to single-user mode
# 2. Mount the root filesystem read-write: mount -o remount,rw /
# 3. Fix the sudoers file: visudo
# 4. Reboot normally
# (If polkit is installed and you are an admin user, "pkexec visudo" avoids the reboot.)
# "sudoers file busy, try again later" means another visudo holds the lock;
# remove a stale /etc/sudoers.tmp only after confirming no visudo is running
# View sudo log
sudo tail -f /var/log/sudo.log
# Test sudo access
sudo -l   # List allowed commands
sudo -v   # Validate credentials
Best Practices
Sudoers best practices:
# Use /etc/sudoers.d/ for custom rules
# (file names must not contain '.' or end in '~', or sudo silently skips the file; mode must be 0440, owner root)
sudo visudo -f /etc/sudoers.d/custom
# Always test changes: the drop-in on its own, then the whole policy
sudo visudo -c -f /etc/sudoers.d/custom
sudo visudo -c
# Use principle of least privilege: full path, fixed arguments
user ALL=(root) /specific/command
# Group similar permissions; a system service is restarted as root, not as the service account
%webadmin ALL=(root) /usr/bin/systemctl restart apache2
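The drop-in procedure above (write to /etc/sudoers.d/, check it with visudo -c, keep the 0440 mode) as a script. This is an added example and not code from the page or from the sudo project; it assumes visudo is on PATH, that /etc/sudoers.d/ is the configured includedir, and that it runs as root when it actually installs a file. The name check encodes sudo's rule that drop-ins containing '.' or ending in '~' are ignored, and the temporary file deliberately has a dot in its name so a half-finished run leaves nothing sudo would parse.

```python
"""Install a sudoers drop-in only after visudo -c accepts it (added example)."""
import os
import re
import subprocess
import sys
import tempfile

SUDOERS_D = "/etc/sudoers.d"   # assumed: the #includedir / @includedir used by /etc/sudoers

# sudo skips drop-ins whose names contain '.' or end with '~' (editor backups,
# .dpkg-new files). A conservative charset also rules out path separators.
DROPIN_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_dropin_name(name: str) -> bool:
    """True if sudo will actually read a file of this name from sudoers.d."""
    return DROPIN_NAME_RE.fullmatch(name) is not None


def normalize_rules(content: str) -> str:
    """Strip trailing whitespace and guarantee exactly one trailing newline."""
    return content.rstrip() + "\n"


def visudo_accepts(path: str = None, visudo: str = "visudo") -> bool:
    """Run visudo in check-only mode on one file (-f) or on the whole policy."""
    cmd = [visudo, "-c"] + (["-f", path] if path else [])
    return subprocess.run(cmd).returncode == 0   # visudo prints its own diagnostics


def install_dropin(name: str, content: str, directory: str = SUDOERS_D,
                   visudo: str = "visudo") -> str:
    """Validate, then atomically install a drop-in; raises and installs nothing on failure."""
    if not valid_dropin_name(name):
        raise ValueError(f"{name!r}: sudo ignores names containing '.' or ending in '~'")
    target = os.path.join(directory, name)
    # Temporary file in the same directory (so os.replace is an atomic rename) whose
    # name contains a dot, so sudo ignores it if this script dies half-way.
    fd, tmp = tempfile.mkstemp(prefix=f".{name}.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(normalize_rules(content))
        os.chmod(tmp, 0o440)          # sudo refuses sudoers files with looser permissions
        os.chown(tmp, 0, 0)           # owner root:root; requires running as root
        if not visudo_accepts(tmp, visudo):
            raise RuntimeError(f"{name}: rejected by visudo -c, nothing installed")
        os.replace(tmp, target)       # readers see either the old file or the new one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    # A drop-in that parses alone can still break the combined policy (duplicate
    # aliases, for example), so check everything and roll back if that fails.
    if not visudo_accepts(None, visudo):
        os.unlink(target)
        raise RuntimeError(f"{name}: combined policy failed visudo -c, file removed")
    return target


if __name__ == "__main__":
    # usage: sudo python3 install_dropin.py <name> <rules-file>
    dropin_name, rules_file = sys.argv[1], sys.argv[2]
    with open(rules_file) as fh:
        print("installed", install_dropin(dropin_name, fh.read()))
```

Running the whole-policy check after the rename is what the page's "Always test changes" step means in practice: `visudo -c -f` proves the new file parses, and a second `visudo -c` proves it still fits with /etc/sudoers and the other drop-ins.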
File Locations
| File/Directory | Description |
|---|---|
| /etc/sudoers | Main sudoers configuration file (mode 0440, owner root) |
| /etc/sudoers.d/ | Directory for additional sudoers files, read through the #includedir (or @includedir) line in /etc/sudoers |
| /var/log/sudo.log | Sudo command log (if configured with Defaults logfile) |
| /etc/sudoers.tmp | Temporary copy and lock file while visudo is editing; a leftover copy means a crashed or concurrent edit |
Practical Examples
Web server administration:
# Allow web developers to manage Apache
%webdev ALL=(root) /usr/bin/systemctl start apache2, \
/usr/bin/systemctl stop apache2, \
/usr/bin/systemctl restart apache2, \
/usr/bin/systemctl reload apache2
# Allow editing of web configuration
# Caution: the wildcard also matches spaces, so
# "sudoedit /etc/apache2/sites-available/x /etc/shadow" matches this rule too;
# list the files explicitly where the set is known
%webdev ALL=(root) sudoedit /etc/apache2/sites-available/*
Database administration:
# Allow DBA group to manage MySQL
%dba ALL=(mysql) /usr/bin/mysql, /usr/bin/mysqldump
# Spell out the subcommands: "systemctl * mysql" would also match "systemctl edit mysql",
# which opens an editor as root
%dba ALL=(root) /usr/bin/systemctl start mysql, /usr/bin/systemctl stop mysql, \
    /usr/bin/systemctl restart mysql, \
    /usr/bin/systemctl start mariadb, /usr/bin/systemctl stop mariadb, \
    /usr/bin/systemctl restart mariadb
Package management:
# Allow users to run these fixed invocations without a password
# (a command without a wildcard matches only when run with exactly these arguments,
#  so "apt-get install" alone is granted here, not "apt-get install <package>")
%users ALL=(root) NOPASSWD: /usr/bin/apt-get update, \
/usr/bin/apt-get install, \
/usr/bin/apt-get upgrade
# Negated entries grant nothing: remove and purge are already denied because they are not listed.
# Subtracting commands from ALL with '!' is not a restriction either; the user can copy the binary
# under another name. Grant an explicit list instead.
%users ALL=(root) !/usr/bin/apt-get remove, \
!/usr/bin/apt-get purge
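The three pitfalls the practical examples and the group-permission example run into (NOPASSWD: ALL, wildcards in command arguments, and negated commands) can be spotted mechanically before a rule is installed. The audit below is an added example, not code from the page or from sudo; the sudoers text it runs over is constructed sample input modelled on the page's own rules. It parses plain user specifications only: Defaults, alias definitions and include lines are skipped, and the rarely used "spec1 : spec2" form on one line is not handled.

```python
"""Audit sudoers user specifications for NOPASSWD ALL, argument wildcards and '!' entries."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample, not a real /etc/sudoers; mirrors the page's examples.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl, /usr/bin/service
%wheel ALL=(ALL) NOPASSWD: ALL
%developers ALL=(root) NOPASSWD: /usr/bin/apt-get install *
%dba ALL=(root) /usr/bin/systemctl * mysql, \\
    /usr/bin/systemctl * mariadb
%users ALL=(root) !/usr/bin/apt-get remove, \\
    !/usr/bin/apt-get purge
alice ALL=(root) /usr/bin/systemctl restart apache2
"""


class Finding(NamedTuple):
    line: int    # physical line on which the rule starts
    who: str     # user or %group the rule applies to
    issue: str


# user host=(runas) [TAG:] cmd, cmd ...   (runas part optional)
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*(?P<rest>.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "#include", "@include")


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_number, rule) with backslash continuations joined and comments dropped."""
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or (line.startswith("#") and not line.startswith("#include")):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:                                   # continuation on the last line
        yield start, " ".join(buf)


def split_commands(cmds: str) -> Iterator[Tuple[bool, bool, str]]:
    """Split a command list on commas; tags such as NOPASSWD: carry forward as in sudo."""
    nopasswd = False
    for item in cmds.split(","):
        item = item.strip()
        while (m := TAG_RE.match(item)):
            if m["tag"] == "NOPASSWD":
                nopasswd = True
            elif m["tag"] == "PASSWD":
                nopasswd = False
            item = m["rest"].strip()          # other tags (NOEXEC: etc.) are dropped
        negated = item.startswith("!")
        yield nopasswd, negated, item.lstrip("!").strip()


def audit_rule(lineno: int, rule: str) -> List[Finding]:
    """Findings for one logical sudoers line."""
    if rule.startswith(SKIP_PREFIXES):
        return []
    m = SPEC_RE.match(rule)
    if not m:
        return [Finding(lineno, "?", f"could not parse: {rule!r}")]
    who, findings = m["who"], []
    for nopasswd, negated, cmd in split_commands(m["cmds"]):
        path, _, args = cmd.partition(" ")
        if negated:
            findings.append(Finding(lineno, who,
                f"'!{cmd}' grants nothing, and as a subtraction from ALL it is defeated "
                f"by copying the binary under another name; list allowed commands instead"))
        if nopasswd and cmd == "ALL":
            findings.append(Finding(lineno, who,
                "NOPASSWD: ALL gives passwordless root for any command"))
        if any(c in args for c in "*?["):
            findings.append(Finding(lineno, who,
                f"wildcard in the arguments of {path}: '*' also matches spaces, "
                f"so extra options and files can be appended"))
    return findings


def audit(text: str) -> List[Finding]:
    """Audit a whole sudoers text; findings come back in file order."""
    return [f for n, rule in logical_lines(text) for f in audit_rule(n, rule)]


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f.line} ({f.who}): {f.issue}")
```

On the sample the checker reports six findings: the %wheel NOPASSWD: ALL line, the apt-get wildcard, both systemctl wildcards for %dba, and both negated apt-get entries; alice's fixed-argument rule is clean. It complements, rather than replaces, `visudo -c`, which only tells you the file parses.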
Environment Variables
| Variable | Description |
|---|---|
| EDITOR | Fallback editor, consulted after SUDO_EDITOR and VISUAL |
| VISUAL | Visual editor (takes precedence over EDITOR) |
| SUDO_EDITOR | Editor specifically for visudo and sudoedit; takes precedence over VISUAL and EDITOR |
These variables are honored only when Defaults env_editor is enabled; otherwise visudo uses the first usable editor from the Defaults editor list. Because the editor runs as root, enabling env_editor lets anyone allowed to run visudo launch an arbitrary program as root, which is why it is off in the upstream default.
Security Warning: Never edit /etc/sudoers directly with vi, nano, or other editors. Always use visudo to prevent syntax errors that could lock you out of sudo access.
Common Use Cases
- System administration: Granting specific privileges to users
- Service management: Allowing users to control system services
- Package management: Permitting software installation/updates
- File editing: Enabling editing of system configuration files
- Network management: Allowing network configuration changes
- User management: Permitting user account operations
- Backup operations: Granting access to backup commands
- Development environments: Providing necessary privileges for developers