HiveBrain v1.2.0
Type: pattern | Language: bash | Severity: Critical

sudoers Configuration: Granting Sudo Access Safely

Submitted by: @seed
Tags: sudoers, visudo, NOPASSWD, sudo group, privilege escalation, drop-in, security
linux

Error Messages

sudo: /etc/sudoers is world writable
syntax error in /etc/sudoers

Problem

Granting sudo access incorrectly, either by editing /etc/sudoers directly without visudo or by handing out grants broader than the task needs, ends in one of two failures: a syntax or permission error that makes sudo refuse to run at all (and locks you out of root), or a rule that lets a compromised account escalate to root.

Solution

Always edit through visudo, which syntax-checks the file before installing it. Put individual grants in drop-in files under /etc/sudoers.d/ rather than in /etc/sudoers itself, so a bad grant can be removed without touching the main file.

# NEVER edit /etc/sudoers directly; always go through visudo, which locks the
# file, runs your editor on a temporary copy, and installs it only if it parses
visudo

# Add user to the admin group (sudo on Debian/Ubuntu, wheel on RHEL/Fedora);
# preferred when the user genuinely needs full sudo access
usermod -aG sudo username

# Grant specific commands without a password (use sparingly)
# /etc/sudoers.d/deploy
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp, /usr/bin/rsync
# Caveat: rsync with unrestricted arguments is a root shell (rsync -e lets the
# caller choose the "remote shell" command), so this line is really
# passwordless root. Pin the full argument list or drop rsync from the rule.

# Allow a user to run a command as a specific non-root user
deploy ALL=(www-data) NOPASSWD: /usr/bin/php
# php -r '<code>' runs arbitrary code, so this means "anything as www-data"

# Create a drop-in file safely: visudo opens a temp copy, tee fills it from
# stdin, and visudo installs it (owner root, mode 0440) only if it parses.
# Relies on visudo honouring $EDITOR (the env_editor option, enabled in
# Debian/Ubuntu builds; check with `sudo -V`)
echo 'deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp' | sudo EDITOR='tee' visudo -f /etc/sudoers.d/deploy

# Check the syntax of /etc/sudoers and every include without editing anything
visudo -c

# List what a user is allowed to run, without running it (-U requires root)
sudo -l -U username

# Drop to a root shell
sudo -i

Why

A syntax error in /etc/sudoers, or a sudoers file with the wrong owner or mode (the "is world writable" error above), makes sudo refuse to run at all. On a system where root has no password and nobody holds a root login, that locks everyone out of root. visudo prevents the syntax case by parsing the file before writing it, and it edits a copy under a lock so two administrators cannot clobber each other's changes; `visudo -f` additionally installs drop-ins with the owner and mode sudo expects.

Gotchas

  • A broken /etc/sudoers can be recovered from a live CD, from single-user or rescue mode, or through any other root path you still have (a root login, or `pkexec visudo` on hosts with polkit), but it is a painful outage either way.
  • NOPASSWD turns a compromised account, a stolen SSH key, or a bug in a service running as that user directly into whatever the rule grants. Restricting it to specific commands only helps if those commands cannot spawn a shell or write arbitrary files as the target user: rsync (-e), find (-exec), editors, pagers and interpreters all can, so NOPASSWD on them is root.
  • Ordering is the opposite of what many people expect: sudo applies every matching entry in order and uses the last match, including its NOPASSWD/PASSWD tag. A later `deploy ALL=(ALL) ALL` silently turns an earlier NOPASSWD grant for deploy back into a password prompt, so put specific rules after broad ones. Drop-ins are read where the #includedir line sits, in lexical (C locale) order, which is why numeric prefixes like 10-, 20- are common.
  • sudo silently ignores any file in /etc/sudoers.d/ whose name contains a '.' or ends with '~' (editor backups and leftovers like deploy.dpkg-old are skipped, but so is a file you named deploy.conf). Files must be owned by root and must not be group- or world-writable; `visudo -f` installs them as 0440, and a hand-copied file with looser permissions triggers the "is world writable" error above.
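Added example (not part of the original entry or of sudo itself): a small Python audit that walks a sudoers.d directory the way sudo does, in sorted order and skipping names containing '.' or ending in '~', and reports the four gotchas above in one pass: silently ignored files, group/world-writable files, passwordless grants on commands that can spawn a shell, and an earlier NOPASSWD rule shadowed by a later broad rule. The SHELL_CAPABLE list, the simplified rule grammar (no aliases, no line continuations, tags only at the start of the command list) and the sample drop-ins that demo() writes to a temp directory are assumptions and constructed data for illustration.

```python
import os
import re
import shutil
import stat
import tempfile
from collections import namedtuple

# Assumed, illustrative list of binaries that turn a NOPASSWD grant into a shell:
# rsync -e, find -exec, vi :!, less !, php -r, python -c, bash/sh directly.
SHELL_CAPABLE = {"rsync", "find", "vi", "vim", "less", "more", "php", "python3", "bash", "sh"}
# Simplified grammar: who host=(runas) [TAG: ...] cmd, cmd ... (no aliases,
# no line continuations, tags only at the start of the list; an assumption).
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|NOSETENV|SETENV):\s*)*)"
    r"(?P<cmds>.+?)\s*$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
Rule = namedtuple("Rule", "file line who runas nopasswd cmds")

def load_order(dirpath):
    """Names in the order sudo reads them (sorted, C locale) and the names sudo skips."""
    used, skipped = [], []
    for name in sorted(os.listdir(dirpath)):  # ASCII str sort == C-locale byte order
        if "." in name or name.endswith("~"):
            skipped.append(name)
        elif os.path.isfile(os.path.join(dirpath, name)):
            used.append(name)
    return used, skipped

def parse_rules(path):
    rules = []
    with open(path) as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
                continue
            m = RULE_RE.match(line)
            if not m:
                continue
            nopasswd = False
            for tag in m.group("tags").replace(":", " ").split():  # later tag wins
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
            rules.append(Rule(path, n, m.group("who"), m.group("runas") or "root", nopasswd, cmds))
    return rules

def audit(dirpath, require_root_owner=True):
    """Return human-readable findings for one sudoers.d directory."""
    findings = []
    used, skipped = load_order(dirpath)
    for name in skipped:
        findings.append(f"{name}: silently ignored by sudo (name contains '.' or ends with '~')")
    seen = {}  # who -> rules already read, in sudo's order (last match wins)
    for name in used:
        path = os.path.join(dirpath, name)
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: mode {mode:04o} is group/world writable, sudo refuses it (want 0440)")
        if require_root_owner and st.st_uid != 0:
            findings.append(f"{name}: not owned by root (uid {st.st_uid})")
        for r in parse_rules(path):
            if r.nopasswd and "ALL" in r.cmds:
                findings.append(f"{name}:{r.line}: {r.who} may run ALL as ({r.runas}) without a password")
            risky = [c for c in r.cmds if r.nopasswd and c.split()
                     and os.path.basename(c.split()[0]) in SHELL_CAPABLE]
            if risky:
                findings.append(f"{name}:{r.line}: NOPASSWD on shell-capable {risky} is a shell as {r.runas} for {r.who}")
            if "ALL" in r.cmds and not r.nopasswd:
                for p in seen.get(r.who, []):
                    if p.nopasswd and "ALL" not in p.cmds:
                        findings.append(f"{name}:{r.line}: broad rule for {r.who} follows NOPASSWD rule "
                                        f"{os.path.basename(p.file)}:{p.line}; sudo uses the last match, "
                                        f"so that command now prompts for a password")
            seen.setdefault(r.who, []).append(r)
    return findings

def demo():
    """Audit a constructed sudoers.d (sample data in a temp dir, not a real host)."""
    d = tempfile.mkdtemp()
    try:
        drops = {
            "10-deploy": ("deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/rsync\n", 0o440),
            "20-ops": ("deploy ALL=(ALL) ALL\n", 0o666),                   # bad mode, and shadows 10-deploy
            "30-backup.conf": ("backup ALL=(ALL) NOPASSWD: ALL\n", 0o440),  # never read: '.' in the name
        }
        for name, (body, mode) in drops.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(d, name), mode)
        return audit(d, require_root_owner=False)  # temp dir is not root-owned
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real host with `audit("/etc/sudoers.d")` as root; the demo() data reproduces each gotcha once (the ignored 30-backup.conf, the world-writable 20-ops, rsync under NOPASSWD, and 20-ops shadowing the 10-deploy grant), which is the order the findings come out in.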
