sudoers Configuration: Granting Sudo Access Safely
Tags: sudoers, visudo, NOPASSWD, sudo group, privilege escalation, drop-in, security, linux
Problem
Granting sudo access incorrectly — editing /etc/sudoers directly without visudo, or giving overly broad permissions — leads either to a syntax error that breaks sudo for everyone or to a security vulnerability.
Solution
Always use visudo to edit sudoers. Use drop-in files in /etc/sudoers.d/ for specific grants.
# NEVER edit /etc/sudoers directly — always use visudo
# visudo validates syntax before saving
visudo

# Add user to sudo group (Debian/Ubuntu) — preferred for full sudo access
usermod -aG sudo username

# Contents of /etc/sudoers.d/deploy (sudoers syntax, not shell):
# Grant specific commands without a password (use sparingly)
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp, /usr/bin/rsync
# Allow a user to run a command as a specific user (not root)
deploy ALL=(www-data) NOPASSWD: /usr/bin/php

# Create a drop-in file safely: visudo -f checks the syntax before the file is installed
echo 'deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp' | sudo EDITOR='tee' visudo -f /etc/sudoers.d/deploy

# List what a user is allowed to run (nothing is executed)
sudo -l -U username

# Drop to a root login shell
sudo -i
Why
A syntax error in /etc/sudoers with no validation can leave sudo completely broken, locking you out of root on a system with no direct root password. visudo prevents this by checking syntax before writing.
Gotchas
- A broken /etc/sudoers can be recovered from a live CD or via single-user mode — but it's a painful outage.
- NOPASSWD sudo rules are a security risk — an attacker who compromises the user account gets root.
- sudo rules are matched top-to-bottom and ALL matches everything — put specific rules before broad ones.
- /etc/sudoers.d/ files must not have a .extension and must be chmod 440.
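The file-name, mode and NOPASSWD gotchas above are easy to check mechanically before a drop-in is installed. The following linter is an added example, not code from the original page: it parses each rule with a simplified sudoers grammar (user host=(runas) [TAG:] cmd, cmd ...), and flags names containing '.' or ending in '~', modes other than 0440, 'ALL' command lists, wildcards, relative paths, and NOPASSWD commands with no argument list (in sudoers, a command with no arguments listed accepts any arguments; use "" to forbid them). The sample drop-ins in demo() are constructed for the example. It complements, and does not replace, the real syntax check visudo -c -f FILE.

```python
"""Lint /etc/sudoers.d drop-ins for the pitfalls in this pattern (added example)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Simplified grammar: user  host = (runas) TAG: cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
# Lines this linter does not inspect (aliases, Defaults, include directives)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


@dataclass
class Finding:
    level: str      # "error": sudo will ignore the file or the grant is root-equivalent; "warn": review
    message: str


def check_filename(path: str) -> List[Finding]:
    """sudo's #includedir skips names containing '.' or ending in '~' (editor backups)."""
    name = os.path.basename(path)
    if "." in name or name.endswith("~"):
        return [Finding("error", f"{name}: sudo silently ignores drop-ins containing '.' or ending in '~'")]
    return []


def check_mode(path: str) -> List[Finding]:
    """Drop-ins are expected to be mode 0440 (sudo rejects world-writable files outright)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o440:
        return [Finding("error", f"{os.path.basename(path)}: mode {mode:04o}, expected 0440")]
    return []


def check_rule(line: str, lineno: int) -> List[Finding]:
    """Flag grants that are broader than they look."""
    m = RULE_RE.match(line)
    if not m:
        return [Finding("error", f"line {lineno}: does not parse as a user specification")]
    findings: List[Finding] = []
    nopasswd = "NOPASSWD:" in m.group("tags").replace(" ", "")
    for cmd in (c.strip() for c in m.group("cmds").split(",")):
        if cmd == "ALL":
            findings.append(Finding("error" if nopasswd else "warn",
                                    f"line {lineno}: command list 'ALL' permits every command"))
            continue
        tokens = cmd.split()
        prog = tokens[0].lstrip("!")          # '!' negates a command; still check the path
        if not prog.startswith("/"):
            findings.append(Finding("error", f"line {lineno}: '{prog}' is not an absolute path"))
        if any(ch in cmd for ch in "*?["):
            findings.append(Finding("warn", f"line {lineno}: wildcard in '{cmd}' widens the match"))
        if nopasswd and len(tokens) == 1:
            # No argument list means any arguments are accepted; cmd "" forbids arguments.
            findings.append(Finding("warn", f"line {lineno}: NOPASSWD '{prog}' with arbitrary arguments"))
    return findings


def lint_file(path: str) -> List[Finding]:
    """Run every check on one drop-in, folding backslash-continued lines together."""
    findings = check_filename(path) + check_mode(path)
    with open(path, encoding="utf-8") as fh:
        physical = fh.read().split("\n")
    start, buf = 0, ""
    for lineno, raw in enumerate(physical, 1):
        if not buf:
            start = lineno                     # report continued rules at their first line
        buf += raw
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        line = buf.split("#", 1)[0].strip()    # drop comments (and #include directives)
        buf = ""
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        findings.extend(check_rule(line, start))
    return findings


def demo() -> Dict[str, List[Finding]]:
    """Constructed sample: the Solution's drop-in beside a deliberately bad one."""
    samples = {
        # correctly named and permissioned; the two argument-less NOPASSWD commands get warnings
        "deploy": (0o440, "deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp, /usr/bin/rsync\n"
                          "deploy ALL=(www-data) NOPASSWD: /usr/bin/php\n"),
        # name sudo ignores, wrong mode, root-equivalent grant
        "deploy.bak": (0o644, "admin ALL=(ALL) NOPASSWD: ALL\n"),
    }
    results: Dict[str, List[Finding]] = {}
    with tempfile.TemporaryDirectory() as sudoers_d:
        for name, (mode, body) in samples.items():
            path = os.path.join(sudoers_d, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[name] = lint_file(path)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"== {name}")
        for f in found:
            print(f"  [{f.level}] {f.message}")
```

Run it against a staging copy of a drop-in before the visudo -f step; a warning on an argument-less NOPASSWD command is the cue to either pin the arguments (as the systemctl rule in the Solution does) or accept that the user can run that program with any arguments as the target user.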