Linux Tip: Use visudo to Edit the sudoers File to Avoid Costly Mistakes
This article will show you how to use visudo to edit the sudoers file to grant root access to users – and protect against making mistakes that could lock you out of your Linux system forever.
What is the sudoers File?
The sudoers file defines which users have access to the sudo command on Linux systems.
The file is located at:
/etc/sudoers
…and it looks like this:
# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
The sudo Command
The sudo command allows authorized users to run commands as another user. By default, and it’s primary purpose, it runs commands as root – allowing users to perform administrative tasks without logging in directly as the root user.
Why Use sudo Instead of Logging in as root?
Security. By using sudo to execute a command, only that command is run with root privileges – you are explicitly allowing it those privileges. If you are logged in as root, any command you run is run with elevated privileges, making it easy for scripts to access things they aren’t supposed to, or simple mistakes like typos to damage the system.
visudo – A Program for Safely Editing the Sudoers File
Whether or not a user can use the sudo command is dictated by the sudoers file – so it’s important to be careful when editing this file. If it is incorrectly configured, or a typo or mistake is made, it could lock all users out of the sudo command altogether – denying you root access and effectively locking you out of your own system.
visudo is a program which allows you to safely edit the sudoers file, checking it for errors before saving it to help to prevent silly mistakes from locking you out of the sudo command.
Using visudo to Edit the sudoers File
To safely edit the sudoers file with visudo, simply call it with elevated privileges:
sudo visudo
visudo will open the sudoers file with the default text editor.
The Syntax of the sudoers File
The syntax of the sudoers file is thoroughly covered in the official documentation.
visudo and sudoers Safety Tips
visudo doesn’t prevent all errors, you still have to be careful. It can validate that there are no syntax errors in the file, but it can’t tell incorrect information.
That is – it’ll pick up on poorly formatted configuration, but won’t notice if you misspell a username.
These tips will help mitigate the kinds of mistakes visudo won’t detect.
Create Your Own sudoers File
Avoid modification of the default sudoers configuration file by creating your own configuration file to supplement it.
First, use visudo to edit the default /etc/sudoers file and uncomment the following line:
#includedir /etc/sudoers.d
Now, the system will load additional configuration from the path /etc/sudoers.d/, allowing you to make changes to the configuration there and leave the default configuration file alone.
Create and edit a new configuration file using the following:
sudo visudo -f /etc/sudoers.d/mysudoersconfig
Keep a Separate Terminal Window or Remote Session Open and Logged In
If you are changing the sudo privileges, leave a terminal session logged in as a user with sudo privileges.
You can then test your changes, and if you’ve broken something, revert them from that session which will retain the sudo privileges – even if you’ve made a mistake.
Back up your system
Keeping regular backups is vital. It may not be you that breaks your system – a bad update, a power surge, burglars – anything can happen. Back up your system and make changes as you see fit, safely knowing that if something breaks, it doesn’t stay broken.