Linux and Unix systems implement security paradigms through restricted user access. The restriction is based on the privilege the user has, depending on the group in which they are on a system. When you install your system, the admin account is created by default. The admin has root privileges, allowing them to execute any command, unlike a regular user whose permission on what command they can execute is limited. Limiting the user privileges is achieved by editing the sudoers file.
As the system administrator, you must know how to work with the sudoers file to enhance security. Reading this post will give you crucial insights regarding the sudoers file and how to edit it.
Understanding What the Sudoers File is
As mentioned earlier, the administrator account is the first user on a Linux or Unix-like system. The admin is granted sudo privileges by default and can execute any command using the sudo privileges. The privileges of any users or groups on the system are stored in the sudoers file.
When a new user is created, they only have regular privileges. For instance, a regular user can’t run administrative commands such as updating the system or any command that requires sudo.
However, their privileges can be edited in the sudoers file to give them admin privileges or add them to a different group with specific privileges.
There is also the root user, who has the power to run all commands with unrestricted access to the system. As root, you don’t need to prefix sudo when running any command. However, running commands as root is risky as wrong commands can quickly mess up your system, which is why the admin user is the default user in a new system.
Understanding the root Privileges
We’ve discussed what the sudoers file is and why it’s essential. The next task is to learn how to edit it. Before that, how can you gain root privileges on Linux or Unix-like systems?
There are two main ways to achieve this.
1. Using the su Keyword
When logged into your system, you can quickly switch to root by executing the su command. Once you do, you won’t need to add sudo when executing commands, as you now have unrestricted access to the system.
The below example starts by checking the currently logged-in user and then switches to the root user.
Run the exit command to switch back to the admin or regular user.
2. Using sudo
Even without switching to root, you can execute commands with root privileges by adding sudo before them. However, you must authenticate using your password and have super-user privileges to enjoy this privilege.
For instance, you can run the update command without sudo privileges.
How to Edit the Sudoers File
The sudoers file is the /etc/sudoers, but editing it requires using the visudo command to ensure you don’t break your system using improper syntax. Even with visudo, you can specify which text editor to use with the following command.
We’ve selected the nano text editor, the currently selected choice.
Source the file, then proceed to open it using the commands below.
The file will open, and we will focus on the section below.
The root ALL=(ALL:ALL) ALL shows that the root user can execute any command on the system as they have unrestricted access.
The %admin ALL=(ALL) ALL shows that anyone in this group has root privileges.
The %sudo ALL=(ALL:ALL) ALL shows that any member of the sudo group can execute any command.
The last line implies that any files inside the /etc/sudoers.d follow the same rules as the sudoers file. Therefore, the files are linked, and when you want to modify the sudoers, you can open any file inside the directory. When editing the files, ensure you use the visudo command.
Here’s the syntax to use.
From the sudoers file, we see that users have privileges depending on their group. Using the command below, users can be given sudo privileges by adding them to the sudo group.
If using CentOS, use the following command.
After running the command, you can verify that the user has been added to that group, as in the example below.
The above output shows that user ‘linuxmeta’ is in the ‘linuxme’a and sudo’ groups. Suppose you want specific users to have specific privileges. A better approach is to create a sudoers file for a given group, specify the privileges, and then add the users to that group.
Let’s create an ‘update’ sudoers file using the below command.
Inside it, specify the commands that users can run and the new group.
The sudoers file specifies the two update commands that any user in the group1 can execute.
Lastly, create the group and then add the user to it.
That’s how you edit the sudoers file to give users different privileges. There are other ways to give users different privileges, and what we’ve discussed here is one way to achieve this.
Conclusion
The sudoers file helps specify what privileges a user should have on a system. This post introduced the sudoers file and how to open it using the visudo command. We also discussed how to give root privileges and how to add users to a group. Lastly, we’ve seen how to create a sudoers file and add users to it.