#sudo #usermod #group #groups #etc
### **Understanding the `/etc/sudoers` File in Linux**
The file **`/etc/sudoers`** (`/etc` is pronounced **"etsy"**) contains the configuration for users who are allowed to use `sudo`. Modifying this file requires **root permissions** or membership in the root group.
🔹 **⚠️ This file should ONLY be edited using `visudo`** to prevent syntax errors that could break `sudo` access.
---
## **1️⃣ Understanding the `/etc/sudoers` Syntax**
Inside `/etc/sudoers`, you will find a rule similar to:
`root ALL=(ALL:ALL) ALL`
This rule can be broken down as follows:
- **`root`** → WHO can execute commands? (The specified user or group)
- **`ALL`** → WHERE can they execute commands? (Applies to ALL machines, IP addresses, or hostnames)
- **`(ALL:ALL)`** → AS which **user** and **group** should the commands be executed? (AsUser:AsGroup)
- **`ALL`** → WHAT commands are they allowed to run? (Comma-separated list; `ALL` means everything)
---
## **2️⃣ Granting Sudo Access to a User**
You can add a user to the **`sudo`** group using:
`sudo usermod -aG sudo jan`
This command adds **user `jan`** to the **sudo** group, allowing them to use `sudo`. The new group membership takes effect at `jan`'s next login.
📌 Inside `/etc/sudoers`, you'll see:
`%sudo ALL=(ALL:ALL) ALL`
The **`%sudo`** means **the entire `sudo` group** has sudo permissions.
---
## **3️⃣ Using the `/etc/sudoers.d/` Directory**
At the bottom of `/etc/sudoers`, you'll find:
`@includedir /etc/sudoers.d`
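This means that **all configuration files inside `/etc/sudoers.d/`** will be loaded. Older sudo versions write this directive as `#includedir`; despite the leading `#`, it is a directive, not a comment. Note that sudo skips files in this directory whose names end in `~` or contain a `.`, so a file with an extension is silently ignored.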
🔹 **Advantages of Using `/etc/sudoers.d/`:**
✅ **Modular management** → Organize sudo rules into separate files.
✅ **Safe updates** → System updates can modify sudo rules without touching the main `/etc/sudoers` file.
✅ **Less risk** → Mistakes in individual files won't break the entire sudo configuration.
📌 **Always use `visudo` to edit these files** to avoid syntax errors:
`sudo visudo -f /etc/sudoers.d/customrules`
🛑 **IMPORTANT:**
The **last** applicable rule in `/etc/sudoers` is the one that takes effect.
Since `@includedir /etc/sudoers.d` is at the end, rules inside this directory **override earlier rules**.
---
## **4️⃣ Checking Sudo Permissions**
🔹 **Check which groups you belong to:**
`groups`
🔹 **Check what sudo commands you are allowed to run:**
`sudo -l`
📌 **Example output:**
```
Matching Defaults entries for jan on PC018:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
    use_pty

User jan may run the following commands on PC018:
    (ALL : ALL) ALL
```
This means `jan` can execute **ANY command as ANY user** using `sudo`.
---
## **5️⃣ Adding Sudo Rules Without a Password Prompt**
If you want a user to run sudo **without entering a password**, add the `NOPASSWD:` tag before the last `ALL`.
🔹 **Example:**
`jan ALL=(ALL) NOPASSWD:ALL`
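Now, `jan` can run `sudo` **without a password**. Because this removes the password check for every command, list only the specific commands that need it instead of `ALL` where possible.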
🛑 **Always use `visudo` to modify sudo rules safely:**
`sudo EDITOR=vi visudo -f /etc/sudoers.d/newrules`
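
The sketch below is an added example, not part of the original note: it splits a rule into the who/where/as/what fields from section 1 and reports which entries combine `NOPASSWD` with `ALL` commands. It assumes the simple one-line rule shape used on this page, with any tag placed before the command list; the `deploy` rule and the sample lines are constructed for illustration.

```python
import re

# Simple rule shape from this page: WHO HOST=(AS_USER:AS_GROUP) [TAG:] COMMANDS
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_rule(line):
    """Return who/where/as/what for one rule; None for comments, includes, Defaults, aliases."""
    line = line.strip()
    m = RULE.match(line)
    if not line or line.startswith(SKIP) or m is None:
        return None
    user, _, group = (m["runas"] or "root").partition(":")
    return {
        "who": m["who"],
        "is_group": m["who"].startswith("%"),
        "host": m["host"],
        "as_user": user.strip(),
        "as_group": group.strip() or None,
        "tags": [t.strip() for t in m["tags"].split(":") if t.strip()],
        "commands": [c.strip() for c in m["cmds"].split(",")],
    }

def passwordless_all(lines):
    """List every WHO that may run ALL commands without a password prompt."""
    hits = []
    for line in lines:
        rule = parse_rule(line)
        if rule and "NOPASSWD" in rule["tags"] and "ALL" in rule["commands"]:
            hits.append(rule["who"])
    return hits

# Constructed sample lines; "deploy" and its command are hypothetical.
SAMPLE = [
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "jan ALL=(ALL) NOPASSWD:ALL",
    "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx",
    "@includedir /etc/sudoers.d",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", parse_rule(entry))
    print("passwordless ALL:", passwordless_all(SAMPLE))
```

Treat the result as a quick review aid only: `sudo -l` and `visudo -c` remain the authoritative view of what sudo itself parses.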
---
## **6️⃣ Fixing Read-Only File System Issues**
If you see **"read-only file system"** errors (e.g., on **Ubuntu Touch (#ubports)**), remount the filesystem as writable first:
`mount -o remount,rw /`
---
## **🔹 Summary**
✔ **Use `visudo`** to safely edit `/etc/sudoers`.
✔ **Grant sudo rights by adding a user to the `sudo` group**:
`sudo usermod -aG sudo jan`
✔ **Use `/etc/sudoers.d/` for modular sudo rules.**
✔ **Check sudo permissions with**:
`sudo -l`
✔ **Allow passwordless sudo by adding `NOPASSWD` to the rules.**
✔ **Fix read-only file system errors with**:
`mount -o remount,rw /`
This ensures a **safe and flexible** sudo configuration on your Linux system! 🚀
[[Sudo without Password]]
[[SUDOERS in AIX]]
[[SUDO Bypass]]
[[Enable Sudo]]