SUDO in debian ubuntu - janvanderwijk.tech

#sudo #usermod #group #groups #etc ### **Understanding the `/etc/sudoers` File in Linux** The file **`/etc/sudoers`** (pronounced **"etsy"**) contains the configuration for users who are allowed to use `sudo`. This file requires **root permissions** or membership in the root group to be modified. 🔹 **⚠️ This file should ONLY be edited using `visudo`** to prevent syntax errors that could break `sudo` access. --- ## **1️⃣ Understanding the `/etc/sudoers` Syntax** Inside `/etc/sudoers`, you will find a rule similar to: `root ALL=(ALL:ALL) ALL` This rule can be broken down as follows: - **`root`** → WHO can execute commands? (The specified user or group) - **`ALL`** → WHERE can they execute commands? (Applies to ALL machines, IP addresses, or hostnames) - **`(ALL:ALL)`** → AS which **user** and **group** should the commands be executed? (AsUser:AsGroup) - **`ALL`** → WHAT commands are they allowed to run? (Comma-separated list; `ALL` means everything) --- ## **2️⃣ Granting Sudo Access to a User** You can add a user to the **`sudo`** group using: `sudo usermod -aG sudo jan` This command adds **user `jan`** to the **sudo** group, allowing them to use `sudo`. 📌 Inside `/etc/sudoers`, you'll see: `%sudo ALL=(ALL:ALL) ALL` The **`%sudo`** means **the entire `sudo` group** has sudo permissions. --- ## **3️⃣ Using the `/etc/sudoers.d/` Directory** At the bottom of `/etc/sudoers`, you'll find: `@includedir /etc/sudoers.d` This means that **all configuration files inside `/etc/sudoers.d/`** will be loaded. 🔹 **Advantages of Using `/etc/sudoers.d/`:** ✅ **Modular management** → Organize sudo rules into separate files. ✅ **Safe updates** → System updates can modify sudo rules without touching the main `/etc/sudoers` file. ✅ **Less risk** → Mistakes in individual files won't break the entire sudo configuration. 📌 **Always use `visudo` to edit these files** to avoid syntax errors: `sudo visudo -f /etc/sudoers.d/customrules` 🛑 **IMPORTANT:** The **last** applicable rule in `/etc/sudoers` is the one that takes effect. Since `@includedir /etc/sudoers.d` is at the end, rules inside this directory **override earlier rules**. --- ## **4️⃣ Checking Sudo Permissions** 🔹 **Check which groups you belong to:** `groups` 🔹 **Check what sudo commands you are allowed to run:** `sudo -l` 📌 **Example output:** ``` Matching Defaults entries for jan on PC018: env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty User jan may run the following commands on PC018: (ALL : ALL) ALL ``` This means `jan` can execute **ANY command as ANY user** using `sudo`. --- ## **5️⃣ Adding Sudo Rules Without a Password Prompt** If you want a user to run sudo **without entering a password**, add `NOPASSWD` before the last `ALL`. 🔹 **Example:** `jan ALL=(ALL) NOPASSWD:ALL` Now, `jan` can run `sudo` **without a password**. 🛑 **Always use `visudo` to modify sudo rules safely:** `sudo EDITOR=vi visudo -f /etc/sudoers.d/newrules` --- ## **6️⃣ Fixing Read-Only File System Issues** If you see **"read-only file system"** errors (e.g., on **Ubuntu Touch (#ubports)**), remount the filesystem as writable first: `mount -o remount,rw /` --- ## **🔹 Summary** ✔ **Use `visudo`** to safely edit `/etc/sudoers`. ✔ **Grant sudo rights by adding a user to the `sudo` group**: `sudo usermod -aG sudo jan` ✔ **Use `/etc/sudoers.d/` for modular sudo rules.** ✔ **Check sudo permissions with**: `sudo -l` ✔ **Allow passwordless sudo by adding `NOPASSWD` to the rules.** ✔ **Fix read-only file system errors with**: `mount -o remount,rw /` This ensures a **safe and flexible** sudo configuration on your Linux system! 🚀 [[Sudo without Password]] [[SUDOERS in AIX]] [[SUDO Bypass]] [[Enable Sudo]]