How-to

How to Setup Sudoers on Linux

What is sudo?

Sudo is a system utility that provides limited root/superuser privileges to specific users.

It allows a sysadmin to control users on the Linux system, which users can run commands with superuser privileges, set up the password timeout for users, or even log every sudo command.

sudo is a very configurable utility, controlled with the configuration file ‘/etc/sudoers’ and must be edited with the ‘visudo’ command that provides syntax-check for sudoers configuration.

In this tutorial, we will set up a sudoers on the Linux system, including the Ubuntu and CentOS system. We will add a user to the sudoers list, setup password timeout, setup tries limit, run specific sudo command without password, and set up a sudo log for every event.

1. Add User to Sudoer List

In this section, we will add the user to the sudoers list. In efect, your user will be able to execute the sudo command to obtain the root superuser privileges.

By default, the Ubuntu system comes with default the group called ‘sudo‘, as well as a CentOS system with the ‘wheel‘ group. Both groups allow every member to run the sudo command.

Simply, to allows your users to run the sudo command, add your users to the ‘sudo‘ or ‘wheel‘ group using the usermod command as below.

For Ubuntu users, add the user to the ‘sudo‘ group.

usermod -a -G sudo dream

And for CentOS user, add the user to the ‘wheel‘ group.

usermod -a -G wheel dream

As a result, your user can execute commands using ‘sudo‘ with the superuser privileges.

Add User to Sudoers

2. Set Up Sudo Passwordless for Specific User

The sudo passwordless allows your user to execute the sudo command without asking for the password.

This is useful if you have a specific case, such as application deployment using the Ansible, etc.

In this section, we will set up the sudo passwordless for a specific user using the ‘/etc/sudoers‘ configuration.

First, we will set up the default system ‘EDITOR‘ using the nano. We will add a new system variable ‘EDITOR‘ with the value ‘nano’ using the export command below.

export EDITOR=nano
echo $EDITOR

Next, edit the ‘/etc/sudoers’ configuration file using the command below.

visudo

To add the sudo passwordless for the specific user, add the configuration below.

dream ALL=(ALL) NOPASSWD:ALL

Save and close.

As a result, the user can execute the sudo command to obtain the superuser privileges without prompting for the password.

3. Set Up Sudo Password Timeout

By default, sudo will remember your password for 5 minutes.

You can use the ‘timestamp_timeout‘ configuration to increase or decrease the sudo password timeout as you want.

Add the ‘timestamp_timeout‘ configuration below to decrease the password timeout to 2 minutes.

Defaults timestamp_timeout=2

Save and close.

As a result, the sudo will remember your password for 2 minutes.

4. Increase or Decrease Password Limit​

When you’re entering the wrong password for your user, you’re limited to tries the password 3 times.

In order to increase the limit, you can use the ‘passwd_tries‘ configuration below.

Defaults passwd_tries=5

As a result, the password tries will increase to 5 times.

Setup Limit Password Tries Sudoers

5. Allow Specific User to Run Specific Command

In this section, we will set up the sudoers to allow a specific user to run specific commands.

This is very useful, especially when you want to give limit access for specific commands to your user.

Below are sample configurations for allowing the user to execute the ‘apt‘ and ‘shutdown‘ command and denied other commands.

siyeon ALL=/usr/bin/apt,/sbin/shutdown

As a result, the user can only execute the ‘apt’ and ‘shutdown’ and other commands that require root privilege will be denied.

Allow Specific User to Run Specific Command

6. Sudo Log to Specific File

By default, the sudo will log every sudo command to the syslog. In this section, we will set up a sudo to log to the specific log ‘/var/log/sudo.log‘. In effect, all sudo command logs will go under that log file.

Add the following configuration to the ‘/etc/sudoers’ file.

Defaults log_host, log_year, logfile="/var/log/sudo.log"

As a result, the log of sudo command ‘/var/log/sudo.log‘ will be shown as below.

Set up Sudoers Log

Write A Comment