Sudo Configuration

The /etc/sudoers file controls exactly who can run what commands as which users. A misconfigured sudoers file can lock you out of root access or create security vulnerabilities. Knowing how to edit it correctly — and what the syntax means — is essential for any Ubuntu administrator.

/etc/sudoers file structure

# View the current sudoers configuration (read-only)
sudo cat /etc/sudoers

Key sections of /etc/sudoers

# Defaults: global sudo behavior settings
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:..."
Defaults    timestamp_timeout=15    # minutes before re-prompting

# User privilege specification
# Format: WHO  WHERE=(AS_WHO) WHAT
root        ALL=(ALL:ALL) ALL

# Group rules (% prefix means group)
%admin      ALL=(ALL) ALL
%sudo       ALL=(ALL:ALL) ALL

# Includes — drop-in files go here
@includedir /etc/sudoers.d

The rule format is: user host=(run_as_user:run_as_group) commands

Using visudo safely

⚠️ WARNING: NEVER edit /etc/sudoers directly with a text editor. If you introduce a syntax error, sudo will stop working and you may lose root access entirely. Always use visudo, which validates syntax before saving.

# The only safe way to edit sudoers
sudo visudo

# Edit a file in /etc/sudoers.d/ (preferred for additions)
sudo visudo -f /etc/sudoers.d/irfan

# Check a sudoers file for syntax errors without applying it
sudo visudo -c -f /etc/sudoers.d/irfan

# Set your preferred editor for visudo
EDITOR=nano sudo visudo

Granting sudo access

# Method 1 (recommended): Add user to sudo group
sudo usermod -aG sudo irfan
# Effective after next login

# Method 2: Create a drop-in file in /etc/sudoers.d/
# This is cleaner than editing /etc/sudoers directly
sudo visudo -f /etc/sudoers.d/irfan

/etc/sudoers.d/irfan content — full sudo access

irfan ALL=(ALL:ALL) ALL

# Files in /etc/sudoers.d/ must have correct permissions
sudo chmod 0440 /etc/sudoers.d/irfan

# Verify the configuration is valid
sudo visudo -c

Limiting sudo to specific commands

A restricted sudoers entry is useful for service accounts or operators who need to restart services but should not have full root access.

# Allow a user to run only specific commands as root
# Create: /etc/sudoers.d/deploy
deploy ALL=(root) NOPASSWD: /bin/systemctl restart myapp, /bin/systemctl status myapp

# Allow a DBA to run MySQL-specific commands
dba ALL=(root) /usr/bin/mysql, /usr/bin/mysqldump, /bin/systemctl restart mysql

# Use command aliases to group related commands
# In /etc/sudoers.d/webops:
Cmnd_Alias  NGINX_CMDS = /bin/systemctl reload nginx, /bin/systemctl restart nginx, /usr/sbin/nginx -t
webops ALL=(root) NOPASSWD: NGINX_CMDS

Passwordless sudo

# NOPASSWD: allows running without entering a password
# Useful for automation and CI/CD pipelines — but reduces security

# Passwordless sudo for a specific user (full access — use sparingly)
irfan ALL=(ALL) NOPASSWD: ALL

# Passwordless sudo for specific commands only (safer)
deploy ALL=(root) NOPASSWD: /bin/systemctl restart myapp

# Passwordless sudo for a group
%automation ALL=(ALL) NOPASSWD: /usr/bin/apt-get update

⚠️ WARNING: NOPASSWD: ALL is only appropriate for automation service accounts where the account is never used interactively. For human administrators, always require a password — it provides a second checkpoint before an accidental destructive command runs as root.

Logging and auditing sudo

# All sudo activity is logged to /var/log/auth.log
grep "sudo" /var/log/auth.log | tail -20

# More detailed: see exactly what was run
grep "COMMAND" /var/log/auth.log | tail -20

Example auth.log entry

Jun 01 14:22:31 myserver sudo:    irfan : TTY=pts/0 ; PWD=/home/irfan ;
    USER=root ; COMMAND=/usr/bin/apt upgrade

# Enable more verbose sudo logging via /etc/sudoers
# Add these Defaults lines with visudo:
# Defaults  log_output              # Log full command output
# Defaults  iolog_dir=/var/log/sudo-io  # Where to store I/O logs

# View the sudo I/O log replay (if log_output is enabled)
sudoreplay -l    # List recorded sessions
sudoreplay session-id

Conclusion

Always edit /etc/sudoers using visudo and place new rules in /etc/sudoers.d/ rather than modifying the main file. Limit NOPASSWD: to specific commands for automation accounts, never apply it as NOPASSWD: ALL for human administrators. Check /var/log/auth.log to audit all sudo usage. If you ever accidentally break sudoers, boot into recovery mode to fix it.

FAQ

Is Sudo Configuration important for Ubuntu administrators?+

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?+

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?+

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support