The Sudoers File

Let's add superman to the "sudoers file" mentioned in the error above. We're going to grant them full access, like our original user (michael, in my case).

I'm going to edit a file called /etc/sudoers, using the command that checks the file's syntax before saving it: sudo visudo

I get these contents, by default, on my systems:

 1  #
 2  # This file MUST be edited with the 'visudo' command as root.
 3  #
 4  # Please consider adding local content in /etc/sudoers.d/ instead of
 5  # directly modifying this file.
 6  #
 7  # See the man page for details on how to write a sudoers file.
 8  #
 9  Defaults        env_reset
10  Defaults        mail_badpass
11  Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
12
13  # Host alias specification
14
15  # User alias specification
16
17  # Cmd alias specification
18
19  # User privilege specification
20  root    ALL=(ALL:ALL) ALL
21
22  # Members of the admin group may gain root privileges
23  %admin ALL=(ALL) ALL
24
25  # Allow members of group sudo to execute any command
26  %sudo   ALL=(ALL:ALL) ALL
27
28  # See sudoers(5) for more information on "#include" directives:
29
30  #includedir /etc/sudoers.d

We won't go into too much detail on this file, because that'll be a project for you, but we can see two important lines: 20 and 26.

Line 20 lets the root user use the sudo command to do anything. The complex terminology ALL=(ALL:ALL) ALL is left for you to research, but essentially it means, "Let the user do anything." In the case of root, it's simply here as an example entry, because the root user doesn't need sudo to do anything.

Line 26 is interesting, because it's saying that a group (the % prefix marks a group name) called sudo (%sudo) can also do anything they want via the sudo command. We'll come back to this later.
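As an added example (not code from the original tutorial), here is a small POSIX shell script that does two things a practitioner usually wants at this point: it lists which users and groups in a sudoers file carry the "do anything" right (ALL=(ALL) or ALL=(ALL:ALL) followed by ALL, as on lines 20, 23 and 26 above), and it installs a new user entry as a drop-in under the directory named by #includedir only after a syntax check, so a bad edit cannot break sudo for everyone. The function names, the sample lines used to exercise it, and the fallback pattern check used when visudo is not installed are my assumptions; visudo -cf is the real check, and on a live system the install step runs as root with /etc/sudoers.d as the directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumes a sudoers file in the format shown above. Function names are
# hypothetical; "visudo -cf" is the real syntax check when available.

# Print one "<user|group> <name>" line per entry whose runas list is (ALL)
# or (ALL:ALL) and whose command list is ALL, i.e. full rights.
# $1: path to a sudoers file (aliases and per-command tags are not handled)
sudoers_full_rights() {
    awk '
        /^[[:space:]]*(#|$)/    { next }   # comments, blank lines, #includedir
        /^[[:space:]]*@include/ { next }   # newer include syntax
        /^[[:space:]]*Defaults/ { next }   # option lines
        $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $3 == "ALL" {
            name = $1; kind = "user"
            if (substr(name, 1, 1) == "%") { kind = "group"; name = substr(name, 2) }
            print kind, name
        }
    ' "$1"
}

# Conservative shape check for one user privilege specification line:
#   who   host=(runas) command...
# Used only when visudo is not installed (assumption: good enough for the
# single-line drop-ins this script writes, not a general sudoers parser).
sudoers_lint_line() {
    printf '%s\n' "$1" |
      grep -Eq '^%?[A-Za-z0-9_@-]+[[:space:]]+[A-Za-z0-9_.,-]+=(\([A-Za-z0-9_,:%-]*\))?[[:space:]]*[^[:space:]].*$'
}

# Write "<user>    ALL=(ALL:ALL) ALL" to <dir>/<user> after validating it.
# $1: username   $2: drop-in directory (/etc/sudoers.d on a real system)
# sudo silently ignores drop-in files whose name contains "." or ends in "~",
# so such usernames are refused rather than producing a dead file.
sudoers_add_dropin() {
    user=$1; dir=$2
    printf '%s' "$user" | grep -Eq '^[A-Za-z0-9_@-]+$' || {
        echo "refusing username '$user': unsafe as a sudoers.d file name" >&2
        return 1
    }
    line="$user    ALL=(ALL:ALL) ALL"
    tmp=$(mktemp) || return 1
    printf '%s\n' "$line" > "$tmp"
    chmod 0440 "$tmp"                     # sudo requires mode 0440 on drop-ins
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    else
        sudoers_lint_line "$line" || { rm -f "$tmp"; return 1; }
    fi
    # Install atomically. Run as root on a real system so the file is root-owned.
    mv "$tmp" "$dir/$user"
}

# Stand-alone usage:  ./sudoers_tool.sh audit /etc/sudoers
#                     ./sudoers_tool.sh add superman [/etc/sudoers.d]
case "${1-}" in
    audit) sudoers_full_rights "$2" ;;
    add)   sudoers_add_dropin "$2" "${3:-/etc/sudoers.d}" ;;
esac
```

Running the audit against the default file above reports root, the admin group and the sudo group; a user such as superman shows up only once their entry (or a drop-in for them) is in place, which is a quick way to confirm a change did what you intended before you log out of a session that still has rights.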

Under line 20, add another, identical "user privilege specification" line:

superman    ALL=(ALL:ALL) ALL

Then save the file (Ctrl+O) and exit the editor (Ctrl+X). Now let's log in as the superman user and try to add spiderman again:

superman@develop:~$ sudo adduser spiderman -gecos "Spiderman,,,,"
[sudo] password for superman:
Adding user `spiderman' ...
Adding new group `spiderman' (1002) ...
Adding new user `spiderman' (1002) with group `spiderman' ...
Creating home directory `/home/spiderman' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully

I was able to create our new superhero, spiderman, as a user on our system. I can even delete him:

superman@develop:~$ sudo deluser spiderman
Removing user `spiderman' ...
Warning: group `spiderman' has no more members.
Done.

So we added superman to the sudoers file, allowing them to use sudo to execute privileged commands. There is an easier way of achieving the same goal, though. Let's use superman's new privileges to remove ourselves from the sudoers file: sudo visudo

Remove the line we added previously, then save and exit the file (Ctrl+O, Ctrl+X). Now try to run sudo visudo again:

superman@develop:~$ sudo visudo
superman is not in the sudoers file.  This incident will be reported.

So, we've stripped our own privileges. That was silly. Let's get our original super user to add them again, but a bit differently this time.