Chapter 12. Managing sudo access
System administrators can grant sudo access to allow non-root users to execute administrative commands that are normally reserved for the root user. As a result, non-root users can enter such commands without logging in to the root user account.
12.1. User authorizations in sudoers
The /etc/sudoers file specifies which users can run which commands using the sudo command. The rules can apply to individual users and user groups. You can also use aliases to simplify defining rules for groups of hosts, commands, and even users. Default aliases are defined in the first part of the /etc/sudoers file.
When a user tries to use sudo privileges to run a command that is not allowed in the /etc/sudoers file, the system records a message to the journal log. The message contains username : user NOT in sudoers if no rule applies to the user at all, and username : command not allowed if the user has rules but none of them covers that command. Each such entry also records the TTY, the working directory, the target user, and the command that was attempted, which makes these messages useful for detecting privilege-escalation attempts.
The default /etc/sudoers file provides information and examples of authorizations. You can activate a specific example rule by removing the # comment character from the beginning of the line. The authorizations section relevant for users is marked with the following introduction:
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
You can use the following format to create new sudoers authorizations and to modify existing authorizations:
username hostname=path/to/command
- username is the name of the user or group, for example, a user name, or a group name with a leading %, such as %wheel.
- hostname is the name of the host on which the rule applies.
- path/to/command is the complete absolute path to the command. You can also limit the user to only performing a command with specific options and arguments by adding those options after the command path. If you do not specify any options, the user can use the command with all options. If you do specify them, the arguments the user passes must match the listed options (shell-style wildcards such as * are allowed in the rule).
You can replace any of these variables with ALL to apply the rule to all users, hosts, or commands.
With overly permissive rules, such as ALL ALL=(ALL) ALL, all users are able to run all commands as all users on all hosts. Such a rule makes every account on the system equivalent to root and should not be used outside a test environment.
You can specify the arguments negatively using the ! operator. For example, use !root to specify all users except the root user. Note that using allowlists to allow specific users, groups, and commands is more secure than using blocklists to disallow specific users, groups, and commands. An allowlist also denies by default any user or group created later that you have not explicitly listed, whereas a blocklist has to be updated every time a new account appears.
Avoid using negative rules for commands. sudo matches commands by their path, so a user who is allowed ALL except a blocked command can circumvent the rule by copying the blocked binary to a different path or name and running the copy, which no longer matches the negated entry.
The system reads the /etc/sudoers file from beginning to end. Therefore, if the file contains multiple entries for a user, the entries are applied in order. In case of conflicting values, the system uses the last match, even if it is not the most specific match. Keep this in mind when a general rule, such as one for %wheel, follows a more specific one for the same user.
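To make the ALL, %group, ! and last-match-wins semantics described above concrete, the following Python program is a small model of sudoers rule evaluation. It is an added example written for this page, not code from sudo or from Red Hat: it parses the user_list host_list = (runas) command form described above and applies the ordering and negation rules as stated, but leaves out aliases, Defaults, #includedir, path wildcards and directory specifications. The policies and the account names alice, bob, carol, dave, eve and the host name host.example.com are constructed for the demonstration.

```python
"""Simplified model of sudoers user specifications (added example, not sudo's code).

It implements only the subset described in Section 12.1: one specification per line

    user_list host_list = (runas) command [args], !command [args], ...

with ALL, %group entries, the ! negation operator, argument patterns, and
sudo's last-match-wins ordering across rules. Aliases, Defaults, #includedir,
path globbing, and directory specifications are not modelled, and the policy
text and account names below are constructed for the demonstration.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Rule:
    users: list   # e.g. ["ALL", "!root"] or ["%wheel"]
    hosts: list   # e.g. ["ALL"] or ["host.example.com"]
    runas: str    # target user; sudoers defaults to root when (runas) is omitted
    cmds: list    # (negated, path, args_pattern or None), in file order


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_rule(line):
    """Parse one user specification line into a Rule."""
    left, right = line.split("=", 1)
    users, hosts = left.strip().rsplit(None, 1)
    right = right.strip()
    runas = "root"
    if right.startswith("("):
        runas, right = right[1:].split(")", 1)
        runas = runas.strip()
    cmds = []
    for entry in _split_list(right):
        negated = entry.startswith("!")
        path, _, args = entry.lstrip("!").strip().partition(" ")
        cmds.append((negated, path, args.strip() or None))
    return Rule(_split_list(users), _split_list(hosts), runas, cmds)


def parse_policy(text):
    """Parse the user specifications in sudoers text, skipping comments and Defaults."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(("#", "Defaults"))]


def _last_match(entries, matches):
    """List semantics: the last matching entry decides, and a ! entry denies."""
    decision = None
    for entry in entries:
        if matches(entry.lstrip("!")):
            decision = not entry.startswith("!")
    return bool(decision)


def _user_entry(entry, user, groups):
    if entry == "ALL":
        return True
    if entry.startswith("%"):
        return entry[1:] in groups
    return entry == user


def _cmd_matches(path, pattern, command, args):
    if path != "ALL" and path != command:
        return False
    if pattern is None:          # no arguments in the rule: any arguments are allowed
        return True
    if pattern == '""':          # "" in the rule: the command must be run without arguments
        return not args
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def allowed(rules, user, groups, host, command, args=(), runas="root"):
    """Return True if sudo would run `command args` as `runas` for `user` on `host`."""
    decision = None
    for rule in rules:
        if not _last_match(rule.users, lambda e: _user_entry(e, user, groups)):
            continue
        if not _last_match(rule.hosts, lambda e: e in ("ALL", host)):
            continue
        if rule.runas not in ("ALL", runas):
            continue
        for negated, path, pattern in rule.cmds:
            if _cmd_matches(path, pattern, command, args):
                decision = not negated   # a later match overrides an earlier one
    return bool(decision)


# Constructed policies illustrating the points made in Section 12.1.
PERMISSIVE = parse_policy("ALL ALL=(ALL) ALL")
ALLOWLIST = parse_policy("""
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
alice host.example.com = /usr/bin/dnf install *
ALL, !root ALL = /usr/bin/id
""")
DENY_LAST = parse_policy("bob ALL = /usr/bin/dnf\nbob ALL = !/usr/bin/dnf")
ALLOW_LAST = parse_policy("bob ALL = !/usr/bin/dnf\nbob ALL = /usr/bin/dnf")
BLOCKLIST = parse_policy("carol ALL = ALL, !/usr/bin/passwd")

if __name__ == "__main__":
    h = "host.example.com"
    print("permissive, any user as any user:", allowed(PERMISSIVE, "eve", [], h, "/bin/sh", runas="nobody"))
    print("alice dnf install:", allowed(ALLOWLIST, "alice", [], h, "/usr/bin/dnf", ("install", "nginx")))
    print("alice dnf remove:", allowed(ALLOWLIST, "alice", [], h, "/usr/bin/dnf", ("remove", "nginx")))
    print("alice on another host:", allowed(ALLOWLIST, "alice", [], "other", "/usr/bin/dnf", ("install", "nginx")))
    print("order decides:", allowed(DENY_LAST, "bob", [], h, "/usr/bin/dnf"), allowed(ALLOW_LAST, "bob", [], h, "/usr/bin/dnf"))
    print("blocklist bypass via a renamed copy:", allowed(BLOCKLIST, "carol", [], h, "/usr/bin/passwd"),
          allowed(BLOCKLIST, "carol", [], h, "/tmp/pw"))
```

The BLOCKLIST case shows why the text warns against negative command rules: carol is denied /usr/bin/passwd but allowed any other path, so a copy of the same binary at /tmp/pw passes. The DENY_LAST and ALLOW_LAST policies contain the same two lines in opposite order and give opposite answers, which is the last-match behaviour described above.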
The preferred way of adding new rules to sudoers is by creating new files in the /etc/sudoers.d/ directory instead of entering rules directly into the /etc/sudoers file. This is because the contents of this directory are preserved during system updates. In addition, it is easier to fix any errors in the separate files than in the /etc/sudoers file. The system reads the files in the /etc/sudoers.d directory when it reaches the following line in the /etc/sudoers file:
#includedir /etc/sudoers.d
Note that the number sign # at the beginning of this line is part of the syntax and does not mean the line is a comment. The names of files in that directory must not contain a period . and must not end with a tilde ~; sudo silently skips such files, which keeps editor backup files and package-manager leftovers from being parsed. The files are parsed in sorted lexical order, and the last-match rule applies across them as well, so a rule in a later file can override one in /etc/sudoers or in an earlier file.
12.2. Granting sudo access to a user
System administrators can grant sudo access to allow non-root users to execute administrative commands. The sudo command provides users with administrative access without using the password of the root user.
When users need to perform an administrative command, they can precede that command with sudo. The command is then executed as if they were the root user.
Be aware of the following limitations:
- Only users listed in the /etc/sudoers configuration file, or in files in the /etc/sudoers.d/ directory, can use the sudo command.
- The command runs from the user's own session, not from a root login shell: by default sudo resets the environment (the env_reset option) and does not read root's shell initialization files.
As root, open the /etc/sudoers file with the visudo command, which locks the file and checks its syntax before saving:
# visudo
The /etc/sudoers file defines the policies applied by the sudo command.
In the /etc/sudoers file, find the lines that grant sudo access to users in the administrative wheel group:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Make sure the line that starts with %wheel does not have the # comment character before it.
- Save any changes, and exit the editor.
Add users you want to grant sudo access to into the administrative wheel group:
# usermod --append -G wheel <username>
Replace <username> with the name of the user. The new group membership applies to sessions started after the change, so the user must log in again before sudo recognizes it.
Verify that the user is added to the administrative wheel group:
# id <username>
uid=5000(<username>) gid=5000(<username>) groups=5000(<username>),10(wheel)
12.3. Enabling unprivileged users to run certain commands
As an administrator, you can allow unprivileged users to enter certain commands on specific workstations by configuring a policy in the /etc/sudoers.d/ directory. For example, you can enable the user <example.user> to install programs on the host.example.com workstation using the dnf command with sudo.
You must have root access to the system.
As root, create the /etc/sudoers.d/ directory if it does not already exist:
# mkdir -p /etc/sudoers.d/
Create a new file in the /etc/sudoers.d/ directory:
# visudo -f /etc/sudoers.d/<example.user>
visudo opens the file in an editor and checks its syntax when you save. Choose a file name that contains no period and does not end with a tilde, for example example-user rather than a literal example.user, because sudo silently ignores files whose names contain a period.
Add the following line to the /etc/sudoers.d/<example.user> file:
<example.user> <host.example.com> = /usr/bin/dnf
To allow two or more commands on the same host on one line, list them separated by a comma followed by a space. Because no target user is given in parentheses, the command runs as root. Note that dnf with unrestricted arguments can install any package, including a local RPM file whose scriptlets run as root, so this grant is close to full root access; if that is not intended, restrict the arguments as described in 12.1.
Optional: To receive email notifications every time the user <example.user> attempts to use sudo privileges, add the following lines to the file:
Defaults mail_always
Defaults mailto="<firstname.lastname@example.org>"
Note that Defaults lines without a qualifier apply to every sudo invocation on the system, not only to <example.user>; to limit the notifications to this user, write Defaults:<example.user> mail_always instead.
- Save the changes, and exit the editor.
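The steps above, together with the file-name and permission constraints from 12.1, can be scripted. The following Python program is an added example written for this page, not part of the original text or of sudo: it writes a fragment into a directory passed as a parameter (a temporary directory in the demo, /etc/sudoers.d on a real host), refuses names that sudo would ignore, installs the file with mode 0440, and, when running as root with visudo available, checks the syntax with visudo -cf before renaming it into place. The file name example-user, the command list and the mail address are assumptions taken from the placeholders in this section, and the mail Defaults are scoped to the user with the Defaults:user form.

```python
"""Create a /etc/sudoers.d fragment safely (added example, not Red Hat's or sudo's code).

It scripts the manual steps of Section 12.3 while enforcing the constraints from
Section 12.1: the file name must not contain a period or end with a tilde, the
file is installed with mode 0440, and it is renamed into place only after an
optional `visudo -cf` syntax check, so a broken fragment never becomes active.
The target directory is a parameter; the demo uses a temporary directory, and
on a real host you would pass "/etc/sudoers.d" and run as root. The user, host
and address used below are the placeholders from the text, not real accounts.
"""
import os
import shutil
import subprocess
import tempfile


def valid_fragment_name(name):
    """sudo silently ignores files whose name contains '.' or ends with '~'."""
    return bool(name) and "/" not in name and "." not in name and not name.endswith("~")


def render_fragment(user, host, commands, mailto=None):
    """Build the fragment text: one user specification plus optional mail Defaults.

    The Defaults are scoped to the user with the Defaults:user form so they do not
    change the mail behaviour for every other sudo invocation on the system.
    """
    lines = ["%s %s = %s" % (user, host, ", ".join(commands))]
    if mailto:
        lines += ["Defaults:%s mail_always" % user,
                  'Defaults:%s mailto="%s"' % (user, mailto)]
    return "\n".join(lines) + "\n"


def check_with_visudo(path):
    """Return the result of `visudo -cf path`, or None when the check cannot run.

    visudo -c also verifies that the file is owned by root with mode 0440, so it is
    only meaningful when this script itself runs as root; otherwise it is skipped.
    """
    if shutil.which("visudo") is None or os.geteuid() != 0:
        return None
    result = subprocess.run(["visudo", "-cf", path], capture_output=True, text=True)
    return result.returncode == 0


def install_fragment(sudoers_d, name, text):
    """Write the fragment atomically with mode 0440, validating before it goes live."""
    if not valid_fragment_name(name):
        raise ValueError("sudo would ignore a file named %r" % name)
    # The temporary name contains a dot, so sudo ignores it while it is being checked.
    fd, tmp = tempfile.mkstemp(dir=sudoers_d, prefix=name + ".", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o440)
    if check_with_visudo(tmp) is False:
        os.unlink(tmp)
        raise ValueError("visudo rejected the fragment for %s" % name)
    final = os.path.join(sudoers_d, name)
    os.replace(tmp, final)
    return final


def demo(sudoers_d=None):
    """Install the Section 12.3 example into sudoers_d (a temp dir by default)."""
    sudoers_d = sudoers_d or tempfile.mkdtemp(prefix="sudoers.d-")
    text = render_fragment("example.user", "host.example.com", ["/usr/bin/dnf"],
                           mailto="firstname.lastname@example.org")
    path = install_fragment(sudoers_d, "example-user", text)
    return {"path": path, "text": text,
            "mode": oct(os.stat(path).st_mode & 0o777),
            "visudo": check_with_visudo(path)}


if __name__ == "__main__":
    result = demo()
    print(result["path"], result["mode"], "visudo:", result["visudo"])
    print(result["text"], end="")
```

Writing to a dotted temporary name and renaming only after the check is the same protection visudo gives you interactively: at no point does /etc/sudoers.d contain a half-written or syntactically broken file that sudo would parse, and a parse error in any fragment would otherwise disable sudo for everyone.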
To verify that the user <example.user> can run the dnf command with sudo privileges, switch to that account:
# su - <example.user>
Enter the dnf command with sudo:
$ sudo dnf
[sudo] password for <example.user>:
Enter the password of the user <example.user> (the user's own password, not the root password).
The system displays the list of dnf commands and options:
...
usage: dnf [options] COMMAND
...
If the system returns the <example.user> is not in the sudoers file. This incident will be reported error message, you have not created the file for <example.user> in the /etc/sudoers.d/ directory, or sudo is ignoring the file because its name contains a period or ends with a tilde.
If you receive the <example.user> is not allowed to run sudo on <host.example.com> error message, the rule was found but its host name does not match this system. sudo compares the host name in the rule with the name reported by the hostname command; if that is the short name, either use the short name in the rule or add Defaults fqdn so that sudo uses the fully qualified name. Also ensure that you edited the file as root and that you followed the steps thoroughly.