Pick a Free OS

Psudo root!

The /etc/sudoers file is where you set the users as well as the programs they are allowed to run using sudo. It must only be edited using visudo(8), ideally with the -s flag, which does strict syntax checking (sudo will not run if /etc/sudoers contains errors); visudo also locks the file against simultaneous edits. visudo does not require vi. An alternate editor can be set using the $EDITOR or the $VISUAL environment variable. The syntax of the sudoers file is extensively documented in the sudoers(5) man page, but it can be quite confusing at first.

The important thing to remember is that the sudoers file contains two types of statements.

  • Aliases - Where variables are defined.
  • User Specifications - Specifies who may run what.

Aliases can be of four types:

  • User_Alias - Who can run the program.
  • Runas_Alias - Who the program should be run as (defaults to root).
  • Host_Alias - On which hosts the program should be allowed to run.
  • Cmnd_Alias - Commands allowed.

Let's create a sample /etc/sudoers file using visudo -s.

We've set up the following simple aliases:

      # User alias specification

      User_Alias TRUSTED = cnb, mayank, sacs

      # Cmnd alias specification

      Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt

      Cmnd_Alias KILL = /bin/kill, /usr/bin/killall

Now we put in the User Specification entries.

      # User privilege specification

      root ALL=(ALL) ALL

      ALL ALL=/usr/bin/wvdial

      TRUSTED ALL=SHUTDOWN, KILL

Note: ALL in the above entries is a reserved sudo word which causes all matches to succeed.

Let us dissect the first entry:

      root ALL=(ALL) ALL

This entry is in the form of:

      User_Spec Host_Spec=(Runas_Spec) Cmnd_Spec

The first word, root, is the user who will run the command. The first ALL allows the user to run the command on any host. The next (ALL) allows the command to be run as any user. And finally, the last ALL allows the user to run any command.

Thus it implies: let root run, on any host, as any user, any command.
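To audit what entries in this form actually grant, the following added example (not part of the original page) parses the sample file above and answers whether a given user may run a command as a given target user. The function names are hypothetical, and the parser is deliberately simplified: it handles only the alias and user specification lines shown on this page, not tags, negation, Defaults or includes.

```python
import re

# Constructed from this page's sample entries (simplified sudoers subset).
SUDOERS = """\
# User alias specification
User_Alias TRUSTED = cnb, mayank, sacs
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/halt
Cmnd_Alias KILL = /bin/kill, /usr/bin/killall
# User privilege specification
root ALL=(ALL) ALL
ALL ALL=/usr/bin/wvdial
TRUSTED ALL=SHUTDOWN, KILL
"""

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def split(items):
    return [i.strip() for i in items.split(",") if i.strip()]

def parse(text):
    """Return (aliases, specs); each spec is (users, hosts, runas, cmnds)."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (sample has no #uid)
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(2)] = split(m.group(3))
            continue
        m = SPEC_RE.match(line)
        if m:
            user, host, runas, cmnds = m.groups()
            # An omitted Runas_Spec defaults to root.
            specs.append(([user], [host], split(runas or "root"), split(cmnds)))
    return aliases, specs

def matches(value, entries, aliases):
    """True if value is covered by entries, expanding aliases and ALL."""
    return any(e == "ALL" or e == value or value in aliases.get(e, [])
               for e in entries)

def allowed(text, user, host, runas, cmnd):
    aliases, specs = parse(text)
    return any(matches(user, u, aliases) and matches(host, h, aliases)
               and matches(runas, r, aliases) and matches(cmnd, c, aliases)
               for u, h, r, c in specs)
```

Calling `allowed(SUDOERS, "cnb", "anyhost", "mayank", "/sbin/halt")` returns False because the TRUSTED entry has no Runas_Spec, so it only covers running as root.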

The Runas_Spec can be dropped when the required privileges are those of root, as the Runas_Spec defaults to root. Thus in the second line we see,