Skip to content

Click on each book below to review & buy on Amazon.

As an Amazon Associate, I earn from qualifying purchases.

RHCSA - Manage Users & Groups: Configure Superuser Access

Understanding /etc/sudoers and /etc/sudoers.d/

The /etc/sudoers file controls who can use the sudo command and specifies the level of access they have. It is a plain text file that should be edited with visudo. Modifying the /etc/sudoers file should be done with caution, as any mistakes can potentially lead to system vulnerabilities or lockouts.

The /etc/sudoers.d/ directory is where individual sudo configuration files can be placed and are typically named with the user or group for which the configuration file relates to.

The sudo files consists of user specifications and command specifications. User specifications define which users or groups are allowed to execute commands with elevated privileges. Command specifications define which commands users are allowed to run with elevated privileges and any additional restrictions or options.

To edit the /etc/sudoers file it is recommended to run visudo as this tool will perform some syntax checks to help mitigate the risk of breaking the file. For drop in files under /etc/sudoers.d/ you have to specify the file with the -f option, for example: visduo -f /etc/sudoers.d/user1

Below are just some of the configuration options available to fine-tune the sudo command behavior:

  • User Specification: The user specification allows you to define who can use the sudo command. It follows the format:

    username   host=(runasuser:runasgroup) command

    Here's an explanation of each field:

    • username: This field specifies the username or user alias to which the user specification applies. You can use the actual username or predefined aliases such as %admin for a group.
    • host: The host field specifies the hosts on which the user is allowed to run the specified command. You can use the wildcard character (ALL) to allow the user to run the command on any host.
    • runasuser: This field defines the user the command will be run as. It can be a username or user alias. If omitted, it defaults to root. You can use the wildcard character (ALL) to allow the user to run the command as any user.
    • runasgroup: The runasgroup field specifies the group the command will be run as. If omitted, it defaults to the primary group of runasuser. You can use the wildcard character (ALL) to allow the user to run the command as any group.
    • command: The command field specifies the command or command alias that the user is allowed to run with sudo. It can include the full path to the command or use command aliases defined in the file.
  • Run as Another User: To allow a user to execute commands as another user, use the Runas_Spec option. It follows the format:

    username   ALL=(targetuser) ALL

    Replace username with the actual username of the user who should have access, and targetuser with the username of the user they should be able to execute commands as.

  • Command Aliases: Command aliases allow you to define groups of commands for easier management. You can specify a command alias using the Cmnd_Alias option:

    Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot

    This allows users to run the /sbin/poweroff and /sbin/reboot commands.

  • Restricting Command Arguments: You can restrict users to specific command arguments using the NOPASSWD option:

    username   ALL=(ALL) NOPASSWD: /usr/bin/apt-get update

    This allows the user to run apt-get update without entering their password.

  • Limiting Run Time: The timestamp_timeout option sets the time in minutes before the user needs to enter their password again when running sudo:

    Defaults timestamp_timeout=30

    This sets the timeout to 30 minutes.

  • Logging: The logfile option allows you to specify a custom log file for sudo commands:

    Defaults logfile=/var/log/sudo.log

    This logs sudo commands to /var/log/sudo.log.

sudo Command

The sudo command allows users to execute commands as another user, typically the root user, with elevated privileges. It provides a way to delegate specific administrative tasks to authorized users without giving them full superuser access.

The below table shows some common options that are used with the sudo command:

Option Description
-u, --user <username> Specifies the username of the user under which you want to execute the command.
-s, --shell Executes the command within a shell, using the target user's permissions and environment.
-E, --preserve-env Ensures that the user's environment variables are retained when running the command, maintaining their context.
-i, --login Initiates a login shell as the target user, emulating a direct user login with associated environment settings.


Update the default timeout option to extend the period for when a sudo password is required again:

Open the /etc/sudoers file:

sudo visudo

Edit or add the timestamp_timeout option to the file, setting the timeout to 30 minutes:

Defaults timestamp_timeout=30

The default timeout is 5 minutes so you will soon notice having to enter your password a lot less.

Login as the root user:

Using sudo to login as root is useful in environments where you do not want to share the password for the root account and helps audit logins:

sudo -i

Logout of the root account.


Allow the web admin user to manage the httpd service:

Create the web admin user:

sudo useradd web_admin

Install httpd if required:

sudo yum install -y httpd

Create drop in file /etc/sudoers.d/web_admin with the required configuration:

sudo visudo -f /etc/sudoers.d/web_admin

Add contents:

web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd

Switch to the web_admin user:

sudo su - web_admin

Start and stop the httpd service to prove sudo access is working:

sudo systemctl start httpd && echo started
sudo systemctl stop httpd && echo stopped

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.