Creating and Managing sudo Configuration: Complete /etc/sudoers Guide for LFCS

Master /etc/sudoers configuration for LFCS certification. Learn visudo, sudoers syntax, granting specific commands, restricting dangerous operations, command aliases, timeout settings, and security best practices.


Welcome to Part 5 of the LFCS Certification - Phase 1 series! In the previous post, you mastered basic sudo usage. Now it's time to dive deep into sudo configuration - learning how to create custom privilege policies through the /etc/sudoers file.

🎯 What You'll Learn: In this guide, you'll master:

  • Understanding the /etc/sudoers file structure
  • Why you must NEVER edit sudoers directly
  • Using visudo safely with syntax validation
  • Basic sudoers syntax and rules
  • Granting specific commands to users
  • The critical importance of restricting dangerous commands
  • The passwd root security vulnerability and how to prevent it
  • Creating command aliases for easier management
  • Configuring sudo defaults (timeout, logging)
  • User specifications vs host specifications
  • The ! (negation) operator for restrictions
  • 20+ comprehensive practice labs

Series: LFCS Certification Preparation - Phase 1 (Post 5 of 52)
Previous: Part 4 - Mastering sudo
Next: Part 6 - Linux Command Basics (Case Sensitivity and Options)

Understanding /etc/sudoers

The /etc/sudoers file is the configuration file that controls who can run what commands with sudo.

File Location and Permissions

ls -l /etc/sudoers

Output:

-r--r-----. 1 root root 4328 Jul 20 15:35 /etc/sudoers

Key observations:

  • Permissions: 0440 (read-only, even for root)
  • Owner: root:root
  • Purpose: Prevents accidental modification
  • Special status: Protected system file

Viewing /etc/sudoers Safely

sudo cat /etc/sudoers

Example output (RedHat/CentOS):

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
⚠️ NEVER EDIT /etc/sudoers DIRECTLY! Always use the visudo command. Editing directly can lock you out of sudo access if you make a syntax error!

Why You Must Use visudo

visudo is a specialized editor for the sudoers file.

Why visudo is Critical

Feature         | visudo                            | Direct editing (vi /etc/sudoers)
----------------|-----------------------------------|------------------------------------
Syntax checking | ✅ Yes - validates before saving   | ❌ No - can save a broken file
File locking    | ✅ Yes - prevents concurrent edits | ❌ No - race conditions possible
Error recovery  | ✅ Options to fix or revert        | ❌ May lose sudo access entirely
Safety          | ✅ Can't save an invalid file      | ❌ Can break sudo completely

Using visudo

Basic usage:

sudo visudo

What happens:

  1. Opens /etc/sudoers in editor (vi by default)
  2. You make changes
  3. Save and exit (:wq)
  4. visudo validates syntax
  5. If valid: Changes saved
  6. If invalid: Error shown, options given

Example of syntax validation:

[centos9@centos ~]$ sudo visudo
# Make syntax error...
# Try to save...

>>> /etc/sudoers: syntax error near line 23 <<<
What now?
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now?
✅ Always choose (e)dit if there's an error! Never choose (Q)uit - that would save the broken file and lock you out of sudo!

Setting Your Preferred Editor

By default, visudo uses vi. To change:

# Set editor for current session
export EDITOR=nano
sudo visudo

# Or use VISUAL variable
export VISUAL=nano
sudo visudo

# Set permanently in ~/.bashrc
echo 'export EDITOR=nano' >> ~/.bashrc

Basic sudoers Syntax

Let's understand the sudoers file syntax.

The Basic Rule Format

user    host=(runas)    commands

Example:

john    ALL=(ALL)       ALL

Breaking it down:

Field    | Value | Meaning
---------|-------|------------------------------------
User     | john  | Who is allowed (username)
Host     | ALL   | On which hosts (ALL = any host)
Run As   | (ALL) | As which users (ALL = any user)
Commands | ALL   | Which commands (ALL = any command)

Translation: User john can run any command as any user on any host.

Group Syntax

Groups use the % prefix:

%wheel  ALL=(ALL)       ALL

Meaning: Any user in the wheel group can run any command as any user on any host.

Common Sudoers Patterns

1. Root has full access:

root    ALL=(ALL)       ALL

2. Wheel group has full access:

%wheel  ALL=(ALL)       ALL

3. User can run specific commands:

john    ALL=/usr/bin/systemctl, /usr/bin/dnf

4. Group can run commands without password:

%admins ALL=(ALL)       NOPASSWD: ALL

5. User can run commands on specific host:

john    webserver=(ALL)       /usr/bin/systemctl restart httpd

Granting Specific Commands to Users

Let's learn how to give users limited sudo access to specific commands.

Example: User Can Manage Users

Requirement: User linda should be able to add users, modify users, and change passwords.

Step 1: Find command paths

which useradd
# Output: /usr/sbin/useradd

which usermod
# Output: /usr/sbin/usermod

which passwd
# Output: /usr/bin/passwd

Step 2: Add rule to sudoers

sudo visudo

Add this line:

linda   ALL=/usr/bin/passwd, /usr/sbin/useradd, /usr/sbin/usermod

Step 3: Test as linda

su - linda
sudo useradd bob
# Works!

sudo passwd bob
# Works!

sudo usermod -aG wheel bob
# Works!

sudo systemctl restart sshd
# Fails! Not in allowed commands
💡 Important: Always use absolute paths for commands in sudoers. Use the which command to find the full path.

The localhost vs ALL Confusion

Common mistake:

linda   localhost=/usr/bin/passwd, /usr/sbin/useradd

This means linda can only use sudo on a host named "localhost". But your actual hostname might be different!

Check your hostname:

hostname
# Output might be: centos, vm1, server01, etc.

Solution: Use ALL

linda   ALL=/usr/bin/passwd, /usr/sbin/useradd

Now works on any host regardless of hostname.

The passwd root Security Vulnerability

Here's a critical security lesson for the LFCS exam.

The Problem

Let's say we give a user permission to change passwords:

sudo visudo

Add:

labuser    ALL=/usr/bin/passwd

Test as labuser:

su - labuser
sudo passwd bob
# Works! Can change bob's password

sudo passwd root
# DANGER! Can change root's password!

Why this is dangerous:

  • User can change root password
  • Then they can su - to root directly
  • Bypasses all sudo restrictions
  • Full root access achieved!

The Solution: Negation Operator

Use ! to explicitly deny a command:

sudo visudo

Change to:

labuser    ALL=/usr/bin/passwd, !/usr/bin/passwd root

Now test:

su - labuser
sudo passwd bob
Changing password for user bob.
# Works!

sudo passwd root
Sorry, user labuser is not allowed to execute '/bin/passwd root' as root on vm1.
# Denied! Security maintained.
⚠️ LFCS Critical Concept: Always restrict passwd root when granting passwd privileges. This is a common exam scenario! Keep in mind that sudoers compares the argument string literally, so !/usr/bin/passwd root denies only that exact invocation; sudoers(5) therefore pairs it with a restricted positive entry such as /usr/bin/passwd [A-Za-z]* rather than a bare /usr/bin/passwd, and its "Limitations of the '!' operator" section explains why negation on its own is not a security boundary.

Complete Example with Restrictions

Safe user management permissions:

labuser    ALL=/usr/bin/passwd, !/usr/bin/passwd root, /usr/sbin/useradd, /usr/sbin/usermod

What this allows:

  • ✅ Change passwords for regular users
  • ✅ Create new users
  • ✅ Modify user properties
  • ❌ Change root password (blocked!)

Advanced sudoers Syntax

Multiple Commands

Separate with commas:

john    ALL=/usr/bin/systemctl, /usr/bin/dnf, /usr/bin/cat

Command Arguments

Specific command with specific arguments:

john    ALL=/usr/bin/systemctl restart httpd

Now john can only run sudo systemctl restart httpd, nothing else.

With wildcards:

john    ALL=/usr/bin/systemctl restart *

Now john can restart any service.

Multiple Users on One Line

john, jane, bob    ALL=/usr/bin/systemctl

All three users get the same permissions.

NOPASSWD Option

Allow commands without password:

john    ALL=NOPASSWD: /usr/bin/systemctl status *

john can check service status without entering password.

Mixed permissions:

john    ALL=/usr/bin/dnf, NOPASSWD: /usr/bin/systemctl status *

  • Requires password for dnf
  • No password for systemctl status

Sudo as Different User

Allow running commands as specific user:

webadmin    ALL=(apache) /usr/bin/touch /var/www/html/*

webadmin can create files in /var/www/html as the apache user.

Usage:

sudo -u apache touch /var/www/html/newfile.html

Command Aliases

Command aliases make sudoers files more maintainable.

Creating Command Aliases

Define alias in sudoers:

sudo visudo

Add these lines near the top:

# Command Aliases
Cmnd_Alias NETWORKING = /usr/sbin/route, /usr/sbin/ifconfig, /usr/bin/ping, /usr/sbin/ip
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm, /usr/bin/yum
# An entry that lists arguments must match the user's whole argument string, so the
# trailing * is what allows a unit name (e.g. httpd) to follow start/stop/restart/status
Cmnd_Alias SERVICES = /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *, /usr/bin/systemctl status *
Cmnd_Alias STORAGE = /usr/sbin/fdisk, /usr/sbin/parted, /usr/sbin/mount, /usr/sbin/umount

Use in rules:

# Network administrators
%netadmins    ALL=NETWORKING

# Software managers
%developers   ALL=SOFTWARE

# Service managers
john, jane    ALL=SERVICES

User Aliases

Group users together:

User_Alias ADMINS = john, jane, bob
User_Alias WEBTEAM = alice, charlie

ADMINS      ALL=(ALL) ALL
WEBTEAM     ALL=SERVICES, SOFTWARE

Host Aliases

For multi-host environments:

Host_Alias WEBSERVERS = web01, web02, web03
Host_Alias DBSERVERS = db01, db02

john    WEBSERVERS=/usr/bin/systemctl restart httpd
jane    DBSERVERS=/usr/bin/systemctl restart postgresql

Complete Example with Aliases

# User Aliases
User_Alias ADMINS = john, jane
User_Alias DEVELOPERS = alice, bob, charlie
User_Alias OPERATORS = dave, eve

# Command Aliases
Cmnd_Alias NETWORKING = /usr/sbin/ip, /usr/bin/ping
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm
Cmnd_Alias SERVICES = /usr/bin/systemctl

# Rules
ADMINS          ALL=(ALL) ALL
DEVELOPERS      ALL=SOFTWARE, SERVICES
OPERATORS       ALL=SERVICES, NOPASSWD: /usr/bin/systemctl status *

Configuring sudo Defaults

The Defaults keyword sets global sudo options.

Common Defaults Options

Timeout settings:

Defaults    timestamp_timeout=240

Changes password cache from 15 minutes (default) to 240 minutes (4 hours).

Set to 0 for always prompt:

Defaults    timestamp_timeout=0

Global timestamp (shared across terminals):

Defaults    timestamp_type=global

Default is per-terminal. Global means entering password once works in all terminals.

Logging and Security Defaults

Require TTY (no cron jobs):

Defaults    requiretty

Log input/output:

Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io

Custom password prompt:

Defaults    passprompt="[sudo] Password for %u on %h: "

Environment variables:

Defaults    env_keep += "COLORS DISPLAY HOSTNAME"

Per-User Defaults

Apply defaults to specific user:

Defaults:john    timestamp_timeout=0

john must always enter password (no caching).

Per-command defaults:

Defaults!/usr/bin/passwd    timestamp_timeout=0

passwd command always requires password.

Complete Example

# Global defaults
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

# Timeout settings
Defaults    timestamp_timeout=15
Defaults    timestamp_type=global

# User-specific defaults
Defaults:john    timestamp_timeout=0
Defaults:webadmin    !requiretty

# Logging
Defaults    logfile=/var/log/sudo.log

Complete sudoers Example

Here's a comprehensive sudoers configuration:

##
## Sudoers configuration file
##

# Default settings
Defaults    env_reset
Defaults    timestamp_timeout=15
Defaults    logfile=/var/log/sudo.log

# User Aliases
User_Alias ADMINS = john, jane
User_Alias DEVELOPERS = alice, bob
User_Alias WEBOPS = charlie, dave

# Command Aliases
Cmnd_Alias NETWORKING = /usr/sbin/ip, /usr/bin/ping, /usr/sbin/route
Cmnd_Alias SOFTWARE = /usr/bin/dnf, /usr/bin/rpm
Cmnd_Alias SERVICES = /usr/bin/systemctl start *, /usr/bin/systemctl stop *, \
                      /usr/bin/systemctl restart *, /usr/bin/systemctl status *
Cmnd_Alias USER_MGT = /usr/sbin/useradd, /usr/sbin/usermod, \
                      /usr/bin/passwd, !/usr/bin/passwd root

# Root and wheel group
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL

# Administrators - full access
ADMINS      ALL=(ALL)       ALL

# Developers - software and services
DEVELOPERS  ALL=SOFTWARE, SERVICES

# Web operations team
WEBOPS      ALL=SERVICES, NETWORKING

# HR department - can manage users
%hr         ALL=USER_MGT

# Monitoring - can check status without password
monitoring  ALL=NOPASSWD: /usr/bin/systemctl status *

# Read drop-in files
#includedir /etc/sudoers.d
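To check your reasoning about which entry wins before you touch visudo, here is an added Python model of the matching rules this page uses (my own simplified re-implementation, not sudo's code and not the author's). It parses a constructed configuration in the style of the one above, including the /usr/bin/passwd [A-Za-z]* pattern that sudoers(5) pairs with !/usr/bin/passwd root, and returns the verdict for a given user, group list, host and command.

```python
"""Simplified model of how sudo matches a sudoers entry (added example, not sudo's
own code). Handles only the syntax on this page: User_Alias, Cmnd_Alias, %group,
host or ALL, (runas), the NOPASSWD: tag, ! negation, argument globs, backslash
continuation and # comments. Defaults lines are skipped."""
import fnmatch

def _items(text):
    return [x.strip() for x in text.split(",") if x.strip()]

def _expand(entry, cmnd_aliases):
    """Expand 'path [args]' or a Cmnd_Alias name into command dicts."""
    negate, entry = entry.startswith("!"), entry.lstrip("!").strip()
    if entry in cmnd_aliases:
        cmds = [c for m in cmnd_aliases[entry] for c in _expand(m, cmnd_aliases)]
    else:  # an entry written without arguments permits ANY arguments
        path, _, args = entry.partition(" ")
        cmds = [{"path": path, "args": args.strip() or None, "negate": False}]
    for c in cmds:
        c["negate"] ^= negate  # "!ALIAS" flips every member of the alias
    return cmds

def parse_sudoers(text):
    """Return the user specifications of a sudoers text as a list of rules."""
    user_aliases, cmnd_aliases, rules, logical, pending = {}, {}, [], [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment (incl. #includedir)
        pending += line.rstrip("\\")          # a trailing backslash joins the next line
        if not line.endswith("\\"):
            logical.append(pending.strip())
            pending = ""
    for line in logical:
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, _, rest = line.partition(" ")
            name, _, members = rest.partition("=")
            (user_aliases if kind == "User_Alias" else cmnd_aliases)[name.strip()] = _items(members)
            continue
        left, _, right = line.partition("=")  # users  host = (runas)  commands
        users_txt, host = left.rsplit(None, 1)
        runas, right = "root", right.strip()  # no (runas) part means "run as root"
        if right.startswith("("):
            runas, _, right = right[1:].partition(")")
        users = [m for u in _items(users_txt) for m in user_aliases.get(u, [u])]
        cmds, nopasswd = [], False
        for entry in _items(right):
            if entry.startswith("NOPASSWD:"):  # the tag stays in effect for the rest of the line
                nopasswd, entry = True, entry[len("NOPASSWD:"):].strip()
            cmds += [{**c, "nopasswd": nopasswd} for c in _expand(entry, cmnd_aliases)]
        rules.append({"users": users, "host": host, "runas": runas.strip(), "cmds": cmds})
    return rules

def check(rules, user, groups, host, command, args="", runas="root"):
    """Return "deny", "allow" or "allow-nopasswd" for `user` running `command args`
    as `runas` on `host`. As in sudo, the LAST matching entry wins, which is why a
    trailing !/usr/bin/passwd root overrides the broader passwd entry before it."""
    verdict = "deny"
    for r in rules:
        user_ok = any(u in ("ALL", user) or (u[:1] == "%" and u[1:] in groups)
                      for u in r["users"])
        if not user_ok or r["host"] not in ("ALL", host) or r["runas"] not in ("ALL", runas):
            continue
        for c in r["cmds"]:
            if c["path"] not in ("ALL", command):
                continue
            # sudo globs the whole argument string at once, so '*' also spans spaces
            if c["args"] is not None and not fnmatch.fnmatchcase(args, c["args"]):
                continue
            verdict = "deny" if c["negate"] else "allow-nopasswd" if c["nopasswd"] else "allow"
    return verdict

SAMPLE = r"""# constructed sample in the style of the complete example above
User_Alias ADMINS = john, jane
Cmnd_Alias SERVICES = /usr/bin/systemctl restart *, /usr/bin/systemctl status *
Cmnd_Alias USER_MGT = /usr/sbin/useradd, /usr/sbin/usermod, \
                      /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ADMINS      ALL=(ALL)       ALL
linda       localhost=/usr/sbin/useradd
%devops     ALL=SERVICES
%hr         ALL=USER_MGT
monitoring  ALL=NOPASSWD: /usr/bin/systemctl status *
webadmin    ALL=(apache) /usr/bin/touch /var/www/html/*
"""
```

Run check(parse_sudoers(SAMPLE), "linda", [], "vm1", "/usr/sbin/useradd", "bob") to see the localhost-versus-ALL mistake from earlier produce "deny" on a host named vm1.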

🧪 Practice Labs

Time to practice sudo configuration!

Lab 1: Your First visudo Edit (Beginner)

  1. Open visudo:

    sudo visudo
    
  2. Find the wheel group line:

    %wheel  ALL=(ALL)       ALL
    
  3. Add a comment above it:

    # Wheel group members have full sudo access
    %wheel  ALL=(ALL)       ALL
    
  4. Save and exit (:wq)

  5. Verify no errors were reported

Lab 2: Grant Specific Command Access (Beginner)

  1. Create test user:

    sudo useradd -m testadmin
    sudo passwd testadmin
    
  2. Open visudo:

    sudo visudo
    
  3. Add rule for testadmin:

    testadmin    ALL=/usr/bin/systemctl status *
    
  4. Test as testadmin:

    su - testadmin
    sudo systemctl status sshd
    # Works!
    sudo systemctl restart sshd
    # Denied! (not in allowed commands)
    exit
    

Lab 3: The passwd root Vulnerability (Intermediate)

  1. Create user with passwd access:

    sudo useradd -m securitytest
    sudo passwd securitytest
    
  2. Give passwd permission:

    sudo visudo
    

    Add:

    securitytest    ALL=/usr/bin/passwd
    
  3. Test the vulnerability:

    su - securitytest
    sudo passwd root
    # Dangerous! Can change root password!
    # Press Ctrl+C to cancel
    exit
    
  4. Fix with negation:

    sudo visudo
    

    Change to:

    securitytest    ALL=/usr/bin/passwd, !/usr/bin/passwd root
    
  5. Test fix:

    su - securitytest
    sudo passwd root
    # Now denied!
    exit
    

Lab 4: Using Command Aliases (Intermediate)

  1. Open visudo:

    sudo visudo
    
  2. Add command aliases after the header:

    # Command Aliases
    # entries with arguments match the user's whole argument string, so the trailing * is what allows a unit or package name
    Cmnd_Alias SERVICES = /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *
    Cmnd_Alias PACKAGES = /usr/bin/dnf install *, /usr/bin/dnf remove *, /usr/bin/dnf update
    
  3. Create user and grant access:

    svcadmin    ALL=SERVICES
    
  4. Test:

    sudo useradd -m svcadmin
    sudo passwd svcadmin
    su - svcadmin
    sudo systemctl restart sshd
    # Works!
    exit
    

Lab 5: NOPASSWD Configuration (Intermediate)

  1. Open visudo:

    sudo visudo
    
  2. Add user with NOPASSWD:

    monitor    ALL=NOPASSWD: /usr/bin/systemctl status *
    
  3. Create and test:

    sudo useradd -m monitor
    sudo passwd monitor
    su - monitor
    sudo systemctl status sshd
    # No password prompt!
    exit
    

Lab 6: Multiple Users, Same Permissions (Intermediate)

  1. Create multiple users:

    sudo useradd -m webadmin1
    sudo useradd -m webadmin2
    sudo passwd webadmin1
    sudo passwd webadmin2
    
  2. Grant same permissions:

    sudo visudo
    

    Add:

    webadmin1, webadmin2    ALL=/usr/bin/systemctl restart httpd
    
  3. Test with both users

Lab 7: Timeout Configuration (Advanced)

  1. Check current behavior:

    sudo whoami
    # Enter password
    sudo whoami
    # No password (cached)
    
  2. Open visudo:

    sudo visudo
    
  3. Add at top:

    Defaults    timestamp_timeout=5
    
  4. Save and test:

    sudo -k    # Clear cache
    sudo whoami
    # Enter password
    # Wait 6 minutes
    sudo whoami
    # Password required again (5 min timeout)
    

Lab 8: User-Specific Timeout (Advanced)

  1. Create user:

    sudo useradd -m strictuser
    sudo passwd strictuser
    
  2. Configure:

    sudo visudo
    

    Add:

    Defaults:strictuser    timestamp_timeout=0
    strictuser    ALL=(ALL) ALL
    
  3. Test:

    su - strictuser
    sudo whoami
    # Enter password
    sudo whoami
    # Enter password again (no caching)
    exit
    

Lab 9: Creating Complete User Aliases (Advanced)

  1. Open visudo:

    sudo visudo
    
  2. Add at top:

    # User Aliases
    User_Alias JUNIORADMINS = user1, user2, user3
    User_Alias SENIORADMINS = admin1, admin2
    
    # Command Aliases
    Cmnd_Alias BASIC_ADMIN = /usr/bin/systemctl status *, /usr/bin/journalctl
    
    # Rules
    JUNIORADMINS    ALL=BASIC_ADMIN
    SENIORADMINS    ALL=(ALL) ALL
    
  3. Create users and test

Lab 10: Sudo as Different User (Advanced)

  1. Configure:

    sudo visudo
    

    Add:

    devuser    ALL=(apache) /usr/bin/touch /var/www/html/*
    
  2. Create user:

    sudo useradd -m devuser
    sudo passwd devuser
    
  3. Test:

    su - devuser
    sudo -u apache touch /var/www/html/test.txt
    ls -l /var/www/html/test.txt
    # Owner: apache
    exit
    

Lab 11-15: Real-World Scenarios

Lab 11: HR Department Configuration

Create configuration for HR team that can manage users but not change root password or delete their own accounts.

Lab 12: Web Operations Team

Configure web ops team that can restart web services without password but need password for other admin tasks.

Lab 13: Database Administrator

Grant DBA ability to start/stop postgres, manage postgres user, but nothing else.

Lab 14: Security Audit User

Create user that can read logs and check status of all services but cannot make any changes.

Lab 15: Temporary Contractor Access

Configure limited access for contractor that expires (manually set timestamp to force frequent authentication).

Lab 16-20: Advanced Challenges

Lab 16: Create a complete multi-tier access system with junior, mid, and senior admin levels

Lab 17: Configure sudo logging to separate file and analyze the logs

Lab 18: Create command aliases for a complete web stack (nginx, php-fpm, mysql)

Lab 19: Implement emergency access account with NOPASSWD for specific recovery commands

Lab 20: Build a sudoers configuration for a company with 5 departments, each with different needs

📚 Best Practices

✅ sudoers Best Practices

  1. ALWAYS use visudo

    • Never edit /etc/sudoers directly
    • Syntax validation prevents lockouts
    • File locking prevents conflicts
  2. Use absolute paths for commands

    # Good
    john    ALL=/usr/bin/systemctl
    
    # Bad
    john    ALL=systemctl
    
  3. Restrict passwd root

    # Always include negation
    user    ALL=/usr/bin/passwd, !/usr/bin/passwd root
    
  4. Start with least privilege

    • Grant only what's needed
    • Can always add more later
    • Hard to remove once granted
  5. Use command aliases

    • Makes configuration cleaner
    • Easier to maintain
    • Changes apply to all users at once
  6. Document your rules

    # Web operations team - can restart web services
    %webops    ALL=/usr/bin/systemctl restart nginx, /usr/bin/systemctl restart php-fpm
    
  7. Test changes thoroughly

    • Test with affected user
    • Test both allowed and denied commands
    • Keep root session open while testing
  8. Use /etc/sudoers.d/ for additions

    # Don't modify main sudoers
    # Create files in /etc/sudoers.d/ (#includedir skips names containing '.' or ending in '~')
    sudo visudo -f /etc/sudoers.d/webteam
    
  9. Regular audits

    • Review who has access
    • Remove users who left
    • Check for overly permissive rules
  10. Backup before major changes

    sudo cp /etc/sudoers /etc/sudoers.backup.$(date +%Y%m%d)
    

🚨 Common Pitfalls to Avoid

❌ Mistakes to Avoid

  1. Editing /etc/sudoers directly

    sudo vi /etc/sudoers        # WRONG!
    sudo visudo                 # RIGHT!
    
  2. Forgetting passwd root restriction

    # Dangerous
    user    ALL=/usr/bin/passwd
    
    # Safe
    user    ALL=/usr/bin/passwd, !/usr/bin/passwd root
    
  3. Using relative command paths

    # Wrong
    user    ALL=systemctl
    
    # Right
    user    ALL=/usr/bin/systemctl
    
  4. Choosing (Q)uit with syntax errors

    • Always choose (e)dit to fix
    • Never force save broken file
    • Keep root session open as backup
  5. Not testing changes

    • Test with actual user account
    • Test in separate terminal
    • Verify both success and denial cases
  6. Overly broad permissions

    # Too broad
    user    ALL=(ALL) NOPASSWD: ALL
    
    # Better
    user    ALL=NOPASSWD: /usr/bin/systemctl status *
    
  7. Using wildcards unsafely

    # Dangerous
    user    ALL=/usr/bin/*
    
    # Safer
    user    ALL=/usr/bin/systemctl restart httpd
    
  8. Not documenting changes

    • Add comments explaining why
    • Note when access was granted
    • Document expected usage
  9. Granting access to shell commands

    # Very dangerous
    user    ALL=/bin/bash, /bin/sh
    # User can get full root shell!
    
  10. Modifying while others are editing

    • visudo prevents this with locking
    • But check who's logged in as root
    • Coordinate changes in production

📝 Command Cheat Sheet

visudo Commands

# Edit main sudoers file
sudo visudo

# Edit specific file
sudo visudo -f /etc/sudoers.d/custom

# Check syntax without editing
sudo visudo -c

# Set editor
export EDITOR=nano
sudo visudo

Basic sudoers Syntax

# User with full access
username    ALL=(ALL)       ALL

# Group with full access
%groupname  ALL=(ALL)       ALL

# Specific commands
username    ALL=/usr/bin/cmd1, /usr/bin/cmd2

# Without password
username    ALL=NOPASSWD: /usr/bin/cmd

# Mixed (some with password, some without)
username    ALL=/usr/bin/cmd1, NOPASSWD: /usr/bin/cmd2

# Negation (deny specific)
username    ALL=/usr/bin/passwd, !/usr/bin/passwd root

# As different user
username    ALL=(apache) /usr/bin/touch /var/www/*

Aliases

# User Alias
User_Alias ADMINS = john, jane, bob

# Command Alias
Cmnd_Alias SERVICES = /usr/bin/systemctl start *, /usr/bin/systemctl stop *

# Host Alias
Host_Alias SERVERS = web01, web02, db01

# Using aliases
ADMINS    ALL=(ALL) ALL

Defaults

# Global timeout
Defaults    timestamp_timeout=15

# User-specific timeout
Defaults:username    timestamp_timeout=0

# No timeout (always ask)
Defaults    timestamp_timeout=0

# Global timestamp
Defaults    timestamp_type=global

# Require TTY
Defaults    requiretty

# Custom password prompt
Defaults    passprompt="[sudo] password: "

Common Patterns

# User management (safe)
user    ALL=/usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd, !/usr/bin/passwd root

# Service management
user    ALL=/usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *

# Package management
# 'install *' allows a package name to follow; a bare 'update' matches only dnf update with no arguments
user    ALL=/usr/bin/dnf install *, /usr/bin/dnf remove *, /usr/bin/dnf update

# Status check without password
user    ALL=NOPASSWD: /usr/bin/systemctl status *

# Log viewing (sudoers wildcards also match spaces, so /var/log/* is broader than a single path;
# less can run external commands from its prompt, which the NOEXEC: tag in sudoers(5) is meant to stop)
user    ALL=/usr/bin/tail /var/log/*, NOEXEC: /usr/bin/less /var/log/*

🎯 Key Takeaways

✅ Remember These Points

  1. Never edit /etc/sudoers directly - Always use visudo
  2. visudo validates syntax - Prevents breaking sudo
  3. Syntax: user host=(runas) commands - Basic rule format
  4. % prefix for groups - %wheel = wheel group
  5. ALL = any/all - Can be used for user, host, runas, commands
  6. Use absolute paths - /usr/bin/systemctl not systemctl
  7. passwd root is dangerous - Always restrict with !
  8. NOPASSWD = no password - Use sparingly for specific commands
  9. Aliases make it cleaner - Cmnd_Alias, User_Alias, Host_Alias
  10. Defaults set options - Timeout, logging, environment
  11. timestamp_timeout default is 15 - Minutes before re-prompt
  12. Choose (e)dit on errors - Never (Q)uit with broken syntax
  13. Test in separate terminal - Keep root access as backup
  14. Least privilege principle - Grant minimum necessary access
  15. Document everything - Comments explain why rules exist

🚀 What's Next?

Congratulations! You've completed the privilege escalation and sudo section. Now you're ready to learn about basic Linux commands and how to use the terminal effectively!

In the next post (Part 6), we'll cover:

  • Linux case sensitivity (LS vs ls)
  • Understanding command structure
  • Short options (-a, -l) vs long options (--all, --list)
  • Combining options (-la vs -l -a)
  • Why single dash vs double dash matters
  • Common beginner mistakes with commands
  • Getting comfortable with the command line

Coming Up in Phase 1:

  • Part 7: Essential Navigation Commands (ls, pwd, cd, whoami)
  • Part 8: The touch Command
  • Part 9: The passwd Command
  • And 43 more posts!

🎉 Congratulations! You've completed Part 5 of the LFCS Certification series. You now understand how to safely configure sudo, grant specific permissions, and create secure privilege policies.

This is critical LFCS knowledge! The exam will test your ability to configure sudo properly, especially restricting dangerous commands like passwd root.

Practice is essential! Complete the 20 practice labs, especially the passwd root vulnerability lab. Understanding sudoers configuration is a key skill for any Linux system administrator.

💬 Discussion

I'd love to hear about your experience:

  • Have you ever locked yourself out with a sudoers syntax error?
  • What's your approach to organizing sudoers rules?
  • Do you use /etc/sudoers.d/ or put everything in main sudoers?
  • Any creative sudo configurations you've implemented?

Connect with me:

  • ๐Ÿ™ GitHub - LFCS practice scripts
  • ๐Ÿ“ง Contact - Questions about LFCS

This is Part 5 of 52 in the LFCS Certification - Phase 1 series. Stay tuned for Part 6: Linux Command Basics!

Written by Owais

I'm an AIOps Engineer with a passion for AI, Operating Systems, Cloud, and Security, sharing insights that matter in today's tech world.

