NEVER Edit /etc/sudoers File Directly
Unix Tutorial
But if you do have to edit /etc/sudoers, at least follow this advice to avoid locking yourself out.
How to Edit SUDOERS file Correctly
The proper way of updating sudo configuration is to use visudo command:
- it creates a temporary copy of the /etc/sudoers file and only commits changes if they are syntactically correct
- visudo carries out basic sanity checks
- this approach even prevents multiple simultaneous edits of the /etc/sudoers file
Common Reasons for Editing /etc/sudoers Directly
There are some valid scenarios when using visudo is not easily possible – for instance, when deploying the sudoers file using a script or a post-configuration system (although you should really use a specialised plugin, if possible).
Most commonly though, we edit /etc/sudoers directly simply because changes are not meant to be complicated – we’re fixing a typo or adding a user.
When Editing /etc/sudoers Goes Wrong
Hardly any such scenario is intentional, but it’s still useful to know why people regularly end up locking themselves out of sudo privileges.
Scenario 1: You make a typo in username/privilege
It’s VERY easy to make a typo and end up with wrong username or wrong command added to /etc/sudoers file.
This scenario is bad, but maybe not too bad: you could be editing someone else’s privileges so while that other user ends up without sudo access, you yourself still have a valid sudoers privilege and can work on fixing the situation.
Equally, some other sysadmin on your system might still have working sudo privilege, so they can fix your access for you.
Scenario 2: You lose connection in the middle of editing the sudoers file
Depending on your habits, this may not be too bad. If you were using visudo, there’d be no issue at all: you were editing a copy of /etc/sudoers and not the actual file – so no changes were made and this means sudo setup is still solid.
If you were editing manually, there may still be a chance the sudo config is okay. But if you have the habit of saving your work in progress (invoking "save file" in your editor), you are effectively writing the live /etc/sudoers config before you have truly finished working on it. A broken connection then means only the last saved changes are on disk – and they may contain broken syntax or incomplete sudo privilege definitions.
Scenario 3: You make a typo and add or remove a character in /etc/sudoers
Equally dangerous is accidentally adding an extra character where it’s not expected – this means you end up with broken syntax in the sudoers file.
This scenario is really bad – because it means nobody on your system can use sudo to become root and fix the problem. You’ll probably need some sort of break-glass procedure where root user password is dug up and local login is necessary from server console to manually fix sudo.
How To Minimize Risks When Editing /etc/sudoers Directly
Step 1: Open another root session to the same system
Step 2: Edit the file from an interactive session
Step 3: Use visudo to check
Just like I explained in a previous post: run visudo -c to confirm all sudoers config files are valid.
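For the scripted-deployment case the post mentions, the same three safeguards (edit a copy, check it with visudo, only then touch the live file) can be put into a small script. This is an added example, not code from the Unix Tutorial post; it assumes it is run as root with visudo installed, and SUDOERS_FILE / SUDOERS_CHECK are overridable only so the logic can be exercised against a copy instead of the live file.

```shell
#!/bin/sh
# Added example (not from the Unix Tutorial post): script-safe "add a line to sudoers".
# Assumptions: run as root; visudo is installed; SUDOERS_FILE and SUDOERS_CHECK are
# overridable so the logic can be tried against a copy rather than the live file.
set -u

SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers}"
# visudo -c -f <file> syntax-checks an arbitrary file without touching /etc/sudoers.
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -c -f}"

# add_sudoers_line "<sudoers line>"
# Copies the live file, appends the line to the copy, and swaps the copy into place
# only if it passes the syntax check.
# Exit status: 0 installed, 1 rejected (live file untouched), 2 I/O failure.
add_sudoers_line() {
    line="$1"
    # Temp file in the same directory, so the final rename stays on one filesystem and is atomic.
    tmp="$(mktemp "${SUDOERS_FILE}.XXXXXX")" || return 2
    cp -p "$SUDOERS_FILE" "$tmp" || { rm -f "$tmp"; return 2; }
    # Scenario 2 from the post: every edit happens on the copy, never on the live file.
    printf '%s\n' "$line" >> "$tmp" || { rm -f "$tmp"; return 2; }
    # Scenario 3: a typo is caught on the copy and never reaches the live file.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        echo "rejected: '$line' would make $SUDOERS_FILE syntactically invalid" >&2
        rm -f "$tmp"
        return 1
    fi
    # sudo refuses a sudoers file with the wrong mode, so set it before installing.
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 2; }
    # Keep the previous known-good file for the break-glass case.
    cp -p "$SUDOERS_FILE" "${SUDOERS_FILE}.bak" || { rm -f "$tmp"; return 2; }
    # rename(2): sudo sees either the old file or the new one, never a half-written file.
    mv -f "$tmp" "$SUDOERS_FILE"
}

# Usage: ./safe_sudoers_add.sh 'alice ALL=(ALL) ALL'
if [ $# -gt 0 ]; then
    add_sudoers_line "$*"
fi
```

Even with this wrapper, run `visudo -c` afterwards from your second root session, as the post advises, before closing it.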
That’s all for now. Stay safe editing your SUDO files!