NEVER Edit /etc/sudoers File Directly

Unix Tutorial Unix Tutorial

But if you do have to edit /etc/sudoers, at least follow this advice to avoid locking yourself out.

How to Edit SUDOERS file Correctly

The proper way of updating sudo configuration is to use visudo command:

  • it creates a temporary copy of the /etc/sudoers file and only commits changes if they are syntaxically correct
  • visudo carries out basic sanity checks
  • this approach even prevents multiple simultaneous edits of the /etc/sudoers file

Common Reasons for Editing /etc/sudoers Directly

There are some valid scenarios when using visudo is not easily possible – for instance, when deploying sudoers file using script or post-configuration system (although you should really use a specialised plugin, if possible).

Most commonly though, we edit /etc/sudoers directly simply because changes are not meant to be complicated – we’re fixing a typo or adding a user.

When Editing /etc/sudoers Goes Wrong

Hardly any such scenario is intentional, but it’s still useful to know why people regularly end up locking themselves out of sudo privileges.

Scenario 1: You make a typo in username/privilege

It’s VERY easy to make a typo and end up with wrong username or wrong command added to /etc/sudoers file.

This scenario is bad, but maybe not too bad: you could be editing someone else’s privileges so while that other user ends up without sudo access, you yourself still have a valid sudoers privilege and can work on fixing the situation.

Equally, some other sysadmin on your system might still have working sudo privilege, so they can fix your access for you.

Scenario 2: You lose connection in a middle of editing sudoers file

Depending on your habits, this may not be too bad. If you were using visudo, there’d be no issue at all: you were editing a copy of /etc/sudoers and not the actual file – so no changes were made and this means sudo setup is still solid.

If you were editing manually, there may still be a chance sudo config is okay. But if you have the habit of saving your work in progress (invoking save file in your editor), effectively saving live /etc/sudoers config before you truly finish working on it – you might have a problem because broken connection will mean only last saved changes are on your disk – and they may contain broken syntax or incomplete sudo privilege definitions.

Scenario 3: You make a typo and add or remove character in /etc/sudoers

Equally dangerous is just accidentally adding an extra character where it’s not expected – this means you end up with broken syntax of the sudoers file.

This scenario is really bad – because it means nobody on your system can use sudo to become root and fix the problem. You’ll probably need some sort of break-glass procedure where root user password is dug up and local login is necessary from server console to manually fix sudo.

How To Minimize Risks When Editing /etc/sudoers Directly

Step 1: Open another root session to the same system

Step 2: Edit file from interactive session

Step 3: Use visudo to check

Just like I explained in a previous post: run visudo -c to confirm all sudoers config files are valid.

That’s all for now. Stay safe editing your SUDO files!

See Also




Keep Learning with Me

Follow me on Facebook and Twitter or jump into Telegram chat!:
Recommended Software
I use Brave browser, it's awesome: Brave Browser I'm also a fan of SetApp for macOS: SetApp for macOS
IT Consultancy
I'm a principal consultant with Tech Stack Solutions. I help with cloud architectrure, AWS deployments and automated management of Unix/Linux infrastructure. Get in touch!

Recent Tweets