But if you do have to edit /etc/sudoers, at least follow this advice to avoid locking yourself out.
The proper way to update the sudo configuration is the visudo command: it lets you edit a temporary copy, checks the syntax, and only then replaces the live file.
There are some valid scenarios in which using visudo is not easily possible, for instance when a sudoers file is deployed by a script or a post-configuration system (although you should really use a specialised plugin or module for that, if one is available).
Most commonly, though, we edit /etc/sudoers directly simply because the change is not meant to be complicated: we are fixing a typo or adding a user.
Hardly anyone does this intending to break anything, but it is still useful to know how people regularly end up locking themselves out of their sudo privileges.
It is VERY easy to make a typo and end up with the wrong username or the wrong command added to /etc/sudoers.
This scenario is bad, but maybe not too bad: if you were editing someone else's privileges, that other user ends up without sudo access while your own sudoers entry is still valid, so you can work on fixing the situation.
Equally, some other sysadmin on the system might still have a working sudo privilege and can fix your access for you.
Losing your connection in the middle of an edit is another common way to get into trouble, and how bad it is depends on your habits. If you were using visudo, there is no issue at all: you were editing a temporary copy of /etc/sudoers, not the live file, so no changes were made and the sudo setup is still intact.
If you were editing /etc/sudoers directly, there may still be a chance the config is okay. But if you have the habit of saving your work in progress (invoking save in your editor), you were effectively saving the live /etc/sudoers before you had truly finished, and a broken connection means only the last saved state is on disk: it may well contain broken syntax or an incomplete privilege definition.
Equally dangerous is accidentally adding an extra character where it is not expected: this leaves you with a sudoers file that has broken syntax.
This scenario is really bad, because sudo refuses to run at all when it cannot parse its configuration (it reports a parse error near the offending line and exits), so nobody on your system can use sudo to become root and fix the problem. You will probably need some sort of break-glass procedure where the root password is dug up and you log in locally from the server console to fix sudo by hand.
Just like I explained in a previous post: run visudo -c to confirm that /etc/sudoers and every file it includes are valid, and use visudo -c -f FILE to check a single file before you put it in place.
That's all for now. Stay safe editing your sudo files!
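The script below is an added example, not code from the original post, and it puts the two pieces of advice together for the scripted-deployment case mentioned earlier: the new rule is written to a temporary file, checked with visudo -c -f, and copied into /etc/sudoers.d only if the check passes, so a typo never reaches the live configuration. The target directory (and the SUDOERS_DIR override used for testing), the function names, and the sample user alice are all assumptions made for this example; the script expects to be run as root, that is, under a sudo that still works.

```shell
#!/bin/sh
# Added example (not from the original post): validate a sudoers rule with
# visudo before installing it, so a typo never reaches the live configuration.
# Assumptions: rules go into /etc/sudoers.d (SUDOERS_DIR overrides this for
# testing), the sample user "alice" is invented, and the script runs as root.

# check_sudoers_file FILE
# Returns 0 if visudo parses FILE cleanly, 1 on a syntax error (visudo prints
# the offending line), 2 if visudo is not installed at all.
check_sudoers_file() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; refusing to guess at sudoers syntax" >&2
        return 2
    fi
    # -c: check only, do not edit. -f: check this file instead of /etc/sudoers
    # (with -f, visudo checks the syntax only, not the file's owner and mode).
    visudo -c -f "$1"
}

# install_sudoers_rule NAME 'RULE'
# Stages RULE in a temp file, validates it, and installs it as
# $SUDOERS_DIR/NAME with mode 0440. Nothing is written to the target
# directory unless the check passes; the validation status is returned so
# the caller knows why an install was refused.
install_sudoers_rule() {
    name=$1
    rule=$2
    target="${SUDOERS_DIR:-/etc/sudoers.d}/$name"
    tmp=$(mktemp) || return 3
    printf '%s\n' "$rule" > "$tmp"

    check_sudoers_file "$tmp" && status=0 || status=$?
    if [ "$status" -ne 0 ]; then
        rm -f "$tmp"
        echo "not installing $target: validation failed (status $status)" >&2
        return "$status"
    fi

    # install(1) sets the mode in the same step as the copy. Run as root this
    # yields a root-owned 0440 file, which is the ownership and mode sudo
    # expects for its configuration files.
    install -m 0440 "$tmp" "$target"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Command-line entry point: ./sudoers-install.sh NAME 'RULE TEXT'
# With fewer than two arguments nothing runs, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    install_sudoers_rule "$1" "$2" || exit 1
    # Re-check the whole live configuration, as the post recommends.
    visudo -c
fi
```

A typical call would be `./sudoers-install.sh alice-nginx 'alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx'`. If the rule has a typo, visudo prints the error, the temp file is discarded, and the drop-in is never created; the existing sudo setup is untouched either way. The script deliberately refuses to install anything when visudo is missing rather than trusting the rule unchecked.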