Linux & Mac & Bash Command Dictionary

sudo / visudo

sudo and visudo are mechanisms in Linux for delegating root-level operations to regular users. The sudo command allows a designated user to temporarily run commands as root (or as another user). Permissions are managed in the /etc/sudoers file, which must always be edited through the visudo command rather than directly. On Debian/Ubuntu systems, adding a user to the sudo group is the conventional way to grant administrator privileges; on RHEL/AlmaLinux systems, the wheel group is used instead.

Syntax

# -----------------------------------------------
#  Basic syntax for sudo
# -----------------------------------------------

# sudo {command}
#   → Runs a command as root
#   Example: sudo apt update

# sudo -u {username} {command}
#   → Runs a command as the specified user
#   Example: sudo -u kurisu python3 /home/kurisu/script.py

# sudo -i
#   → Starts a root login shell (loads root's environment variables)

# sudo -s
#   → Starts a root shell (inherits the current environment variables)

# sudo -l
#   → Lists the commands the current user is allowed to run with sudo

# -----------------------------------------------
#  Basic syntax for visudo
# -----------------------------------------------

# visudo
#   → Safely edits /etc/sudoers
#   → Rejects saves if a syntax error is found, making it safer than direct editing
#   → The editor can be changed via the $EDITOR environment variable
#   Example: sudo visudo
#   Example: sudo EDITOR=nano visudo

# visudo -c
#   → Checks the syntax of /etc/sudoers without opening it for editing
#   Example: sudo visudo -c

# visudo -f {file path}
#   → Edits an include file under /etc/sudoers.d/
#   Example: sudo visudo -f /etc/sudoers.d/okabe

# -----------------------------------------------
#  sudoers file format
# -----------------------------------------------

# {username} {host}=({run-as user}:{run-as group}) {command}

# okabe ALL=(ALL:ALL) ALL
#   → Allows okabe to run any command on any host
#     as any user or group

# %wheel ALL=(ALL:ALL) ALL
#   → Grants full sudo privileges to all members of the wheel group
#   → This is the standard administrator group on RHEL/AlmaLinux systems

# %sudo ALL=(ALL:ALL) ALL
#   → Grants full sudo privileges to all members of the sudo group
#   → This is the standard administrator group on Debian/Ubuntu systems

# -----------------------------------------------
#  NOPASSWD option
# -----------------------------------------------

# {username} ALL=(ALL) NOPASSWD: {command}
#   → Allows the specified command to be run without a password prompt
#   → Useful for automation scripts and CI/CD environments, but
#     keep the scope of allowed commands as narrow as possible to reduce security risk
#   Example: kurisu ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

# kurisu ALL=(ALL) NOPASSWD: ALL
#   → Allows all commands without a password prompt
#   → This is an extremely dangerous setting and should be avoided in production environments

# -----------------------------------------------
#  Command aliases
# -----------------------------------------------

# Cmnd_Alias {alias name} = {command1}, {command2}, ...
#   → Groups frequently used commands under a single alias name
#   Example: Cmnd_Alias WEBSERVICE = /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx

# -----------------------------------------------
#  Using include files
# -----------------------------------------------

# Placing files under /etc/sudoers.d/ lets you manage
# sudoers settings in separate files.
# File names must not contain '.' or '~'.

Syntax reference

| Operation | Command / Syntax | Description |
|---|---|---|
| Run a command as root | sudo {command} | Runs a command with root privileges temporarily. After the command finishes, you return to your regular user. |
| Run as another user | sudo -u {username} {command} | Runs a command as the specified user. Can be used to switch to any user, not just root. |
| Start a root shell (login) | sudo -i | Starts a root login shell. Loads root's home directory and environment variables. |
| Start a root shell (non-login) | sudo -s | Starts a root shell while inheriting the current environment variables. |
| List allowed commands | sudo -l | Displays the list of commands the current user is allowed to run with sudo. Useful for checking permissions. |
| Edit sudoers | sudo visudo | Safely edits /etc/sudoers. Automatically checks for syntax errors and prevents simultaneous editing via a lock file. |
| Edit an include file | sudo visudo -f /etc/sudoers.d/{filename} | Safely edits a file under /etc/sudoers.d/. Allows you to manage permissions separately per user or service. |
| Check syntax only | sudo visudo -c | Verifies that the syntax of /etc/sudoers is correct without making any edits. |
| Grant full access (user) | okabe ALL=(ALL:ALL) ALL | Grants a user full sudo privileges in sudoers. Allows any host, any run-as user, and any command. |
| Grant full access (group) | %wheel ALL=(ALL:ALL) ALL | Grants sudo privileges to all members of the wheel group. The % prefix indicates a group. |
| Configure NOPASSWD | kurisu ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx | Allows the specified command to run without a password. Convenient for automation, but keep allowed commands to a minimum. |
| Define a command alias | Cmnd_Alias {name} = {command1}, {command2} | Groups multiple commands under a single name. Improves the readability and maintainability of sudoers. |
| Add to wheel group | usermod -aG wheel {username} | Adds a user to the wheel group to grant sudo privileges. The standard method on RHEL/AlmaLinux systems. |
| Add to sudo group | usermod -aG sudo {username} | Adds a user to the sudo group to grant sudo privileges. The standard method on Debian/Ubuntu systems. |

Examples

# Update the system package list as root
sudo apt update

# Check which sudo commands the current user is allowed to run
sudo -l

Running sudo -l produces the following output:

$ sudo -l
Matching Defaults entries for okabe on lab-server:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User okabe may run the following commands on lab-server:
    (ALL : ALL) ALL

Add a user to the wheel group to grant sudo privileges (RHEL/AlmaLinux)

# -----------------------------------------------
#  Grant sudo privileges to kurisu (RHEL-based systems)
# -----------------------------------------------

# Add kurisu to the wheel group
# Always include -a (append); omitting it removes the user from all other groups
sudo usermod -aG wheel kurisu

# Verify that the group membership was applied
# The new group will not take effect until kurisu logs in again
groups kurisu

Running these commands produces the following output:

$ groups kurisu
kurisu : kurisu wheel

Use visudo to grant a specific user limited NOPASSWD privileges

# -----------------------------------------------
#  Allow daru to restart nginx
# -----------------------------------------------

# Safely edit the include file with visudo
sudo visudo -f /etc/sudoers.d/daru

The editor opens. Enter the content below and save:

# Contents of /etc/sudoers.d/daru
# -----------------------------------------------
#  Allow daru to manage nginx without a password
# -----------------------------------------------

# Group the allowed commands into an alias
# Always use full paths to prevent path injection attacks
Cmnd_Alias NGINX_OPS = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl reload nginx, \
                       /usr/bin/systemctl status nginx

# Grant daru NOPASSWD access to NGINX_OPS only
# Avoid broad settings like NOPASSWD: ALL
daru ALL=(ALL) NOPASSWD: NGINX_OPS

Checking the syntax afterwards with visudo -c produces the following output:

$ sudo visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/daru: parsed OK

Then confirm that the rule works as intended:

# Verify the configuration by running the command as daru
sudo -u daru sudo systemctl reload nginx

# Check which commands daru is allowed to run
sudo -l -U daru

The second command produces the following output:

$ sudo -l -U daru
User daru may run the following commands on lab-server:
    (ALL) NOPASSWD: /usr/bin/systemctl restart nginx,
                    /usr/bin/systemctl reload nginx,
                    /usr/bin/systemctl status nginx

Delegate write access to a specific directory by running commands as another user

# -----------------------------------------------
#  Allow suzuha to write to a directory owned by mayuri
# -----------------------------------------------

# Check the owner of mayuri's data directory
ls -la /home/mayuri/data/

Running these commands produces the following output:

$ ls -la /home/mayuri/data/
drwxr-x--- 2 mayuri mayuri 4096 Mar 25 10:00 .
drwxr-xr-x 5 mayuri mayuri 4096 Mar 25  9:00 ..

Open an include file for suzuha:

# Use visudo to allow suzuha to run commands as mayuri
sudo visudo -f /etc/sudoers.d/suzuha

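Enter the following content and save:

# Contents of /etc/sudoers.d/suzuha
# -----------------------------------------------
#  Allow suzuha to run cp as the mayuri user
# -----------------------------------------------

# No arguments are listed after /usr/bin/cp, so sudo accepts any arguments:
# this rule covers every path mayuri can read or write, not only /home/mayuri/data/
suzuha ALL=(mayuri) NOPASSWD: /usr/bin/cp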

With the rule in place, suzuha can copy the file as mayuri:

# Run cp as mayuri from the suzuha user to copy the file
sudo -u mayuri cp /tmp/report.txt /home/mayuri/data/report.txt

# Verify the copy (the file owner will be mayuri)
ls -la /home/mayuri/data/

The listing now shows the copied file:

$ ls -la /home/mayuri/data/
drwxr-x--- 2 mayuri mayuri 4096 Mar 25 10:15 .
drwxr-xr-x 5 mayuri mayuri 4096 Mar 25  9:00 ..
-rw-r--r-- 1 mayuri mayuri  512 Mar 25 10:15 report.txt

Overview

sudo lets regular users borrow only the privileges they need, only when they need them — making it far safer than working as root at all times. The /etc/sudoers file controls these permissions, and a syntax error in it will render sudo itself unusable. Always edit it through visudo, which checks the syntax on save and prevents simultaneous edits via a lock file.

The NOPASSWD option is useful for automation such as CI/CD pipelines and daemon management, but a setting like NOPASSWD: ALL creates a risk of a complete system takeover without any password. Use Cmnd_Alias with full paths to define the minimum set of commands required. The conventional administrator group differs by distribution: wheel on RHEL/AlmaLinux and sudo on Debian/Ubuntu. See useradd / usermod for details on adding users.
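
An offline check for the NOPASSWD guidance above, as an added example that is not part of the original page: it expands Cmnd_Alias entries and lists every passwordless grant in a fragment, labelling NOPASSWD: ALL and commands with no argument list (which sudoers matches with any arguments). The function name, the labels and the sample file are assumptions made for illustration; visudo -c remains the syntax check.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): report what a sudoers.d
# fragment grants without a password. Simplifications: aliases must be
# defined before use, and a NOPASSWD: tag is taken to cover the whole rule.
audit_sudoers_fragment() {
  case $(basename "$1") in
    *.*|*~*) echo "BAD_NAME $(basename "$1")" ;;   # name rule stated on this page
  esac
  awk '
    function report(user, c) {
      if (c == "ALL")        print "NOPASSWD_ALL", user, c   # any command
      else if (c !~ /[ \t]/) print "ANY_ARGS", user, c       # no argument list
      else                   print "OK", user, c
    }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }              # join "\" lines
    { line = buf $0; buf = ""; split(line, w, " ") }
    w[1] == "" || w[1] ~ /^#/ || w[1] ~ /^Defaults/ { next }
    { cmds = line; sub(/^[^=]*=[ \t]*/, "", cmds); sub(/[ \t]+$/, "", cmds) }
    w[1] == "Cmnd_Alias" { name = w[2]; sub(/=.*/, "", name); alias[name] = cmds; next }
    line ~ /NOPASSWD:/ {
      sub(/^\([^)]*\)[ \t]*/, "", cmds)        # drop the (run-as) part
      gsub(/[A-Z_]+:[ \t]*/, "", cmds)         # drop tags such as NOPASSWD:
      n = split(cmds, item, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        if (item[i] in alias) {
          m = split(alias[item[i]], member, /[ \t]*,[ \t]*/)
          for (j = 1; j <= m; j++) report(w[1], member[j])
        } else report(w[1], item[i])
      }
    }
  ' "$1"
}

# Constructed sample: the page's daru and suzuha rules plus the NOPASSWD: ALL
# rule it warns against, written to a scratch file (nothing under /etc is read).
demo() {
  tmp_dir=$(mktemp -d)
  cat > "$tmp_dir/lab" <<'EOF'
Cmnd_Alias NGINX_OPS = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl reload nginx, \
                       /usr/bin/systemctl status nginx
daru ALL=(ALL) NOPASSWD: NGINX_OPS
suzuha ALL=(mayuri) NOPASSWD: /usr/bin/cp
kurisu ALL=(ALL) NOPASSWD: ALL
EOF
  audit_sudoers_fragment "$tmp_dir/lab"
  rm -rf "$tmp_dir"
}
demo
```

Lines labelled OK name a full path with fixed arguments; ANY_ARGS and NOPASSWD_ALL lines are the ones to narrow before the fragment is installed.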
