How to create custom sudo configuration files in /etc/sudoers

Advanced sudo settings

Some organizations have complex delegation requirements. For example, dev servers might support many members of the development team or separate groups for teams working on different projects. Delegating access to separate database servers, web servers and virtualization hosts is challenging. Maintaining a single /etc/sudoers file could become complex and difficult.

In these situations, create custom sudoers files specific to various users or different groups to ease both management and updates. Furthermore, these custom files remain unchanged through OS upgrades or service version changes.

An effective design and implementation of custom sudoers files also enables you to set RBACs. For example, say you want to define three roles: code-developer, code-reviewer and code-manager. Create a specific sudoers file for each role. Next, add the various standard Linux groups related to the code-developer role. Do the same for the code-reviewer and code-manager files. Each file might include one or more of these groups. Each file also contains the delegated privileges you grant to those groups.

This flexibility is crucial for more complex delegation scenarios.

The benefits of custom sudoers files include the following:

• Granular control. User and group-specific configuration files enable more precise control.
• Persistence through OS upgrades. The default /etc/sudoers file is at risk of being overwritten during system upgrades, but custom files are not, which is essential for complex configurations.
• Easier configuration management. You can change individual files without altering or risking the entire sudo configuration.
• Sharing configuration files across systems. Easily share files across systems by delegating granular control within standalone files. Say you need to delegate the same VM administration privileges across three different virtualization host servers. You can maintain a single file for use on each system. However, one of those systems might also need a unique sudo configuration that applies to a database admins group. This approach would be far more difficult to manage using a single sudoers file on each server.

How to manage the /etc/sudoers.d directory

Store custom sudo configuration files in the /etc/sudoers.d directory. The service automatically checks the directory for these additional files. Avoid making changes to the primary sudoers file if you use custom files. The more files you juggle, the harder they are to manage. Let the main file hold the default configuration and the custom files store the more advanced settings.

Use visudo when authoring or editing these files. It checks the syntax to avoid mistakes that might make logging into the system difficult or impossible.

Linux processes the configuration files in /etc/sudoers.d in numeric and alphabetical order. Avoid conflicts by adding numbers to filenames to control the processing order. For example, the numbers in the following example dictate how the system processes these files:

• 10_code-developer.
• 20_code-reviewer.
• 30_code-manager.

The 10_code-developer file processes before the other two.

Custom file examples

Chances are, your custom sudoers files will be less complex than the original. After all, they only need to contain the settings you want and the associated comments that explain them. This simplicity makes the files easier to maintain and share among systems with the same delegation requirements.

The basic syntax for sudoers entries is:

username ALL=(ALL) /path/to/command

For example, to enable user01 to run all commands, add this line to a custom sudoers file:

user01 ALL=(ALL:ALL) ALL

That's a wide-open configuration, so it would be better to restrict user01 to only specific commands by entering this line instead (provide the absolute path to whatever commands you want to include):

user01 ALL=(root) /usr/bin/dnf, /usr/bin/rpm

Both of the above examples require user01 to enter their password. You can remove this requirement by adding the NOPASSWD: indicator. The updated line looks like this:

user01 ALL=(root) NOPASSSWD: /usr/bin/dnf, /usr/bin/rpm

Custom sudo configurations really shine when working with large-scale deployments. In those cases, delegation to groups makes more sense. Here's an example that grants full admin access to the sysadmins group:

%sysadmins ALL=(ALL:ALL) ALL

Again, this is far more delegation than you're likely to grant. To delegate control of specific functionality, such as granting Docker administration privileges to a group named docker, use:

%docker ALL=(root) /usr/bin/docker

Don't forget to use comments to explain your settings.

Best practices for custom sudo files

Remember to implement the following practices when deploying custom sudo configuration files:

• Always use visudo to edit the files. The visudo tool checks the configuration file's syntax before implementing the changes to ensure you haven't made a mistake that renders the system inoperable.
• Use descriptive file names to simplify configuration and troubleshooting.
• Use a file naming standard that helps control the order of file processing.
• Provide detailed comments explaining the purpose of each delegation in the file.
• Set the root user and group as the owner of the custom files in the /etc/sudoers.d directory.
• Set the 0440 standard permissions on the custom files in the /etc/sudoers.d directory to ensure Linux properly enforces the delegations and prevents unexpected file changes.
• Use separate files for each role or delegation.
• Automate file deployments using rsync, Chef, Puppet, etc.
• Carefully monitor access to resources granted by sudo.
• Maintain strict version control. Consider using a mechanism such as Git.

Tying these best practices to your sudo delegations improves security and efficiency.

A better way to delegate

Delegating access to some or all commands on a Linux system with sudo is a critical security configuration. Today, powerful Linux servers host various databases, projects, virtualization clients, containers and dev environments. As a result, the scale of delegation goes beyond what the standard sudoers configuration file can manage in an organized manner.

Storing custom sudoers files in the /etc/sudoers.d directory offers administrators a more elegant and efficient way to manage delegation. Create specific files for particular users, groups or roles, and then prioritize those files using a numbered naming scheme (10_filename, 20_filename, 30_filename, etc.). Provide comprehensive comments in the files and configure the appropriate ownership and standard permissions. Consider integrating these configuration files into a version control system.

Examine your current delegation processes today and determine whether custom sudoers files would simplify your admin practices.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.