TechEarl

How to Edit the sudoers File Safely (visudo)

Edit sudo rules without locking yourself out: why visudo syntax-checks before saving, drop-in files in /etc/sudoers.d, and the rules you actually need.

Ishan Karunaratne · 4 min read

A single typo in /etc/sudoers can break sudo for everyone, and if root login is disabled you are then locked out of admin entirely. That is why you never open it in a plain editor. Always use visudo, which checks the syntax before it lets you save:

```bash
sudo visudo
```

If you make a mistake, visudo refuses to write the broken file and offers to re-edit. That safety check is the entire point.

Use drop-in files, not the main file

Modern sudo reads everything in /etc/sudoers.d/, so the clean pattern is one small file per rule rather than editing the monolith:

```bash
sudo visudo -f /etc/sudoers.d/deploy
```

Drop-ins are easier to manage, survive package upgrades that rewrite /etc/sudoers, and are trivial to remove (just delete the file). Use -f so visudo still syntax-checks the drop-in.

The rule format

```
# user host=(runas) commands
deploy   ALL=(ALL)        ALL
deploy   ALL=(ALL)        /usr/bin/systemctl restart nginx
%webops  ALL=(ALL:ALL)    /usr/bin/systemctl * nginx
```

  • user / %group: who the rule is for (% marks a group).
  • host: where it applies (ALL = everywhere; matters only on shared sudoers across machines).
  • (runas): which identities they may act as ((ALL) = any user, including root).
  • commands: the exact allowed commands, or ALL.

Always use absolute paths for commands (/usr/bin/systemctl, not systemctl); a bare name can be satisfied by a malicious binary earlier on PATH. Be sparing with wildcards too: sudoers matches the argument string as a whole, so a * also matches across spaces and permits more arguments than it looks like; listing each exact command, as in the deploy rule, is the safer pattern.

Validate without editing

To check the whole sudoers configuration (main file plus all drop-ins) for errors, for example after writing a file from configuration management:

```bash
sudo visudo -c
```

It prints parsed OK or names the file and line of the problem. Run it in CI or after any automated change.
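visudo -c is the authority on syntax, but it says nothing about whether a rule is wider than intended. The following is an added example (not code from the article or from the sudo project) of a small CI lint for the rule format described above: it parses each user rule from a drop-in into user, host, runas and command list, then flags the pitfalls the article calls out (ALL, relative command names, wildcards). The parser covers plain rules with optional tags such as NOPASSWD:; aliases and Defaults lines are skipped, and the sample drop-in is constructed for the example.

```python
import re

# One sudoers rule: user host=(runas_user[:runas_group]) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<user>%?[\w.@+-]+)\s+(?P<host>[\w.-]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT):\s*)+")
SKIP_RE = re.compile(r"^\s*(#|$|Defaults\b|@include|\w+_Alias\b)")  # not user rules

def parse_rule(line):
    """Return (user, host, runas, [commands]) or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    runas = m.group("runas") or "root"  # sudo defaults to root when (runas) is omitted
    # Split the command list and drop leading tags such as NOPASSWD: or NOEXEC:
    cmds = [TAG_RE.sub("", spec.strip()) for spec in m.group("cmds").split(",")]
    return m.group("user"), m.group("host"), runas, cmds

def lint_command(cmd):
    findings = []
    if cmd == "ALL":
        findings.append("ALL grants every command; list the exact commands instead")
    elif not cmd.startswith("/"):
        findings.append(f"'{cmd}' is not an absolute path; any binary earlier on PATH could satisfy it")
    if any(ch in cmd for ch in "*?["):
        findings.append(f"'{cmd}' uses a wildcard, which also matches across spaces; list exact arguments")
    return findings

def lint_sudoers(text):
    """Return [(line_number, message), ...] for every rule line in a drop-in."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SKIP_RE.match(line):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            results.append((lineno, "could not parse rule; run 'visudo -cf' on this file"))
            continue
        for cmd in parsed[3]:  # the command list
            results.extend((lineno, msg) for msg in lint_command(cmd))
    return results

# Constructed sample drop-in (not from a real host): the article's rules plus two risky ones.
SAMPLE = """\
# constructed example drop-in
deploy   ALL=(ALL)        /usr/bin/systemctl restart nginx
%webops  ALL=(ALL:ALL)    /usr/bin/systemctl * nginx
backup   ALL=(root)       NOPASSWD: /usr/bin/rsync, systemctl status nginx
ops      ALL=(ALL)        ALL
"""
```

Run it against the drop-in before visudo -c, or as a second CI step after it; a clean file returns an empty list.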

Keep a safety net

Before tightening sudo rules, keep a second root-capable session open, exactly as with disabling root login. If a rule change locks you out and root login is off, recovery means single-user mode or a rescue boot. A spare session costs nothing and saves the afternoon.



Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
