
How to Edit the sudoers File Safely (visudo)

Edit sudo rules without locking yourself out: why visudo syntax-checks before saving, drop-in files in /etc/sudoers.d, and the rules you actually need.

Ishan Karunaratne · 4 min read

A single typo in /etc/sudoers can break sudo for everyone, and if root login is disabled you are then locked out of admin entirely. That is why you never open it in a plain editor. Always use visudo, which checks the syntax before it lets you save:

```bash
sudo visudo
```

If you make a mistake, visudo refuses to write the broken file and offers to re-edit. That safety check is the entire point.

Use drop-in files, not the main file

Modern sudo reads everything in /etc/sudoers.d/, so the clean pattern is one small file per rule rather than editing the monolith:

```bash
sudo visudo -f /etc/sudoers.d/deploy
```

Drop-ins are easier to manage, survive package upgrades that rewrite /etc/sudoers, and are trivial to remove (just delete the file). Use -f so visudo still syntax-checks the drop-in.

The rule format

```
# user host=(runas) commands
deploy   ALL=(ALL)        ALL
deploy   ALL=(ALL)        /usr/bin/systemctl restart nginx
%webops  ALL=(ALL:ALL)    /usr/bin/systemctl * nginx
```

  • user / %group: who the rule is for (% marks a group).
  • host: where it applies (ALL = everywhere; matters only on a sudoers file shared across machines).
  • (runas): which identities they may act as ((ALL) = any user, including root).
  • commands: the exact allowed commands, or ALL.

Always use absolute paths for commands (/usr/bin/systemctl, not systemctl); a bare name can be satisfied by a malicious binary earlier on PATH.

Validate without editing

To check the whole sudoers configuration (main file plus all drop-ins) for errors, for example after writing a file from configuration management:

```bash
sudo visudo -c
```

It prints "parsed OK" or names the file and line of the problem. Run it in CI or after any automated change.
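A lint a CI job can run beside visudo -c, as an added example that is not from the article: it parses user specifications in the format shown above and flags a command given without an absolute path, plus any wildcard argument (sudoers matches the arguments as one concatenated string, so * and ? also span word boundaries, which the sudoers manual warns about). The sample drop-in is constructed, and Defaults, alias and include lines are skipped rather than checked.

```python
import re

# One user specification per line:  user  host=(runas) commands
_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def _split_commands(cmds):  # split "a, b" and drop tags such as NOPASSWD:
    out = []
    for part in cmds.split(","):
        tokens = part.split()
        while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
            tokens.pop(0)
        if tokens:
            out.append(" ".join(tokens))
    return out

def parse_rule(line):
    """Return the four parts of a user specification, or None if the line is not one."""
    m = _SPEC.match(line.strip())
    if not m:
        return None
    who, host, runas, cmds = m.groups()
    # An omitted (runas) means runas_default, which is root unless changed in Defaults.
    return {"who": who, "host": host, "runas": runas or "root", "commands": _split_commands(cmds)}

def lint_sudoers(text):
    """Return findings for one sudoers file; an empty list means nothing to flag."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        first = raw.split()[0] if raw.strip() else "#"
        if first[0] in "#@" or first.startswith("Defaults") or first.endswith("_Alias"):
            continue  # comment, include directive, Defaults or alias definition
        rule = parse_rule(raw)
        if rule is None:
            findings.append(f"line {lineno}: not a user specification: {raw.strip()}")
            continue
        for cmd in rule["commands"]:
            path = cmd.split()[0]
            if path != "ALL" and not path.startswith("/"):
                findings.append(f"line {lineno}: relative command '{path}', use an absolute path")
            if re.search(r"[*?]", cmd):  # arguments match as one string, so * spans words
                findings.append(f"line {lineno}: wildcard in '{cmd}' matches across word boundaries")
    return findings

# Constructed sample drop-in: one clean rule, one relative path, one wildcard.
SAMPLE_DROP_IN = """\
Defaults:deploy !requiretty
deploy   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
ops      ALL=(root) systemctl restart nginx
%webops  ALL=(ALL:ALL) /usr/bin/systemctl * nginx
"""
```

Run it as `python lint.py` after writing a drop-in from configuration management, then still let visudo -c have the final word on syntax.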

Keep a safety net

Before tightening sudo rules, keep a second root-capable session open, exactly as with disabling root login. If a rule change locks you out and root login is off, recovery means single-user mode or a rescue boot. A spare session costs nothing and saves the afternoon.


Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.
