Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done.


# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.
# Example from

# User alias specification
# ------------------------
User_Alias    PPPUSERS = fred, bibi, jice, serge 
User_Alias    HALTUSERS = fred, bibi 
User_Alias    ROOT_FRIENDS = jice, serge, fred

# Host alias specification
# ------------------------
Host_Alias    ICI = localhost,, 
Host_Alias    LABAS =,, 
Host_Alias    WWW = www*, mail*, pop*, *fr

# Runas alias specification
# -------------------------
Runsas_Alias    USERPPP = pppuser, serialuser

# Cmnd alias specification
# ------------------------
Cmnd_Alias    STOPPC = /sbin/halt, /sbin/reboot,  !/sbin/shutdown -*, /sbin/shutdown -r, \
                       /sbin/shutdown -h 
Cmnd_Alias    PPPCMD = /etc/ppp/scripts/pppconnect, /etc/ppp/scripts/pppdisconnect

# User privilege specification
# ----------------------------
fred           localhost = (ALL) ALL, (root) !ALL
john           ALPHA     = /usr/bin/su [!-]*, !/usr/bin/su *root*
+secretaires   LOCALE    = PRINTING_CMDS, /usr/sbin/adduser [A-z]*

Troubles and tweaks


With the fix for CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars, the default behaviour of handling environment variables was switched to protect against malicious local users with sudo privileges getting sudo to do more than the malcontent was given privileges to do.

As a result, unless you modify your sudoers file to contain Defaults env_reset, you may experiance problems using sudo like the following:

If you had more complex setups where you meant to pass through environment variables, your work around may be more complex or no longer possible.

PASSWD option not working

sudo has a flag called exempt_group which contains a list of groups for which always NOPASSWD is true and setting PASSWD has no effect. On Debian Systems this list consists of the group sudo.

See also