How to check sudoers syntax

Updated on January 7, 2022

I have written many articles on sudoers in the past, covering best practices and fixes for many errors related to sudoers files. This time, one of my readers asked me to verify his sudoers file, which is shown below. This article explains how to check sudoers syntax.

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Though I went line by line and verified all the lines, I couldn't find the problem. Some errors might not be visible to the human eye, such as a deleted character or braces that are not closed properly. So the question is: how do you get syntax checking for a sudoers file?

The best practice is to edit the sudoers file with visudo, which has a flag that performs a syntax check on the sudoers file. After making changes, run the command below to check that the syntax is correct.

Don't leave the ROOT session

Until you confirm your sudoers file is correct, do NOT leave your ROOT session. Log in to the same server in a separate session and try sudo commands to check.

# visudo -c
/etc/sudoers: parsed OK

Another awesome feature of visudo is that you can tell it to check a specified file rather than only the /etc/sudoers file. This lets you check the syntax of a file on any server before you roll it out to the production server.

# visudo -cf /tmp/sudoers
/tmp/sudoers: parsed OK
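
The check-before-rollout step above, written as a small shell function (an added example, not from the original article): it runs visudo -cf on a candidate file and copies it into /etc/sudoers.d only if the check passes. The function name install_sudoers_fragment, the VISUDO override and the fragment name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a sudoers fragment with `visudo -cf` before
# installing it. VISUDO can be overridden (assumption, useful for testing).
VISUDO="${VISUDO:-visudo}"

# install_sudoers_fragment SRC [DEST_DIR]
# Returns 0 on success, 1 on syntax error, 2 on a file name sudo would skip,
# 3 if the staged copy could not be written.
install_sudoers_fragment() {
    src=$1
    dest_dir=${2:-/etc/sudoers.d}
    name=$(basename "$src")

    # #includedir skips names that contain '.' or end in '~', so a fragment
    # with such a name would be silently ignored after installation.
    case "$name" in
        *.*|*~)
            echo "refusing '$name': sudo would skip this file name" >&2
            return 2 ;;
    esac

    # Syntax-check the candidate only; the live configuration is untouched.
    if ! "$VISUDO" -cf "$src" >/dev/null; then
        echo "syntax check failed for $src; nothing installed" >&2
        return 1
    fi

    # Stage under a dotted name (ignored by #includedir) with mode 0440,
    # then rename into place so sudo never reads a half-written file.
    tmp="$dest_dir/.$name.tmp"
    install -m 0440 "$src" "$tmp" || return 3
    mv -f "$tmp" "$dest_dir/$name"
}

# Usage (as root, from a session you keep open until sudo is confirmed working):
#   install_sudoers_fragment /tmp/ops_admins
```

After it returns 0, run visudo -c once more so the complete configuration, including the new fragment, is checked.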
