Linux Files - Understanding the /etc/sudoers file in Linux

Files in the /bin directory can be run without elevated privileges. For example, the pwd (present working directory) command is in the /bin directory (/bin/pwd). Any user will be able to execute the pwd command, because the pwd command does not require elevated privileges.

[Tim@server1 ~]# pwd


Commands in the /sbin directory, such as ifdown and ifup, require elevated privileges. In this example, when Tim attempts ifdown or ifup, a permission denied message appears. 

[Tim@server1 ~]# ifdown eth0
Permission denied


The /etc/sudoers file is what is used to determine if a user has permission to run commands that require elevated privileges. The /etc/sudoers file should not be edited using your preferred editor, such as vi or nano, because improperly editing the /etc/sudoers file can remove the ability to run commands that require elevated privileges. The visudo command should be used to edit the /etc/sudoers file. Only root can execute the visudo command.

The syntax of lines in the /etc/sudoers file is users hosts=(user:group) commands. By default, there should be a line that allows root to run all commands that require elevated privileges. Do not comment out this line.



Sometimes, the line will only have (ALL) instead of (ALL:ALL). This means that ALL is only applied to user, and not to group.

root ALL=(ALL) ALL


sudo command

Refer to these articles for the steps on how to give a user or group permission to run certain commands.

Now, the user or group that has been granted permission to run certain commands can use the sudo command to issue commands that require elevated privileges.



Recall that the syntax of lines in the /etc/sudoers file is users hosts=(user:group) commands. Aliases can be used for each section. Let's take an example where multiple users need permission to run multiple commands on certain hosts using a certain user and group. For example, Tim and Tammy and Roger and Dawn need permission to execute the halt and init and poweroff and reboot and shutdown and telinit commands on as admins.

Tim,Tammy,Roger,Dawn, /sbin/init, /sbin/poweroff, /sbin/reboot, /sbin/shutdown, /sbin/telinit


Aliases can be used. Instead of listing Tim, Tammy, Roger, Dawn, a User_Alias can be created.

User_Alias      REBOOT_USERS = Tim, Tammy, Roger, Dawn


Instead of listing halt and init and poweroff and reboot and shutdown and telinit, a Cmnd_Alias can be created.

Cmnd_Alias      REBOOT_COMMANDS = /sbin/halt, /sbin/init, /sbin/poweroff, /sbin/reboot, /sbin/shutdown, /sbin/telinit


Instead of listing, a Host_Alias can be created.

Host_Alias      REBOOT_HOSTS =


Instead of listing root:admins, a Runas_Alias can be created.. 

Runas_Alias     REBOOT_RUNAS = admins


The aliases can then be used.



Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter d8266 in the box below so that we can be sure you are a human.


November 10th, 2020 by DClark
Awesome explanation, thank you!

March 10th, 2021 by Buster
Thank you very much for this wonderful explanation. How can I create the Aliases file?

January 4th, 2022 by Marion D.
These explanations are clear and professionally's not always the case from other sites...thank you for that.

Web design by yours truely - me, myself, and I   |   |