sudoers - simple explanation requested

Every time I want to be able to run something that requires me to be a sudoer too many times, I need to google for the formatting of /etc/sudoers to remind me again what exactly is the proper way to write it.

Now I see different writing styles in my sudoers file, which is the consequence of different google results over the months. I've also noticed that the second example (below) seems to work in XFCE, but not in Cinnamon (Gnome 3). This could be totally unrelated, but nonetheless I'd like to know once and for all, what is the correct grammar of the sudoer line, and what is the difference between the given examples?

  1. redsandro ALL=NOPASSWD:/path/to/command
  2. redsandro ALL=(ALL) NOPASSWD:/path/to/command
  3. redsandro ALL=(ALL:ALL) NOPASSWD:/path/to/command

Also, what are all the ALL's for? One user, one command, yet I need to use the ALL keyword up to three times? Am I doing this wrong?

Of course, omitting NOPASSWD: makes you enter your password before you are permitted to run the command, but one point of confusion is the usage of = and :, for the final command that is the subject of the line can be prepended by either =, :, , or ), confusing grammar for similar semantics.


It's more than just a user and a command:


redsandro host=(user:group) tag:commands
  • host specifies the host names this line is valid for. Unless you are sharing a sudoers file among different hosts that need different rules, using the special value ALL meaning "all hosts" is a good choice.

  • user specifies which users you can use with the -u option to run the command. If you omit this you can't use the -u option.

  • group specifies which groups you can use with the -g option. If you omit it you can't use the -g option.

Both user and group understand the special value ALL as "all users/groups".

If you omit the whole (user:group) thing you can't use -u and -g but only run the command as root.

  • tag lets you specify some options, like NOPASSWD.

So with your first example you can run the command as root but can't use -u and -g to run it as any other user or group.

With example 2. you can run the command as root or use -u to run it as any other user.

With 3. you can run the command as root or use -u or -g to run the command as any other user or group.


Let's take this one apart:
redsandro ALL=(ALL:ALL) NOPASSWD:/path/to/command

redsandro is the username we're giving permission to. Put a % at the front to make it apply to a group.

ALL is a name for this rule. Sudoers can do a lot more than just grant global permissions. That's where it gets complicated though.

= needs no explanation

ALL:ALL reads as (who_to_run_it_as:what_group_to_run_it_as). This way you can allow running a command, but only in the context of a specific user or group.

NOPASSWD: tells it to turn the password prompt off.

/path/to/command lets you specify specific commands: path_to_command, another_command

The thing to remember is that while sudo is mostly used by home users to escalate to root privileges, it can be and is used to control access to specific commands in a much more granular way.
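As an added illustration of the grammar both answers take apart (this is not code from the question or from either answer), here is a small Python parser for the single-line form user host=(runas_user:runas_group) TAG: commands. It follows the field meanings given in the first answer (host, runas user, runas group, tag) and answers the practical questions the question raises: whether -u and -g can be used, and whether a password is prompted. The SPEC pattern, the function names and the sample sudoers fragment are my own constructions; the parser covers only this one-line form, not aliases, Defaults lines or host lists.

```python
import re
from typing import Dict, List

# One user specification in the single-line form discussed on this page:
#   user  host=(runas_user:runas_group) TAG: command, command
# The (...) part and the tags are optional.  Deliberately a small subset of the
# real sudoers grammar: no User_Alias/Host_Alias/Cmnd_Alias expansion, no
# Defaults lines, no comma-separated host or user lists.  "ALL" is just a value.
SPEC = re.compile(
    r"^\s*(?P<user>%?[\w.@-]+)\s+"
    r"(?P<host>[\w.-]+)\s*=\s*"
    r"(?:\(\s*(?P<runas_user>[\w-]+)?\s*(?::\s*(?P<runas_group>[\w-]+))?\s*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<commands>\S.*?)\s*$"
)


def parse_spec(line: str) -> Dict:
    """Split one user specification into its named fields."""
    m = SPEC.match(line)
    if not m:
        raise ValueError(f"not a user specification this parser understands: {line!r}")
    tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
    commands = [c.strip() for c in m.group("commands").split(",") if c.strip()]
    return {
        "user": m.group("user").lstrip("%"),
        "is_group": m.group("user").startswith("%"),   # leading % means a group
        "host": m.group("host"),
        "runas_user": m.group("runas_user"),     # None when the (...) part is absent
        "runas_group": m.group("runas_group"),   # None when no ":group" was given
        "tags": tags,
        "commands": commands,
    }


def explain(line: str) -> Dict:
    """Answer the practical questions: can -u / -g be used, is a password needed?"""
    spec = parse_spec(line)
    # NOPASSWD and PASSWD toggle the prompt; when both appear the later one wins.
    password_required = True
    for tag in spec["tags"]:
        if tag == "NOPASSWD":
            password_required = False
        elif tag == "PASSWD":
            password_required = True
    return {
        **spec,
        "can_use_u": spec["runas_user"] is not None,
        "can_use_g": spec["runas_group"] is not None,
        "password_required": password_required,
        # Reviewer's view: "ALL" in the command list is the broadest grant possible.
        "grants_all_commands": "ALL" in spec["commands"],
    }


def audit(text: str) -> List[str]:
    """Walk a sudoers fragment and list the grants an administrator should look at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults") or "_Alias" in line:
            continue  # out of scope for this small parser
        e = explain(line)
        who = ("%" if e["is_group"] else "") + e["user"]
        if e["grants_all_commands"] and not e["password_required"]:
            findings.append(f"{who}@{e['host']}: ALL commands, NOPASSWD")
        elif e["grants_all_commands"]:
            findings.append(f"{who}@{e['host']}: ALL commands (password required)")
    return findings


# Constructed sample fragment: the three lines from the question plus two made-up ones.
SAMPLE = """\
# constructed sample, not a real sudoers file
redsandro ALL=NOPASSWD:/path/to/command
redsandro ALL=(ALL) NOPASSWD:/path/to/command
redsandro ALL=(ALL:ALL) NOPASSWD:/path/to/command
%wheel ALL=(ALL) ALL
deploy build01=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        if line and not line.startswith("#"):
            e = explain(line)
            print(f"{line}\n  -u: {e['can_use_u']}  -g: {e['can_use_g']}  "
                  f"password: {e['password_required']}  commands: {e['commands']}")
    print("findings:", audit(SAMPLE))
```

Run it and the three question lines come out as the first answer describes: example 1 allows neither -u nor -g, example 2 allows -u only, example 3 allows both, and all three skip the password. For a real file the authoritative check remains visudo -c, which parses the full grammar; this script is only for reading and reviewing the one-line subset shown here.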