Frequently Asked Question
What goes in /etc/sudoers and why must I edit it with visudo?
/etc/sudoers is the policy file that tells sudo who may run what, as whom, on
which hosts, and whether a password is required. A typical line is
%sudo ALL=(ALL:ALL) ALL, which reads as "members of the Unix group sudo may
run any command, as any target user and group, on any host". You can get
arbitrarily precise: alice ALL=(root) NOPASSWD: /bin/systemctl restart nginx
grants exactly one command, with no password prompt, to one user.
visudo is a wrapper around your editor that does two essential things: it takes
an exclusive lock so two admins cannot clobber each other's edits, and it parses
the file before saving, refusing to install a sudoers with syntax errors. A botched
/etc/sudoers can render sudo unusable, and if root login is disabled you may
have no way back in short of a rescue boot. Always use visudo; never edit sudoers
with a plain editor. Better still, put your changes in drop-in files under
/etc/sudoers.d/ (which visudo also validates when invoked as visudo -f), which
keeps customisations out of the distribution-managed main file.
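The validate-before-install habit described above can be scripted for drop-in files. This is an added example, not part of the original FAQ; the function name install_dropin and the overridable VISUDO and SUDOERS_D variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install a sudoers drop-in only after visudo accepts it.
# VISUDO and SUDOERS_D are hypothetical overrides so the function can be
# rehearsed against a scratch directory before touching /etc.
VISUDO="${VISUDO:-visudo}"
SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# install_dropin SRC NAME
# Returns 0 on success, 2 for an unusable name, 3 when validation fails,
# 4 when the file cannot be staged or moved into place.
install_dropin() {
    src=$1
    name=$2

    # Per sudoers(5), sudo skips files in an included directory whose names
    # contain '.' or end in '~'. Such a drop-in would be silently ignored,
    # so reject the name instead of installing a rule that never applies.
    case $name in
        ''|*.*|*"~"|*/*) echo "refusing drop-in name '$name'" >&2; return 2 ;;
    esac

    # Stage next to the destination so the final mv is an atomic rename.
    # The staging name contains '.', so sudo ignores it while it exists.
    tmp="$SUDOERS_D/.$name.new.$$"
    ( umask 077; cat "$src" > "$tmp" ) || { rm -f "$tmp"; return 4; }
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 4; }

    # -c: check only, do not open an editor; -f: check this file.
    if ! "$VISUDO" -cf "$tmp" >/dev/null; then
        echo "visudo rejected $src; nothing installed" >&2
        rm -f "$tmp"
        return 3
    fi

    mv -f "$tmp" "$SUDOERS_D/$name" || { rm -f "$tmp"; return 4; }
}

# Usage (as root), with the single-command rule from the text saved in ./rule:
#   install_dropin ./rule nginx-restart
```

Keep a root shell open in another terminal while changing sudoers, so a rule that parses but does not do what you intended can still be reverted.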