Sudoers syntax

In the following sudo entry:

superadm ALL=(ALL) ALL

there are four fields:

  • The first one specifies a user that will be granted privileges for some command(s).
  • The second one is rarely used. It’s a list of hostnames on which this sudo entry will be effective. On standard setups only one host is relevant (localhost) so this field is usually left as ALL.
  • The fourth field is the list of commands superadm will be able to run with elevated privileges. ALL means all commands. Otherwise use a comma-separated list of commands.
  • The third field (the one written (…) that is optional) specifies which users (and groups) the superadm user will be able to run the following commands as. ALL means they can choose anything (unrestricted). It this field is omitted, it means the same as (root).


alan ALL = (root, bin : operator, system) /bin/ls, /bin/kill

Here, alan is allowed to run the two commands /bin/ls and /bin/kill as root (or bin), possibly with additional operator or system groups privileges.

So alan may choose to run ls as the bin user and with operator‘s group privileges like this:

sudo -u bin -g operator /bin/ls /whatever/directory

If -u is omitted, it’s the same as -u root. If -g is omitted, no additional group privileges are granted.

In order to skip password request:

alan ALL = (root, bin : operator, system) NOPASSWD:/bin/ls, /bin/kill