
What Is the Sudoers.d Directory Used for in Ubuntu?

This article explains the purpose and function of the sudoers.d directory within the Ubuntu operating system. It details how this directory allows administrators to manage sudo privileges modularly without editing the main sudoers file directly. Readers will learn about the security benefits, the correct file permissions required, and the standard procedure for adding new sudo rules safely.

The /etc/sudoers.d directory is designed to organize sudo configurations modularly. Historically, all sudo permissions were defined in a single file located at /etc/sudoers. Editing this main file directly carries risks, as a syntax error can lock administrators out of sudo privileges entirely. The sudoers.d directory solves this by allowing separate configuration files for different users, groups, or applications.

When the sudo command runs, it reads the main /etc/sudoers file. This main file contains a directive called #includedir /etc/sudoers.d. Despite the leading #, this line is a directive and not a comment. It tells sudo to also read and apply any valid configuration files found within that directory. This means you can add custom rules without touching the core system file.

This modular approach is particularly beneficial for package management. When you install software via apt that requires sudo access, the package can drop a specific configuration file into /etc/sudoers.d. If you later remove the software, the package manager can cleanly remove that specific file without affecting your other sudo configurations or risking corruption of the main sudoers file.

To add a new rule, you should never edit files in this directory with a standard text editor. Instead, use the visudo command with the -f flag. For example, running sudo visudo -f /etc/sudoers.d/myrule ensures the file is checked for syntax errors before saving. If there is a mistake, visudo will warn you and prevent the broken file from being installed, maintaining system security.

File permissions within this directory are strict. Any file inside /etc/sudoers.d must be owned by root and have permissions set to 0440 (read-only for owner and group). Files with incorrect permissions or ownership will be ignored by sudo to prevent security vulnerabilities. You can set these correctly using chmod 0440 and chown root:root after creating your configuration file.
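The ownership and mode rules above can be checked with a short script. This is an added example, not part of the original article: the function name, its arguments and the output labels are illustrative, it assumes GNU stat as shipped with Ubuntu, and the file-name rule it checks (sudo skips names that contain a "." or end in "~") comes from the sudoers manual rather than from this page.

```shell
#!/bin/sh
# Added example: audit sudoers drop-in files for owner, mode and file name.
# Usage: audit_sudoers_d [directory] [expected_owner_uid]
# Defaults are /etc/sudoers.d and uid 0 (root). The function body runs in a
# subshell so its variables do not leak into the caller.
audit_sudoers_d() (
    dir="${1:-/etc/sudoers.d}"
    want_uid="${2:-0}"
    problems=0

    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and an empty glob
        name=${f##*/}

        # A drop-in named e.g. "myrule.conf" or "myrule~" is skipped by sudo,
        # so the rule inside it never takes effect.
        case "$name" in
            *.*|*"~")
                echo "NAME-SKIPPED $f"
                problems=$((problems + 1))
                continue ;;
        esac

        mode=$(stat -L -c '%a' -- "$f")   # octal permission bits
        uid=$(stat -L -c '%u' -- "$f")    # numeric owner

        if [ "$mode" != "440" ]; then
            echo "BAD-MODE $f (is $mode, expected 440)"
            problems=$((problems + 1))
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD-OWNER $f (uid $uid, expected $want_uid)"
            problems=$((problems + 1))
        fi
    done

    # Exit status 0 only when every file passed all checks.
    [ "$problems" -eq 0 ]
)
```

On a live system, run audit_sudoers_d as root with no arguments, then run visudo -c to confirm that the files also parse correctly.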