things i pick up along the way

.d directories, /etc/sudoers.d

In Linux, .d is a naming convention for configuration directories (it literally stands for “directory”). Instead of having to edit one big config file, you can just put individual files in the .d directory and they get included automatically.

Some services that have this:
/etc/apt/sources.list.d/ –> Lets you add extra sources to download packages from

/etc/cron.d/ –> Packages drop their system cronjobs here instead of editing the system crontab

/etc/sysctl.d/ –> Control low-level kernel parameters at runtime, like disabling IPv6 or tweaking TCP settings.

/etc/sudoers.d/

The main /etc/sudoers file typically contains this line:
@includedir /etc/sudoers.d

This means we can set extra rules in that .d directory. Typically we use that to only grant sudo rights to specific commands for certain users.

For example, we could have a user named deploy-user that can restart the app.

deploy-user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp
(systemctl is used to manage services, like systemctl start nginx)
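
One way to drop a rule like this into /etc/sudoers.d without breaking sudo (an added example, not part of the original notes): check the file name, syntax-check the rule with visudo, then install it root-owned with mode 0440. The function names and the drop-in name deploy-myapp are assumptions made up for this example.

```bash
#!/usr/bin/env bash
# Added example: helpers for installing a sudoers.d drop-in safely.
# Function names and the file name "deploy-myapp" are illustrative assumptions.

# sudo skips files in an included directory whose names contain a '.' or
# end in '~', so a drop-in named "deploy.conf" would be silently ignored.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build a rule limited to one fully specified command line.
# sudoers expects the command as an absolute path, so reject anything else.
render_rule() {
    local user="$1" cmd="$2"
    case "$cmd" in
        /*) ;;
        *) echo "command must be an absolute path" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$cmd"
}

# Write the rule to a temp file, syntax-check it with visudo, and only then
# install it into the .d directory as root:root with mode 0440. Run as root.
install_dropin() {
    local name="$1" user="$2" cmd="$3" dir="${4:-/etc/sudoers.d}" tmp
    valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    if render_rule "$user" "$cmd" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$dir/$name"
    else
        echo "rule rejected, nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}
```

Called as root, for example: install_dropin deploy-myapp deploy-user '/usr/bin/systemctl restart myapp'. A file that fails the visudo check never reaches /etc/sudoers.d, so a typo cannot lock everyone out of sudo.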

However: