The sudo command allows permitted users to execute commands as root or another user without sharing the root password, making it the preferred mechanism for privilege escalation on RHEL 8. Properly configuring sudo is a foundational security task: it creates an auditable record of privileged actions and limits blast radius when accounts are compromised. This tutorial walks through the /etc/sudoers syntax, drop-in configuration files in /etc/sudoers.d/, the wheel group shortcut, and how to verify and audit sudo permissions.

Prerequisites

  • A running RHEL 8 system with root access or an existing sudo-capable account
  • The sudo package installed (present by default on RHEL 8)
  • Basic familiarity with a terminal text editor such as vi or nano

Step 1 — Understanding the sudoers File and visudo

The main sudo policy lives in /etc/sudoers. Never edit this file with a regular text editor — always use visudo, which validates the syntax before saving and prevents you from locking yourself out of the system. A syntax error in /etc/sudoers disables sudo entirely until it is corrected.

# Open /etc/sudoers safely
sudo visudo

# Example sudoers rule syntax:
# user  host=(runas_user:runas_group)  commands
# alice ALL=(ALL:ALL) ALL

# Specify a different editor (if vi is unfamiliar)
sudo EDITOR=nano visudo

Step 2 — Granting Full sudo Access

The most permissive grant allows a user to run any command as any user. The NOPASSWD tag removes the password prompt, which is useful for service accounts or automated scripts but should be used with caution on interactive accounts.

# Full access with password prompt (recommended for humans)
alice ALL=(ALL) ALL

# Full access without password prompt (use sparingly)
alice ALL=(ALL) NOPASSWD:ALL

# Allow a user to run only specific commands
bob ALL=(ALL) /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd

# Allow a user to run commands as a specific other user
carol ALL=(webuser) NOPASSWD: /opt/myapp/scripts/deploy.sh

Step 3 — Using Drop-in Files in /etc/sudoers.d/

Instead of editing /etc/sudoers directly, place individual grant files in /etc/sudoers.d/. Sudo reads every file in that directory automatically. This approach keeps configurations modular and makes it easy to remove a grant by deleting a single file. File names must not contain a dot or end with a tilde: sudo skips such files, so a grant saved as deploy.conf would never take effect.

# Create a drop-in for the deploy user (use visudo -f to validate)
sudo visudo -f /etc/sudoers.d/deploy

# Contents of the file:
# deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp

# Set the standard sudoers mode 0440: read-only for owner and group, no access for others
sudo chmod 0440 /etc/sudoers.d/deploy

# List all drop-in files
ls -l /etc/sudoers.d/

Step 4 — Adding Users to the wheel Group

RHEL 8 ships with a pre-configured sudoers rule that grants all members of the wheel group full sudo access. Adding a user to this group is the simplest and most maintainable way to grant sudo rights without touching /etc/sudoers at all.

# Add an existing user to the wheel group
sudo usermod -aG wheel alice

# Verify group membership
id alice

# Confirm the wheel rule is active in /etc/sudoers
sudo grep -i wheel /etc/sudoers
# The output should include this uncommented rule: %wheel ALL=(ALL) ALL

Step 5 — Listing and Testing Permissions

Use sudo -l to display what commands a user is permitted to run. When combined with -U username, root can inspect another account’s permissions. Use sudo -u to execute a command as a specific user rather than root.

# List your own sudo permissions
sudo -l

# List permissions for another user (run as root)
sudo -l -U bob

# Run a command as another user
sudo -u webuser whoami
sudo -u postgres psql -c "SELECT version();"

# Run a shell as another user
sudo -u bob bash

Step 6 — Reviewing sudo Logs in /var/log/secure

Every sudo invocation — successful or not — is logged to /var/log/secure. Regular review of these logs helps detect unauthorized privilege escalation attempts. Each log entry records the calling user, the terminal, the target user, and the exact command executed.

# View recent sudo log entries
sudo grep sudo /var/log/secure | tail -20

# Watch for failed sudo attempts (wrong password or not in sudoers)
sudo grep -E "sudo.*NOT in sudoers|authentication failure" /var/log/secure

# Count sudo usage by user (command records only, so PAM session lines are not counted)
sudo grep -E 'sudo(\[[0-9]+\])?: .*COMMAND=' /var/log/secure | awk '{print $6}' | sort | uniq -c | sort -rn
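
The Step 6 review as a reusable filter, added here as an example rather than taken from the tutorial: it normalises sudo's command records, then totals allowed and refused requests per user. The sample lines (host name, PIDs, the user dave) are constructed, and the function names are hypothetical.

```shell
# Added example. Constructed sample lines in the /var/log/secure layout (not real logs).
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 rhel8 sudo[2101]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 10:15:01 rhel8 sudo[2101]: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar  3 10:16:40 rhel8 sudo[2150]:    dave : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Mar  3 10:17:02 rhel8 sudo[2177]: pam_unix(sudo:auth): authentication failure; logname=carol uid=1002 euid=0 tty=/dev/pts/2 ruser=carol rhost=  user=carol
Mar  3 10:17:20 rhel8 sudo[2177]:   carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl status httpd
Mar  3 10:20:00 rhel8 sudo[2201]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=webuser ; COMMAND=/opt/myapp/scripts/deploy.sh
EOF
}

# Normalise each sudo command record to: status<TAB>user<TAB>target<TAB>command
# Field 5 is the syslog tag ("sudo:" or "sudo[PID]:"); PAM lines have no COMMAND= and are skipped.
sudo_events() {
  awk '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && (i = index($0, "COMMAND=")) {
      # Split at the first COMMAND= so text inside the command is never read as a header field.
      head = substr($0, 1, i - 1); cmd = substr($0, i + 8)
      status = (head ~ /NOT in sudoers|command not allowed|incorrect password attempt/) ? "denied" : "allowed"
      target = head; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
      printf "%s\t%s\t%s\t%s\n", status, $6, target, cmd
    }'
}

# Per-user totals: "user allowed=N denied=M", sorted by user name.
sudo_summary() {
  sudo_events | awk -F'\t' '
    { seen[$2] = 1; n[$1, $2]++ }
    END { for (u in seen) printf "%s allowed=%d denied=%d\n", u, n["allowed", u], n["denied", u] }
  ' | sort
}

# Refused requests only: "user -> target: command", in log order.
sudo_denied() {
  sudo_events | awk -F'\t' '$1 == "denied" { printf "%s -> %s: %s\n", $2, $3, $4 }'
}

sample_log | sudo_summary
sample_log | sudo_denied
```

On a live system, feed the real log in place of the sample: sudo cat /var/log/secure | sudo_summary.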

Conclusion

You have configured sudo access using both direct /etc/sudoers rules and modular drop-in files, added users to the wheel group, tested permissions with sudo -l, executed commands as alternate users, and located the audit trail in /var/log/secure. These practices give you fine-grained, auditable privilege management on your RHEL 8 system.
