Initial Settings : Sudo Settings (2021/02/19)
Configure Sudo to separate users' duties when several people share administrative privileges.
Sudo does not need to be installed manually: it is installed by default, even in a Minimal installation.
[1] Transfer all root privileges to a user.
[root@dlp ~]#
# add to the end: user [cent] can use all root privileges
cent ALL=(ALL) ALL
# how to write ⇒ user host=(run-as user) command

# verify with user [cent]
[cent@dlp ~]$ /usr/bin/cat /etc/shadow
/usr/bin/cat: /etc/shadow: Permission denied      # denied normally
[cent@dlp ~]$ sudo /usr/bin/cat /etc/shadow
Password:      # user's own password
.....
chrony:!!:18163::::::
tcpdump:!!:18163::::::      # just executed
[2] In addition to the setting of [1], prohibit some commands. Note that the sudoers manual states that a "!" exclusion combined with ALL is not a reliable restriction, because the user is still allowed to run everything else as root; where the restriction matters, grant an explicit list of commands as in [3] and [4] instead.
[root@dlp ~]#
# line 49: add
# for example, set an alias for the shutdown-type commands
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
# add ( prohibit the commands in alias [SHUTDOWN] )
cent ALL=(ALL) ALL, !SHUTDOWN

# verify with user [cent]
[cent@dlp ~]$ sudo /usr/sbin/reboot
[sudo] password for cent:
Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.      # denied normally
[3] Transfer some commands with root privilege to users in a group.
[root@dlp ~]#
# line 51: add
# for example, set an alias for the user management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd
# add to the end
%usermgr ALL=(ALL) USERMGR

# verify with user [redhat] (a member of group [usermgr])
[redhat@dlp ~]$ sudo /usr/sbin/useradd testuser
[redhat@dlp ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.      # just executed
[4] Transfer a command with root privilege to a user.
[root@dlp ~]#
# add to the end: settings for each user
fedora ALL=(ALL) /usr/sbin/visudo
ubuntu ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian ALL=(ALL) /usr/bin/vi

# for example, verify with user [fedora]
[fedora@dlp ~]$ sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##      # just executed
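The rules from steps [1] to [4] can also be kept out of /etc/sudoers itself and installed as a drop-in under /etc/sudoers.d, which sudo reads by default, so that a typo can never lock root out of the main file. The script below is an added example, not part of the original page: it renders the page's own aliases and rules (cent, usermgr, fedora, ubuntu, debian; the ubuntu line uses the USERMGR alias, which expands to the same four commands), writes them to a temporary file, syntax-checks that file with "visudo -cf" and only then moves it into place with the 0440 mode sudo requires. The drop-in name 10-delegation and the "Defaults syslog=local1" line from step [5] are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): install the delegation rules
# from steps [1]-[4] as a validated sudoers drop-in.
# Users/groups come from the page; the file name 10-delegation is an assumption.
set -eu

# Print the drop-in content. Aliases and rules are the page's own.
render_sudoers_fragment() {
    cat <<'EOF'
# managed drop-in: keep these rules out of /etc/sudoers itself
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR  = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                      /usr/bin/passwd

# sudo log facility from step [5]
Defaults syslog=local1

cent     ALL=(ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL) USERMGR
fedora   ALL=(ALL) /usr/sbin/visudo
ubuntu   ALL=(ALL) USERMGR
debian   ALL=(ALL) /usr/bin/vi
EOF
}

# Syntax-check a candidate file with "visudo -cf" without installing it.
# Returns 0 when the file parses (or when visudo is not installed, with a
# notice on stderr), non-zero on a parse error.
check_fragment() {
    file=$1
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; skipping syntax check" >&2
        return 0
    fi
    visudo -cf "$file"
}

# Write the fragment next to its target, check it, then move it into place.
# The target only becomes visible to sudo after the check has passed.
install_fragment() {
    target=${1:-/etc/sudoers.d/10-delegation}
    tmp=$(mktemp "${target}.XXXXXX")
    render_sudoers_fragment > "$tmp"
    chmod 0440 "$tmp"
    if check_fragment "$tmp"; then
        mv "$tmp" "$target"
        echo "installed $target"
    else
        rm -f "$tmp"
        echo "refused to install: sudoers syntax error" >&2
        return 1
    fi
}

# usage (as root): sh sudoers-delegation.sh --install [/etc/sudoers.d/10-delegation]
if [ "${1:-}" = "--install" ]; then
    install_fragment "${2:-/etc/sudoers.d/10-delegation}"
fi
```

Running the check before the move is the whole point: sudo refuses to read a drop-in with a syntax error, but an error in /etc/sudoers itself breaks every sudo invocation on the host, so a drop-in plus "visudo -cf" is the safer way to roll these rules out.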
[5] Sudo logs can be read from Journald (with the [journalctl] command) or from Rsyslogd (in the [/var/log/secure] file), but if you'd like to keep only the Sudo logs in a separate file, configure as follows.
[root@dlp ~]#
# add to the end
# for example, output logs to the [local1] facility
Defaults syslog=local1

[root@dlp ~]# vi /etc/rsyslog.conf
# line 46,47: add like follows
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.*                                                /var/log/sudo.log
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

[root@dlp ~]# systemctl restart rsyslog
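A dedicated /var/log/sudo.log is only useful if someone reads it, and the lines worth reading first are the ones where sudoers rejected a command (as in step [2]) or the user failed authentication. The script below is an added example, not part of the original page: it classifies sudo's standard syslog lines into OK, DENIED and AUTHFAIL and counts the non-OK events per user. The log lines are constructed for the example in sudo's usual format, using the page's host (dlp) and users (cent, redhat, fedora); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): review /var/log/sudo.log from
# step [5] and surface denied commands and failed authentications.
set -eu

# Constructed sample of what rsyslog writes to /var/log/sudo.log with
# "Defaults syslog=local1". Real lines carry the same fields.
sample_sudo_log() {
    cat <<'EOF'
Feb 19 10:01:12 dlp sudo:     cent : TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Feb 19 10:02:45 dlp sudo:     cent : command not allowed ; TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/sbin/reboot
Feb 19 10:03:01 dlp sudo:   redhat : TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Feb 19 10:03:30 dlp sudo:   redhat : TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/bin/passwd testuser
Feb 19 10:05:02 dlp sudo:   fedora : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/visudo
Feb 19 10:06:10 dlp sudo:   fedora : TTY=pts/2 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/visudo
EOF
}

# Classify each sudo event as OK, DENIED (rejected by sudoers) or AUTHFAIL
# (wrong password). Prints "<class> <user> <target user> <command>" per line.
# Reads the files given as arguments, or stdin when none are given.
classify_sudo_events() {
    awk '
        / sudo: / {
            # everything after "sudo:" is "<user> : <status or fields>"
            split($0, parts, " sudo: ")
            body = parts[2]
            sub(/^ +/, "", body)
            user = body; sub(/ : .*/, "", user)
            cls = "OK"
            if (body ~ /command not allowed/)      cls = "DENIED"
            else if (body ~ /incorrect password/) cls = "AUTHFAIL"
            target = body; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
            cmd = body; sub(/.*COMMAND=/, "", cmd)
            print cls, user, target, cmd
        }' "$@"
}

# Count DENIED and AUTHFAIL events per user. Repeated denials from one
# account show someone probing the limits of their sudoers rule; repeated
# AUTHFAILs show password guessing against that account.
sudo_alerts_per_user() {
    classify_sudo_events "$@" | awk '$1 != "OK" { n[$2 " " $1]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# usage: sh sudo-log-review.sh /var/log/sudo.log
if [ $# -gt 0 ]; then
    sudo_alerts_per_user "$@"
fi
```

On the constructed sample this reports one DENIED event for cent (the /usr/sbin/reboot attempt from step [2]) and one AUTHFAIL for fedora; the same functions work on the real file once the rsyslog rule above is in place.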