Fedora 21

Sudo Settings
Configure sudo to separate duties when several people share administrative privileges.
There is no need to install sudo manually, because it is installed by default even with a "Minimal Install".
[1] Grant all root privileges to a user.
[root@dlp ~]#
# edit /etc/sudoers with visudo (it checks the syntax before saving) and add at the last line: user 'fedora' can use all root privileges

fedora  ALL=(ALL)       ALL
# format ⇒ user  host=(user to run as)  command
# verify as the user 'fedora'

[fedora@dlp ~]$
/bin/cat /etc/shadow

cat: /etc/shadow: Permission denied
# denied without sudo, as expected
[fedora@dlp ~]$
sudo /bin/cat /etc/shadow

# enter the user's own password (not root's)
# the command is executed
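[2] In addition to the setting in [1], disallow some commands. Note that a deny list layered on top of ALL is not a security boundary: the sudoers manual itself warns that a user who may run everything else can get around a '!' exclusion. Where restriction matters, list only the commands that are allowed, as in [3] and [4].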
[root@dlp ~]#
# near line 49: add an alias for the shutdown-related commands

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init
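# add: exclude the commands in alias 'SHUTDOWN' from what 'fedora' may run
# (the rule line itself is missing from this listing; in sudoers an alias is excluded by prefixing it with '!', as in 'ALL, !SHUTDOWN')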

# make sure with user 'fedora'

[fedora@dlp ~]$
sudo /sbin/shutdown -r now

Sorry, user fedora is not allowed to execute '/sbin/shutdown -r now' as root on dlp.srv.world.  
# denied, as expected
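[3] Allow the members of a group to run specific commands with root privilege. The user-management commands delegated below run as root and can modify any account, including root's, so treat membership of this group as highly trusted.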
[root@dlp ~]#
# near line 51: add an alias for the user management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
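# (the continuation line of the alias above is missing from this listing; step [4] and the passwd test below suggest it ended with /usr/bin/passwd)
# add to the end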

%usermgr ALL=(ALL) USERMGR
[root@dlp ~]#
groupadd usermgr

[root@dlp ~]#
usermod -G usermgr fedora

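# note: 'usermod -G' replaces the user's whole supplementary group list; use 'usermod -aG usermgr fedora' to add the group while keeping existing memberships
# verify as user 'fedora'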

[fedora@dlp ~]$
sudo /usr/sbin/useradd testuser

[fedora@dlp ~]$
# done normally

[fedora@dlp ~]$
sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:
# set testuser's password

Retype new UNIX password:
passwd: all authentication tokens updated successfully.
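[4] Allow individual users to run specific commands with root privilege. Note that some of the examples below are root-equivalent grants rather than limited ones: visudo lets the user rewrite the sudoers policy itself, and a general-purpose editor such as vi run as root can change any file on the system. Where a user only needs to edit particular files, a sudoedit rule restricted to those paths is the narrower option.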
[root@dlp ~]#
# add at the end

fedora  ALL=(ALL)       /usr/sbin/visudo
cent    ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu  ALL=(ALL)       /bin/vi

# make sure with user 'fedora'

[fedora@dlp ~]$
sudo /usr/sbin/visudo
# possible to open and edit

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
# make sure with user 'cent'

[cent@dlp ~]$
sudo /usr/sbin/userdel -r testuser

[cent@dlp ~]$
# normally done
# make sure with user 'ubuntu'

[ubuntu@dlp ~]$
sudo /bin/vi /boot/grub2/grub.cfg
# possible to open and edit

# grub.conf generated by anaconda
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
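[5] Sudo's logs are written to '/var/log/secure', but that file also contains many other kinds of log entries. To keep sudo's log in a separate file, configure it as follows. Because users with broad sudo rights can also alter local log files, consider forwarding these entries to a remote log host as well.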
[root@dlp ~]#
# add at the end

Defaults syslog=local1
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 54,55: add

local1.*                /var/log/sudo.log
# The authpriv file has restricted access.
authpriv.*              /var/log/secure

[root@dlp ~]#
systemctl restart rsyslog