Fedora 37

Initial Settings : Sudo Settings
Configure sudo to separate users' duties when several people share administrative privileges.
There is no need to install sudo manually, because it is installed by default even in a Minimal installation.
[1] Grant all root privileges to a user.
[root@dlp ~]#
# add to the end : user [fedora] can use all root privileges

fedora  ALL=(ALL)       ALL
# syntax ⇒ user  host=(run-as user)  command
# verify with user [fedora]

[fedora@dlp ~]$
/usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied  
# denied, as expected
[fedora@dlp ~]$
sudo /usr/bin/cat /etc/shadow

# enter the user's own password
# executed
[2] In addition to the setting in [1], prohibit some commands.
[root@dlp ~]#
# line 49 : add
# for example, define an alias for the shutdown family of commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( prohibit the commands in alias [SHUTDOWN] )

fedora  ALL=(ALL)       ALL, !SHUTDOWN

# verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/reboot

[sudo] password for fedora:
Sorry, user fedora is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.  
# denied, as expected
[3] Grant some commands with root privilege to the users in a group.
[root@dlp ~]#
# line 51 : add
# for example, define an alias for the user management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \

# add to the end

%usermgr ALL=(ALL) USERMGR
[root@dlp ~]#
groupadd usermgr

[root@dlp ~]#
usermod -aG usermgr redhat

# verify with user [redhat]

[redhat@dlp ~]$
sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$
sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.  
# executed
[4] Grant specific commands with root privilege to individual users.
[root@dlp ~]#
# add to the end : settings per user

fedora  ALL=(ALL)       /usr/sbin/visudo
ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian  ALL=(ALL)       /usr/bin/vi

# for example, verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
# executed
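The rules from steps [1] to [4] can also be kept in a drop-in under /etc/sudoers.d and checked with visudo before they go live. The script below is an added example, not part of the original page: it writes the page's aliases and grants (users fedora, ubuntu, debian; group usermgr; aliases SHUTDOWN and USERMGR) into a file in a temporary directory given by OUT_DIR (an assumption, so nothing touches the live configuration), then validates it. One caveat the sudoers manual itself states: subtracting commands from ALL with "!" as in step [2] is not an effective restriction, so treat "ALL, !SHUTDOWN" as a guardrail against accidents and prefer explicit allow lists like those in [3] and [4] where the restriction matters.

```shell
#!/bin/sh
# Added example (not from the page): build the rules from steps [1]-[4] as a
# sudoers drop-in and syntax-check it before it is installed. Names taken from
# the page: users fedora/ubuntu/debian, group usermgr, aliases SHUTDOWN/USERMGR.
# OUT_DIR is an assumption so the script never writes to /etc/sudoers.d itself.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
DROPIN="$OUT_DIR/90-delegation"

# Write the drop-in. Keeping rules in /etc/sudoers.d (pulled in by the stock
# "@includedir /etc/sudoers.d" line) leaves the distribution's sudoers untouched.
write_sudoers_dropin() {
    cat > "$DROPIN" <<'EOF'
# Command aliases: one place to maintain each list
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, \
                      /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR  = /usr/sbin/useradd, /usr/sbin/userdel, \
                      /usr/sbin/usermod, /usr/bin/passwd

# [1]+[2]: everything as root, minus the shutdown family (guardrail only)
fedora   ALL=(ALL)       ALL, !SHUTDOWN
# [3]: every member of group usermgr may run the user-management commands
%usermgr ALL=(ALL)       USERMGR
# [4]: per-user grants; the alias keeps ubuntu's list identical to the group's
ubuntu   ALL=(ALL)       USERMGR
debian   ALL=(ALL)       /usr/bin/vi
EOF
    # sudo ignores drop-ins that are writable by group or other
    chmod 0440 "$DROPIN"
    printf '%s\n' "$DROPIN"
}

# Fold "\"-continued lines so that one rule is one line (GNU sed)
join_continuations() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$DROPIN"
}

# Syntax check. "visudo -c -f FILE" parses a file without installing it and
# prints "FILE: parsed OK"; key on that string, because visudo may also warn
# about ownership when the file sits outside /etc/sudoers.d. Without visudo
# (e.g. on a build host) fall back to a shape check of every rule line.
check_sudoers_dropin() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$DROPIN" 2>&1 | grep -q 'parsed OK'
    else
        bad=$(join_continuations \
            | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            | grep -v -E '^(Cmnd_Alias [A-Z_]+[[:space:]]*=|%?[a-z]+[[:space:]]+ALL=\(ALL\))' \
            | wc -l | tr -d ' ')
        [ "$bad" -eq 0 ]
    fi
}

# Number of user/group rules (alias lines do not contain "ALL=(ALL)")
count_rules() {
    join_continuations | grep -c 'ALL=(ALL)'
}

write_sudoers_dropin
check_sudoers_dropin && echo "drop-in parses: $(count_rules) rules"
```

Once the check passes, the file can be copied into /etc/sudoers.d (mode 0440, owned by root) and the same `visudo -c` run again against the installed copy; sudo refuses to load a drop-in with the wrong mode, which is a useful failure because it is loud.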
[5] Sudo logs can be viewed via Journald ( with the [journalctl] command ) or Rsyslogd ( in the [/var/log/secure] file ), but if you would like to keep only the sudo logs in a separate file, configure as follows.
[root@dlp ~]#
# add to the end
# for example, send logs to the [local1] facility

Defaults syslog=local1
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 47,48 : add as follows

*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages
local1.*                /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.*              /var/log/secure

[root@dlp ~]#
systemctl restart rsyslog
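A dedicated sudo.log is mainly useful if something reads it. The script below is an added example, not part of the original page: it runs over four constructed lines in sudo's syslog format ("user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...") and pulls out the refusals, which are either a policy denial (the "not allowed" case seen in step [2]) or an exhausted password prompt. SUDO_LOG is an assumption so the script works on a temporary file instead of /var/log/sudo.log.

```shell
#!/bin/sh
# Added example (not from the page): triage the dedicated /var/log/sudo.log
# that step [5] produces. The four log lines below are constructed in sudo's
# syslog format; SUDO_LOG is an assumption so the script runs on a temp file.
set -eu

SUDO_LOG="${SUDO_LOG:-$(mktemp)}"

# Constructed sample: two allowed runs, one policy denial, one password failure
write_sample_log() {
    cat > "$SUDO_LOG" <<'EOF'
Mar  1 10:00:01 dlp sudo[1201]:   fedora : TTY=pts/0 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  1 10:00:05 dlp sudo[1202]:   fedora : command not allowed ; TTY=pts/0 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/reboot
Mar  1 10:01:10 dlp sudo[1203]:   redhat : TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Mar  1 10:02:30 dlp sudo[1204]:   debian : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/debian ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
EOF
}

# Refusals: a policy denial or an exhausted password prompt. Both are worth
# an alert, because a correctly delegated user rarely produces either.
sudo_denials() {
    grep -E 'command not allowed|incorrect password attempts' "$SUDO_LOG"
}

# One tab-separated "user<TAB>reason<TAB>command" line per refusal
sudo_denial_table() {
    sudo_denials | awk -F' ; ' '{
        split($1, head, " : ")          # "... sudo[pid]:   user" / "reason"
        n = split(head[1], w, " ")      # last whitespace-separated word is the user
        cmd = ""
        for (i = 1; i <= NF; i++)
            if (index($i, "COMMAND=") == 1) cmd = substr($i, 9)
        printf "%s\t%s\t%s\n", w[n], head[2], cmd
    }'
}

count_denials() { sudo_denials | wc -l | tr -d ' '; }

# Users with at least one refusal, space separated and sorted
denied_users() { sudo_denial_table | cut -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'; }

write_sample_log
echo "refusals: $(count_denials) (users: $(denied_users))"
sudo_denial_table
```

The same field layout is what journalctl shows for `_COMM=sudo`, so the awk logic carries over if the Journald route from step [5] is used instead of the rsyslog file; the only thing that changes is the source of the lines.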
