
Sudo Settings
Configure sudo to separate users' duties when several people share administrative privileges.
It is unnecessary to install sudo manually; it is installed by default, even with a "Minimal Install".
[1] On SUSE Linux the default sudo settings require the root password when using sudo, so change this so that users authenticate with their own password when using sudo. Comment out both indicated lines together: removing "Defaults targetpw" while leaving a default rule that grants every user root access (if present on the following line) would let any user run any command with only their own password.
dlp:~ #
# line 35,36: comment out

Defaults targetpw
[2] Grant all root privileges to a user.
dlp:~ #
# add to the end: user 'suse' can run any command as root

suse ALL=(ALL) ALL
# syntax ⇒ user host=(run-as user) command
# verify with user "suse"

/bin/cat /etc/shadow

/bin/cat: /etc/shadow: Permission denied    
# denied normally
sudo /bin/cat /etc/shadow

suse's password:    
# own password
# just executed
[3] In addition to the setting in [1], disallow some commands. Note that sudoers(5) documents that the '!' exclusion operator cannot reliably restrict a user who is otherwise granted ALL; treat such exclusions as a convenience, not a security boundary.
dlp:~ #
# near line 30: add an alias for the shutdown-type commands

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init
# add !SHUTDOWN after 'ALL,' ( commands in alias 'SHUTDOWN' are not allowed )

suse ALL=(ALL) ALL,
# verify with user "suse"

sudo /sbin/shutdown -r now

Sorry, user suse is not allowed to execute '/sbin/shutdown -r now' as root on dlp.  
# denied
[4] Grant some commands with root privilege to the users in a group.
dlp:~ #
# near line 30: add an alias for the user-management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
# add to the end

%usermgr ALL=(ALL) USERMGR
dlp:~ #
groupadd usermgr

dlp:~ #
usermod -G usermgr suse

# verify with user "suse"

sudo /usr/sbin/useradd testuser

# done normally

sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:    
# set testuser's password

Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[5] Grant specific commands with root privilege to individual users. Scope such grants carefully: an interactive editor run as root is effectively unrestricted root, visudo lets the user rewrite the sudo policy itself, and passwd without an argument restriction can change root's password.
dlp:~ #
# add at the end

suse    ALL=(ALL)  /usr/sbin/visudo
cent    ALL=(ALL)  /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/passwd
ubuntu  ALL=(ALL)  /usr/bin/vi

# verify with user "suse"

sudo /sbin/visudo
# possible to open and edit

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
# verify with user "cent"

sudo /sbin/userdel -r testuser

# done normally
# verify with user "ubuntu"

sudo /bin/vi /boot/grub2/grub.cfg
# possible to open and edit

# grub.conf generated by anaconda
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
[6] Sudo's logs are written to '/var/log/messages', which also holds many other kinds of logs. To keep only sudo's log in a separate file, configure as follows.
dlp:~ #
# add to the end

Defaults syslog=local7
dlp:~ #
vi /etc/syslog-ng/syslog-ng.conf
# line 84: remove "local7"

filter f_local     { facility(local0, local1, local2, local3,
        local4, local5, local6); };
# line 87: add

filter f_sudo     { facility(local7); };
# line 99: add

filter f_messages { not facility(news, mail) and not filter(f_iptables)
and not filter(f_sudo)
; };
# line 219: add

destination sudolog { file("/var/log/sudo.log"); };
log { source(src); filter(f_sudo); destination(sudolog); };
dlp:~ #
/etc/init.d/syslog restart

Shutting down syslog services
Starting syslog services