Initial Settings : Sudo Settings2019/04/22 |
Configure Sudo to separate users' duty if some people share privileges.
|
|
[1] | Install Sudo. |
root@dlp:~# apt install sudo |
[2] | Grant root privilege to a user all. |
root@dlp:~#
# add to the end: user [ubuntu] can use all root privilege ubuntu ALL=(ALL:ALL) ALL # how to write ⇒ [user] [host=(owner)] [command] # push [Ctrl + x] key to quit visudo
# verify with user [ubuntu]
ubuntu@dlp:~$
ubuntu@dlp:~$ /sbin/reboot Failed to set wall message, ignoring: Interactive authentication required. Failed to reboot system via logind: Interactive authentication required. Failed to open /dev/initctl: Permission denied Failed to talk to init daemon. # denied normally
[sudo] password for ubuntu:
# password of [ubuntu]
Session terminated, terminating shell... # run normally
|
[3] | In addition to the setting of [1], add settings that some commands are not allowed. |
root@dlp:~#
# add alias for the kind of shutdown commands # Cmnd alias specification # add (commands in alias [SHUTDOWN] are not allowed)
ubuntu ALL=(ALL:ALL) ALL, !SHUTDOWN
# verify with user [ubuntu] ubuntu@dlp:~$ [sudo] password for ubuntu: Sorry, user ubuntu is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu. # denied normally
|
[4] | Grant privilege of some commands to users in a group. |
root@dlp:~#
# add aliase for the kind of user management comamnds
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to the end %usermgr ALL=(ALL) USERMGR groupadd usermgr
root@dlp:~#
vi /etc/group # add a user in this group usermgr:x:1002: ubuntu # verify with user [ubuntu] ubuntu@dlp:~$ ubuntu@dlp:~$ # run normally ubuntu@dlp:~$ Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully |
[5] | Grant privilege of some commands to a user. |
root@dlp:~#
# add to the end fedora ALL=(ALL:ALL) /usr/sbin/visudo cent ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \ /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd suse ALL=(ALL:ALL) /usr/bin/vim # run normally ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. # verify with user [cent] cent@dlp:~$
cent@dlp:~$
# run normally
# verify with user [suse] # run normally # ~/.profile: executed by Bourne-compatible login shells. |
[6] | The logs for sudo are kept in '/var/log/auth.log', but there are many kind of logs in it. So if you'd like to keep only sudo's log in another file, Set like follows. |
root@dlp:~#
# add to the end Defaults syslog=local1
root@dlp:~#
vi /etc/rsyslog.d/50-default.conf # line 8: add local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
root@dlp:~# systemctl restart rsyslog
|
Sponsored Link |
|