Initial Settings : Sudo Settings 2026/04/24

Configure Sudo to separate users' duties when several people share administrative privileges.
|
[1] Install Sudo.

root@localhost:~# apt -y install sudo
[2] Grant all root privileges to a user.

root@localhost:~# visudo
# add to last line : user [ubuntu] can use all root privileges
ubuntu ALL=(ALL:ALL) ALL
# how to write : [user] [host=(owner)] [command]
# push [Ctrl + x] key to quit visudo

# verify with user [ubuntu]
ubuntu@dlp:~$ /usr/bin/ls -la /root
ls: cannot open directory '/root': Permission denied
# denied normally
ubuntu@dlp:~$ sudo /usr/bin/ls -la /root
[sudo] password for ubuntu:   # password of [ubuntu]
total 52
drwx------  4 root root  4096 Apr 24 04:54 .
drwxr-xr-x 20 root root  4096 Apr 24 04:14 ..
-rw-------  1 root root     5 Apr 24 04:31 .bash_history
-rw-r--r--  1 root root  3106 Apr 20 08:46 .bashrc
-rw-------  1 root root    20 Apr 24 04:48 .lesshst
drwxrwxr-x  3 root root  4096 Apr 24 04:54 .local
-rw-r--r--  1 root root   132 Apr 20 08:46 .profile
drwx------  2 root root  4096 Apr 24 04:15 .ssh
-rw-------  1 root root 12500 Apr 24 04:52 .viminfo
-rw-rw-r--  1 root root    11 Apr 24 04:52 .vimrc
# run normally
[3] In addition to the setting above, add a setting that disallows some commands.

root@localhost:~# visudo
# add alias for the kind of shutdown commands
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
# add (commands in alias [SHUTDOWN] are not allowed)
ubuntu ALL=(ALL:ALL) ALL, !SHUTDOWN

# verify with user [ubuntu]
ubuntu@dlp:~$ sudo /sbin/shutdown -r now
[sudo] password for ubuntu:
Sorry, user ubuntu is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
# denied normally
[4] Grant privilege of some commands to users in a group.

root@localhost:~# visudo
# add alias for the kind of user management commands
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to last line
%usermgr ALL=(ALL) USERMGR

# verify with user [ubuntu]
ubuntu@dlp:~$
ubuntu@dlp:~$
# run normally
ubuntu@dlp:~$
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[5] Grant privilege of some commands to a user.

root@localhost:~# visudo
# add to last line for each user setting
fedora ALL=(ALL:ALL) /usr/sbin/visudo
centos ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian ALL=(ALL:ALL) /usr/bin/vim

# run normally
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

# verify with user [centos]
centos@dlp:~$
centos@dlp:~$
# run normally

# verify with user [debian]
# run normally
# ~/.profile: executed by Bourne-compatible login shells.
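The entries in steps [2] to [5] share one grammar: a Cmnd_Alias names a list of commands, and each user specification follows [user] [host=(owner)] [command]. The script below is an added example written for this page, not part of the original tutorial or of sudo itself. It parses a sudoers fragment constructed to mirror the entries above (sample data, not a real /etc/sudoers), expands alias names inside each user specification, and flags the patterns a reviewer would want to catch before they reach the real file: negating commands under ALL (sudoers(5) warns that this is not an effective restriction), granting visudo itself, and granting an interactive editor directly instead of sudoedit. The names parse_sudoers, expand_commands and audit_sudoers belong to this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sudoers fragment mirroring the entries added in steps [2] to [5]
# above (sample data for this example, not a copy of any real /etc/sudoers).
SUDOERS_FRAGMENT = """\
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \\
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \\
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

# user specifications: [user] [host=(owner)] [command]
ubuntu ALL=(ALL:ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL) USERMGR
fedora ALL=(ALL:ALL) /usr/sbin/visudo
debian ALL=(ALL:ALL) /usr/bin/vim
"""

# user spec: who  host=(runas) commands   (the (runas) part is optional in sudoers)
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)=(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Interactive editors: granted directly they let the user edit any file as the
# runas user; sudoedit is the sudoers-provided way to edit files under policy.
EDITORS = {"/usr/bin/vim", "/usr/bin/vi", "/usr/bin/nano", "/bin/vi", "/bin/nano"}


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def parse_sudoers(text: str) -> Tuple[Dict[str, List[str]], List[Dict[str, object]]]:
    """Parse Cmnd_Alias definitions and user specifications (the subset used above)."""
    aliases: Dict[str, List[str]] = {}
    specs: List[Dict[str, object]] = []
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, cmds = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        specs.append({
            "who": m["who"],
            "host": m["host"],
            "runas": m["runas"] or "root",  # sudoers default when (owner) is omitted
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return aliases, specs


def expand_commands(commands: List[str], aliases: Dict[str, List[str]]) -> List[str]:
    """Replace alias names by their members, keeping the '!' negation on each member."""
    expanded: List[str] = []
    for cmd in commands:
        negated = cmd.startswith("!")
        name = cmd.lstrip("!")
        members = aliases.get(name, [name])
        expanded.extend(("!" if negated else "") + member for member in members)
    return expanded


def audit_sudoers(text: str) -> List[str]:
    """Return one finding per risky user specification; an empty list means none."""
    aliases, specs = parse_sudoers(text)
    findings: List[str] = []
    for spec in specs:
        who = spec["who"]
        expanded = expand_commands(spec["commands"], aliases)
        allowed = [c for c in expanded if not c.startswith("!")]
        denied = [c[1:] for c in expanded if c.startswith("!")]
        if "ALL" in allowed and denied:
            findings.append(
                f"{who}: ALL with !{{{', '.join(denied)}}} - sudoers(5) warns that "
                "negating commands under ALL is not an effective restriction"
            )
        if "/usr/sbin/visudo" in allowed:
            findings.append(f"{who}: may edit sudoers itself, equivalent to unrestricted root")
        for editor in sorted(EDITORS & set(allowed)):
            findings.append(f"{who}: {editor} granted directly; prefer sudoedit")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_FRAGMENT):
        print(finding)
```

Run it on the fragment and it reports the ubuntu, fedora and debian entries; the %usermgr group entry, which grants only the USERMGR alias, produces no finding. The parser deliberately rejects lines it does not understand rather than guessing, so a Defaults line or a User_Alias would have to be added to the grammar before the script is used on a full sudoers file.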
[6] Sudo logs can be viewed in Journald as follows.

root@localhost:~# journalctl -t sudo
Apr 24 04:56:30 ubuntu sudo[2910]: pam_unix(sudo:session): session opened for user root(uid=0) by ubuntu(uid=1000)
Apr 24 04:56:30 ubuntu sudo[2910]: ubuntu : TTY=/dev/ttyS0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/ls /root
Apr 24 04:56:30 ubuntu sudo[2910]: pam_unix(sudo:session): session closed for user root
Apr 24 04:56:37 ubuntu sudo[2924]: pam_unix(sudo:session): session opened for user root(uid=0) by ubuntu(uid=1000)
Apr 24 04:56:37 ubuntu sudo[2924]: ubuntu : TTY=/dev/ttyS0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/ls -la /root
Apr 24 04:56:37 ubuntu sudo[2924]: pam_unix(sudo:session): session closed for user root
.....
.....
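The journal above is the record a defender reads to see who ran what as root. The script below is an added example, not part of the original page or of sudo: it parses lines in the format `journalctl -t sudo` prints, separates the pam_unix session lines from sudo's own command records, lists refused requests (sudo logs these with a `command not allowed` reason, which is what a user sees as the "Sorry, user ... is not allowed" message of step [3]), and compares permitted commands against an expected set per invoker so that drift from the sudoers policy shows up. The journal excerpt and the function names are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed journald excerpt in the format shown by `journalctl -t sudo`
# above; the "command not allowed" line is what sudo records when a request is
# refused, as in step [3]. Sample data for this example only.
SAMPLE_JOURNAL = """\
Apr 24 04:56:30 ubuntu sudo[2910]: pam_unix(sudo:session): session opened for user root(uid=0) by ubuntu(uid=1000)
Apr 24 04:56:30 ubuntu sudo[2910]: ubuntu : TTY=/dev/ttyS0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/ls /root
Apr 24 04:56:30 ubuntu sudo[2910]: pam_unix(sudo:session): session closed for user root
Apr 24 04:56:37 ubuntu sudo[2924]: ubuntu : TTY=/dev/ttyS0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/ls -la /root
Apr 24 04:57:02 ubuntu sudo[2931]: ubuntu : command not allowed ; TTY=/dev/ttyS0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/shutdown -r now
Apr 24 04:58:10 ubuntu sudo[2940]: centos : TTY=/dev/ttyS1 ; PWD=/home/centos ; USER=root ; COMMAND=/usr/bin/passwd ubuntu
"""

# One sudo command record: an optional refusal reason precedes the TTY field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: "
    r"(?P<invoker>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one sudo command record; pam_unix session lines yield None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"] or ""  # empty reason: the command was permitted
    return rec


def parse_journal(text: str) -> List[Dict[str, str]]:
    """All command records from a journalctl -t sudo dump, in order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def denied_requests(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records sudo refused (policy denials carry a reason such as 'command not allowed')."""
    return [r for r in records if r["reason"]]


def commands_by_invoker(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Permitted command lines grouped by the user who invoked sudo."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if not r["reason"]:
            out[r["invoker"]].append(r["command"])
    return dict(out)


def unexpected_commands(records: List[Dict[str, str]],
                        expected: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Permitted runs whose executable is outside the set expected for that invoker.

    Invokers missing from `expected` are reported for every command they ran,
    which surfaces a sudoers entry nobody documented.
    """
    hits: List[Dict[str, str]] = []
    for r in records:
        if r["reason"]:
            continue
        executable = r["command"].split(" ", 1)[0]
        if executable not in expected.get(r["invoker"], set()):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    for r in denied_requests(recs):
        print(f"DENIED {r['ts']} {r['invoker']} -> {r['command']} ({r['reason']})")
    for invoker, cmds in commands_by_invoker(recs).items():
        print(f"{invoker}: {cmds}")
    # expected executables per invoker, constructed to match steps [2] and [5]
    policy = {"ubuntu": {"/usr/bin/ls"}, "centos": {"/usr/bin/passwd"}}
    print("unexpected:", unexpected_commands(recs, policy))
```

On a live host, feed it `journalctl -t sudo --no-pager` (or `-o short` output) instead of the embedded sample; the pam_unix session lines are skipped rather than mis-parsed, and a denial shows up as a record with a non-empty reason. The executable comparison uses only the first token of COMMAND, so it matches the granularity of a sudoers Cmnd_Alias entry that names a path without arguments.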