CentOS Stream 9

Initial Settings : Sudo Settings (2021/12/16)

Configure Sudo to separate users' duties when several people share administrative privileges.
There is no need to install sudo manually: it is installed by default, even in a Minimal installation.
[1] Grant all root privileges to a user.
[root@dlp ~]#
visudo
# add to the end : user [cent] can use all root privileges

cent  ALL=(ALL)       ALL

# syntax ⇒ user host=(run-as user) command
# verify with user [cent]

[cent@dlp ~]$
/usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied  
# denied normally
[cent@dlp ~]$
sudo /usr/bin/cat /etc/shadow

Password:     # user's own password

.....
.....
systemd-oom:!*:18957::::::
systemd-resolve:!*:18957::::::     # just executed
[2] In addition to the setting in [1], prohibit some commands.
[root@dlp ~]#
visudo
# line 25 : add
# for example, set alias for the kind of shutdown commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( prohibit commands in alias [SHUTDOWN] )
cent  ALL=(ALL)       ALL, !SHUTDOWN

# verify with user [cent]

[cent@dlp ~]$
sudo /usr/sbin/reboot

[sudo] password for cent:
Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.  
# denied normally
[3] Grant some commands with root privilege to users in a group.
[root@dlp ~]#
visudo
# line 25 : add

# for example, set alias for the kind of user management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd

# add to the end
%usermgr ALL=(ALL) USERMGR

[root@dlp ~]#
groupadd usermgr

[root@dlp ~]#
usermod -aG usermgr redhat

# verify with user [redhat]

[redhat@dlp ~]$
sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$
sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.  
# just executed
[4] Grant a specific command with root privilege to a user.
[root@dlp ~]#
visudo
# add to the end : settings for each user

fedora  ALL=(ALL)       /usr/sbin/visudo
ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian  ALL=(ALL)       /usr/bin/vi

# for example, verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##  
# just executed
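As an added example (not part of the original page and not sudo's own parser), the following small Python evaluator models how sudoers resolves the rules from steps [1] to [4]: Cmnd_Alias expansion, %group specs, and the `!` negation, with the last matching entry winning, as sudoers(5) specifies. The sudoers fragment and the group membership are constructed inline; real sudo supports far more syntax (Defaults, Host_Alias, tags, wildcards) than this covers.

```python
# Constructed sudoers fragment reproducing the rules from steps [1] to [4].
SUDOERS = """
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \\
    /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \\
    /usr/bin/passwd
cent     ALL=(ALL)  ALL, !SHUTDOWN
%usermgr ALL=(ALL)  USERMGR
fedora   ALL=(ALL)  /usr/sbin/visudo
debian   ALL=(ALL)  /usr/bin/vi
"""
# Constructed group membership standing in for /etc/group (step [3]).
GROUPS = {"usermgr": {"redhat"}}

def parse(text):
    """Return (aliases, specs); specs is a list of (user_or_%group, [cmds])."""
    aliases, specs = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = line.split("#", 1)[0].strip()              # drop comments
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif line:                                        # a user/group spec
            who, rest = line.split(None, 1)               # rest: 'ALL=(ALL)  cmds'
            specs.append((who, [c.strip() for c in rest.split(")", 1)[1].split(",")]))
    return aliases, specs

def expand(cmd, aliases):
    """Yield (negated, command) pairs, resolving Cmnd_Alias names recursively."""
    neg, name = cmd.startswith("!"), cmd.lstrip("!")
    if name in aliases:
        for sub in aliases[name]:
            for neg2, c in expand(sub, aliases):
                yield neg ^ neg2, c
    else:
        yield neg, name

def may_run(user, command, text=SUDOERS, groups=GROUPS):
    """Would sudoers let `user` run `command` as root? The last matching entry wins."""
    aliases, specs = parse(text)
    allowed = False
    for who, cmds in specs:
        in_group = who.startswith("%") and user in groups.get(who[1:], set())
        if not (in_group or who == user):
            continue
        for neg, c in (p for cmd in cmds for p in expand(cmd, aliases)):
            if c in ("ALL", command):
                allowed = not neg           # a '!' match after ALL denies
    return allowed
```

For example, `may_run("cent", "/usr/sbin/reboot")` is False because the `!SHUTDOWN` entry matches after `ALL`, while `may_run("redhat", "/usr/sbin/useradd")` is True through the `%usermgr` group.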
[5] Sudo logs can be viewed via Journald (with the [journalctl] command) or Rsyslogd (in the [/var/log/secure] file). If you would like to keep only Sudo logs in a separate file, configure as follows.
[root@dlp ~]#
visudo
# add to the end
# for example, output logs to [local1] facility

Defaults syslog=local1
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 46,47 : exclude [local1] from [/var/log/messages] and add a line for [/var/log/sudo.log] as follows

*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.*                                                /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

[root@dlp ~]#
systemctl restart rsyslog
