Initial Settings : Sudo Settings2024/04/26 |
Configure Sudo to separate users' duty if some people share privileges.
|
|
[1] | Install Sudo. |
root@localhost:~# apt -y install sudo |
[2] | Grant root privilege to a user all. |
root@localhost:~#
# add to last line : user [ubuntu] can use all root privilege ubuntu ALL=(ALL:ALL) ALL # how to write : [user] [host=(owner)] [command]
# push [Ctrl + x] key to quit visudo # verify with user [ubuntu]
ubuntu@dlp:~$
ubuntu@dlp:~$ /sbin/reboot Call to Reboot failed: Interactive authentication required. # denied normally [sudo] password for ubuntu: # password of [ubuntu] Session terminated, terminating shell... # run normally |
[3] | In addition to the setting of [1], add settings that some commands are not allowed. |
root@localhost:~#
# add alias for the kind of shutdown commands # Cmnd alias specification # add (commands in alias [SHUTDOWN] are not allowed)
ubuntu ALL=(ALL:ALL) ALL, !SHUTDOWN
# verify with user [ubuntu] ubuntu@dlp:~$
[sudo] password for ubuntu:
Sorry, user ubuntu is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
# denied normally
|
[4] | Grant privilege of some commands to users in a group. |
root@localhost:~#
# add alias for the kind of user management comamnds
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to the end %usermgr ALL=(ALL) USERMGR
# verify with user [ubuntu] ubuntu@dlp:~$ ubuntu@dlp:~$ # run normally ubuntu@dlp:~$ Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully |
[5] | Grant privilege of some commands to a user. |
root@localhost:~#
# add to last line for each user setting fedora ALL=(ALL:ALL) /usr/sbin/visudo centos ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \ /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd debian ALL=(ALL:ALL) /usr/bin/vim # run normally ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. # verify with user [centos] centos@dlp:~$
centos@dlp:~$
# run normally
# verify with user [debian] # run normally # ~/.profile: executed by Bourne-compatible login shells. |
[6] | It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/auth.log] file ), however, if you'd like to keep only Sudo logs in another file, Configure like follows. |
root@localhost:~#
# add to last line Defaults syslog=local1
root@localhost:~#
vi /etc/rsyslog.d/50-default.conf # line 8 : add local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
root@localhost:~# systemctl restart rsyslog
|
Sponsored Link |