Initial Settings : Configure Sudo2021/08/17 |
|
Configure Sudo to separate users' duty if some people share privileges.
|
|
| [1] | Install Sudo. |
|
root@dlp:~# apt -y install sudo |
| [2] | Transfer root privilege to a user all. |
|
root@dlp:~#
# add to the end : user [bullseye] can use all root privilege # how to write ⇒ destination host=(owner) command bullseye ALL=(ALL:ALL) ALL # push [Ctrl + x] key to quit visudo
# verify with user [bullseye] bullseye@dlp:~$ /usr/sbin/reboot
Failed to set wall message, ignoring: Access denied
Failed to reboot system via logind: Access denied
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied
bullseye@dlp:~$ sudo /usr/sbin/reboot
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for bullseye: # bullseye's password
.....
.....
# possible execute
|
| [3] | In addition to the setting [1], set that some commands are not allowed. |
|
root@dlp:~#
# add alias for the kind of shutdown commands # Cmnd alias specification Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \ /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl # add ( commands in alias [SHUTDOWN] are not allowed ) bullseye ALL=(ALL:ALL) ALL, !SHUTDOWN # verify with user [bullseye] bullseye@dlp:~$ sudo /usr/sbin/reboot [sudo] password for bullseye: Sorry, user bullseye is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world. # 拒否された
|
| [4] | Transfer some commands with root privilege to users in a group. |
|
root@dlp:~#
# add alias for the kind of user management commands # Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to the end
%usermgr ALL=(ALL:ALL) USERMGR
# verify with user [bullseye] bullseye@dlp:~$ sudo /usr/sbin/useradd testuser bullseye@dlp:~$ bullseye@dlp:~$ sudo /usr/bin/passwd testuser Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully # possible execute
|
| [5] | Transfer some specific commands with root privilege to a user. |
|
root@dlp:~#
# add to the end : set specific commands to each user
fedora ALL=(ALL:ALL) /usr/sbin/visudo
debian ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu ALL=(ALL:ALL) /usr/bin/vim
# possible open and edit ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## # verify with user [debian] debian@dlp:~$ sudo /usr/sbin/userdel -r testuser
debian@dlp:~$
# possible execute
# verify with user [ubuntu]
ubuntu@dlp:~$
sudo /usr/bin/vim /root/.profile
# possible open and edit # ~/.profile: executed by Bourne-compatible login shells. |
| [6] | It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/auth.log] file ), however, if you'd like to keep only Sudo logs in another file, Configure like follows. |
|
root@dlp:~#
# add to the end Defaults syslog=local1
root@dlp:~#
vi /etc/rsyslog.conf # line 61 : add local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
root@dlp:~# systemctl restart rsyslog
|
| Sponsored Link |