Initial Settings : Sudo Settings (2022/05/13)
Configure Sudo to separate users' duties when several people share privileges.
Sudo does not need to be installed manually, because it is installed by default even in a Minimal installed environment.
[1] Grant all root privileges to a user.

[root@dlp ~]# visudo
# add to the end : user [fedora] can use all root privileges
fedora ALL=(ALL) ALL
# syntax ⇒ user host=(run-as user) command

# verify with user [fedora]
[fedora@dlp ~]$ /usr/bin/cat /etc/shadow
/usr/bin/cat: /etc/shadow: Permission denied
# denied normally
[fedora@dlp ~]$ sudo /usr/bin/cat /etc/shadow
Password: # user's password
.....
chrony:!!:18163::::::
tcpdump:!!:18163::::::
# just executed
[2] In addition to the setting in [1], prohibit some commands.

[root@dlp ~]# visudo
# line 49 : add
# for example, set an alias for the shutdown family of commands
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( prohibit the commands in alias [SHUTDOWN] )
fedora ALL=(ALL) ALL, !SHUTDOWN

# verify with user [fedora]
[fedora@dlp ~]$ sudo /usr/sbin/reboot
[sudo] password for fedora:
Sorry, user fedora is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.
# denied normally
[3] Grant some commands with root privilege to the users in a group.

[root@dlp ~]# visudo
# line 51 : add
# for example, set an alias for the user management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd

# add to the end
%usermgr ALL=(ALL) USERMGR

# verify with user [redhat]
[redhat@dlp ~]$ sudo /usr/sbin/useradd testuser
[redhat@dlp ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# executed
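To show how sudo evaluates the rules written in steps [1] to [3] (Cmnd_Alias lists, a %group spec and the "ALL, !SHUTDOWN" exclusion), here is an added Python toy evaluator; it is not part of the original page and not sudo's own parser, and the group membership it uses for [redhat] is constructed for the example.

```python
import re

# Constructed sudoers fragment mirroring the rules from steps [1] to [3]. Toy
# evaluator for teaching only, not sudo's parser: it reads Cmnd_Alias lines and
# "user|%group HOST=(RUNAS) cmd, !cmd" specs, and ignores the host/runas fields.
SUDOERS = r"""
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd
fedora ALL=(ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL) USERMGR
"""
# Constructed group membership (assumed; the page does not list it).
GROUPS = {"redhat": {"usermgr"}, "fedora": set()}
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.*)$")


def parse(text):
    """Join backslash continuations, then collect aliases and user specs."""
    aliases, specs = {}, []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif m := SPEC_RE.match(line):
            specs.append((m.group(1), [c.strip() for c in m.group(4).split(",")]))
    return aliases, specs


def allowed(user, command, text=SUDOERS, groups=GROUPS):
    """True if the last matching entry permits `command`: sudo scans entries in
    order and the last match wins, so "ALL, !SHUTDOWN" means everything except
    the SHUTDOWN alias. sudoers(5) warns that '!' exclusions are not a reliable
    boundary; explicit allow-lists such as USERMGR are the safer pattern."""
    aliases, specs = parse(text)
    verdict = False
    for who, cmds in specs:
        in_group = who.startswith("%") and who[1:] in groups.get(user, set())
        if not (in_group or who == user):
            continue
        for entry in cmds:
            name = entry.lstrip("!")
            targets = aliases.get(name, [name])
            if "ALL" in targets or command in targets:
                verdict = not entry.startswith("!")
    return verdict
```

On a real host, ask the same questions of sudo itself: `visudo -c` checks the file's syntax and `sudo -l -U fedora` (as root) lists the privileges a user actually has.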
[4] Grant a command with root privilege to a user.

[root@dlp ~]# visudo
# add to the end : settings for each user
fedora ALL=(ALL) /usr/sbin/visudo
ubuntu ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian ALL=(ALL) /usr/bin/vi

# for example, verify with user [fedora]
[fedora@dlp ~]$ sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
# just executed
[5] Sudo logs can be viewed with Journald (the [journalctl] command) or Rsyslogd (the [/var/log/secure] file), but if you would like to keep only the Sudo logs in a separate file, configure as follows.
[root@dlp ~]# visudo
# add to the end
# for example, output logs to the [local1] facility
Defaults syslog=local1

[root@dlp ~]# vi /etc/rsyslog.conf
# line 47,48 : add as follows
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.* /var/log/secure

[root@dlp ~]# systemctl restart rsyslog