Fedora 38
Sponsored Link

Initial Settings : Sudo Settings2023/04/21
 
Configure Sudo to separate users' duty if some people share privileges.
It does not need to install sudo manually because it is installed by default even if Minimal installed environment.
[1] Transfer root privilege all to a user.
[root@dlp ~]#
visudo
# add to the end : user [fedora] can use all root privilege

fedora  ALL=(ALL)       ALL
# how to write ⇒ destination host=(owner) command
# verify with user [fedora]

[fedora@dlp ~]$
/usr/bin/cat /etc/shadow

/usr/bin/cat: /etc/shadow: Permission denied  
# denied normally
[fedora@dlp ~]$
sudo /usr/bin/cat /etc/shadow

Password:    
# user's password
.....
.....
systemd-coredump:!*:19312::::::
systemd-timesync:!*:19312::::::  
# just executed
[2] In addition to the setting of [1], set some commands prohibit.
[root@dlp ~]#
visudo
# line 49 : add
# for example, set alias for the kind of shutdown commands

Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
# add ( prohibit commands in alias [SHUTDOWN] )

fedora  ALL=(ALL)       ALL, !SHUTDOWN
# verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/reboot

[sudo] password for fedora:
Sorry, user fedora is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.  
# denied normally
[3] Transfer some commands with root privilege to users in a group.
[root@dlp ~]#
visudo
# line 51 : add
# for example, set alias for the kind of user management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
# add to the end

%usermgr ALL=(ALL) USERMGR
[root@dlp ~]#
groupadd usermgr

[root@dlp ~]#
usermod -aG usermgr redhat

# verify with user [redhat]

[redhat@dlp ~]$
sudo /usr/sbin/useradd testuser

[redhat@dlp ~]$
sudo /usr/bin/passwd testuser

Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.  
# executed
[4] Transfer a command with root privilege to a user.
[root@dlp ~]#
visudo
# add to the end: settings for each user

fedora  ALL=(ALL)       /usr/sbin/visudo
ubuntu  ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian  ALL=(ALL)       /usr/bin/vi
# for example, verify with user [fedora]

[fedora@dlp ~]$
sudo /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##  
# just executed
[5] It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/secure] file ), but if you'd like to keep only Sudo logs in another file, Configure like follows.
[root@dlp ~]#
visudo
# add to the end
# for example, output logs to [local1] facility

Defaults syslog=local1
[root@dlp ~]#
vi /etc/rsyslog.conf
# line 47,48 : add like follows

*.info;mail.none;authpriv.none;cron.none;local1.none   /var/log/messages
local1.*                /var/log/sudo.log

# The authpriv file has restricted access.
authpriv.*              /var/log/secure
[root@dlp ~]#
systemctl restart rsyslog

Matched Content