Ubuntu - Sudo - Configure privileges
Grant root privilege to a user
sudo visudo
Add to the end to allow testuser all root privileges:
- visudo
... testuser ALL=(ALL:ALL) ALL
Format is:
[user] [host=(owner)] [command]
Press [Ctrl + x] to save and quit visudo (nano is the default editor).
Verify with user testuser
testuser@sharewiz:~$ /sbin/reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.
# denied normally
testuser@sharewiz:~$ sudo /sbin/reboot
Session terminated, terminating shell… # run normally
Restrict some commands
Add settings so that some commands are not allowed.
sudo visudo
Add alias for the kind of shutdown commands:
- visudo
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
...
# Add to the end (commands in alias [SHUTDOWN] are not allowed)
testuser ALL=(ALL:ALL) ALL, !SHUTDOWN
Verify
With user testuser
sudo /sbin/shutdown -r now
returns:
Sorry, user testuser is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
Grant privilege of some commands to users in a group
sudo visudo
Add an alias for the kind of user management commands:
- visudo
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
...
# add to the end
%usermgr ALL=(ALL) USERMGR
Test
sudo groupadd usermgr
vi /etc/group
# add a user to this group
usermgr:x:1002:testuser
Verify with user testuser
sudo /usr/sbin/useradd testuser
sudo /usr/bin/passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Grant privilege of some commands to a user
sudo visudo
Add to the end
- visudo
...
testuser1 ALL=(ALL:ALL) /usr/sbin/visudo
testuser2 ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
testuser3 ALL=(ALL:ALL) /usr/bin/vim
Verify with user testuser1.
sudo /usr/sbin/visudo # run normally
Sudoers allows particular users to run various commands as the root user, without needing the root password.
Verify with user testuser2
sudo /usr/sbin/userdel -r testuser
Verify with user testuser3
sudo /usr/bin/vim /root/.profile # run normally, the file opens for editing:
# ~/.profile: executed by Bourne-compatible login shells.
Logs
The logs for sudo are kept in '/var/log/auth.log', but that file also contains many other kinds of logs.
If you'd like to keep only sudo's log in a separate file, set it up as follows.
sudo visudo
- visudo
... # Add to the end Defaults syslog=local1
Edit /etc/rsyslog.d/50-default.conf as root.
- /etc/rsyslog.d/50-default.conf
# line 8: add
local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
Restart rsyslog
sudo systemctl restart rsyslog