sudoers Configuration Provide Superuser Access To Normal User
SUDO means “Substitute for super user” or “Super user do”. Using sudo access or sudoers configuration normal user can execute commands as root privileges without providing them an root user password. sudoers configuration
This sudoers configuration will make super power to manage/provide access to particular for user, for particular command access. Even we can deny access to particular command and log every command user executes with sudo. Granular access management which makes most of the Linux Administrators life easier to mange security on user level.
sudoers Configuration Provide Superuser Access To Normal User
Let’s see How sudo works in example. In this example ravik user do not have sudo/administrator access to run /sbin related commands, below is the results.
[ravik@rhel7 ~]$ fdisk -l
fdisk: cannot open /dev/fd0: Permission denied
Now i would like to grant access to ravik user to fdisk command
Edit /etc/sudo configuration file and write the rule
First step is vi /etc/sudoers editing the sudo file
Create Command Alias
Cmnd_Alias FDISK = /usr/sbin/fdisk
Assign same command alias to particular user so that user will get access to that particular command
ravik ALL=(ALL) NOPASSWD: FDISK
Providing Access to Multiple Commands
Specify command alias and assign multiple commands to that like mentioned below
Cmnd_Alias MULTIPLE = /usr/sbin/fdisk, /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
Now assign to particular user to get all above commands permissions
aravi ALL=(ALL) NOPASSWD: MULTIPLE
Secure PATH instead of default path location
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Group Wise sudo Access
Instead of allocating permissions to all individual users you can simply provide access to group and join users to that will automatically get those commands execution access. Using this method will streamline the process of creating and adding users
Create group using below command, in this case i have used sudousers is the group name
# groupadd sudousers
Add members to sudousers who required sudo access/superuser access
# usermod -Ga sudousers aravi
Assign command access to group
# visudo %sudousers ALL=(ALL) NOPASSWD: MULTIPLE :wq <-- Save&Exit
Here on-words when you add user to sudousers group he will get all the commands access which you assign to that group in sudoers configuration
How to Restrict Command Access using Sudoers
Any command if you don’t want to give access to particular user or all the users you just need to add ! exclamation mark in front of command.
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, !/bin/umount
in this case umount command has been denied to execute in STORAGE alias. If you specify STORAGE alias to user can execute commands but not umount.
Defaults in Sudoers configuration
## Override built-in defaults Defauls syslog=auth, insults, syslog_goodpri=alert Defaults logfile=/var/log/sudo.log Default timestamp_timeout=0, log_year, tty_tickets Defauts mailto="aravikumar48@gmail.com", mail_always, mail_badpass, mail_no_user
Above sudoers configuration can help you to log the sudo commands to sudo.log file and send an email alert when user type bad password. Send logs to syslog server.
After all configuration sudoers file looks like below
That”s about sudoers configuration provide superuser access to normal user
Related Articles
Linux commands in regular day to day activities
Thanks for your wonderful Support and Encouragement