sudoers Configuration Provide Superuser Access To Normal User

SUDO means “Substitute for super user” or “Super user do”.  Using sudo access or sudoers configuration normal user can execute commands as root privileges without providing them an root user password. sudoers configuration

This sudoers configuration will make super power to manage/provide access to particular for user, for particular command access. Even we can deny access to particular command and log every command user executes with sudo. Granular access management which makes most of the Linux Administrators life easier to mange security on user level.

sudoers Configuration Provide Superuser Access To Normal User

Let’s see How sudo works in example. In this example ravik user do not have sudo/administrator access to run /sbin related commands, below is the results.

[ravik@rhel7 ~]$ fdisk -l
fdisk: cannot open /dev/fd0: Permission denied

Now i would like to grant access to ravik user to fdisk command

Edit /etc/sudo configuration file and write the rule

First step is vi /etc/sudoers editing the sudo file

Create Command Alias

Cmnd_Alias FDISK = /usr/sbin/fdisk

Assign same command alias to particular user so that user will get access to that particular command

ravik ALL=(ALL) NOPASSWD: FDISK

Providing Access to Multiple Commands

Specify command alias and assign multiple commands to that like mentioned below

Cmnd_Alias MULTIPLE = /usr/sbin/fdisk, /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

Now assign to particular user to get all above commands permissions

aravi    ALL=(ALL) NOPASSWD: MULTIPLE

Secure PATH instead of default path location

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Group Wise sudo Access

Instead of allocating permissions to all individual users you can simply provide access to group and join users to that will automatically get those commands execution access. Using this method will streamline the process of creating and adding users

Create group using below command, in this case i have used sudousers is the group name

# groupadd sudousers

Add members to sudousers who required sudo access/superuser access

# usermod -Ga sudousers aravi

Assign command access to group

# visudo
%sudousers       ALL=(ALL)    NOPASSWD:  MULTIPLE

:wq <-- Save&Exit

Here on-words when you add user to sudousers group he will get all the commands access which you  assign to that group in sudoers configuration

How to Restrict Command Access using Sudoers

Any command if you don’t want to give access to particular user or all the users you just need to add ! exclamation mark in front of command.

Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, !/bin/umount

in this case umount command has been denied to execute in STORAGE alias. If you specify STORAGE alias to user can execute commands but not umount.

Defaults in Sudoers configuration

## Override built-in defaults
Defauls syslog=auth, insults, syslog_goodpri=alert
Defaults logfile=/var/log/sudo.log
Default timestamp_timeout=0, log_year, tty_tickets
Defauts mailto="aravikumar48@gmail.com", mail_always, mail_badpass, mail_no_user

Above sudoers configuration can help you to log the sudo commands to sudo.log file and send an email alert when user type bad password. Send logs to syslog server.

After all configuration sudoers file looks like below

sudoers file

sudoers file

That”s about sudoers configuration provide superuser access to normal user

Related Articles

Linux commands in regular day to day activities

32 YUM command examples

User Administration Guide

For All Linux videos

Thanks for your wonderful Support and Encouragement

ARK

My Name is ARK. Expert in grasping any new technology, Interested in Sharing the knowledge. Learn more & Earn More

Leave a Reply

Your email address will not be published.