
Configure Sudo to separate users' duties when several people share administrative privileges.

[1] Install Sudo.

root@localhost:~# apt -y install sudo

[2] Grant all root privileges to a user.

root@localhost:~# visudo
# add to the end: user [soncq] can use all root privileges
soncq    ALL=(ALL:ALL) ALL

# format ⇒ [user] [host]=([run-as user]:[run-as group]) [command]
# push [Ctrl + x] key to quit visudo
# verify with user [soncq]
soncq@localhost:~$ /sbin/reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied normally
soncq@localhost:~$ sudo /sbin/reboot
[sudo] password for soncq:                # password of [soncq]

Session terminated, terminating shell...   # run normally

[3] In addition to the rule added above, add a setting so that some commands are not allowed. Note that sudoers command negation of this kind is not a reliable security boundary — the sudoers(5) manual warns that `!` exclusions are easily bypassed when the user is otherwise granted ALL — so where the restriction matters, prefer an allow-list of specific commands as in [4] and [5].

root@localhost:~# visudo
# add alias for the kind of shutdown commands
# Cmnd alias specification

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl 

# add (commands in the alias [SHUTDOWN] are not allowed)
soncq    ALL=(ALL:ALL) ALL, !SHUTDOWN

# verify with user [soncq]
soncq@localhost:~$ sudo /sbin/shutdown -r now
[sudo] password for soncq:

Sorry, user soncq is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
# denied normally

[4] Grant the privilege to run some commands to users in a group.

root@localhost:~# visudo
# add an alias for user management commands
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd 

# add to the end (the leading % means the rule applies to a group)
%usermgr ALL=(ALL) USERMGR
root@localhost:~# groupadd usermgr
root@localhost:~# vi /etc/group
# add the user to this group
usermgr:x:1002:soncq
# verify with user [soncq]
soncq@localhost:~$ sudo /usr/sbin/useradd testuser
soncq@localhost:~$     # run normally
soncq@localhost:~$ sudo /usr/bin/passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

[5] Grant the privilege to run some commands to specific users. Be aware that some of these commands effectively amount to full root: a user who can run visudo as root can rewrite the policy itself, and an interactive editor such as vim needs the NOEXEC tag (see sudoers(5)) if it is not meant to launch other programs as root.

root@localhost:~# visudo
# add to the end, one rule per user
fedora    ALL=(ALL:ALL) /usr/sbin/visudo
centos    ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
                        /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian    ALL=(ALL:ALL) /usr/bin/vim

# verify with user [fedora]
fedora@localhost:~$ sudo /usr/sbin/visudo
# run normally
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
# verify with user [centos]
centos@localhost:~$ sudo /usr/sbin/userdel -r testuser
centos@localhost:~$     # run normally
# verify with user [debian]
debian@localhost:~$ sudo /usr/bin/vim /root/.profile
# run normally
# ~/.profile: executed by Bourne-compatible login shells.

[6] Sudo logs can be viewed with Journald (the [journalctl] command) or Rsyslogd (the [/var/log/auth.log] file); however, if you'd like to keep the Sudo logs in a separate file, configure it as follows.

root@localhost:~# visudo
# add to the end (send Sudo log entries to the local1 syslog facility)
Defaults syslog=local1
root@localhost:~# vi /etc/rsyslog.d/50-default.conf
# line 8 : add (local1.none on the following lines keeps Sudo entries out of auth.log and syslog)
local1.*                        /var/log/sudo.log
auth,authpriv.*;local1.none     /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

root@localhost:~# systemctl restart rsyslog
