Ubuntu 22.04 LTS: Manage Sudo

ubuntu22-04

Initial Settings

This section explain how to install and configure Sudo to separate users' duty if some people share privileges.

Step [1] Install Sudo.


root@bizantum:~# apt -y install sudo

Step [2] Grant root privilege to a user all.


root@bizantum:~# visudo
# add to the end: user [ubuntu] can use all root privilege
ubuntu    ALL=(ALL:ALL) ALL

# how to write ⇒ [user] [host=(owner)] [command]
# push [Ctrl + x] key to quit visudo
# verify with user [ubuntu]
ubuntu@bizantum:~$ /sbin/reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied normally
ubuntu@bizantum:~$ sudo /sbin/reboot
[sudo] password for ubuntu:                # password of [ubuntu]

Session terminated, terminating shell...   # run normally

Step [3] In addition to the setting of Step [2], add settings that some commands are not allowed.


root@bizantum:~# visudo
# add alias for the kind of shutdown commands
# Cmnd alias specification

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl 

# add (commands in alias [SHUTDOWN] are not allowed)
ubuntu    ALL=(ALL:ALL) ALL, !SHUTDOWN

# verify with user [ubuntu]
ubuntu@bizantum:~$ sudo /sbin/shutdown -r now
[sudo] password for ubuntu:

Sorry, user ubuntu is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
# denied normally

Step [4] Grant privilege of some commands to users in a group.


root@bizantum:~# visudo
# add alias for the kind of user management comamnds
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd 

# add to the end
%usermgr ALL=(ALL) USERMGR
root@bizantum:~# groupadd usermgr
root@bizantum:~# vi /etc/group
# add a user in this group
usermgr:x:1002:ubuntu
# verify with user [ubuntu]
ubuntu@bizantum:~$ sudo /usr/sbin/useradd testuser
ubuntu@bizantum:~$     # run normally
ubuntu@bizantum:~$ sudo /usr/bin/passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Step [5] Grant privilege of some commands to a user.


root@bizantum:~# visudo
# add to the end for each user setting
fedora    ALL=(ALL:ALL) /usr/sbin/visudo
centos    ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
                        /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
debian    ALL=(ALL:ALL) /usr/bin/vim

# verify with user [fedora]
fedora@bizantum:~$ sudo /usr/sbin/visudo
# run normally
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
# verify with user [centos]
centos@bizantum:~$ sudo /usr/sbin/userdel -r testuser
centos@bizantum:~$     # run normally
# verify with user [debian]
debian@bizantum:~$ sudo /usr/bin/vim /root/.profile
# run normally
# ~/.profile: executed by Bourne-compatible login shells.

Step [6] It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/auth.log] file ), however, if you'd like to keep only Sudo logs in another file, Configure like follows.


root@bizantum:~# visudo
# add to the end
Defaults syslog=local1
root@bizantum:~# vi /etc/rsyslog.d/50-default.conf
# line 8 : add
local1.*                        /var/log/sudo.log
auth,authpriv.*;local1.none     /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

root@bizantum:~# systemctl restart rsyslog

Comments

Popular posts from this blog

Cyber Security: ISO 27001 Overview
Introduction ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for managing sensitive company information to ensure it remains secure. Understanding ISO 27001 is crucial for organizations aiming to protect their information assets.
Comprehensive Guide to Windows Subsystem for Linux (WSL): Benefits, Setup, and Usage
Introduction Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables natively on Windows 10, Windows 11, and Windows Server. It allows users to run a GNU/Linux environment directly on Windows, including most command-line tools, utilities, and applications.
Ultimate Guide to COBIT: Framework, Benefits, Implementation, and Impact
Introduction COBIT (Control Objectives for Information and Related Technologies) is a globally recognized framework for managing and governing enterprise IT. It provides comprehensive guidelines for organizations to achieve their objectives through the effective use of IT.
Understanding ISO/IEC 20000: A Comprehensive Guide to IT Service Management
Introduction ISO/IEC 20000 is an international standard for IT Service Management (ITSM). It provides a framework for managing and delivering IT services that meet business needs and customer requirements. The standard ensures consistent and high-quality IT service delivery through a set of processes and best practices.
Top SEO Tools for Digital Marketing: A Comprehensive Guide
Introduction In today's digital landscape, search engine optimization (SEO) is a critical component for any business looking to enhance its online presence and drive organic traffic. With the myriad of SEO tools available, navigating the digital marketing space can seem daunting. To streamline your efforts and achieve optimal results, it's essential to leverage the right tools that cater to your specific needs.
Debian 12 Bookworm: Install Kubeadm
Introduction In this article, we will explore the what, who, where, when, why, and how of Kubeadm functionality on the Debian 12 Bookworm platform, so let's get started.