Initial Settings : Sudo Settings |
Configure Sudo to separate users' duty if some people share privileges. It does not need to install sudo manually because it is installed by default even if Minimal installed environment. | |
| [1] | Transfer root privilege all to a user. |
[root@dlp ~]# # add to the end : user [cent] can use all root privilege cent ALL=(ALL) ALL # how to write ⇒ destination host=(owner) command # verify with user [cent] [cent@dlp ~]$ /usr/bin/cat /etc/shadow /usr/bin/cat: /etc/shadow: Permission denied # denied normally sudo /usr/bin/cat /etc/shadow Password: # user's own password ..... ..... systemd-oom:!*:18957:::::: systemd-resolve:!*:18957:::::: # just executed |
| [2] | In addition to the setting of [1], set some commands prohibit. |
[root@dlp ~]# # line 25 : add # for example, set alias for the kind of shutdown commands Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \ /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl # add ( prohibit commands in alias [SHUTDOWN] ) cent ALL=(ALL) ALL, !SHUTDOWN # verify with user [cent] [cent@dlp ~]$ sudo /usr/sbin/reboot [sudo] password for cent: Sorry, user cent is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world. # denied normally |
| [3] | Transfer some commands with root privilege to users in a group. |
[root@dlp ~]# # line 25 : add # for example, set alias for the kind of user management commands Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
# add to the end
%usermgr ALL=(ALL) USERMGR
# verify with user [redhat] [redhat@dlp ~]$ sudo /usr/sbin/useradd testuser [redhat@dlp ~]$ sudo /usr/bin/passwd testuser Changing password for user testuser. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. # just executed |
| [4] | Transfer a command with root privilege to a user. |
[root@dlp ~]# # add to the end : settings for each user fedora ALL=(ALL) /usr/sbin/visudo ubuntu ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd debian ALL=(ALL) /usr/bin/vi # for example, verify with user [fedora] [fedora@dlp ~]$ ## Sudoers allows particular users to run various commands assudo /usr/sbin/visudo ## the root user, without needing the root password. ## # just executed |
| [5] | It's possible to display Sudo logs on Journald ( with [journalctl] command ) or Rsyslogd ( in [/var/log/secure] file ), however, if you'd like to keep only Sudo logs in another file, Configure like follows. |
[root@dlp ~]# # add to the end # for example, output logs to [local1] facility Defaults syslog=local1 [root@dlp ~]# vi /etc/rsyslog.conf # line 46,47 : add like follows *.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages local1.* /var/log/sudo.log # The authpriv file has restricted access. authpriv.* /var/log/secure[root@dlp ~]# systemctl restart rsyslog |
No comments:
Post a Comment