====== Ubuntu - Sudo - Configure privileges ======
===== Grant root privilege to a user =====
sudo visudo
Add to the end to allow testuser all root privileges:
...
testuser ALL=(ALL:ALL) ALL
The format of an entry is:
[user] [host]=([run-as user]:[run-as group]) [command]
Press [Ctrl + x] to save and quit visudo (its editor is nano by default on Ubuntu).
----
===== Verify with user testuser =====
testuser@sharewiz:~$ /sbin/reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.
# denied, as expected
testuser@sharewiz:~$ sudo /sbin/reboot
Session terminated, terminating shell... # runs, as expected
----
===== Restrict some commands =====
Add settings so that some commands are not allowed. Note that the sudoers manual warns that such '!' exclusions are not a strong boundary once a user has been granted ALL, so where possible grant only the commands the user actually needs.
sudo visudo
Add a command alias for the shutdown-type commands:
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
...
# Add: everything is allowed except the commands in alias [SHUTDOWN]
testuser ALL=(ALL:ALL) ALL, !SHUTDOWN
----
==== Verify ====
With user testuser, running
sudo /sbin/shutdown -r now
returns:
Sorry, user testuser is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
----
===== Grant privilege of some commands to users in a group =====
sudo visudo
Add an alias for the user management commands:
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
...
# add to the end
%usermgr ALL=(ALL) USERMGR
----
==== Test ====
sudo groupadd usermgr
sudo vi /etc/group
# add testuser to this group
usermgr:x:1002:testuser
----
Verify with user testuser
sudo /usr/sbin/useradd testuser
sudo /usr/bin/passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
----
===== Grant privilege of some commands to a user =====
sudo visudo
Add to the end:
...
testuser1 ALL=(ALL:ALL) /usr/sbin/visudo
testuser2 ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
testuser3 ALL=(ALL:ALL) /usr/bin/vim
Verify with user testuser1.
sudo /usr/sbin/visudo
# run normally
----
Sudoers allows particular users to run various commands as the root user, without needing the root password.
Verify with user testuser2
sudo /usr/sbin/userdel -r testuser
----
Verify with user testuser3
sudo /usr/bin/vim /root/.profile
~/.profile: executed by Bourne-compatible login shells.
Keep in mind that an interactive editor run as root can itself launch other programs, so this rule is effectively full root; to let a user edit specific files, sudoedit (sudo -e) is the safer choice.
----
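To see how sudo combines the pieces from the sections above, here is an added example (my own, not code from this page or from the sudo project) that models the subset of sudoers syntax used here: Cmnd_Alias expansion, user and %group specs, ALL, and '!' exclusions, applying sudo's rule that the last matching entry decides. The sudoers text is a constructed sample assembled from the rules above.

```python
import re

# Constructed sample built from the rules shown on this page (not a real /etc/sudoers).
SUDOERS = r"""
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
Defaults syslog=local1
testuser  ALL=(ALL:ALL) ALL, !SHUTDOWN
%usermgr  ALL=(ALL) USERMGR
testuser1 ALL=(ALL:ALL) /usr/sbin/visudo
"""

def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs); backslash line continuations are joined."""
    aliases, specs = {}, []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        who, rest = line.split(None, 1)            # [user] [host]=([run-as]) [commands]
        host, rest = rest.split("=", 1)
        m = re.match(r"\s*(?:\(([^)]*)\))?\s*(.*)$", rest)
        runas = (m.group(1) or "root").split(":")[0]   # omitted run-as means root
        specs.append((who, host.strip(), runas, [c.strip() for c in m.group(2).split(",")]))
    return aliases, specs

def allowed(text, user, groups, command, runas="root", host="ALL"):
    """Evaluate like sudo: the LAST matching command entry wins, so a trailing
    '!ALIAS' revokes what an earlier 'ALL' granted."""
    aliases, specs = parse_sudoers(text)
    prog = command.split()[0]
    verdict = False
    for who, h, ru, cmds in specs:
        who_ok = (who[1:] in groups) if who.startswith("%") else who == user
        if not who_ok or h not in ("ALL", host) or ru not in ("ALL", runas):
            continue
        for entry in cmds:
            neg = entry.startswith("!")
            for c in aliases.get(entry.lstrip("!"), [entry.lstrip("!")]):
                if c == "ALL" or c == prog:            # a bare path matches any arguments
                    verdict = not neg
    return verdict
```

Running allowed(SUDOERS, "testuser", [], "/sbin/shutdown -r now") reproduces the "not allowed" result shown above, while the same user can still run other commands.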
===== Logs =====
The logs for sudo are written to '/var/log/auth.log', but that file also collects many other kinds of authentication logs.
If you would rather keep sudo's log in a separate file, configure it as follows.
sudo visudo
...
# Add to the end
Defaults syslog=local1
Edit /etc/rsyslog.d/50-default.conf as root.
# line 8: add the local1 rule, and append local1.none to the existing auth.log line so sudo entries are no longer duplicated there
local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
----
==== Restart rsyslog ====
sudo systemctl restart rsyslog