sudo visudo
Add to the end to allow testuser all root privileges:
<code>
...
testuser ALL=(ALL:ALL) ALL
</code>
Format is:
[user] [host=(owner)] [command]
Push [Ctrl + x] key to quit visudo.
<code bash>
testuser@sharewiz:~$ /sbin/reboot
Failed to set wall message, ignoring: Interactive authentication required.
Failed to reboot system via logind: Interactive authentication required.
Failed to open /dev/initctl: Permission denied
Failed to talk to init daemon.    # denied normally
</code>
testuser@sharewiz:~$ sudo /sbin/reboot
Session terminated, terminating shell… # run normally
Add settings so that some commands are not allowed.
sudo visudo
Add alias for the kind of shutdown commands:
<code>
# Cmnd alias specification
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
...
# Add (commands in alias [SHUTDOWN] are not allowed)
testuser ALL=(ALL:ALL) ALL, !SHUTDOWN
</code>
With user testuser
sudo /sbin/shutdown -r now
returns:
Sorry, user testuser is not allowed to execute '/sbin/shutdown -r now' as root on ubuntu.
sudo visudo
Add an alias for the user management commands:
<code>
# Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
...
# add to the end
%usermgr ALL=(ALL) USERMGR
</code>
sudo groupadd usermgr
<code>
vi /etc/group
# add a user in this group
usermgr:x:1002:testuser
</code>
Verify with user testuser
<code>
sudo /usr/sbin/useradd testuser
sudo /usr/bin/passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
</code>
sudo visudo
Add to the end
<code>
...
testuser1 ALL=(ALL:ALL) /usr/sbin/visudo
testuser2 ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
testuser3 ALL=(ALL:ALL) /usr/bin/vim
</code>
Verify with user testuser1.
sudo /usr/sbin/visudo # run normally
Sudoers allows particular users to run various commands as the root user, without needing the root password.
Verify with user testuser2
sudo /usr/sbin/userdel -r testuser
Verify with user testuser3
sudo /usr/bin/vim /root/.profile
~/.profile: executed by Bourne-compatible login shells.
The logs for sudo are kept in '/var/log/auth.log', but that file also contains many other kinds of log entries.
So if you'd like to keep only sudo's log in a separate file, configure it as follows.
sudo visudo
<code>
...
# Add to the end
Defaults syslog=local1
</code>
Edit /etc/rsyslog.d/50-default.conf as root.
<code>
# line 8: add
local1.*                        /var/log/sudo.log
auth,authpriv.*;local1.none     /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
</code>
sudo systemctl restart rsyslog
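The following Python script is an added example, not part of the original page: it parses the entries sudo writes to /var/log/sudo.log with the setup above and lists the requests sudo rejected, such as the denied SHUTDOWN commands. The sample lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the format sudo writes to syslog (not real logs).
SAMPLE_LOG = """\
Mar  3 10:14:10 ubuntu sudo: testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/usr/sbin/useradd demo
Mar  3 10:15:02 ubuntu sudo: testuser : command not allowed ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/sbin/shutdown -r now
Mar  3 10:15:40 ubuntu sudo: testuser : command not allowed ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/sbin/reboot
Mar  3 10:16:05 ubuntu sudo: testuser2 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser2 ; USER=root ; COMMAND=/usr/sbin/userdel -r testuser
Mar  3 10:17:30 ubuntu sudo: guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/vim /root/.profile
Mar  3 10:18:00 ubuntu rsyslogd: constructed unrelated line that must be skipped
"""

# "sudo:" or "sudo[pid]:", then the invoking user, then " : " and the fields.
ENTRY = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")

def parse_line(line):
    """Return a dict for one sudo log entry, or None for any other line."""
    m = ENTRY.search(line)
    if not m:
        return None
    # COMMAND is always the last field and may contain " ; ", so split it off first.
    head, _, command = m["body"].partition("COMMAND=")
    rec = {"user": m["user"], "status": "ok", "COMMAND": command}
    for part in filter(None, head.split(" ; ")):
        key, sep, value = part.partition("=")
        if sep and key.isupper():
            rec[key] = value          # TTY, PWD, USER
        else:
            rec["status"] = part      # e.g. "command not allowed"
    return rec

def rejected(log_text):
    """Entries sudo refused: policy denials, bad passwords, unknown users."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [r for r in recs if r["status"] != "ok"]

def denials_per_user(log_text):
    """Count rejected sudo requests per invoking user."""
    return Counter(r["user"] for r in rejected(log_text))

if __name__ == "__main__":
    for r in rejected(SAMPLE_LOG):
        print(f'{r["user"]:<10} {r["status"]:<30} {r["COMMAND"]}')
```

To review real entries, pass the contents of /var/log/sudo.log to `rejected()` in place of `SAMPLE_LOG`.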