RHCSA - Manage Users & Groups: Configure Superuser Access
Understanding /etc/sudoers and /etc/sudoers.d/
The /etc/sudoers file controls who can use the sudo command and specifies the level of access they have. It is a plain text file that should be edited with visudo. Modifying the /etc/sudoers file should be done with caution, as any mistakes can potentially lead to system vulnerabilities or lockouts.
The /etc/sudoers.d/ directory is where individual sudo configuration files can be placed; they are typically named after the user or group the configuration relates to.
The sudoers files consist of user specifications and command specifications. User specifications define which users or groups are allowed to execute commands with elevated privileges. Command specifications define which commands users are allowed to run with elevated privileges and any additional restrictions or options.
To edit the /etc/sudoers file it is recommended to run visudo, as this tool performs syntax checks that help mitigate the risk of breaking the file. For drop-in files under /etc/sudoers.d/ you have to specify the file with the -f option, for example: visudo -f /etc/sudoers.d/user1
Below are just some of the configuration options available to fine-tune the sudo command's behavior:
- User Specification: The user specification allows you to define who can use the sudo command. It follows the format: username host=(runasuser:runasgroup) command
  Here's an explanation of each field:
  - username: This field specifies the user or user alias to which the user specification applies. You can use the actual username, a user alias, or a group name prefixed with % (for example %admin).
  - host: The host field specifies the hosts on which the user is allowed to run the specified command. You can use the ALL wildcard to allow the user to run the command on any host.
  - runasuser: This field defines the user the command will be run as. It can be a username or user alias. If omitted, it defaults to root. You can use the ALL wildcard to allow the user to run the command as any user.
  - runasgroup: The runasgroup field specifies the group the command will be run as. If omitted, it defaults to the primary group of runasuser. You can use the ALL wildcard to allow the user to run the command as any group.
  - command: The command field specifies the command or command alias that the user is allowed to run with sudo. It can be the full path to the command or a command alias defined in the file.
- Run as Another User: To allow a user to execute commands as another user, use the Runas_Spec option. It follows the format: username ALL=(targetuser) ALL
  Replace username with the actual username of the user who should have access, and targetuser with the username of the user they should be able to execute commands as.
- Command Aliases: Command aliases allow you to define groups of commands for easier management. You can specify a command alias using the Cmnd_Alias option: Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot
  A user specification whose command field references SHUTDOWN_CMDS then allows those users to run the /sbin/poweroff and /sbin/reboot commands.
- Restricting Command Arguments: You can restrict users to a specific command and its arguments by giving the full command line in the command field, optionally combined with the NOPASSWD tag: username ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
  This allows the user to run apt-get update, and only that argument, without entering their password.
- Limiting Run Time: The timestamp_timeout option sets the time in minutes before the user needs to enter their password again when running sudo: Defaults timestamp_timeout=30
  This sets the timeout to 30 minutes.
- Logging: The logfile option allows you to specify a custom log file for sudo commands: Defaults logfile=/var/log/sudo.log
  This logs sudo commands to /var/log/sudo.log.
sudo Command
The sudo command allows users to execute commands as another user, typically the root user, with elevated privileges. It provides a way to delegate specific administrative tasks to authorized users without giving them full superuser access.
The table below shows some common options that are used with the sudo command:
Option | Description
---|---
-u, --user <username> | Specifies the username of the user under which you want to execute the command.
-s, --shell | Executes the command within a shell, using the target user's permissions and environment.
-E, --preserve-env | Ensures that the invoking user's environment variables are retained when running the command, maintaining their context.
-i, --login | Initiates a login shell as the target user, emulating a direct user login with the associated environment settings.
Exercises
Update the default timeout option to extend the period before a sudo password is required again:
Open the /etc/sudoers file:
sudo visudo
Edit or add the timestamp_timeout option in the file, setting the timeout to 30 minutes:
Defaults timestamp_timeout=30
The default timeout is 5 minutes, so you will soon notice having to enter your password a lot less.

Log in as the root user:
Using sudo to log in as root is useful in environments where you do not want to share the password for the root account, and it helps audit logins:
sudo -i
Log out of the root account:
exit

Allow the web admin user to manage the httpd service:
Create the web admin user:
sudo useradd web_admin
Install httpd if required:
sudo yum install -y httpd
Create the drop-in file /etc/sudoers.d/web_admin with the required configuration:
sudo visudo -f /etc/sudoers.d/web_admin
Add the contents:
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
Switch to the web_admin user:
sudo su - web_admin
Start and stop the httpd service to prove sudo access is working:
sudo systemctl start httpd && echo started
sudo systemctl stop httpd && echo stopped
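As an added example that is not part of the original page, the POSIX shell script below lints a sudoers drop-in before it is placed under /etc/sudoers.d/. It applies the user-specification rules explained earlier (command field must be an absolute path or a Cmnd_Alias name; NOPASSWD combined with ALL is flagged as passwordless root) to a copy of the exercise's web_admin file and to a deliberately broken file, checks the file-name rule sudo applies to that directory (names containing '.' or ending in '~' are ignored), warns about group- or world-writable files, and runs visudo -cf only if visudo happens to be installed. The function names lint_sudoers_file and make_samples and both sample files are constructed for this example; everything is written to a temporary directory, never to /etc.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-installation lint for a
# sudoers drop-in. Function names, sample file names and sample contents are
# constructed for this demonstration; nothing is written under /etc.

# lint_sudoers_file FILE
# Prints one finding per line (empty output means nothing was flagged):
#   SKIPPED-BY-SUDO    name contains '.' or ends in '~', so sudo ignores the file
#   WRITABLE           file is group- or world-writable (expected mode 0440)
#   PASSWORDLESS-ROOT  a user specification grants "NOPASSWD: ALL"
#   RELATIVE-COMMAND   a command is neither an absolute path nor a Cmnd_Alias
#   MALFORMED          a user specification has no '=' separator
#   SYNTAX             visudo -cf rejected the file (only when visudo exists)
lint_sudoers_file() {
    f=$1
    base=$(basename "$f")
    case "$base" in
        *.*|*~) echo "SKIPPED-BY-SUDO: '$base' contains '.' or ends in '~'" ;;
    esac
    # ls -l mode string: position 6 is group write, position 9 is other write
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) echo "WRITABLE: $base is $mode, expected 0440" ;;
    esac
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }     # Defaults and alias definitions
        {
            line = $0
            n = index(line, "=")
            if (n == 0) { print "MALFORMED: " line; next }
            rhs = substr(line, n + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)        # strip the (runasuser:runasgroup) part
            nopasswd = 0
            ncmd = split(rhs, cmds, ",")
            for (i = 1; i <= ncmd; i++) {
                cmd = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                # Tags (NOPASSWD:, PASSWD:, SETENV:, ...) prefix a command and carry over to later ones
                while (cmd ~ /^[A-Z]+:/) {
                    if (cmd ~ /^NOPASSWD:/) nopasswd = 1
                    if (cmd ~ /^PASSWD:/) nopasswd = 0
                    sub(/^[A-Z]+:[ \t]*/, "", cmd)
                }
                sub(/^!+/, "", cmd)                       # negated entries are still paths
                if (cmd == "ALL") {
                    if (nopasswd) print "PASSWORDLESS-ROOT: " line
                    continue
                }
                # Upper-case names are Cmnd_Alias references; anything else must be absolute
                if (cmd !~ /^\// && cmd !~ /^[A-Z][A-Z0-9_]*$/) print "RELATIVE-COMMAND: " cmd
            }
        }' "$f"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null 2>&1 || echo "SYNTAX: visudo rejected $base"
    fi
    return 0
}

# make_samples DIR: writes two constructed drop-ins into DIR
make_samples() {
    dir=$1
    # Constructed sample 1: the web_admin drop-in from the exercise (valid, mode 0440)
    cat > "$dir/web_admin" <<'EOF'
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
EOF
    chmod 0440 "$dir/web_admin"
    # Constructed sample 2: a bad file name, a bad mode, and two risky entries
    cat > "$dir/dave.conf" <<'EOF'
# dave: passwordless root plus a command without an absolute path
Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot
dave ALL=(ALL) NOPASSWD: ALL
dave ALL=(ALL) systemctl restart httpd, SHUTDOWN_CMDS
EOF
    chmod 0666 "$dir/dave.conf"
}

# Stand-alone run over the constructed samples in a temporary directory
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for sample in "$demo_dir"/*; do
    echo "== $(basename "$sample")"
    lint_sudoers_file "$sample"
done
rm -rf "$demo_dir"
```

In the demo run the web_admin copy produces no findings, while dave.conf is reported as skipped by sudo (the '.' in its name), writable, granting passwordless root, and containing the relative command systemctl restart httpd; the SHUTDOWN_CMDS alias reference is accepted. The checks are intentionally conservative and complement, rather than replace, the syntax check that visudo -cf performs.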