RHCSA - Manage Users & Groups: Configure Superuser Access

Understanding /etc/sudoers and /etc/sudoers.d/

The /etc/sudoers file controls who can use the sudo command, on which hosts, as which users and groups, and which commands they may run. It is a plain text file that should only be edited with visudo. Edit it with care: a syntax error makes sudo refuse every request, which can lock you out of administrative access entirely, and an over-broad rule hands out more privilege than intended.

The /etc/sudoers.d/ directory holds drop-in files that /etc/sudoers pulls in through its @includedir /etc/sudoers.d directive (older releases write it as #includedir; there the leading # is part of the directive, not a comment). Drop-in files are usually named after the user or group they configure. Two details matter: sudo skips any file in that directory whose name contains a dot or ends in ~, so a file called web_admin.conf is silently ignored, and each file should be owned by root with mode 0440, since sudo refuses files that are writable by anyone other than the owner.

A sudoers file consists of user specifications and command specifications. A user specification says which users or groups a rule applies to and on which hosts. Its command specification says which commands they may run, as which target user and group, and carries any tags (such as NOPASSWD) that change how the rule behaves.

To edit /etc/sudoers always run visudo: it locks the file, opens it in an editor and parses the result before saving, which guards against writing a file that sudo cannot read. For drop-in files under /etc/sudoers.d/ pass the file name with the -f option, for example visudo -f /etc/sudoers.d/user1; a file created this way gets the correct 0440 mode. To parse a file without editing it, combine -c with -f.

Below are just some of the configuration options available to fine-tune the sudo command behavior:

  • User Specification: The user specification allows you to define who can use the sudo command. It follows the format:

    username   host=(runasuser:runasgroup) command
    

    Here's an explanation of each field:

    • username: The user or users the rule applies to. This can be an actual username, a group name prefixed with % (for example %wheel), a numeric #uid, or a User_Alias defined earlier in the file.
    • host: The hosts on which the rule applies. The keyword ALL matches every host; listing specific host names only makes sense when the same sudoers file is distributed to several machines.
    • runasuser: The user the command is run as. It can be a username or a Runas_Alias. If the whole (runasuser:runasgroup) part is omitted, the command may only be run as root. ALL allows any user.
    • runasgroup: The group the command may be run as via sudo -g. If omitted, the user cannot choose a group and the command runs with the primary group of runasuser. ALL allows any group.
    • command: The command or Cmnd_Alias the user may run, given as an absolute path. Any arguments written after the path must match what the user types exactly; a path with no arguments allows any arguments, and the special value "" allows the command to be run only with no arguments at all.
  • Run as Another User: The part in parentheses is the Runas_Spec. To allow a user to execute commands as a particular target user, name that user there:

    username   ALL=(targetuser) ALL
    

    Replace username with the user who should have access, and targetuser with the account they should be able to run commands as. Without the NOPASSWD tag the user is asked for their own password, not targetuser's.

  • Command Aliases: Command aliases allow you to define groups of commands for easier management. You can specify a command alias with Cmnd_Alias:

    Cmnd_Alias SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot
    

    Defining the alias grants nothing by itself: a user specification must then name SHUTDOWN_CMDS in its command field, after which the users it covers may run /sbin/poweroff and /sbin/reboot. Alias names are upper case and must be defined before the rules that use them.

  • Restricting Command Arguments and Skipping the Password Prompt: arguments written after the command pin the user to exactly that invocation, and the NOPASSWD tag lets the rule run without a password prompt:

    username   ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
    

    This allows the user to run exactly apt-get update, and nothing else under that rule, without entering their password (apt-get is the Debian package manager; on a RHEL system the equivalent would be /usr/bin/dnf or /usr/bin/yum). NOPASSWD has nothing to do with restricting arguments: it only removes the prompt, so reserve it for narrowly scoped commands such as this one.

  • Password Timeout: The timestamp_timeout option sets the time in minutes for which sudo remembers a successful password entry before asking again:

    Defaults timestamp_timeout=30
    

    This sets the timeout to 30 minutes. A value of 0 prompts on every invocation; a negative value never expires the cached credential. A longer timeout also means an unattended, unlocked terminal can run sudo commands without a password for longer.

  • Logging: The logfile option allows you to specify a custom log file for sudo commands:

    Defaults logfile=/var/log/sudo.log
    

    This logs sudo commands to /var/log/sudo.log in addition to the entries sudo already sends to syslog (the authpriv facility, readable with journalctl). The file records every command run through sudo, so keep it readable only by root.
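As an added example, not taken from the original page, the script below writes one complete drop-in that combines the constructs listed above (aliases, a per-user Defaults line, an explicit Runas_Spec, NOPASSWD, exact-argument and no-argument rules), counts what the file contains, and parses it with visudo -c where visudo is installed, so nothing is copied into /etc/sudoers.d/ unchecked. The user ops_admin, the group webadmins, the apache account and the log file path are assumed names chosen for illustration. The broad `NOPASSWD: ALL` rule is kept as a comment directly above the narrow rules that replace it.

```shell
#!/bin/sh
# Added example (not from the original page): write a worked sudoers drop-in,
# count the kinds of entries it holds and syntax-check it with visudo -c.
# ops_admin, webadmins, apache and /var/log/sudo.log are assumed names.

# Write the example drop-in to the path given as $1.
write_sudoers_example() {
    cat > "$1" <<'EOF'
# Aliases come first; a rule must reference an alias for it to grant anything.
User_Alias  OPS           = ops_admin, %webadmins
Cmnd_Alias  SHUTDOWN_CMDS = /sbin/poweroff, /sbin/reboot
Cmnd_Alias  WEB_CMDS      = /usr/bin/systemctl restart httpd, /usr/bin/systemctl reload httpd

# Defaults can be global or limited to a User_List (here the OPS alias).
Defaults:OPS timestamp_timeout=30
Defaults     logfile=/var/log/sudo.log

# Weak rule, kept as a comment so it is never active: any command, as any
# user and any group, with no password.
# ops_admin   ALL=(ALL:ALL) NOPASSWD: ALL

# Narrow rules instead. Host is ALL; the Runas_Spec names root explicitly.
OPS         ALL=(root) SHUTDOWN_CMDS
# Group members may restart or reload httpd without a password, nothing else.
%webadmins  ALL=(root) NOPASSWD: WEB_CMDS
# Run a command as another unprivileged user.
ops_admin   ALL=(apache) /usr/bin/id
# Arguments must match exactly: only "systemctl status httpd" is allowed.
ops_admin   ALL=(root) /usr/bin/systemctl status httpd
# "" means the command may only be run with no arguments at all.
ops_admin   ALL=(root) /usr/bin/uptime ""
EOF
}

# Count entries of one kind in sudoers file $2: alias, defaults, rule or
# nopasswd (rules carrying the NOPASSWD tag). Comments and blank lines are
# ignored, so the commented-out weak rule is not counted.
sudoers_count() {
    awk -v kind="$1" '
        NF == 0 || $1 ~ /^#/            { next }
        /^(User|Runas|Host|Cmnd)_Alias/ { c["alias"]++;    next }
        /^Defaults/                     { c["defaults"]++; next }
        { c["rule"]++; if ($0 ~ /NOPASSWD:/) c["nopasswd"]++ }
        END { print c[kind] + 0 }' "$2"
}

# Parse the file with visudo -c (no install) when visudo is available.
# Older visudo versions may also complain that a temporary file is not owned
# by root; that warning is about ownership, not syntax.
validate_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        chmod 440 "$1"
        visudo -cf "$1"
    else
        echo "visudo not found; skipping syntax check of $1"
    fi
}

tmp=$(mktemp)
write_sudoers_example "$tmp"
echo "aliases=$(sudoers_count alias "$tmp") defaults=$(sudoers_count defaults "$tmp") rules=$(sudoers_count rule "$tmp") nopasswd=$(sudoers_count nopasswd "$tmp")"
validate_sudoers_syntax "$tmp" || echo "syntax check failed for $tmp"
rm -f "$tmp"
```

Once visudo -c reports the file parsed OK, install it with visudo -f /etc/sudoers.d/NAME (paste the contents) or with install -m 0440 -o root -g root, and pick a NAME without a dot so that sudo does not ignore it.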

sudo Command

The sudo command allows users to execute commands as another user, typically the root user, with elevated privileges. It provides a way to delegate specific administrative tasks to authorized users without giving them full superuser access.

The table below shows some common options used with the sudo command:

Option                Description
-u, --user USER       Run the command as USER instead of root.
-s, --shell           Run a shell as the target user (the one named in SHELL, otherwise the invoking user's login shell); if a command is given, run it through that shell.
-E, --preserve-env    Pass the caller's environment through to the command. sudo resets the environment by default (env_reset) and only honours -E when the policy permits it, via the SETENV tag or the setenv option; otherwise it refuses with "sorry, you are not allowed to preserve the environment".
-i, --login           Start a login shell as the target user, as if they had logged in directly: their shell profile runs and the working directory becomes their home.

Exercises

Update the default timeout option to extend the period for when a sudo password is required again:

Open the /etc/sudoers file:

sudo visudo

Edit or add the timestamp_timeout option to the file, setting the timeout to 30 minutes:

Defaults timestamp_timeout=30

The default timeout is 5 minutes, so after this change you will be prompted for your password far less often. Bear in mind that a longer cache also gives anyone at an unlocked terminal a longer window in which sudo will not ask for a password.

Login as the root user:

Using sudo to log in as root is useful in environments where you do not want to share the root password, and it keeps an audit trail because sudo logs which user obtained the root shell:

sudo -i

Log out of the root account:

exit

Allow the web admin user to manage the httpd service:

Create the web admin user:

sudo useradd web_admin

Install httpd if required:

sudo yum install -y httpd

Create the drop-in file /etc/sudoers.d/web_admin with the required configuration (visudo -f creates it with mode 0440, and the name deliberately contains no dot so that sudo does not ignore it):

sudo visudo -f /etc/sudoers.d/web_admin

Add contents:

web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd

Switch to the web_admin user:

sudo su - web_admin

Start and stop the httpd service to prove sudo access is working. web_admin can run only these four systemctl invocations; any other command under sudo is refused and logged:

sudo systemctl start httpd && echo started
sudo systemctl stop httpd && echo stopped
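As an added example, not part of the original exercise, the following POSIX shell script audits a sudoers.d-style directory for the three things most often wrong with drop-ins: file names that sudo silently ignores, file modes other than 0440, and rules that grant NOPASSWD: ALL or name a command without its absolute path. make_sample_sudoers_d builds a constructed directory holding the web_admin file from the exercise above (which should pass clean) plus two deliberately flawed files, ops.conf and backup, both assumed names, so the script runs offline; run it with /etc/sudoers.d as the argument to audit a real host. This is a static lint that complements, and does not replace, visudo -c and sudo -l -U web_admin.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of a sudoers.d
# directory. The sample files are constructed below; ops.conf and backup are
# assumed names chosen to trigger each check.

# Print one finding per line for every drop-in in directory $1.
audit_sudoers_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # sudo's @includedir skips names containing '.' or ending in '~'.
        case $name in
            *.*|*~) echo "$name: ignored by @includedir (name contains '.' or ends in '~')" ;;
        esac
        # GNU stat first, BSD stat as a fallback.
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = 440 ] || echo "$name: mode $mode, expected 0440"
        # Inspect the command specification of every rule line.
        awk -v name="$name" '
            NF == 0 || $1 ~ /^#/ || /^(User|Runas|Host|Cmnd)_Alias/ || /^Defaults/ { next }
            {
                spec = $0
                sub(/^[^=]*=/, "", spec)        # keep the part after "host="
                gsub(/\([^)]*\)/, "", spec)     # drop the (runasuser:runasgroup) spec
                nopass = (spec ~ /NOPASSWD:/)
                gsub(/[A-Z_]+:/, "", spec)      # drop tags such as NOPASSWD: or SETENV:
                n = split(spec, cmds, ",")
                for (i = 1; i <= n; i++) {
                    c = cmds[i]
                    sub(/^[ \t]+/, "", c)
                    split(c, w, /[ \t]+/)
                    cmd = w[1]
                    if (cmd == "") continue
                    if (cmd == "ALL") {
                        if (nopass) print name ": passwordless ALL commands (NOPASSWD: ALL)"
                    } else if (cmd !~ /^[A-Z][A-Z0-9_]*$/ && cmd !~ /^\//) {
                        # Not a Cmnd_Alias and not an absolute path.
                        print name ": command \"" cmd "\" is not an absolute path"
                    }
                }
            }' "$f"
    done
}

# Build a constructed sample directory under $1: the web_admin drop-in from
# the exercise above (clean) plus two flawed files.
make_sample_sudoers_d() {
    cat > "$1/web_admin" <<'EOF'
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl start httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload httpd
web_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart httpd
EOF
    # Name with a dot (silently ignored) and a blanket NOPASSWD: ALL rule.
    printf '%s\n' 'ops ALL=(ALL) NOPASSWD: ALL' > "$1/ops.conf"
    # World-readable mode and a command given without its full path.
    printf '%s\n' 'backup ALL=(root) rsync, /usr/bin/tar' > "$1/backup"
    chmod 440 "$1/web_admin" "$1/ops.conf"
    chmod 644 "$1/backup"
}

if [ $# -gt 0 ]; then
    audit_sudoers_dir "$1"          # e.g. sh audit_sudoers.sh /etc/sudoers.d
else
    d=$(mktemp -d)
    make_sample_sudoers_d "$d"
    audit_sudoers_dir "$d"
    rm -rf "$d"
fi
```

On the constructed directory the script reports four findings, two each for ops.conf and backup, and nothing for web_admin. The parser is deliberately simple: it does not follow Cmnd_Alias definitions or evaluate negated (!) entries, so treat its output as a starting point for review rather than proof that a rule is safe.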
