Sudo Configuration

SUDO configuration in Linux

www.server-world.info/en/note

Initial Settings : Configure Sudo    2021/08/17

Debian 11 Bullseye

Configure Sudo to separate users' duties when several people share administrative privileges.


[1] Install Sudo.
root@dlp:~#
apt -y install sudo

[2] Grant a user full root privileges.


root@dlp:~#
visudo

# add to the end : user [bullseye] may run any command as root

# syntax ⇒ user host=(run-as user:run-as group) command

bullseye ALL=(ALL:ALL) ALL

# press [Ctrl + x] to exit the editor and save ( nano is the default editor on Debian ); visudo checks the syntax before installing the file

# verify with user [bullseye]

bullseye@dlp:~$
/usr/sbin/reboot

Failed to set wall message, ignoring: Access denied


Failed to reboot system via logind: Access denied
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied

bullseye@dlp:~$
sudo /usr/sbin/reboot

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.


#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for bullseye: # bullseye's password


.....
.....
# executed
[3] In addition to the setting in [2], deny some commands.
root@dlp:~#
visudo

# add alias for the kind of shutdown commands

# Cmnd alias specification


Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( the commands in alias [SHUTDOWN] are excluded from ALL )

bullseye ALL=(ALL:ALL) ALL, !SHUTDOWN

# caveat : sudoers(5) warns that subtracting commands from ALL with [!] is not an effective restriction. A user who may run ALL can copy
# /usr/sbin/reboot under another name, or start a root shell with [sudo -s], and reboot anyway. Only the direct invocation below is refused;
# when the restriction must hold, grant an explicit list of commands instead of ALL.

# verify with user [bullseye]

bullseye@dlp:~$
sudo /usr/sbin/reboot

[sudo] password for bullseye:


Sorry, user bullseye is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.

# denied
[4] Grant some commands with root privilege to the users in a group.
root@dlp:~#
visudo

# add alias for the kind of user management commands

# Cmnd alias specification


Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

# add to the end


%usermgr ALL=(ALL:ALL) USERMGR

root@dlp:~#
groupadd usermgr

root@dlp:~#
usermod -aG usermgr bullseye

# verify with user [bullseye]

bullseye@dlp:~$
sudo /usr/sbin/useradd testuser

bullseye@dlp:~$
sudo /usr/bin/passwd testuser

Enter new UNIX password:


Retype new UNIX password:
passwd: password updated successfully

# executed
[5] Grant specific commands with root privilege to individual users.
root@dlp:~#
visudo

# add to the end : grant specific commands to each user

fedora ALL=(ALL:ALL) /usr/sbin/visudo
debian ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
ubuntu ALL=(ALL:ALL) /usr/bin/vim

# caveat : each of these grants is equivalent to full root. [visudo] lets fedora rewrite the policy itself; [vim] running as root gives ubuntu a root shell
# via [:!sh] ( prefer [sudoedit file], which runs the editor as the calling user on a temporary copy ); and [passwd] / [usermod] let debian reset root's
# password or add an account to the [sudo] group. Check what a user can actually run with [sudo -l -U user].

# verify with user [fedora]

fedora@dlp:~$
sudo /usr/sbin/visudo

# opened and editable

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##

# verify with user [debian]

debian@dlp:~$
sudo /usr/sbin/userdel -r testuser

debian@dlp:~$

# executed

# verify with user [ubuntu]

ubuntu@dlp:~$
sudo /usr/bin/vim /root/.profile

# opened and editable

# ~/.profile: executed by Bourne-compatible login shells.
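The rules written in steps [2] to [5] above can be checked for the two pitfalls they illustrate before they go live. The script below is an added example and is not part of the server-world.info note; it is not a sudoers parser and does not replace the real checks, [visudo -cf file] for syntax and [sudo -l -U user] for the effective policy. It flags "ALL, !ALIAS" rules, which sudoers(5) documents as ineffective, and grants of programs that are root-equivalent on their own. The ROOT_EQUIVALENT table and the SAMPLE_SUDOERS fragment are constructed for this example.

```python
"""Lint a sudoers fragment for rules that are weaker than they look.

Added example (not from the original page). Two pitfalls are flagged:
  * "ALL, !ALIAS": sudoers(5) says subtracting from ALL with '!' is not
    effective; a user allowed ALL can copy the binary or run 'sudo -s'.
  * granting a program that is itself root-equivalent (visudo rewrites the
    policy; editors and shells spawn a root shell; passwd/usermod can take
    over root or the sudo group).
ROOT_EQUIVALENT and SAMPLE_SUDOERS are assumptions constructed for this example.
"""
import re

# Programs that hand over root even when granted on their own (assumption).
ROOT_EQUIVALENT = {
    "/usr/sbin/visudo": "rewrites /etc/sudoers itself",
    "/usr/bin/vim": "editor run as root: ':!sh' gives a root shell (use sudoedit)",
    "/usr/bin/vi": "editor run as root: ':!sh' gives a root shell (use sudoedit)",
    "/usr/bin/nano": "editor run as root: reads and writes any file (use sudoedit)",
    "/bin/bash": "shell",
    "/bin/sh": "shell",
    "/usr/bin/passwd": "'sudo passwd root' resets the root password",
    "/usr/sbin/usermod": "'usermod -aG sudo user' grants full sudo",
}

# user-or-%group  host = (runas) [TAG:] cmd, cmd, ...
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

SAMPLE_SUDOERS = """\
# constructed from the rules used on this page
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \\
    /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \\
    /usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
bullseye ALL=(ALL:ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL:ALL) USERMGR
fedora   ALL=(ALL:ALL) /usr/sbin/visudo
ubuntu   ALL=(ALL:ALL) /usr/bin/vim
debian   ALL=(ALL:ALL) sudoedit /etc/motd
"""


def _logical_lines(text):
    """Yield (first_lineno, line) with backslash continuations joined, as sudoers(5) reads them."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = lineno if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf).strip()


def _split_cmds(body):
    """Comma-separated command list with tags such as NOPASSWD: stripped."""
    return [TAG_RE.sub("", c.strip()) for c in body.split(",") if c.strip()]


def _expand(cmds, aliases, depth=0):
    """Replace Cmnd_Alias names with their members (aliases may nest)."""
    out = []
    for c in cmds:
        if c in aliases and depth < 8:
            out.extend(_expand(aliases[c], aliases, depth + 1))
        else:
            out.append(c)
    return out


def lint_sudoers(text):
    """Return (lineno, who, message) findings; an empty list means nothing was flagged."""
    aliases, findings = {}, []
    for lineno, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = _split_cmds(body)
            continue
        if line.startswith(("Defaults", "User_Alias", "Runas_Alias", "Host_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((lineno, "?", "unparsed line, run visudo -cf: " + line))
            continue
        who = m.group("who")
        cmds = _split_cmds(m.group("cmds"))
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c.lstrip("!").strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed and denied:
            findings.append((lineno, who, "ALL with ! exclusions (%s) is not an effective restriction; "
                             "the user can copy the binary or run 'sudo -s'" % ", ".join(denied)))
        for cmd in _expand(allowed, aliases):
            parts = cmd.split()
            if parts and parts[0] in ROOT_EQUIVALENT:
                findings.append((lineno, who, "%s is root-equivalent: %s" % (parts[0], ROOT_EQUIVALENT[parts[0]])))
    return findings


if __name__ == "__main__":
    for lineno, who, msg in lint_sudoers(SAMPLE_SUDOERS):
        print("line %d %-9s %s" % (lineno, who, msg))
```

Run against the sample, it reports the bullseye exclusion rule, both usermod and passwd inside the USERMGR alias, and the visudo and vim grants, while the sudoedit rule for debian passes. A rule such as `ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx` produces no finding; whether that rule is what you intended is still a question for `sudo -l -U ops`.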

[6] Sudo logs can be viewed with Journald ( [journalctl] command ) or Rsyslogd ( in the [/var/log/auth.log] file ). To keep the Sudo logs in a separate file, configure as follows.
root@dlp:~#
visudo

# add to the end : log via the syslog facility [local1] instead of the default [authpriv]

Defaults syslog=local1

root@dlp:~#
vi /etc/rsyslog.conf

# around line 61 : add the [local1] rule, and add [local1.none] to the [auth.log] and [syslog] rules so the entries are not written twice

local1.* /var/log/sudo.log

auth,authpriv.*;local1.none /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog

root@dlp:~#
systemctl restart rsyslog
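Once the entries land in [/var/log/sudo.log] they are worth reading for more than troubleshooting: sudo logs every refusal with a short status text in front of the TTY field. The parser below is an added example, not part of the server-world.info note. Changing the facility with [Defaults syslog=local1] moves the messages to another file but does not change their text, so the same code works on [/var/log/auth.log] or on [journalctl _COMM=sudo] output. SAMPLE_LOG is constructed for this example from the message forms sudo emits; the timestamps and host name are made up.

```python
"""Parse sudo's syslog lines and pull out the refused invocations.

Added example (not from the original page). SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# "Mon DD HH:MM:SS host sudo:   user : [status ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*)$"
)

SAMPLE_LOG = [  # constructed sample lines, not real log data
    "Aug 17 10:12:01 dlp sudo: bullseye : TTY=pts/0 ; PWD=/home/bullseye ; USER=root ; COMMAND=/usr/sbin/reboot",
    "Aug 17 10:13:45 dlp sudo: bullseye : command not allowed ; TTY=pts/0 ; PWD=/home/bullseye ; USER=root ; COMMAND=/usr/sbin/reboot",
    "Aug 17 10:14:02 dlp sudo: testuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/bash",
    "Aug 17 10:15:30 dlp sudo: bullseye : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/bullseye ; USER=root ; COMMAND=/usr/bin/id",
    "Aug 17 10:16:00 dlp sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)",
]


def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for other sudo messages (pam_unix sessions etc.)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # Fields are " ; " separated; a COMMAND whose arguments contain " ; " would need a stricter split.
    fields = [f.strip() for f in m.group("rest").split(" ; ")]
    # A successful run carries no status text: the first field is already TTY=...
    status = "ok"
    if fields and "=" not in fields[0]:
        status = fields.pop(0)
    kv = dict(f.partition("=")[::2] for f in fields)
    return {
        "ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"),
        "status": status, "tty": kv.get("TTY"), "pwd": kv.get("PWD"),
        "runas": kv.get("USER"), "command": kv.get("COMMAND"),
    }


def alerts(lines):
    """Every invocation sudo refused: wrong password, not in sudoers, or a command the policy does not allow."""
    out = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec and rec["status"] != "ok":
            out.append((rec["ts"], rec["user"], rec["status"], rec["command"]))
    return out


def denials_by_user(lines):
    """Refused invocations per user; a burst from one account is worth a look."""
    return Counter(user for _, user, _, _ in alerts(lines))


if __name__ == "__main__":
    for ts, user, status, cmd in alerts(SAMPLE_LOG):
        print(f"{ts} {user}: {status} -> {cmd}")
    print(dict(denials_by_user(SAMPLE_LOG)))
```

On the sample, the first line (the reboot allowed in step [2]) parses as a normal record, the second is the "command not allowed" refusal from step [3], and the remaining two show what an account outside sudoers and a run of wrong passwords look like; the pam_unix session line is skipped rather than misparsed.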
