
πŸ” Sudo Configuration in Linux (/etc/sudoers File)

sudo (Superuser Do) allows authorized users to execute commands as root or another user while keeping system security intact. The /etc/sudoers file controls who can use sudo and what they can do.

This guide explains configuring sudo permissions properly using the visudo command.


📌 1. Granting Sudo Privileges to a User

✅ Method 1: Add the User to the sudo Group

On Ubuntu/Debian, users in the sudo group have admin privileges by default.

1️⃣ Add a user (nikhil) to the sudo group

sudo usermod -aG sudo nikhil

2️⃣ Verify with:

groups nikhil

3️⃣ Test sudo access:

su - nikhil
sudo whoami

✅ Output:

root

📌 For RHEL/CentOS, use the wheel group instead:

sudo usermod -aG wheel nikhil

📌 2. Editing the sudoers File Safely

Always use visudo to edit /etc/sudoers: it locks the file, checks the syntax before saving, and refuses to install a broken file that would otherwise lock everyone out of sudo.

sudo visudo

✅ Add a User with Full Root Privileges

Find the line:

root    ALL=(ALL:ALL) ALL

Below it, add:

nikhil  ALL=(ALL:ALL) ALL

🔹 This allows nikhil to run any command as root.


📌 3. Grant Sudo Access Without a Password (NOPASSWD)

To allow nikhil to run sudo without entering a password, modify:

nikhil  ALL=(ALL) NOPASSWD: ALL

📌 Use Case: Helpful for automation and scripts. For that purpose, pair NOPASSWD with the specific commands the script needs (see section 4) rather than ALL, so a compromised script account cannot become full root silently.


📌 4. Restrict User to Specific Commands

To allow nikhil to only restart Apache:

nikhil  ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2

✅ Now nikhil can run:

sudo systemctl restart apache2

❌ But cannot run sudo rm -rf /. sudo matches the whole command line, so sudo systemctl stop apache2 is also denied because its arguments differ from the entry.


📌 5. Grant Sudo to a User Group

Instead of adding individual users, grant sudo access to an entire group:

%developers  ALL=(ALL:ALL) ALL

✅ All users in the developers group can use sudo.

To add a user (john) to the group:

sudo usermod -aG developers john

📌 6. Command Aliases in sudoers File

To simplify management, define command aliases:

Cmnd_Alias WEB_CMDS = /bin/systemctl restart apache2, /bin/systemctl reload nginx
Cmnd_Alias NET_CMDS = /sbin/ifconfig, /bin/ping

Assign them:

nikhil  ALL=(ALL) NOPASSWD: WEB_CMDS, PASSWD: NET_CMDS

✅ nikhil can restart Apache/Nginx without a password
✅ But must enter a password to run networking commands


📌 7. Restrict Users from Running Certain Commands

To block dangerous commands (like rm -rf or fdisk):

nikhil ALL=(ALL) ALL, !/bin/rm, !/sbin/fdisk

✅ nikhil can run all commands except rm and fdisk. Note that sudoers(5) warns that subtracting commands from ALL with ! is not a reliable security boundary; where you actually need to limit a user, prefer the allow-list approach from section 4.


📌 8. Log All Sudo Activity

Enable logging to track sudo usage:

Defaults logfile="/var/log/sudo.log"

✅ All sudo commands will be logged in /var/log/sudo.log.

To view logs:

cat /var/log/sudo.log
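Logging is only useful if someone reviews it. The following is an added example, not part of this guide: it parses the record format that Defaults logfile writes and flags every logged command that either starts a root shell or falls outside a per-user allow-list modelled on the WEB_CMDS alias from section 6. The allow-list, the SHELLS set and the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Record format written by `Defaults logfile=...` (sudo wraps very long
# records onto indented continuation lines; those are skipped here):
#   Mar 10 12:34:56 : nikhil : TTY=pts/0 ; PWD=/home/nikhil ; USER=root ; COMMAND=/bin/systemctl restart apache2
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+) : (?P<fields>.+)$")

# Constructed per-user allow-list mirroring the page's WEB_CMDS alias.
ALLOWED = {"nikhil": {"/bin/systemctl restart apache2", "/bin/systemctl reload nginx"}}
# Programs that hand the caller an interactive root shell (sudo su, sudo -i).
SHELLS = {"/bin/su", "/usr/bin/su", "/bin/bash", "/usr/bin/bash", "/bin/sh"}

@dataclass
class SudoEvent:
    ts: str
    user: str
    runas: str
    command: str

def parse_line(line):
    """Parse one sudo logfile record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Fields are separated by " ; "; COMMAND may itself contain spaces.
    fields = dict(part.partition("=")[::2] for part in m.group("fields").split(" ; "))
    return SudoEvent(m.group("ts"), m.group("user"),
                     fields.get("USER", ""), fields.get("COMMAND", ""))

def review(lines):
    """Return (event, reason) for each logged command that deserves attention."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        program = ev.command.split(" ", 1)[0]
        if program in SHELLS:
            findings.append((ev, "root shell"))
        elif ev.command not in ALLOWED.get(ev.user, set()):
            findings.append((ev, "not in allow-list"))
    return findings

# Constructed sample log: one permitted command, then three that deserve attention.
SAMPLE_LOG = """\
Mar 10 12:34:56 : nikhil : TTY=pts/0 ; PWD=/home/nikhil ; USER=root ; COMMAND=/bin/systemctl restart apache2
Mar 10 12:40:01 : nikhil : TTY=pts/0 ; PWD=/home/nikhil ; USER=root ; COMMAND=/usr/bin/su -
Mar 10 12:41:17 : nikhil : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -rf /srv/data
Mar 10 12:45:09 : john : TTY=pts/1 ; PWD=/home/john ; USER=root ; COMMAND=/bin/systemctl reload nginx
"""
```

Run review(SAMPLE_LOG.splitlines()) to get the three findings; in practice feed it the lines of /var/log/sudo.log instead.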

📌 9. Allow Root Access Without a Password for a Specific User

Defaults:nikhil !authenticate

✅ nikhil can run sudo without being asked for a password.


📌 10. Secure Sudo: Disable Root Login via sudo

To prevent users from running sudo su or sudo -i (full root shell):

Defaults !root_sudo

✅ Users cannot escalate to full root privileges. Per sudoers(5), root_sudo governs whether root itself may invoke sudo, so disabling it guards against chained sudo use from a root shell; to keep users out of root shells altogether, grant only the specific commands they need (section 4) instead of ALL.


📌 11. Removing a User from Sudo Access

To remove sudo access from a user:

sudo deluser nikhil sudo    # Ubuntu/Debian
sudo gpasswd -d nikhil wheel  # RHEL/CentOS

✅ nikhil can no longer run sudo.


📊 Summary of Sudoers Configuration

| Configuration | Entry in /etc/sudoers | Effect |
|---|---|---|
| Full sudo access | nikhil ALL=(ALL) ALL | nikhil can run all commands |
| No password required | nikhil ALL=(ALL) NOPASSWD: ALL | nikhil can run sudo without password |
| Specific command only | nikhil ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2 | Can restart Apache but nothing else |
| Restrict commands | nikhil ALL=(ALL) ALL, !/bin/rm, !/sbin/fdisk | Cannot run rm or fdisk |
| Allow group sudo | %developers ALL=(ALL) ALL | All developers group members can use sudo |
| Disable root escalation | Defaults !root_sudo | Prevents sudo su |
| Log sudo commands | Defaults logfile="/var/log/sudo.log" | Tracks sudo usage |