Introduction
This tutorial will teach you how to grant a local user in Linux full sudo privileges. We’ll also discover how to grant a user restricted sudo access, allowing them to use sudo only for a predetermined set of commands.
Granting a user full sudo access
A user with full sudo privileges can run any command as root from the Linux command line. This is necessary when we execute commands in the terminal that require access to the filesystem’s root directories or files.
What is a sudo user?
● Sudoers (sudo users) are particular users who are allowed to run root user commands without needing the root password.
● /etc/sudoers is the sudoers configuration file, in which a normal user is configured as a privileged user.
● It is not recommended to open this file with the vim editor, because vim does not check the sudoers syntax by default and blindly saves whatever we type into the file.
● Instead, a dedicated command is available for opening this file: # visudo. Normal users cannot execute this command; only the root user can run it.
● While the file is open in visudo, nobody can open it again with visudo on another terminal; for security reasons a “The file is busy” message is displayed there instead.
How to give different sudo permissions to normal users?
Open the /etc/sudoers file by executing the # visudo command, go to line no. 98 and add an entry in this form:
Username | Machine | Command |
---|---|---|
root | ALL=(ALL) | ALL |
raju | ALL= | ALL |
Example:
# visudo
raju ALL=(ALL) ALL
Save and exit the file.
Note:
When we try to save the file, any syntax errors in it are displayed with their line numbers, followed by the prompt “What now?”. Press ‘e’ to edit the file again, correct the mistakes and save the file.
● Now the normal user raju can run any command with sudo privileges.
● Let’s verify this by running the command below to switch to user raju, if you are logged in as another user.
# su - raju
Now the normal user raju can also add users to the system by putting sudo before the command.
# sudo useradd <username>
Note: We can assign sudo permissions to ‘n’ number of users by specifying their names separated by commas ( , ) or by adding one line per user.
How to give a normal user access to only some commands
Instead of giving a normal user all permissions, we can allow only some commands by editing the /etc/sudoers file and adding lines like the ones below. In the second line, NOPASSWD: lets raju run the listed commands without being asked for a password.
Example:
# visudo
student ALL=/usr/sbin/useradd, /usr/sbin/usermod
raju ALL=NOPASSWD:/usr/sbin/useradd, /usr/sbin/usermod
How to give sudo permissions to one group or several groups
* We can also apply sudo permissions to one or more groups as follows.
* First create the users, assign them to a group and set passwords for them. Then open the /etc/sudoers file by executing the # visudo command and type as follows.
Syntax:
%<group name> ALL=ALL
Example:
%oracle ALL=ALL
How to create a command alias and give a user access to its commands
* We can also create a command alias, add some commands to it, and assign that alias to users by editing the /etc/sudoers file and adding the lines below.
# visudo
Cmnd_Alias NETWORKING=/usr/sbin/route, /usr/sbin/ifconfig
<username> <machines>=<command alias name>
raju ALL=NETWORKING
How to create a user alias, add users to it and give it command access
* We can also create a user alias, add users to that alias and assign some commands to that alias as follows.
Syntax:
User_Alias <user alias name>=<user1>, <user2>, <user3>, ....
Example:
# visudo
User_Alias OURTEAM=raju, shyam, ram, gopal
OURTEAM ALL=ALL
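The rule forms covered so far (full access, restricted commands, NOPASSWD, a %group, Cmnd_Alias and User_Alias) can be summarised per user to review who ends up with which access. The script below is an added example, not part of the original tutorial: audit_sudoers is a hypothetical helper, the sample file is constructed, and it assumes one-line rules with a single host field (no includes or line continuations).

```shell
#!/bin/sh
# Added example. Constructed sample using the rule forms shown on this page.
SAMPLE_SUDOERS='root    ALL=(ALL) ALL
raju    ALL=NOPASSWD:/usr/sbin/useradd, /usr/sbin/usermod
student ALL=/usr/sbin/useradd, /usr/sbin/usermod
%oracle ALL=ALL
Cmnd_Alias NETWORKING=/usr/sbin/route, /usr/sbin/ifconfig
User_Alias OURTEAM=shyam, ram, gopal
OURTEAM ALL=NETWORKING
Defaults timestamp_timeout=0'

# audit_sudoers (hypothetical helper): sudoers text on stdin,
# one "who|scope|auth|commands" line per user or group on stdout.
audit_sudoers() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }   # comments, blanks, options
    /^(User|Cmnd)_Alias[ \t]/ {                         # remember alias definitions
      body = $0; sub(/^[A-Za-z_]+[ \t]+/, "", body)
      eq = index(body, "=")
      name = trim(substr(body, 1, eq - 1))
      if ($1 == "User_Alias") users[name] = substr(body, eq + 1)
      else cmds[name] = trim(substr(body, eq + 1))
      next
    }
    {                                                   # a user rule: who host=spec
      eq = index($0, "="); n++
      lhs = substr($0, 1, eq - 1)
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", lhs)              # drop the host field
      who[n] = trim(lhs)
      spec = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)/, "", spec)                 # drop the (run-as) field
      auth[n] = sub(/NOPASSWD:[ \t]*/, "", spec) ? "NOPASSWD" : "PASSWD"
      what[n] = trim(spec)
    }
    END {                                               # resolve aliases, then report
      for (i = 1; i <= n; i++) {
        c = (what[i] in cmds) ? cmds[what[i]] : what[i]
        scope = (c == "ALL") ? "FULL" : "LIMITED"
        src = (who[i] in users) ? users[who[i]] : who[i]
        m = split(src, list, ",")
        for (j = 1; j <= m; j++)
          print trim(list[j]) "|" scope "|" auth[i] "|" c
      }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real system, run it as root with audit_sudoers < /etc/sudoers. LIMITED only means the rule names specific commands; account-management commands such as useradd and usermod still warrant the same review as a FULL grant.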
How to set the time interval to zero so that sudo asks for the password on every command
# visudo
Defaults timestamp_timeout=0
Note: The above applies to all users, including root. If we want it to apply only to particular normal users, use:
Defaults:<user1>,<user2>,<user3> timestamp_timeout=0
Note: With the above timestamp_timeout setting, the system asks user1, user2 and user3 for their password each time they execute a sudo command.
Where is the sudo users' command history logged?
The command history of all sudo users is logged in the /var/log/secure file, which keeps a record of the commands run through sudo.
To see the contents of this file:
# cat /var/log/secure
To follow updates to this file continuously (press Ctrl + C to quit):
# tail -f /var/log/secure