
How to configure sudo access in Linux

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains in detail how to configure sudo access in Linux. The editor finds it very practical and shares it here as a reference; I hope you get something out of it.

What is sudo?

sudo is a program that lets ordinary users execute commands as the superuser or as another user, as specified by the security policy.

Access for sudo users is controlled by the /etc/sudoers file.

What are the advantages of sudo users?

In Linux systems, if you are not familiar with a command, sudo is a safe way to run it.

The Linux system keeps logs in the /var/log/secure and /var/log/auth.log files, where you can verify what actions sudo users have performed.

It prompts for a password each time for the current operation, so you have time to verify that the operation is what you intend. If it turns out to be the wrong action, you can safely exit without performing it.
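The log check described above can be scripted. The following is an added example, not part of the original article: it extracts who ran what through sudo and flags rejected attempts. The sample lines are constructed and user4 is a hypothetical account.

```bash
# Added example: summarise sudo activity from syslog-style lines such as
# those in /var/log/secure (RHEL) or /var/log/auth.log (Debian/Ubuntu).
# SAMPLE_LOG is constructed; user4 is a hypothetical account.

SAMPLE_LOG='Mar 17 07:01:56 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)
Mar 17 07:09:47 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:30:02 CentOS7 sudo: user4 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/user4 ; USER=root ; COMMAND=/bin/systemctl restart mariadb'

# sudo_events: read log text on stdin and print one tab-separated record
# per sudo command attempt: timestamp, status, user, run-as user, command.
sudo_events() {
    awk '
        index($0, " sudo: ") && index($0, "COMMAND=") {
            ts   = $1 " " $2 " " $3
            rest = substr($0, index($0, " sudo: ") + 7)
            sub(/^ +/, "", rest)
            user = rest
            sub(/ *:.*/, "", user)              # text before the first colon
            runas = substr(rest, index(rest, "USER=") + 5)
            sub(/ *;.*/, "", runas)             # stop at the next separator
            cmd = substr(rest, index(rest, "COMMAND=") + 8)
            status = "ok"
            if (rest ~ /NOT in sudoers|incorrect password attempt|command not allowed/) status = "denied"
            print ts "\t" status "\t" user "\t" runas "\t" cmd
        }'
}

# denied_users: accounts with at least one rejected sudo attempt.
denied_users() {
    sudo_events | awk -F '\t' '$2 == "denied" { print $3 }' | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_LOG" | sudo_events
```

On a live system, feed it the real file instead of the sample, for example `sudo cat /var/log/secure | sudo_events`.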

RHEL-based systems such as Redhat (RHEL), CentOS, and Oracle Enterprise Linux (OEL) are different from Debian-based systems such as Debian, Ubuntu, and LinuxMint.

This article shows how to do this on both distribution families.

There are three methods, and each can be applied to both families.

Add users to the appropriate group. For RHEL-based systems, we need to add users to the wheel group. For Debian-based systems, we add users to the sudo or admin group.

Manually add users to the /etc/group file.

Use the visudo command to add users to the /etc/sudoers file.
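Whichever of the three methods is used, the result can be audited by resolving the sudoers rules against the group file. This is an added example, not part of the original article; the sample sudoers and group text is constructed from the user names used later on this page.

```bash
# Added example: list who a sudoers policy grants access to, directly or
# through a %group rule. Sample text is constructed from the article's users.
# Limits: reads only the text given (no included files) and only the member
# list in the group file, not primary groups from /etc/passwd.

SAMPLE_SUDOERS='## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %sudo ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) ALL'

SAMPLE_GROUP='root:x:0:
wheel:x:10:daygeek,user1
sudo:x:27:2gadmin'

# sudo_grants SUDOERS_TEXT GROUP_TEXT -> "user<TAB>source<TAB>auth" lines
sudo_grants() {
    printf '%s\n' "$1" | GROUP_TEXT="$2" awk '
        BEGIN {
            # group name -> comma-separated members, from /etc/group text
            n = split(ENVIRON["GROUP_TEXT"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, ":")
                members[f[1]] = f[4]
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # commented-out rule or blank
        $1 ~ /^(Defaults|@include)/ || $1 ~ /_Alias$/ { next }  # not a grant
        {
            auth = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
            if ($1 ~ /^%/) {
                g = substr($1, 2)
                m = split(members[g], u, ",")
                for (j = 1; j <= m; j++) {
                    if (u[j] != "") print u[j] "\t%" g "\t" auth
                }
            } else {
                print $1 "\tdirect\t" auth
            }
        }' | LC_ALL=C sort
}

sudo_grants "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
```

In the sample, 2gadmin is not listed because the %sudo rule is commented out, which is the "activated" requirement the methods below depend on.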

How do I configure sudo access on a RHEL/CentOS/OEL system?

In RHEL-based systems such as Redhat (RHEL), CentOS, and Oracle Enterprise Linux (OEL), you can do this using the following three methods.

Method 1: How to use the wheel group to grant superuser access to ordinary users in Linux?

Wheel is a special group in RHEL-based systems that provides additional permissions to authorize users to execute restricted commands like a superuser.

Note that the wheel group should be activated in the /etc/sudoers file to gain this access.

# grep -i wheel /etc/sudoers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL

Suppose we have created a user account to perform these operations. Here, I will use daygeek as a user account.

Execute the following command to add users to the wheel group.

# usermod -aG wheel daygeek

We can verify this with the following command.

# getent group wheel
wheel:x:10:daygeek

I'm going to test if user daygeek can access files that belong to the root user.

$ tail -5 /var/log/secure
tail: cannot open /var/log/secure for reading: Permission denied

An error occurred when I tried to access the /var/log/secure file as a normal user. I'll use sudo to access the same file. Let's take a look at this trick.

$ sudo tail -5 /var/log/secure
[sudo] password for daygeek:
Mar 17 07:01:56 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 07:05:10 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:05:10 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)

Method 2: How do I use the /etc/group file in RHEL/CentOS/OEL to grant root access to ordinary users?

We can manually add users to the wheel group by editing the /etc/group file.

You can do this simply by opening the file and appending the appropriate user to the appropriate group.

$ grep -i wheel /etc/group
wheel:x:10:daygeek,user1

In this example, I will use the user account user1.

I'm going to check if user user1 has sudo access by restarting the Apache httpd service on the system. Let's see this magic trick.

$ sudo systemctl restart httpd
[sudo] password for user1:
$ sudo grep -i user1 /var/log/secure
[sudo] password for user1:
Mar 17 07:09:47 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:10:40 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:12:35 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/grep -i httpd /var/log/secure

Method 3: How do I use the /etc/sudoers file to grant root access to ordinary users in Linux?

The access rights of sudo users are controlled by the /etc/sudoers file. Therefore, simply add the user to the wheel group in the sudoers file.

Simply append the desired user to the /etc/sudoers file with the visudo command.

# grep -i user2 /etc/sudoers
user2 ALL=(ALL) ALL

In this example, I will use the user account user2.

I'm going to check if user user2 has sudo access by restarting the MariaDB service on the system. Let's see this magic trick.

$ sudo systemctl restart mariadb
[sudo] password for user2:
$ sudo grep -i mariadb /var/log/secure
[sudo] password for user2:
Mar 17 07:23:10 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart mariadb
Mar 17 07:26:52 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/grep -i mariadb /var/log/secure

How do I configure sudo access in Debian/Ubuntu systems?

In Debian-based systems such as Debian, Ubuntu, and LinuxMint, you can do this using the following three methods.

Method 1: How to use the sudo or admin group to grant root access to ordinary users in Linux?

Sudo or admin are special groups in Debian-based systems that provide additional permissions to authorize users to execute restricted commands like superusers.

Note that the sudo or admin group should be activated in the /etc/sudoers file to gain this access.

# grep -i 'sudo\|admin' /etc/sudoers
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

Suppose we have created a user account to perform these operations. Here, I will use 2gadmin as a user account.

Execute the following command to add users to the sudo group.

# usermod -aG sudo 2gadmin

We can verify this with the following command.

# getent group sudo
sudo:x:27:2gadmin

I'm going to test if user 2gadmin can access files that belong to the root user.

$ less /var/log/auth.log
/var/log/auth.log: Permission denied

An error occurred when I tried to access the /var/log/auth.log file as a normal user. I'm going to access the same file using sudo. Let's take a look at this magic trick.

$ sudo tail -5 /var/log/auth.log
[sudo] password for 2gadmin:
Mar 17 20:39:47 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/bin/bash
Mar 17 20:39:47 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)
Mar 17 20:40:23 Ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 20:40:48 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/usr/bin/tail -5 /var/log/auth.log
Mar 17 20:40:48 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)

Alternatively, we can do the same by adding users to the admin group.

Run the following command to add users to the admin group.

# usermod -aG admin user1

We can verify this with the following command.

# getent group admin
admin:x:1011:user1

Let's take a look at the output.

$ sudo tail -2 /var/log/auth.log
[sudo] password for user1:
Mar 17 20:53:36 Ubuntu18 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/tail -2 /var/log/auth.log
Mar 17 20:53:36 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)

Method 2: How to use the /etc/group file in Debian/Ubuntu to grant superuser access to ordinary users?

We can manually add users to the sudo group or admin group by editing the /etc/group file.

You can do this simply by opening the file and appending the appropriate user to the appropriate group.

$ grep -i sudo /etc/group
sudo:x:27:2gadmin,user2

In this example, I will use the user account user2.

I'm going to check if user user2 has sudo access by restarting the Apache httpd service on the system. Let's see this magic trick.

$ sudo systemctl restart apache2
[sudo] password for user2:
$ sudo tail -f /var/log/auth.log
[sudo] password for user2:
Mar 17 21:01:04 Ubuntu18 systemd-logind: New session 22 of user user2.
Mar 17 21:01:04 Ubuntu18 systemd: pam_unix(systemd-user:session): session opened for user user2 by (uid=0)
Mar 17 21:01:33 Ubuntu18 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart apache2

Method 3: How to use the /etc/sudoers file to grant superuser access to ordinary users in Linux?

The access rights of sudo users are controlled by the /etc/sudoers file. Therefore, simply add the user to the sudo or admin group in the sudoers file.

Simply append the desired user to the /etc/sudoers file with the visudo command.

# grep -i user3 /etc/sudoers
user3 ALL=(ALL:ALL) ALL

In this example, I will use the user account user3.

I'm going to check if user user3 has sudo access by restarting the MariaDB service on the system. Let's see this magic trick.

$ sudo systemctl restart mariadb
[sudo] password for user3:
$ sudo tail -f /var/log/auth.log
[sudo] password for user3:
Mar 17 21:12:32 Ubuntu18 systemd-logind: New session 24 of user user3.
Mar 17 21:12:49 Ubuntu18 sudo: user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/systemctl restart mariadb
Mar 17 21:12:49 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)
Mar 17 21:12:53 Ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 21:13:08 Ubuntu18 sudo: user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Mar 17 21:13:08 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)

This concludes the article on how to configure sudo access in Linux. I hope the above content is of some help to you and that you learned something from it. If you think the article is good, please share it so more people can see it.
