How to Edit the Sudoers File

In this article, we shall focus majorly on adding users to the sudoers file and limiting their actions within sudo to prevent major security set back termed as sample of privilege escalation.

sudo is the Super User Do used to execute that will otherwise require root/super user privileges.

It located in the /etc/sudoers file and  visudo used to edit the sudoers file.

There are three sections: host, user and command alias specification.

Lets, look at some of the rules:

root ALL=(ALL:ALL) ALL means root user has unlimited range of privilege and can use and command.

%sudo ALL=(ALL:ALL) ALL means sudo is a group and in case any user has sudo as the group he/she can use any command

Create users

We will create three users, security, updater, developer having responsibility iptables and nmap, apt, service respectively.

sudo adduser username  where username should be different for the users.

Edit sudoers file

Firstly, you must know the long path to a command  by using whereis command where command is command name such as nmap,iptables.

With knowing the long path to a command we can add them to the ‘Cmnd_Alias’ in the visudo.

Add the following Cmnd_Alias SEC = /usr/bin/nmap, /usr/bin/iptables where Cmnd_Alias is for command group and name should be specified.

Add the following User_Alias name = username where name can be any name and username should username on the system.
User_Alias GROUPONE = security

Next we bind the commands to the username User_Alias ALL = Cmnd_Alias where user alias is the username group and command group respectively.
GROUPONE ALL = SEC
GROUPTHREE ALL = NOPASSWD: SER Here NOPASSWD: means user will not be asked for password.

Save and exit the editor.

To check sudo privileges given to a user sudo -l

Groups

Administrators can also use groups to assign administrative power to users.

Most used group is sudo, it can be used as the primary group sudo adduser username --ingroup sudo

Adding sudo as the supplementary group of a user.sudo usermod -aG sudo newuser1 where G is for supplementary group and a is to append user to supplementary group which is sudo.

 

In conclusion, we have seen how an administrator can assign single root privileges to a user and also how to assign a user all the privileges using the sudo group. In addition, other administrative groups are wheel and admin depending with the Linux distribution.

 

Leave a Reply