- Joshua Mukonyi
- September 1, 2021
In this article, we focus mainly on adding users to the sudoers file and limiting what they can do with sudo, to prevent a major security setback known as privilege escalation.
sudo (Super User Do) is used to execute commands that would otherwise require root/superuser privileges.
Its rules are located in the /etc/sudoers file, and visudo is used to edit the sudoers file.
There are three sections: host, user and command alias specifications.
Let's look at some of the rules:
root ALL=(ALL:ALL) ALL means the root user has an unlimited range of privileges and can use any command.
%sudo ALL=(ALL:ALL) ALL means sudo is a group, and any user who has sudo as a group can use any command.
We will create three users, security, updater and developer, responsible for iptables and nmap, apt, and service respectively.
sudo adduser username where username is different for each user.
Edit sudoers file
First, you must find the full path to a command by using
whereis command where command is the command name, such as nmap or iptables.
Knowing the full path to each command, we can add them to a ‘Cmnd_Alias’ in visudo.
Add the following
Cmnd_Alias SEC = /usr/bin/nmap, /usr/bin/iptables where Cmnd_Alias defines a command group and a name (here SEC) must be specified.
Add the following
User_Alias name = username where name can be any name and username should be a username on the system.
User_Alias GROUPONE = security
Next, we bind the commands to the username
User_Alias ALL = Cmnd_Alias where User_Alias and Cmnd_Alias are the user group and the command group respectively.
GROUPONE ALL = SEC
GROUPTHREE ALL = NOPASSWD: SER
Here, NOPASSWD: means the user will not be asked for a password.
Save and exit the editor.
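The steps above, collected into one policy for the three users and checked before it is relied on. This is an added example, not the article's own code: the names GROUPTWO and UPD, the reading of GROUPTHREE and SER as the developer user and the service command, and the /usr/bin/apt and /usr/sbin/service paths are assumptions. visudo -c -f checks the syntax, and the awk pass lists rules that skip the password prompt or grant every command.

```shell
#!/bin/sh
# Added example, not the article's own code. GROUPTWO, UPD and the apt/service
# paths are assumed names; confirm every path with `whereis` on your system.

write_policy() {   # $1 = file to create (constructed sample policy)
    cat > "$1" <<'EOF'
Cmnd_Alias SEC = /usr/bin/nmap, /usr/bin/iptables
Cmnd_Alias UPD = /usr/bin/apt
Cmnd_Alias SER = /usr/sbin/service
User_Alias GROUPONE = security
User_Alias GROUPTWO = updater
User_Alias GROUPTHREE = developer
GROUPONE ALL = SEC
GROUPTWO ALL = UPD
GROUPTHREE ALL = NOPASSWD: SER
EOF
}

syntax_ok() {      # 0 when visudo accepts the file, or when visudo is absent
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found, skipped" >&2; return 0; }
    visudo -c -f "$1" >/dev/null
}

audit_rules() {    # prints "<who>: <finding>" for each rule worth a second look
    awk '
        /^[ \t]*(#|$)/ || /^(Cmnd|User|Host|Runas)_Alias/ || /^Defaults/ { next }
        {
            who = $1; cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)        # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)     # drop the "(runas)" part
            if (cmds ~ /NOPASSWD:/) print who ": no password required"
            gsub(/[A-Z]+:[ \t]*/, "", cmds)       # drop tags such as NOPASSWD:
            if (cmds ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/) print who ": may run any command"
        }' "$1"
}

main() {
    f=$(mktemp) || return 1
    write_policy "$f"
    syntax_ok "$f" && echo "syntax OK"
    audit_rules "$f"
    rm -f "$f"
}
main
```

Run against the two default rules quoted earlier (root and %sudo), audit_rules reports both as able to run any command, which is the contrast with the alias-limited users.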
To check sudo privileges given to a user
Administrators can also use groups to assign administrative power to users.
The most used group is sudo; it can be used as the primary group
sudo adduser username --ingroup sudo
sudo can also be added as a supplementary group of a user.
sudo usermod -aG sudo newuser1 where G is for supplementary group and a appends the user to the supplementary group, which is sudo.
In conclusion, we have seen how an administrator can assign individual root privileges to a user and also how to assign a user all privileges using the sudo group. In addition, other administrative groups are wheel and admin, depending on the Linux distribution.