Configure sudo permissions for ordinary users in Linux

Table of contents

  • 1. About sudo

  • 2. The working process of sudo

  • 3. Configure sudo permissions for ordinary users

    • 3.1 Method 1: Change the ordinary user’s affiliated group to wheel so that it has sudo permissions (recommended)
    • 3.2 Method 2: Modify the /etc/sudoers file so that ordinary users have sudo permissions
  • 4. Detailed explanation of the /etc/sudoers configuration file


1. About sudo

The sudo command provides a mechanism for granting trusted users administrative privileges on the system without sharing the root user’s password. They can perform most administrative operations, but do not have the full permissions of root. sudo is a program that lets ordinary users execute commands as the superuser or as another user, as specified by the security policy. Who may use sudo, and how, is controlled by the /etc/sudoers file.

2. The working process of sudo

  1. When a user executes sudo, sudo looks up the /etc/sudoers file to determine whether the user is permitted to use sudo.

  2. After confirming that the user has the permission to execute sudo, sudo asks the user to enter his or her own password (not root’s) for confirmation.

  3. If the password is correct, the requested command is executed.

  4. Root does not need to enter a password when executing sudo (the sudoers file contains a rule such as root ALL=(ALL) ALL).

  5. If the identity you want to switch to is the same as the executing user, no password is needed either.

3. Configure sudo permissions for ordinary users

Executing the visudo command is equivalent to running vim /etc/sudoers, except that when saving and exiting, visudo checks the file’s syntax so that a user cannot write an incorrect rule; visudo is therefore the recommended way to edit the file. In addition, root privileges are required to execute visudo. There are two methods to configure sudo permissions for ordinary users, which are introduced one by one below.

3.1 Method 1: Change the ordinary user’s affiliated group to wheel so that it has sudo permissions (recommended)

1. wheel is a special user group on RHEL-based systems. It grants additional permissions: its members can be authorized to execute restricted commands like the superuser.

#This user group is created by the system by default.
[root@mast ~]# grep wheel /etc/group
wheel:x:10:

2. First, make sure that the line “%wheel ALL=(ALL) ALL” in the /etc/sudoers file is not commented.

[root@mast ~]# cat /etc/sudoers
#Make sure that the line "%wheel ALL=(ALL) ALL" in the /etc/sudoers file is not commented
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

3. Add the nginx user to the wheel group so that the nginx user has sudo permissions

#The nginx user already exists
[root@mast ~]# id nginx
uid=8000(nginx) gid=8000(nginx) groups=8000(nginx)

#Add nginx to the supplementary group wheel (-a appends instead of replacing the existing groups)
[root@mast ~]# usermod -aG wheel nginx

[root@mast ~]# id nginx
uid=8000(nginx) gid=8000(nginx) groups=8000(nginx),10(wheel)

[root@mast ~]# grep wheel /etc/group
wheel:x:10:nginx

[root@mast ~]# su - nginx
Last login: Wed Oct 28 16:48:36 CST 2020 on pts/0

#The nginx user cannot read the /etc/shadow file
[nginx@mast ~]$ tail -f /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
tail: no files remaining

#The nginx user cannot read /etc/shadow directly, but with sudo in front, and after entering nginx's own password, the file can be read.
[nginx@mast ~]$ sudo tail -f /etc/shadow
[sudo] password for nginx:
rpc:!!:18023:0:99999:7:::
rpcuser:!!:18023::::::
nfsnobody:!!:18023::::::
tss:!!:18341::::::
stick:$6$yKQtTFMB$YszPx1AOZQfV91stJ4NXmR/DoLU2DjluS5uycrFexU4.yMCw7kjkyQYKIF7UcE4PPCAsM.QyKaDIAgOY6zbrn/:18550:0:99999:7:::
www:!!:18557:0:99999:7:::

From this point on, nginx has sudo permissions.

3.2 Method 2: Modify the /etc/sudoers file so that ordinary users have sudo permissions

1. The /etc/sudoers file contains the line “root ALL=(ALL) ALL”. Add a similar line below it for the www user and www will have sudo permissions. The meaning of “root ALL=(ALL) ALL” is as follows: the first ALL refers to the hosts on which the rule applies, the ALL in parentheses refers to the target users, that is, the identities the command may be executed as, and the last ALL refers to the commands that may be run.

[root@mast ~]# id www
uid=8003(www) gid=8003(www) groups=8003(www)

#Add the www user to the /etc/sudoers file
#The line below means that the user www can run all commands
#To give a user sudo permissions for one command only, write the command instead of ALL, e.g. putong ALL=(ALL) /usr/bin/systemctl. With this rule the putong user can use sudo only for the systemctl command.
[root@mast ~]# cat /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
www ALL=(ALL) ALL

[root@mast ~]# su www

#www does not have permission to read /etc/shadow
[www@mast root]$ tail -f /etc/shadow
tail: cannot open '/etc/shadow' for reading: Permission denied
tail: no files remaining

#www does not have permission to read /etc/shadow, but with sudo in front the file contents can be read.
[www@mast root]$ sudo tail -f /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for www:
rpc:!!:18023:0:99999:7:::
rpcuser:!!:18023::::::
nfsnobody:!!:18023::::::
tss:!!:18341::::::
www:$6$EOuaJn9t$Qpm5GszWdDZ.dGP/GVcTzbzyeLpFqi9Zg84UmAGjnUtBb9QGV0KI7pRJGN6NiRnNvBTEKwVxjmu2Spn6l5dH6/:18564:0:99999:7:::

#For example, to let user Daniel execute the kill command as jimmy or rene on the host named linux, write the rule like this:
Daniel linux=(jimmy,rene) /bin/kill
#One question remains: should Daniel run it as jimmy or as rene? This is exactly what sudo -u is for: Daniel can run sudo -u jimmy kill PID or sudo -u rene kill PID.
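As an added example, not part of the original article, the following Python script parses user-specification lines of the shape explained above (user host=(runas) [NOPASSWD:] commands, the same syntax section 4 documents) and flags every rule that grants ALL commands, which is the check an administrator would run before trusting a sudoers file. The sudoers text is constructed here for the demonstration and is not the page's file.

```python
import re
from collections import namedtuple

# Constructed sudoers text for the audit (not the page's file): the rule shapes
# the article explains plus a Defaults line, a commented-out rule and an include.
SAMPLE_SUDOERS = """\
root    ALL=(ALL)       ALL
www     ALL=(ALL)       ALL
putong  ALL=(ALL)       /usr/bin/systemctl
Daniel  linux=(jimmy,rene) /bin/kill
%wheel  ALL=(ALL)       ALL
# %wheel ALL=(ALL)      NOPASSWD: ALL
%users  localhost=/sbin/shutdown -h now
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
Defaults requiretty
#includedir /etc/sudoers.d
"""
# user_or_%group  hosts=(runas_list) [NOPASSWD:] commands
RULE_RE = re.compile(r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>[\w.,-]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
Rule = namedtuple("Rule", "who hosts runas nopasswd cmds")

def parse_sudoers(text):
    """Parse user specifications; comments, Defaults, aliases and includes are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue          # '#includedir' starts with '#', so it is skipped too
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):].strip()
        runas = m.group("runas")
        rules.append(Rule(m.group("who"), m.group("hosts").split(","),
                          runas.split(",") if runas else ["root"],   # omitted runas means root
                          nopasswd, [c.strip() for c in cmds.split(",")]))
    return rules

def audit(rules):
    """Return (who, finding) for every rule that grants ALL commands."""
    findings = []
    for r in rules:
        if "ALL" in r.cmds:
            tag = "NOPASSWD, " if r.nopasswd else ""
            findings.append((r.who, f"{tag}ALL commands as {','.join(r.runas)}"))
    return findings
```

Run audit(parse_sudoers(open("/etc/sudoers").read())) as root to list the unrestricted rules of a real file; Daniel's single-command rule and backup's rsync rule are parsed but not flagged.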

4. Detailed explanation of the /etc/sudoers configuration file

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
## A host alias names a group of servers, by hostname (possibly wildcarded) or by IP address.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
## This is not very common because you can use groups instead of aliases for a group of users
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...
## An alias names a set of related commands (possibly just one); granting sudo permissions
## to the alias grants them for every command it contains. Some examples follow.

## Networking: network operation command alias
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software: package management command alias
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services: service management command alias
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database: command alias
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage: disk operation command alias
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions: command alias for delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes: process management command alias
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers: driver command alias
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
Defaults requiretty

# Environment handling: reset the environment and keep only the listed variables; see man sudoers for details.
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
## i.e. user  host=(identity the command may run as)  commands that may be executed
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
## Allow users in the sys group to run the commands in the NETWORKING, SOFTWARE and other aliases listed
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
## Allow users in the wheel user group to execute all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
## Allow users in the wheel group to use all commands without entering the user's password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
## Allow users in the users group to mount and unmount /mnt/cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
## Allow users in the users user group to shut down the localhost server
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d
## Read the files placed in the /etc/sudoers.d/ directory (the leading # of #includedir is part of the directive, not a comment)
#includedir /etc/sudoers.d
