This post explains how to provide sudo access using visudo in Linux.
Let's discuss how to correctly and securely obtain root privileges, with a special focus on editing the /etc/sudoers file.
How to provide Sudo access using visudo in Linux
What is SUDO or Sudoers?
The sudo command offers a mechanism for providing trusted users with administrative access to a system without sharing the password of the root user. When users given access via this mechanism precede an administrative command with sudo, they are prompted to enter their own password. Once authenticated, and assuming the command is permitted, the administrative command is executed as if run by the root user.
It is executed like this:
sudo command_to_execute
Unlike su, sudo will request the password of the user calling the command, not the root password.
In the following section, we will discuss how to modify the configuration in greater detail.
What is Visudo?
The sudo command is configured through a file located at /etc/sudoers.
Note: Never edit this file with a normal text editor! Always use the visudo command instead!
Because improper syntax in the sudoers file can leave you with a system where it is impossible to obtain elevated privileges, it is important to use the visudo command to edit the file.
The visudo command opens a text editor like normal, but then validates the syntax of the file upon saving. This prevents configuration errors from blocking "sudo" operations, which may be your only way of obtaining root privileges.
Traditionally, visudo opens the /etc/sudoers file with the "vi" text editor.
How to modify Sudoers file?
The sudoers file has many lines; some are commented out, and some we will not discuss in this article.
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
user1 ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
Let's take a look at what these lines do.
Default Lines:
The first line, "Defaults env_reset", resets the terminal environment to remove any user variables. This is a safety measure used to clear potentially harmful environmental variables from the sudo session.
The second line, which begins with "Defaults secure_path=...", specifies the PATH (the places in the filesystem the operating system will look for applications) that will be used for sudo operations. This prevents using user paths which may be harmful.
User Privilege Lines
We are already somewhat familiar with the third and fourth lines. You added the fourth line yourself, but you might not have investigated what each portion of it accomplishes.
user1 ALL=(ALL:ALL) ALL
The first field indicates the username that the rule will apply to (user1).
The first "ALL" indicates that this rule applies to all hosts.
The first "ALL" within the parentheses indicates that the user1 user can run commands as all users.
The second "ALL" within the parentheses indicates that the user1 user can run commands as all groups.
The last "ALL" indicates these rules apply to all commands.
This means that our "root" and "user1" users can run any command using sudo, as long as they provide their password.
Group Privilege Lines
The last two lines are similar to the user privilege lines, but they specify sudo rules for groups.
Names beginning with a "%" indicate group names.
Here, we see the "admin" group can execute any command as any user on any host. Similarly, the "sudo" group has the same privileges, but can execute as any group as well.
How To Create Aliases
The sudoers file can be organized more easily by grouping things with various kinds of "aliases".
For instance, we can create three different groups of users, with overlapping membership:
You can also create aliases for: users -> User_Alias, run commands as other users -> Runas_Alias, host -> Host_Alias and command -> Cmnd_Alias
User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
As you can see, the alias OPERATORS includes the users joe, mike and jude; the alias OP includes the users root and operator; the alias OFNET includes the network 10.1.2.0 (the whole class C network); and the command alias PRINTING includes the commands lpc and lprm.
So, a typical sudoers file may look like this:
User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
OPERATORS ALL=ALL
# The users in the OPERATORS group can run any command from any terminal.
linux ALL=(OP) ALL
# The user linux can run any command from any terminal as any user in the OP group (root or operator).
user2 OFNET=(ALL) ALL
# user user2 may run any command from any machine in the OFNET network, as any user.
user3 ALL= PRINTING
# user user3 may run lpc and lprm from any machine.
greenlinux ALL=(ALL) ALL
# user greenlinux may run any command from any machine acting as any user.
If you do not want to be asked for a password, use this form:
greenlinux ALL=(ALL) NOPASSWD: ALL
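The rule fields and aliases described above can be read back mechanically when reviewing a policy. The following Python script is an added example, not code from the original post: it parses the sample rules shown above, expands the aliases, and flags every entry that grants all commands, marking the NOPASSWD form separately. The names parse, audit and split_list are hypothetical, and it assumes one rule per line with aliases defined before use, which is only a subset of real sudoers syntax.

```python
import re

# Constructed input: the page's sample aliases and rules, plus its NOPASSWD line.
SAMPLE = """\
User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
OPERATORS ALL=ALL
linux ALL=(OP) ALL
user2 OFNET=(ALL) ALL
user3 ALL= PRINTING
greenlinux ALL=(ALL) NOPASSWD: ALL
"""

# Assumption: one rule per line, aliases defined before use (a subset of sudoers syntax).
ALIAS = re.compile(r"^(?:User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
# Fields: who  host = (runas_user[:runas_group])  TAG:  commands
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*((?:\w+:\s*)*)(.+)$")

def split_list(s):
    return [v.strip() for v in s.split(",") if v.strip()]

def parse(text):  # returns (aliases, rules) with every alias expanded
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        if (m := ALIAS.match(line)):
            aliases[m.group(1)] = split_list(m.group(2))
        elif (m := RULE.match(line)):
            who, host, runas, tags, cmds = m.groups()
            user, _, group = (runas or "root").partition(":")  # no Runas_Spec means root
            expand = lambda names: [x for n in split_list(names) for x in aliases.get(n, [n])]
            rules.append({"who": expand(who), "host": expand(host),
                          "runas_user": expand(user), "runas_group": expand(group),
                          "tags": re.findall(r"\w+", tags), "cmds": expand(cmds)})
    return aliases, rules

def audit(rules):  # flag rules that grant every command; NOPASSWD is reported separately
    findings = []
    for r in rules:
        if "ALL" in r["cmds"]:
            level = "ALL commands, no password" if "NOPASSWD" in r["tags"] else "ALL commands"
            findings += [(w, level) for w in r["who"]]
    return findings

if __name__ == "__main__":
    for who, level in audit(parse(SAMPLE)[1]):
        print(f"{who}: {level}")
```

Only user3, who is limited to the PRINTING commands, is left out of the findings; every other entry in the sample grants all commands.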
Keep practicing and have fun. Leave your comments if any.