Sorry for the delay between posts, I have been having a bit of trouble lately with my computer, but have 95 percent of the troubles sorted out. Anywho…
Sudo, for those who don't use it, elevates a user's or group's privileges so that they can run commands as root. Which commands they can run can also be specified in the /etc/sudoers file, which can be edited as root with sudo visudo -f /etc/sudoers, or without sudo as the root user with su -c 'visudo -f /etc/sudoers'
The sudoers file contains two main areas: aliases and user specifications. There are four main alias types:
Type     Example
User     User_Alias ADMINS = 01ben, mickeyj4j
Host     Host_Alias FILESERVER = 192.168.1.1, 192.168.1.2
Runas    Runas_Alias ADMIN = 01ben, mickeyj4j
Cmnd     Cmnd_Alias SECURITY = /usr/bin/passwd, /usr/bin/su
User_Alias is rarely used, as the same can be achieved by using a regular group such as group %Admin.
Host_Alias assigns a name to a set of computers based on their IP address or hostname.
Runas_Alias lists the users that other users can run commands as.
Cmnd_Alias groups commands together in one alias.
User specifications are the part that sets what users/groups are allowed to run.
Looking at the following command aliases:
Cmnd_Alias SECURITY=/usr/bin/passwd, /usr/bin/su
Cmnd_Alias SHELLS=/bin/csh, /bin/sh, /usr/bin/es, /usr/bin/ksh, /bin/ksh, /usr/bin/rc, \
    /usr/bin/tcsh, /bin/tcsh, /usr/bin/esh, /bin/dash, /bin/bash, /bin/rbash
Cmnd_Alias TEXT=/usr/bin/visudo, /usr/bin/nano, /usr/bin/vi, /usr/bin/mousepad, /usr/bin/kate
Cmnd_Alias FILE=/usr/bin/thunar, /usr/bin/dolphin, /usr/bin/nautilus, /usr/bin/
01ben ALL=/usr/bin/, /usr/sbin/, !SECURITY, !SHELLS, !TEXT, !FILE
This would allow user '01ben' access to everything in /usr/bin and /usr/sbin except for the commands specified. I personally set up sudo per group as opposed to per user, so if you want multiple users to have access to all commands in /usr/bin and /usr/sbin without being able to run sudo su, sudo passwd or sudo -i, which could be used to gain full access to the root account, use
%group ALL=/usr/bin/, /usr/sbin/, !SECURITY, !SHELLS
Then add all the users that you want into the group 'group'.
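Added example (not from the original post): a small Python check that evaluates the command lists above the way sudoers does, where the last matching entry decides, so you can confirm which commands a rule really permits. It uses a constructed, shortened copy of the post's aliases and rules, handles only plain command lists (no tags such as NOPASSWD: and no Runas specs), and /usr/bin/id is a sample command chosen for illustration.

```python
import re

# Constructed sample: a shortened copy of the aliases and rules from this
# post, written with the backslash line continuation that sudoers requires.
SUDOERS = r"""
Cmnd_Alias SECURITY=/usr/bin/passwd, /usr/bin/su
Cmnd_Alias SHELLS=/bin/sh, /bin/dash, /bin/bash, \
                  /usr/bin/ksh, /usr/bin/tcsh
Cmnd_Alias TEXT=/usr/bin/visudo, /usr/bin/nano, /usr/bin/vi
01ben  ALL=/usr/bin/, /usr/sbin/, !SECURITY, !SHELLS, !TEXT
%group ALL=/usr/bin/, /usr/sbin/, !SECURITY, !SHELLS
"""

def parse(text):
    """Return (cmnd_aliases, rules); rules maps user/%group -> command items."""
    text = re.sub(r"\\\n\s*", " ", text)           # join continuation lines
    aliases, rules = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Cmnd_Alias"):
            name, items = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [i.strip() for i in items.split(",")]
        elif "=" in line and "_Alias" not in line.split()[0]:
            who, rest = line.split(None, 1)         # rest is "HOST=cmd, cmd, ..."
            rules[who] = [i.strip() for i in rest.split("=", 1)[1].split(",")]
    return aliases, rules

def matches(item, cmd, aliases):
    """True if one command item (full path, directory/ or alias) covers cmd."""
    if item in aliases:
        return any(matches(i, cmd, aliases) for i in aliases[item])
    if item.endswith("/"):                          # directory: files directly in it
        return cmd.startswith(item) and "/" not in cmd[len(item):]
    return item == "ALL" or item == cmd

def allowed(items, cmd, aliases):
    """Walk the list in order: the last matching item decides, no match = deny."""
    verdict = False
    for item in items:
        if matches(item.lstrip("!").strip(), cmd, aliases):
            verdict = not item.startswith("!")
    return verdict

ALIASES, RULES = parse(SUDOERS)
for who, items in RULES.items():
    for cmd in ("/usr/bin/su", "/bin/bash", "/usr/bin/visudo", "/usr/bin/id"):
        print(who, cmd, "ALLOWED" if allowed(items, cmd, ALIASES) else "denied")
```

For the %group rule, which leaves out !TEXT, the check reports /usr/bin/visudo as allowed, so review each negated alias list against what the group is meant to be kept away from.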
Another common setup is to be able to use sudo without a password on all commands, something I do not recommend, as if you really need that, you may as well log in as the root user. But if you do, the configuration would be
user ALL=NOPASSWD: ALL
%group ALL=NOPASSWD: ALL
There are more configurations than that, too many to write about here, but think about who actually needs to use sudo and why.