Tech Junkie Blog - Real World Tutorials, Happy Coding!: Linux CentOS In-Depth: Adding Users As Sudo User

Monday, January 14, 2019

Linux CentOS In-Depth: Adding Users As Sudo User

Sometimes you don't want to do everything with the root account.  There are some super users whom you trust as administrators, and you want them to be able to run the sudo command.  The sudo command allows a user to run commands with root privileges without logging in as root, for example sudo yum update.
Unlike the su command, which prompts you for the root password, the sudo command prompts you for the password of the logged-in user.

For sudo to work we have to configure the /etc/sudoers file.  There is a special command for editing the sudoers file: visudo.  Always use this command instead of a plain text editor when editing the sudoers file, because visudo locks the file and checks the syntax before saving.

The sudoers file contains command aliases for different command sets.  For example, the alias for networking is:

Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

So let's say we created a group called networkadmin and want that group to be responsible for networking.  We can add the entry

%networkadmin ALL = NETWORKING

By default the wheel group has access to all the commands:

%wheel ALL=(ALL) ALL

If we want to assign all the commands to an individual user we can do the same thing:

jason ALL = (ALL) ALL

What we can do is give jason access to all the commands because he is the tech lead, but give the developers only the commands in SOFTWARE and SERVICES:

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

We could break the users up into User_Alias entries.  A User_Alias is a group that exists only in the sudoers file, and we can mix and match users into these aliases.

For example, let's say we have four developers: dora, john, todd, and jason.  Two of them are junior developers and the other two are senior developers.

We could create the user aliases JUNIORDEV and SENIORDEV.  Here is how it would look:

User_Alias        JUNIORDEV = todd, john
User_Alias        SENIORDEV = jason, dora

Now we can assign the User_Alias to the Cmnd_Alias



As you can see, the junior developers only have access to the commands that are in the SOFTWARE command alias, while the senior developers have access to both SOFTWARE and SERVICES.
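To check what such a policy actually grants, here is an added example (not code from the original post): a small Python script that expands User_Alias and Cmnd_Alias entries into the commands each user ends up with. The JUNIORDEV and SENIORDEV rule lines in the sample are assumptions built from the description above, and the parser only handles the simple single-line forms used in this post (no Host_Alias, Runas_Alias, negation, or line continuations).

```python
import re

# Constructed sample: aliases and the jason rule are copied from the post;
# the JUNIORDEV and SENIORDEV rule lines are assumptions based on its text.
SAMPLE_SUDOERS = """\
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
User_Alias JUNIORDEV = todd, john
User_Alias SENIORDEV = jason, dora
JUNIORDEV ALL = SOFTWARE
SENIORDEV ALL = SOFTWARE, SERVICES
jason ALL = (ALL) ALL
"""

# "Cmnd_Alias NAME = a, b" / "User_Alias NAME = a, b"
ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
# "who host = (runas) cmd, cmd"; the (runas) part is optional
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def effective_commands(policy):
    """Return {user: sorted commands}; ["ALL"] means unrestricted."""
    aliases = {"User_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in policy.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), split_list(m.group(2))))
    access = {}
    for who, cmds in rules:
        if who.startswith("%"):
            continue  # Unix group: membership is defined outside sudoers
        users = aliases["User_Alias"].get(who, [who])
        for cmd in cmds:
            expanded = aliases["Cmnd_Alias"].get(cmd, [cmd])
            for user in users:
                access.setdefault(user, set()).update(expanded)
    return {u: ["ALL"] if "ALL" in c else sorted(c) for u, c in access.items()}

if __name__ == "__main__":
    for user, cmds in sorted(effective_commands(SAMPLE_SUDOERS).items()):
        print(user, "->", ", ".join(cmds))
```

Note that jason resolves to ALL even though he is also in SENIORDEV, because his individual rule grants everything. On a live system, sudo -l -U username shows what sudo itself resolves for a user.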
