Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

In this lesson, we will explore how to delegate administrative privileges using the sudo command and how to manage sudo permissions through the /etc/sudoers file. This will enable us to run commands as another user, typically the superuser, which is essential for performing system administrative tasks.

Let’s look at what happens when our john_doe user tries to run the sudo command:

john_doe@ip-10-0-7-219:/home/iacadmin$ sudo whoami

# [sudo] password for john_doe:

# john_doe is not in the sudoers file.  This incident will be reported.

The user could not run the command because they are not listed in the sudoers file. The message "This incident will be reported" means sudo logged the refused attempt to syslog (it lands in the system's authentication log) and, with the default mail_no_user setting, also mailed the mailto user, normally root. Failed attempts are therefore visible to the administrator even though the user saw only a one-line refusal. In this lesson, you will learn how to fix this issue.

Understanding the Sudoers File

The /etc/sudoers file is a crucial configuration file that specifies which users and groups can run what commands on which hosts, and as which users. It’s a central part of the sudo system and requires careful editing to ensure system security and functionality.

Syntax of the Sudoers File

The syntax for entries in the /etc/sudoers file is as follows:

user host=(run_as_user:run_as_group) commands

Here’s a breakdown of the syntax user host=(run_as_user:run_as_group) commands:

  1. user: the username being granted permission. Write %group instead to grant the permission to every member of a group.
  2. host: the hostname (or host alias) on which the rule applies. This allows host-specific rules when one /etc/sudoers file is shared across several machines; ALL matches every host.
  3. (run_as_user:run_as_group): the identities the commands may be executed as.
    - run_as_user: the user the commands may be run as (selected at run time with sudo -u).
    - run_as_group: the group the commands may be run as (selected with sudo -g).
    - If either is ALL, the commands may be run as any user or any group respectively. If the parentheses are omitted entirely, the commands may only be run as root.
  4. commands: the commands the user is allowed to run, each given as an absolute path. This can be a single command, a comma-separated list, a command alias, or the keyword ALL to allow every command.

Editing the Sudoers File

To edit the sudoers file, always use the visudo command. It locks the file against concurrent edits and checks the syntax before saving, which matters because a syntax error in /etc/sudoers makes sudo refuse every command, including the one you would use to repair the file. Two related options are useful in practice: visudo -c checks an existing file without opening an editor, and visudo -f edits a file of your choice, such as a drop-in under /etc/sudoers.d, which keeps local rules out of the distribution-managed main file. Run it as root or via sudo:

sudo visudo

Adding a User to the Sudoers File

To grant a user sudo privileges, add a rule for them with the appropriate permissions. For example, to allow john_doe to run all commands as any user and any group, add the following to the bottom of the /etc/sudoers file. Position matters: sudo applies the last matching rule, so a line at the bottom overrides any earlier rule for the same user.

john_doe ALL=(ALL:ALL) ALL

Creating an Alias

You can create a command alias to group commonly used commands together. Commands in an alias must be given as absolute paths; use the path the system actually reports (for example from command -v whoami) rather than assuming /bin or /usr/bin. For instance, to group a few commands under the alias MY_CMDS:

# Cmnd alias specification

Cmnd_Alias MY_CMDS = /bin/whoami, /bin/ls

Granting Limited Sudo Access

You can also grant a user access to only specific commands. This is the least-privilege approach and should be the norm; unrestricted ALL should be the exception. Choose the commands carefully: anything that can spawn a shell or write arbitrary files as root (editors, pagers, find with -exec, scripting interpreters) is equivalent to granting ALL. For instance, to allow john_doe to run only the commands in our alias:

# In the sudoers file:

john_doe ALL=(ALL:ALL) MY_CMDS

Validating Sudo Access

After editing the sudoers file, check what a user may run with sudo -l. As root you can query any user with the -U option; the user can also run plain sudo -l themselves to see their own permissions:

sudo -l -U john_doe
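The following script is an added example and is not part of the original lesson. It ties together the rule syntax from the Syntax section and the editing, alias, limited-access and validation steps above: it resolves the alias commands to absolute paths, renders the Cmnd_Alias and the user rule as a drop-in file, syntax-checks the candidate with visudo -c -f before anything touches /etc, installs it with the owner and mode sudo requires, and finally lists the result with sudo -l -U. The user name john_doe and the alias name MY_CMDS come from the lesson; the drop-in path /etc/sudoers.d/john_doe, the root:root ownership and the "install" argument are assumptions made for this script. Rendering and path resolution run unprivileged; only the install step needs root.

```sh
#!/bin/sh
# Added example, not from the original lesson: build, check and install a
# sudoers drop-in that gives john_doe the MY_CMDS alias from the text.
# Assumptions: Linux with root:root ownership for /etc/sudoers.d files,
# drop-in path /etc/sudoers.d/john_doe, and root privileges for "install".
set -eu

DELEGATE="john_doe"                       # user from the lesson
ALIAS_NAME="MY_CMDS"                      # alias from the lesson
DROPIN="/etc/sudoers.d/${DELEGATE}"       # assumption: drop-in file name
# sudo ignores drop-in files whose names contain a "." or end in "~",
# so keep the file name free of both.

# Resolve a command name to the absolute path a sudoers entry must use.
# Fails (exit 1) for unknown commands so a typo cannot become a dangling rule.
resolve_cmd() {
    command -v "$1" || { echo "cannot resolve command: $1" >&2; return 1; }
}

# Render "Cmnd_Alias NAME = /path/a, /path/b" from plain command names.
render_alias() {
    alias_name=$1; shift
    paths=""
    for c in "$@"; do
        p=$(resolve_cmd "$c") || return 1
        paths="${paths:+$paths, }$p"
    done
    printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$paths"
}

# Render the user rule: user host=(run_as_user:run_as_group) commands.
# Host ALL and runas (ALL:ALL) match the lesson; the command list is the alias.
render_rule() {
    printf '%s ALL=(ALL:ALL) %s\n' "$1" "$2"
}

# The complete drop-in: the alias definition first, then the rule using it.
render_dropin() {
    printf '# Limited sudo access for %s (generated)\n' "$DELEGATE"
    render_alias "$ALIAS_NAME" whoami ls
    render_rule "$DELEGATE" "$ALIAS_NAME"
}

# Syntax-check a candidate file without touching /etc. Refuse to continue
# when visudo is missing rather than installing an unchecked file.
check_dropin() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    visudo -c -f "$1"
}

# Write, check and install the drop-in, then show what the user may run.
install_dropin() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    render_dropin > "$tmp"
    chmod 0440 "$tmp"               # visudo warns about files not in mode 0440
    check_dropin "$tmp"
    # sudo rejects sudoers files that are group/world writable or not root-owned
    install -o root -g root -m 0440 "$tmp" "$DROPIN"
    sudo -l -U "$DELEGATE"
}

# Only act when explicitly asked; running without arguments (or sourcing
# the file) just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_dropin
fi
```

Invoke it as root with the single argument install to write the file; without an argument it defines the functions and does nothing, so you can source it and call render_dropin to review the exact lines before they reach /etc/sudoers.d. The check step deliberately fails closed: if visudo is absent the file is never installed, because an unchecked sudoers fragment with a syntax error would break sudo for everyone on the host.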

Testing Limited Sudo Access

From your root user, su to john_doe:

sudo su john_doe