Sudo Settings

Configure sudo so that administrative duties can be separated when several people share privileges.

[1] Grant all root privileges to a user.

[root@localhost ~]# visudo
...
# add to the end: user [future] can use all root privileges
future ALL=(ALL) ALL    # target host=(run-as user) command

Verify with user [future]

[future@localhost ~]# cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally

Use sudo

[future@localhost ~]# sudo cat /etc/shadow
Password:    # own password

...
ftp:*:18042:0:99999:7:::
nobody:*:18042:0:99999:7:::
systemd-coredump:!!:18434::::::
systemd-network:!!:18434::::::
systemd-resolve:!!:18434::::::
dbus:!!:18434::::::
systemd-timesync:!!:18434::::::       # just executed
...

[2] In addition to the setting in [1], specify commands that are not allowed.

[root@localhost ~]# visudo
...
# add an alias for the shutdown-type commands (a trailing backslash continues the line)
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl

# add: commands in alias [SHUTDOWN] are not allowed
future ALL=(ALL) ALL, !SHUTDOWN

Verify with user [future]

[future@localhost ~]# sudo shutdown -r now
Password:
Sorry, user future is not allowed to execute '/sbin/shutdown -r now' as root on localhost.localdomain.  # denied normally

[3] Grant some commands with root privilege to users in a group.

[root@localhost ~]# visudo
...
# add an alias for the user management commands (a trailing backslash continues the line)
Cmnd_Alias USERMGR = /sbin/useradd, /sbin/userdel, /sbin/usermod, \
    /bin/passwd

# add to the end
%usermgr ALL=(ALL) USERMGR

[root@localhost ~]# groupadd usermgr
[root@localhost ~]# usermod -a -G usermgr future

Verify with user [future]

[future@localhost ~]# sudo useradd testuser
[future@localhost ~]#       # run normally
[future@localhost ~]# sudo passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
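To make the rule semantics of steps [1] to [3] concrete, the following is an added example (not code from the original page or from the sudo project): a small Python evaluator for the sudoers lines used above. It parses Cmnd_Alias definitions, user and %group specifications, backslash line continuation, the ALL keyword and "!" negation, and decides whether a given user may run a given command path using sudo's basic rule that entries are evaluated in file order and the last match wins. The sudoers text and the group table are constructed for the example (user alice is an assumed extra member of usermgr). Two caveats worth keeping in mind when reading the result: sudoers(5) warns that subtracting commands from ALL with "!" is not a reliable restriction, so the allow-list shape of step [3] is the more robust pattern, and /bin/passwd without an argument pattern permits changing any account's password, which sudoers argument patterns (see sudoers(5)) can narrow. Real sudo also matches hosts, compares commands by more than their path string and supports many more constructs, so this is a reading aid for the rules, not a reimplementation.

```python
"""Minimal evaluator for the sudoers rules shown on this page (added example).

Models only: Cmnd_Alias lines, specs of the form
<user|%group> <host>=(<runas>) <command list>, ALL, '!' negation and
backslash line continuation. It is a teaching model, not sudo itself.
"""
import re

# Constructed sudoers text combining the configurations from steps [2] and [3].
SUDOERS = r"""
# commands that stop or restart the machine
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
    /sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl
# user management commands
Cmnd_Alias USERMGR = /sbin/useradd, /sbin/userdel, /sbin/usermod, /bin/passwd

future   ALL=(ALL) ALL, !SHUTDOWN
%usermgr ALL=(ALL) USERMGR
"""

# Constructed stand-in for /etc/group: group name -> set of member names.
# "alice" is an assumed extra member used to exercise the %usermgr rule.
GROUPS = {"usermgr": {"future", "alice"}}

# <who> <host>=(<runas>) <command list>; the (runas) part is optional.
_SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]+)\)\s*)?(.+)$")


def _logical_lines(text):
    """Yield non-empty, comment-stripped lines after joining continued lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_sudoers(text):
    """Return (aliases, specs): aliases maps name -> [paths];
    specs is a list of (who, host, runas, [command entries]) in file order."""
    aliases, specs = {}, []
    for line in _logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, host, runas, cmdlist = m.groups()
        specs.append((who, host, runas or "root",
                      [c.strip() for c in cmdlist.split(",")]))
    return aliases, specs


def _expand(entries, aliases):
    """Expand alias names into paths, preserving '!' negation and ALL."""
    expanded = []
    for entry in entries:
        negated = entry.startswith("!")
        name = entry.lstrip("!")
        for target in aliases.get(name, [name]):
            expanded.append(("!" if negated else "") + target)
    return expanded


def _who_matches(who, user, groups):
    """True if a user spec's first field (user, %group or ALL) covers `user`."""
    if who == "ALL":
        return True
    if who.startswith("%"):
        return user in groups.get(who[1:], set())
    return who == user


def may_run(user, command, runas="root", sudoers=SUDOERS, groups=GROUPS):
    """Decide whether `user` may run `command` (an absolute path) as `runas`.

    Entries are evaluated in file order and the last match wins, so
    'ALL, !SHUTDOWN' grants everything and then takes the SHUTDOWN paths away.
    """
    aliases, specs = parse_sudoers(sudoers)
    allowed = False
    for who, _host, spec_runas, entries in specs:
        if not _who_matches(who, user, groups):
            continue
        if spec_runas not in ("ALL", runas):
            continue
        for entry in _expand(entries, aliases):
            negated = entry.startswith("!")
            path = entry.lstrip("!")
            if path == "ALL" or path == command:
                allowed = not negated
    return allowed


def explain(user, commands):
    """Return {command: 'allowed' | 'denied'} for a quick policy review."""
    return {c: ("allowed" if may_run(user, c) else "denied") for c in commands}


if __name__ == "__main__":
    checks = ["/bin/cat", "/sbin/shutdown", "/bin/systemctl",
              "/sbin/useradd", "/bin/passwd"]
    for name in ("future", "alice", "bob"):
        print(name, explain(name, checks))
```

Running the block prints one line per user: future is allowed /bin/cat, /sbin/useradd and /bin/passwd but denied /sbin/shutdown and /bin/systemctl (the negated alias wins over the earlier ALL); alice gets only the USERMGR paths through group membership; bob, who matches no spec, is denied everything. Reviewing a policy this way before deploying it complements the syntax check that visudo performs.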