Sudo Settings

Configure Sudo to separate users' duty if some people share privileges.

[1] Transfer root privilege to a user all.

[[email protected] ~]# visudo
...
# add to the end: user [future] can use all root privilege
future ALL=(ALL) ALL    # destination host=(owner) command

Verify with user [future]

[[email protected] ~]# cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally

Use sudo

[[email protected] ~]# sudo cat /etc/shadow
Password:    # own password

...
ftp:*:18042:0:99999:7:::
nobody:*:18042:0:99999:7:::
systemd-coredump:!!:18434::::::
systemd-network:!!:18434::::::
systemd-resolve:!!:18434::::::
dbus:!!:18434::::::
systemd-timesync:!!:18434::::::       # just executed
...

[2] In addition to the setting [1], set that some commands are not allowed.

[[email protected] ~]# visudo
...
# add aliase for the kind of shutdown commands
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown,
/sbin/poweroff, /sbin/reboot, /sbin/init, /bin/systemctl

# add ( commands in aliase [SHUTDOWN] are not allowed )
future ALL=(ALL) ALL, !SHUTDOWN

Verify with user [future]

[[email protected] ~]# sudo shutdown -r now
Password:
Sorry, user future is not allowed to execute '/sbin/shutdown -r now' as root on localhost.localdomain.  # denied normally

[3] Transfer some commands with root privilege to users in a group.

[[email protected] ~]# visudo
...
# add aliase for the kind of user management comamnds
Cmnd_Alias USERMGR = /sbin/useradd, /sbin/userdel, /sbin/usermod,
/bin/passwd

# add to the end
%usermgr ALL=(ALL) USERMGR

[[email protected] ~]# groupadd usermgr
[[email protected] ~]# usermod -a -G usermgr future

Verify with user [future]

[[email protected] ~]# sudo useradd testuser
[[email protected] ~]#       # run normally
[[email protected] ~]# sudo passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.