Transfer root privileges to normal users in Linux

How to give root privileges to other users in Linux?

[ Step 1 ] Transfer root privileges to a normal user in Linux.

[root@sudoadmin ~]# visudo
# add at the bottom: user 'cent' can use all root privileges
cent    ALL=(ALL)    ALL

# syntax ⇒ user host=(run-as user) command

# verify as user 'cent'
[cent@sudoadmin ~]$ /sbin/shutdown -r now
shutdown: you must be root to do that!   # denied normally
[cent@sudoadmin ~]$ sudo /sbin/shutdown -r now
Password:     # own password
Broadcast message from root (pts/0) (Mon Jan 3 11:37:41 2016):

The system is going down for reboot NOW!   # just executed

[ Step 2 ] In addition to the setting in Step 1, some commands are not allowed.

[root@sudoadmin ~]# visudo

# near line 49: add an alias for the shutdown commands
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init

# add ( commands in the aliases 'SHUTDOWN' and 'SOFTWARE' are not allowed )
# * 'SOFTWARE' is defined by default
cent    ALL=(ALL)    ALL, !SHUTDOWN, !SOFTWARE

# verify as user 'cent'
[cent@sudoadmin ~]$ sudo /sbin/shutdown -r now
Password:
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on sudoadmin.sudoadmin.com.   # denied
[cent@sudoadmin ~]$ sudo /usr/bin/yum update
Password:
Sorry, user cent is not allowed to execute '/usr/bin/yum update' as root on sudoadmin.sudoadmin.com.   # denied

[ Step 3 ] Transfer some commands with root privilege to users in a group

[root@sudoadmin ~]# visudo

# near line 51: add an alias for the user management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd

# add at the bottom
%usermgr ALL=(ALL) USERMGR

[root@sudoadmin ~]# groupadd usermgr
[root@sudoadmin ~]# vi /etc/group

# add users in this group
usermgr:x:502:cent

# verify as user 'cent'
[cent@sudoadmin ~]$ sudo /usr/sbin/useradd testuser
[cent@sudoadmin ~]$       # done normally
[cent@sudoadmin ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:        # set testuser password
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

[ Step 4 ] Transfer a command with root privilege to a user

[root@sudoadmin ~]# visudo

# add at the bottom
cent ALL=(ALL) /usr/sbin/visudo
fedora ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
suse ALL=(ALL) /bin/vi

# verify as user 'cent'
[cent@sudoadmin ~]$ sudo /usr/sbin/visudo

# possible to open and edit
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

# verify as user 'fedora'
[fedora@sudoadmin ~]$ sudo /usr/sbin/userdel -r testuser
[fedora@sudoadmin ~]$      # done normally

# verify as user 'suse'
[suse@sudoadmin ~]$ sudo /bin/vi /boot/grub/grub.conf

# possible to open and edit
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
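
Some of the rules in Steps 2 and 4 grant more than they appear to: the sudoers manual notes that subtracting commands from ALL with '!' is generally not effective, and an editor or visudo run as root is not confined to one file. The audit below is an added example, not part of the original article; the RISKY list and the sample input are assumptions constructed from the rules shown above.

```python
import re

# Constructed input: the rules this page adds in Steps 2-4, not a full sudoers file.
SAMPLE = r"""
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
cent ALL=(ALL) ALL, !SHUTDOWN, !SOFTWARE
%usermgr ALL=(ALL) USERMGR
cent ALL=(ALL) /usr/sbin/visudo
fedora ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
suse ALL=(ALL) /bin/vi
"""

# Assumption: a short illustrative list, not an exhaustive catalogue.
RISKY = dict.fromkeys(("vi", "vim", "nano", "emacs"),
                      "editor runs as root on any file; grant 'sudoedit <file>' instead")
RISKY["visudo"] = "holder can rewrite the sudoers policy itself"

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")   # user host=(runas) cmds
ALIAS = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")

def audit(text):
    """Return (who, issue) pairs for rules that grant more than they appear to."""
    text = re.sub(r"\\\n", " ", text)              # join continuation lines
    aliases, findings = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.group(1), [c.strip() for c in m.group(2).split(",")]
        if "ALL" in cmds and any(c.startswith("!") for c in cmds):
            findings.append((who, "ALL with a '!' deny-list: every other command stays allowed"))
        allowed = (x for c in cmds if not c.startswith("!") for x in aliases.get(c, [c]))
        for cmd in allowed:                        # aliases expanded to their members
            path = cmd.split()[0]
            name = path.rsplit("/", 1)[-1]
            if name in RISKY:
                findings.append((who, f"{path}: {RISKY[name]}"))
    return findings

if __name__ == "__main__":
    for who, issue in audit(SAMPLE):
        print(f"{who:10} {issue}")
```

A rule such as `suse ALL=(root) sudoedit /boot/grub/grub.conf` passes this audit, because sudoedit edits a copy of the one named file as the invoking user rather than running the editor as root.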

[ Step 5 ] The logs for sudo are kept in '/var/log/secure', but many other kinds of logs are written there too. If you'd like to keep only sudo's log in its own file, configure it as follows.

[root@sudoadmin ~]# visudo

# add at the bottom
Defaults syslog=local1

[root@sudoadmin ~]# cp /etc/syslog.conf /etc/syslog.conf.bk
[root@sudoadmin ~]# vi /etc/syslog.conf

# The authpriv file has restricted access.
# line 10: add
local1.* /var/log/sudo.log
authpriv.* /var/log/secure

[root@sudoadmin ~]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:[  OK  ]
Shutting down system logger:[  OK  ]
Starting system logger:[  OK  ]
Starting kernel logger:[  OK  ]


Author: Hitesh Satarkar

Hitesh Satarkar is currently working as a Linux/Unix administrator. But I also play with Windows, both in the server and desktop area. Interested in information technology, information security and writing.
