Sudoers

The sudoers file is a configuration file used in Unix-like operating systems (such as Linux) to define user permissions for running commands with superuser privileges via the sudo command. It controls who can run what commands as which user (often root), and under what conditions.

The sudoers file lives at /etc/sudoers. Always edit it with the visudo utility: visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the system with a broken sudoers file that locks everyone out of sudo. Most distributions also read drop-in files from /etc/sudoers.d/ (through an includedir directive at the end of /etc/sudoers); these are edited the same way with sudo visudo -f /etc/sudoers.d/<name>. These are the files related to user and root management that this section uses:

  • /etc/sudoers : the sudo rules (who may run which commands, as whom)

  • /etc/passwd : the account list, including each user's login shell (world-readable)

  • /etc/shadow : password hashes and lock status (readable by root only)

Adding users to the sudo group to allow sudo access

To give a new user sudo access we first create the account and then add it to the sudo group. Create the user with the following command:

$> sudo useradd -m -s /bin/bash <username>

The parameters used here mean:

  • -m : creates the user's home directory

  • -s : sets the user's login shell

After creating the user, add it to the sudo group (this step itself requires root, so run it through sudo):

$> sudo usermod -aG sudo <username>

The -a (append) flag adds the user to the listed group(s) without removing any supplementary groups they already have; -G on its own would replace the existing list. On Debian and Ubuntu the administrative group is sudo; on Red Hat, Fedora and Arch it is wheel. The user has to log out and back in before the new group membership applies.


Adding users to the sudoers file to allow sudo access

When a user needs root access but we do not want to add them to the sudo group, we can grant the access directly in the sudoers file.

$> sudo visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
<username> ALL=(ALL:ALL) ALL

This grants the user the same level of access as root: any command, as any user and any group, on any host, after authenticating with their own password.

The structure of a user specification in this file is:

<user_or_%group> <host_list>=(<runas_user>:<runas_group>) <tags> <command_list>

The first field is the user (or %group) the rule applies to. The second is the host list (ALL, or specific hostnames, which matters when one sudoers file is shared across machines). The parenthesised part names the users and groups the commands may be run as. Optional tags such as NOPASSWD: come next, and the last field is the list of commands, each given by absolute path.

Limiting user root access to certain path or files

Having configured the user above with full rights, we can instead restrict a user to specific commands only.

$> sudo visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
<username> ALL=(ALL) /usr/bin/apt

This only allows the user to run /usr/bin/apt as root, limiting their access compared with a full ALL rule. Two caveats: the command must be given by absolute path, and a command is only a real restriction if it cannot itself launch other programs. apt can (it runs hooks such as APT::Update::Pre-Invoke and opens a pager for apt changelog), so a user with this rule can still obtain a root shell; prefer commands that do not execute arbitrary programs, or pin the allowed arguments in the rule.

If the user should not be prompted for a password when running the allowed commands, add the NOPASSWD: tag:

$> sudo visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
<username> ALL=(ALL) NOPASSWD: /usr/bin/apt
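As an added example (not code from the original page), here is a small shell audit that splits each rule in a sudoers-format file into the fields described above (who, hosts, runas, tags, commands) and flags rules whose command list is ALL, i.e. rules that grant unrestricted root. It shows what the %group prefix and the NOPASSWD: tag look like once parsed. The function names and the constructed sample rules are this example's own assumptions; it takes a file path, so it can also be pointed at a copy of /etc/sudoers, but it handles one rule per line only (no backslash continuations) and does not expand aliases.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a sudoers-format
# file, splitting each user specification into WHO HOSTS RUNAS TAGS
# COMMANDS and flagging rules that grant every command. One rule per
# line; Defaults, alias and include directives are skipped. The sample
# rules in sample_sudoers() are constructed for this example.

# sudoers_audit FILE
# Prints one line per rule: WHO HOSTS RUNAS TAGS COMMANDS VERDICT
# VERDICT is FULL_ROOT when the command list is ALL, else RESTRICTED.
sudoers_audit() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    awk '
    /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|@include)/ { next }
    {
        who = $1                                   # user, or %group
        rest = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)
        hosts = rest; sub(/[ \t]*=.*$/, "", hosts) # text before the first "="
        spec = rest;  sub(/^[^=]*=[ \t]*/, "", spec)
        runas = "-"                                # "(user:group)" is optional
        if (spec ~ /^\(/) {
            runas = spec; sub(/\).*$/, "", runas); sub(/^\(/, "", runas)
            sub(/^\([^)]*\)[ \t]*/, "", spec)
        }
        tags = "-"                                 # e.g. NOPASSWD:, NOEXEC:
        while (spec ~ /^[A-Z_]+:/) {
            t = spec; sub(/:.*$/, "", t)
            tags = (tags == "-") ? t : tags "," t
            sub(/^[A-Z_]+:[ \t]*/, "", spec)
        }
        sub(/[ \t]+$/, "", spec)
        verdict = (spec == "ALL") ? "FULL_ROOT" : "RESTRICTED"
        print who, hosts, runas, tags, spec, verdict
    }'
}

# sudoers_full_root FILE
# Prints only the users/groups whose rule allows every command.
sudoers_full_root() {
    sudoers_audit "$1" | awk '$NF == "FULL_ROOT" { print $1 }'
}

# Constructed sample in the format shown on this page (not a real file).
sample_sudoers() {
    printf '%s\n' \
        '# User privilege specification' \
        'root    ALL=(ALL:ALL) ALL' \
        'alice   ALL=(ALL:ALL) ALL' \
        'bob     ALL=(ALL) NOPASSWD: /usr/bin/apt' \
        '%apt-users ALL=(ALL) /usr/bin/apt' \
        '%sudo   ALL=(ALL:ALL) ALL' \
        'Defaults env_reset' \
        '@includedir /etc/sudoers.d'
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
sudoers_audit "$tmp"
echo "unrestricted root: $(sudoers_full_root "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

Running it on the sample prints root, alice and %sudo as FULL_ROOT, while bob and %apt-users show up as RESTRICTED with the NOPASSWD tag visible on bob's line; on a real host, run it as root against /etc/sudoers and each file in /etc/sudoers.d/ to see which rules actually grant full root.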

Locking and unlocking users

When certain users should not be able to log in, we can lock their accounts with the following command:

$> sudo usermod -L <username>   # lock the user's password

To unlock the user back we can use :

$> sudo usermod -U <username>   # unlock the user's password

To verify whether an account is locked, inspect /etc/shadow (or run sudo passwd -S <username>, which prints L for a locked password, P for a usable one and NP for no password):

$> sudo cat /etc/shadow

There are two cases:

  • If the password field (the second colon-separated field) starts with a ! sign, the user's password is locked

  • If it does not, the password is usable and the user can log in with it

Note that usermod -L only prefixes the password hash with !, so it blocks password authentication and nothing else: a user with a key in ~/.ssh/authorized_keys can still log in over SSH. To block every login method, also expire the account (sudo chage -E 0 <username>) or give it a non-login shell as described below.
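The check above can be scripted. This added example (not from the original page) reads a shadow-format file and classifies each account's password field: "!" means locked by usermod -L or passwd -l, "*" means no valid password was ever set, and an empty field is the dangerous case where the account logs in with no password at all. The sample shadow content is constructed with placeholder hashes, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): report the lock state of
# accounts from a shadow-format file, the same check done above by eye.
# The shadow content below is constructed sample data with fake hashes;
# the function names are this example's own.

# shadow_status SHADOW_FILE USERNAME
# Prints one word describing the password field of USERNAME:
#   locked    - hash is prefixed with "!" (what usermod -L / passwd -l does)
#   disabled  - field is "*" (no valid password was ever set)
#   empty     - field is blank: the account can log in with NO password
#   active    - a normal hash, password login possible
#   missing   - no such user in the file
shadow_status() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")              print "empty"
            else if ($2 ~ /^!/)        print "locked"
            else if ($2 == "*")        print "disabled"
            else                       print "active"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# shadow_list_locked SHADOW_FILE
# Prints the user names whose password field starts with "!".
shadow_list_locked() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Constructed /etc/shadow sample: the hashes are placeholders, not real.
sample_shadow() {
    printf '%s\n' \
        'root:$6$saltsalt$fakehashforroot:19700:0:99999:7:::' \
        'vishvam:!$6$saltsalt$fakehashforvishvam:19700:0:99999:7:::' \
        'daemon:*:19700:0:99999:7:::' \
        'guest::19700:0:99999:7:::'
}

tmp=$(mktemp)
sample_shadow > "$tmp"
for u in root vishvam daemon guest nobody; do
    printf '%-8s %s\n' "$u" "$(shadow_status "$tmp" "$u")"
done
echo "locked accounts: $(shadow_list_locked "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

On a real system run it as root against /etc/shadow; an "empty" result deserves immediate attention, and remember that "locked" speaks only to password authentication, not to SSH keys.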

Allowing root level perms based on groups

Suppose you want to give 10 users permission to run the command /usr/bin/apt with sudo (for package management) without giving them full access to all commands.

  • Create a new group (e.g., apt-users):

    sudo groupadd apt-users
  • Add the 10 users to the apt-users group:

    sudo usermod -aG apt-users <username>

    Repeat this for each of the 10 users.

  • Edit the sudoers file (using visudo for safety):

    sudo visudo
  • Add the rule for the apt-users group:

    %apt-users ALL=(ALL) /usr/bin/apt

    The % prefix marks apt-users as a group rather than a user; every member inherits the rule, so later changes are made by adding or removing group members rather than editing sudoers again. Putting the rule in a drop-in such as /etc/sudoers.d/apt-users (edited with sudo visudo -f /etc/sudoers.d/apt-users) keeps the main file untouched.

Permanently blocking root logins by changing the shell

Changing a user's login shell is one of the most effective ways to block interactive logins. To see the current shell of each user, list /etc/passwd:

$> sudo cat /etc/passwd

The last colon-separated field of each line is that user's login shell.

Here are some common shells seen in that files :

  • /bin/bash: A widely used, feature-rich shell that supports scripting, job control, and command-line editing.

  • /usr/sbin/nologin: Prevents login access, often used for system or service accounts that should not have a shell.

  • /bin/sync: A command shell that syncs file system data before shutdown or restart, primarily for the sync user.

  • /bin/false: A shell that immediately exits with a failure status, preventing login; often used for service accounts.

/bin/bash is a shell that provides terminal access, so changing root's shell away from /bin/bash to one of the non-login shells above makes the root account unusable for interactive login (console, su -, ssh as root). To change a user's shell we run the following command:

DANGER : Before running this command make sure at least one other user has working sudo access, otherwise you can lock yourself out of root on this machine.

Changing the shell of user root (changing another account's shell requires root, hence sudo):

$> sudo chsh root
Password: 
Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/bash]: /usr/sbin/nologin
# Changing the shell to /usr/sbin/nologin blocks interactive logins as root (console, ssh, su -)

This blocks only logins that would start root's login shell. Accounts with sudo rights can still run individual commands with sudo <command> or open a root shell with sudo -s (which uses the caller's own shell), which is the intended way to administer the system afterwards; sudo -i will fail, because it starts root's login shell. To remove root's password as an authentication path as well, also run sudo passwd -l root.

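To check the result of this section across all accounts, this added example (not from the original page) lists which accounts in a passwd-format file still have a real login shell, by cross-checking the last field against a shells-format file like /etc/shells. Non-login shells such as /usr/sbin/nologin and /bin/false are deliberately absent from /etc/shells, which is also why chsh refuses them for non-root users. Both input files are constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: list which accounts in a
# passwd-format file have an interactive login shell, by checking the
# last field against a shells-format file (like /etc/shells). Both files
# below are constructed sample data; the function names are this
# example's own.

# has_login_shell PASSWD_FILE SHELLS_FILE USERNAME
# Exit 0 if the user's shell is listed in SHELLS_FILE, 1 otherwise
# (also 1 when the user does not exist in PASSWD_FILE).
has_login_shell() {
    shell=$(awk -F: -v u="$3" '$1 == u { print $NF; exit }' "$1")
    [ -n "$shell" ] && grep -qxF -- "$shell" "$2"
}

# passwd_interactive_accounts PASSWD_FILE SHELLS_FILE
# Prints "user shell" for every account whose shell is a listed login shell.
passwd_interactive_accounts() {
    awk -F: 'NR == FNR { ok[$0] = 1; next }   # first file: valid shells
             ($NF in ok) { print $1, $NF }' "$2" "$1"
}

# Constructed /etc/passwd sample.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'sync:x:4:65534:sync:/bin:/bin/sync' \
        'backup:x:34:34:backup:/var/backups:/bin/false' \
        'vishvam:x:1000:1000:,,,:/home/vishvam:/bin/bash'
}

# Constructed /etc/shells sample: only real login shells are listed.
sample_shells() {
    printf '%s\n' '/bin/sh' '/bin/bash' '/usr/bin/bash' '/bin/dash'
}

p=$(mktemp); s=$(mktemp)
sample_passwd > "$p"; sample_shells > "$s"
echo "accounts with an interactive login shell:"
passwd_interactive_accounts "$p" "$s"
for u in root daemon vishvam; do
    if has_login_shell "$p" "$s" "$u"; then
        echo "$u: can log in"
    else
        echo "$u: blocked"
    fi
done
rm -f "$p" "$s"
```

After the chsh change above, root would drop out of this list on a real host (run it with /etc/passwd and /etc/shells as the two arguments), which is a quick way to confirm that no unexpected account is left with a login shell.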
This is how we manage the sudoers file and the related account controls to keep the attack surface to a minimum. In the next section we will learn about ufw.
