Admin Privileges - Sudoers
User & Group Privileges
For users to have escalated privilege on a server (root access), they need to be granted this permission.
sudo
Users with sudo access have full administrator permissions, which means that they can essentially perform any task on the system.
There are 2 methods we can use to grant users sudo access:
1. usermod
sudo usermod -aG sudo username
You can then validate that this has worked by checking the groups that the specified user is included in:
groups username
2. Editing the sudoers file directly
Users with sudo access are defined within the /etc/sudoers file. This file should ONLY ever be edited through visudo, which locks the file while you edit it and checks the syntax for errors before saving - a syntax error in /etc/sudoers can lock everyone out of sudo.
visudo
There are a few flags to be aware of for visudo.
| Flag | Description |
| --- | --- |
| -c | Checks the file (/etc/sudoers) for syntax errors without opening it for editing. |
| -f | Specifies an alternate sudoers file to edit or check. |
| -s | Runs visudo in "strict mode", where any syntax warning is treated as a fatal error. By default visudo tolerates certain non-critical issues. |
To add a new user to the sudoers group, we need to append a line to the /etc/sudoers file.
1. Edit the /etc/sudoers file using visudo:
visudo
2. Find the line that reads # User privilege specification and add the following line below it:
username ALL=(ALL:ALL) ALL
2B. Granting specific sudo access
A useful feature of the sudoers file is that sudo permissions can be refined per command. For example, if you don't want to grant a user full sudo access but do want to let them run a few administrator commands that require it, you can list exactly those commands in the user's entry:
username ALL=(ALL) /bin/systemctl restart nginx.service
username ALL=(ALL:ALL) /usr/bin/apt update,/usr/bin/apt upgrade
Note: As best practice, always specify the full binary path of each command you grant. A bare command name such as apt would be resolved through the user's PATH, so the user could place or rename their own binary as apt and run it with sudo privilege.
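As an added example (not from the original page), the following POSIX shell functions build a restricted sudoers entry like the ones above, refuse any command that is not given by absolute path, and run the result through visudo -cf (check-only mode against a file other than /etc/sudoers) before it is installed. The user names and commands are constructed; the install step assumes the sudoers file includes the /etc/sudoers.d directory, which is the Debian/Ubuntu default.

```shell
#!/bin/sh
# Added example: build, check and install a restricted sudoers rule.
# Assumptions: user names/commands below are constructed; install_rule
# assumes /etc/sudoers includes /etc/sudoers.d (Debian/Ubuntu default).

# make_rule USER CMD [CMD...]
# Prints "USER ALL=(ALL:ALL) CMD1, CMD2". Each CMD is one argument and may
# carry its own arguments, e.g. "/usr/bin/apt update". Returns 1 and prints
# nothing if a command is not an absolute path, because a bare name such as
# "apt" would be resolved through the user's PATH.
make_rule() {
    user="$1"; shift
    [ $# -gt 0 ] || return 1
    list=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *) printf 'refusing non-absolute command: %s\n' "$cmd" >&2; return 1 ;;
        esac
        if [ -z "$list" ]; then list="$cmd"; else list="$list, $cmd"; fi
    done
    printf '%s ALL=(ALL:ALL) %s\n' "$user" "$list"
}

# check_rule RULE
# Writes RULE to a temporary file and parses it with `visudo -cf FILE`
# (-c = check only, -f = check this file instead of /etc/sudoers).
# If visudo is not installed (e.g. a minimal container) only the overall
# shape "USER ALL=(...) ..." is checked, so the function still returns 0/1.
check_rule() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1
        rc=$?
    else
        case "$1" in
            *" ALL=("*")"*) rc=0 ;;
            *) rc=1 ;;
        esac
    fi
    rm -f "$tmp"
    return "$rc"
}

# install_rule NAME RULE   (run as root)
# Installs a checked rule as /etc/sudoers.d/NAME with the 0440 root:root
# mode sudo requires. NAME must not contain '.' or '~', or sudo ignores it.
install_rule() {
    check_rule "$2" || return 1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (constructed user; run install_rule as root only):
#   rule=$(make_rule alice "/usr/bin/apt update" "/usr/bin/apt upgrade") \
#     && check_rule "$rule" && install_rule alice-apt "$rule"
```

The absolute-path check in make_rule is the automated form of the note above; check_rule is the same safety net visudo gives you interactively, applied to a drop-in file before it is copied into place.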
Adding user groups to sudoers
In addition to adding specific users to the sudoers group, we can also add user groups. Once again, this is best achieved by editing the sudoers file directly using visudo.
1. Edit the sudoers file
visudo
2. Find the line that reads # User privilege specification and add the following line below it:
%groupname ALL=(ALL:ALL) ALL
Groups are defined by placing a % symbol in front of the group name.
You can also give groups specific sudo permissions, using the same per-command syntax described in 2B above.
Wheel
The alternative to adding users to the sudoers file is to add them to the wheel group. The wheel group is a conventional administrative group whose members are granted access to certain privileged roles.
By default, any users in the wheel group have full privileges on the server.
An example of how this could be utilised, would be to add a rule into the /etc/wheel file that specifies a group that can be used to perform a specific task. Users that need this privilege could then be added to this file.
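As an added example (not from the original page) covering the %group entries above and the wheel group, the following POSIX shell functions audit who currently holds unrestricted sudo: members of the sudo and wheel groups in /etc/group, and any user or %group entry in a sudoers file whose command list is ALL. Both input samples are constructed for the example; on a real host you would feed the functions /etc/group, /etc/sudoers and each file under /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: audit unrestricted sudo via group membership and sudoers entries.
# SAMPLE_GROUP and SAMPLE_SUDOERS are constructed inputs, not real system files.

# Constructed /etc/group excerpt.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
wheel:x:10:carol
users:x:100:'

# Constructed sudoers excerpt, in the layout the page describes.
SAMPLE_SUDOERS='Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
dave    ALL=(ALL) NOPASSWD: ALL
erin    ALL=(ALL) /bin/systemctl restart nginx.service
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
@includedir /etc/sudoers.d'

# members_of GROUPNAME < groupfile
# Prints the comma-separated member list of GROUPNAME (4th field of /etc/group).
members_of() {
    awk -F: -v g="$1" '$1 == g { print $4 }'
}

# full_sudo_entries < sudoersfile
# Prints each user (or %group) whose command list is ALL, i.e. unrestricted
# sudo; an entry like erin's, limited to one systemctl command, is not listed.
# Comment, blank, Defaults and @include lines are skipped; included drop-in
# files are not followed, so run the function on each of them as well.
full_sudo_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*@/ || /^[[:space:]]*$/ { next }
        /^Defaults/ { next }
        $2 ~ /^ALL=\(/ && $NF == "ALL" { print $1 }
    '
}

# Usage on the constructed samples:
#   printf "%s\n" "$SAMPLE_GROUP"   | members_of sudo     # -> alice,bob
#   printf "%s\n" "$SAMPLE_GROUP"   | members_of wheel    # -> carol
#   printf "%s\n" "$SAMPLE_SUDOERS" | full_sudo_entries   # -> root dave %sudo %wheel (one per line)
```

Cross-checking the two lists is the useful part: a user who appears in members_of sudo or members_of wheel gets everything that the matching %sudo or %wheel entry grants, even though their own name never appears in the sudoers file.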
PolicyKit
PolicyKit (also known as polkit) is a toolkit for defining and handling authorizations in Linux systems. It is used to manage privileges for unprivileged processes to perform tasks that normally require higher privileges, such as those of the root user. This allows for more fine-grained control over what users and processes are allowed to do without requiring full administrative access.