Menu Close

Chapter 22. Managing sudo access

System administrators can grant sudo access to allow non-root users to execute administrative commands that are normally reserved for the root user. As a result, non-root users can execute such commands without logging in to the root user account.

22.1. User authorizations in sudoers

The /etc/sudoers file specifies which users can run which commands using the sudo command. The rules can apply to individual users and user groups. You can also use aliases to simplify defining rules for groups of hosts, commands, and even users. Default aliases are defined in the first part of the /etc/sudoers file.

When a user tries to use sudo privileges to run a command that is not allowed in the /etc/sudoers file, the system records a message containing username : user NOT in sudoers to the journal log.

The default /etc/sudoers file provides information and examples of authorizations. You can activate a specific example rule by removing the # comment character from the beginning of the line. The authorizations section relevant for user is marked with the following introduction: 

## Next comes the main part: which users can run what software on
## which machines  (the sudoers file can be shared between multiple
## systems).

You can use the following format to create new sudoers authorizations and to modify existing authorizations: 

username hostname=path/to/command

Where:

  • username is the name of the user or group, for example, user1 or %group1.
  • hostname is the name of the host on which the rule applies.
  • path/to/command is the complete absolute path to the command. You can also limit the user to only performing a command with specific options and arguments by adding those options after the command path. If you do not specify any options, the user can use the command with all options.

You can replace any of these variables with ALL to apply the rule to all users, hosts, or commands.

Warning

With overly permissive rules, such as ALL ALL=(ALL) ALL, all users are able to run all commands as all users on all hosts. This can lead to security risks.

You can specify the arguments negatively using the ! operator. For example, use !root to specify all users except the root user. Note that using the allowlists to allow specific users, groups, and commands, is more secure than using the blocklists to disallowing specific users, groups, and commands. By using the allowlists you also block new unauthorized users or groups.

Warning

Avoid using negative rules for commands because users can overcome such rules by renaming commands using the alias command.

The system reads the /etc/sudoers file from beginning to end. Therefore, if the file contains multiple entries for a user, the entries are applied in order. In case of conflicting values, the system uses the last match, even if it is not the most specific match.

The preferred way of adding new rules to sudoers is by creating new files in the /etc/sudoers.d/ directory instead of entering rules directly to the /etc/sudoers file. This is because the contents of this directory are preserved during system updates. In addition, it is easier to fix any errors in the separate files than in the /etc/sudoers file. The system reads the files in the /etc/sudoers.d directory when it reaches the following line in the /etc/sudoers file: 

#includedir /etc/sudoers.d

Note that the number sign # at the beginning of this line is part of the syntax and does not mean the line is a comment. The names of files in that directory must not contain a period . and must not end with a tilde ~.

22.2. Granting sudo access to a user

System administrators can grant sudo access to allow non-root users to execute administrative commands. The sudo command provides users with administrative access without using the password of the root user.

When users need to perform an administrative command, they can precede that command with sudo. The command is then executed as if they were the root user.

Be aware of the following limitations:

  • Only users listed in the /etc/sudoers configuration file can use the sudo command.
  • The command is executed in the shell of the user, not in the root shell.

Prerequisites

  • root access

Procedure

  1. As root, open the /etc/sudoers file. 

    # visudo

    The /etc/sudoers file defines the policies applied by the sudo command.

  2. In the /etc/sudoers file, find the lines that grant sudo access to users in the administrative wheel group. 

    ## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL
  3. Make sure the line that starts with %wheel does not have the # comment character before it.
  4. Save any changes, and exit the editor.

  5. Add users you want to grant sudo access to into the administrative wheel group. 

     # usermod --append -G wheel username

    Replace username with the name of the user.

    Verification steps

    • Verify that the user is added to the administrative wheel group: 

      # id username
uid=5000(username) gid=5000(_username) groups=5000(username),10(wheel)

22.3. Enabling unprivileged users to run certain commands

You can configure a policy that allows unprivileged user to run certain command on a specific workstation. To configure this policy, you need to create and edit file in the sudoers.d directory.

Prerequisites

  • root access

Procedure

  1. As root, create a new sudoers.d directory under /etc/: 

    # mkdir -p /etc/sudoers.d/

  2. Create a new file in the /etc/sudoers.d directory: 

    # visudo -f /etc/sudoers.d/file-name

    Replace file-name with the name of the file you want to create. The file will open automatically.

  3. Add the following line to the newly created file: 

    username hostname = /path/to/the/command

    Replace username with the name of the user. Replace hostname with the name of the host. Replace /path/to/the/command with the absolute path to the command (for example, /usr/bin/dnf).

  4. Save any changes, and exit the editor.

    Example 22.1. Enabling an unprivileged user to install programs with dnf

    To enable the user sarah to install programs on the localhost.localdomain workstation using the dnf utilities with sudo privileges, use:

    1. As root, create a new sudoers.d directory under /etc/: 

      # mkdir -p /etc/sudoers.d/

    2. Create a new file in the /etc/sudoers.d directory: 

      # visudo -f /etc/sudoers.d/sarah

      The file will open automatically.

    3. Add the following line to the /etc/sudoers.d/sarah file: 

      sarah localhost.localdomain = /usr/bin/dnf

      Ensure that the two command paths are separated by a , comma followed by a space.

    4. Optional: To receive email notifications every time the user sarah attempts to use sudo privileges, add the following lines to the file: 

      Defaults    mail_always
Defaults    mailto="email@domain.com"

    5. To verify if the user sarah can run the dnf command with sudo privileges, switch the account: 

      # su sarah -

    6. Enter the sudo dnf command: 

      $ sudo dnf
[sudo] password for sarah:

      Enter the sudo password for the user sarah.

    7. The system displays the list of dnf commands and options: 

      ...
usage: dnf [options] COMMAND
...

      If you receive the sarah is not in the sudoers file. This incident will be reported. message, the configuration was not completed correctly. Ensure that you are executing this procedure as root and that you followed the steps thoroughly.

22.4. Additional resources

  • The sudo(8) man page
  • The visudo(8) man page