I once wrote a guide about managing users in Linux/Ubuntu, and in it I introduced the concept of sudo. What I didn't cover is how to limit the scope of what a sudo user can do on the system, which is what this guide covers.
What is Sudo
Sudo, sometimes expanded as "superuser do", is a utility on Linux-based systems that allows specific users to run programs or specific system commands with the security privileges of another user (on Ubuntu, usually root).
In fact, when you first install your Ubuntu server, the user you create during setup is granted sudo access, so that user can act in place of root and execute commands as if they were root.
There is a group in ubuntu called sudo, this was the group our first user was added to when we set up our Ubuntu Server.
The problem with the sudo group is that any member of it can use sudo exactly like root, up to and including destroying the whole system. To prevent this, we will restrict the scope of what some users are allowed to do once they are given sudo access.
For example, you could give a specific user admin access to install a software update while also restricting the user to not do other things (like rebooting or accessing other system files).
If you run the following command:
sudo usermod -aG sudo dummy
This gives the user "dummy" access to everything on the system. Depending on your setup, you will probably want to configure exactly what the user can do instead.
To configure sudo, we edit /etc/sudoers, the configuration file that contains the rules a user must follow when using the sudo command. To edit the sudoers file we use the visudo command.
Before we go on to editing the sudoers, the question you might wanna ask is why should we edit using the visudo command?
The visudo command ensures you edit /etc/sudoers in a safe way. One major advantage of visudo is that it locks the sudoers file against simultaneous edits, so any other user trying to edit the file while you are editing it gets a message to try again later.
It also checks the syntax of your edits and performs a basic sanity check before saving, which prevents you from accidentally destroying the sudoers file. This matters because a syntax error in the sudoers file can lock you out of administrative access to your system, which wouldn't be a nice thing at all, so always use visudo (never a plain text editor) when editing the sudoers file.
Editing Sudoers Using Visudo Command
To edit the sudoers file, run the following command:
sudo visudo
On Ubuntu, this opens the sudoers file in the nano text editor by default. If you prefer another editor, e.g. vim, you can use the command:
sudo EDITOR=vim visudo
This opens the sudoers file in vim instead.
Since I am using nano, the file opens in nano and the line we are interested in is this one:
%sudo ALL=(ALL:ALL) ALL
This is the configuration line that grants sudo access to any user who is a member of the sudo group.
The name doesn't have to be sudo, you can change the group name to anything you like, for example, you can create a group called "staff" or "admins".
Note: Before you change or add a new group in the sudoers file, make sure that the group exists on your system, and make sure you add yourself and any other intended users to it. This way you won't lock yourself out of administrator access to the server.
If you take a closer look at that line, you would see a percent sign (%) at the start of the sudo group line, this indicates that the name that follows should be treated as the group instead of a user.
If you take a closer look at the sudoers file, you would see this line:
root ALL=(ALL:ALL) ALL
Here there is no percent sign at the beginning, so we are naming a user (root) and granting it a user privilege specification. The rest of the line is the same as the sudo group line; the difference is that this rule applies only to that one user.
You can copy this line and create a new one for a different user. The downside of this method is that you have to open the sudoers file for every change, which is why granting access through a group is recommended: once the group's access is configured in the sudoers file, you add or remove access simply by adding a user to the group or removing them from it, rather than running visudo each time.
Let's get to understand the configuration lines:
Starting with the root user line:
root ALL=(ALL:ALL) ALL
- The first entry is the username (in this case root) the configuration applies to.
- The first "ALL" is the host list: the rule applies on any host. The sudoers file can be shared across machines, and a hostname here makes the rule apply only on that machine.
- The second "ALL" means root can use sudo to run commands as any other user (via the -u option).
- The third "ALL" means root can use sudo to run commands as any other group (via the -g option).
- The last "ALL" is the list of commands root is allowed to execute; in this case, any command.
Let's see some use cases:
Restrict The Command A User Can Run
dummy ALL=(ALL:ALL) /usr/bin/apt
You can see I have restricted the user "dummy" to only execute apt commands; for example, he can run apt update, apt upgrade, apt dist-upgrade and any other sub-command of apt. Note that a command listed without arguments matches any arguments; to allow only particular forms, list them explicitly (e.g. /usr/bin/apt update, /usr/bin/apt upgrade), and be aware that a tool like apt, which accepts options that execute other programs (such as its Pre-Invoke/Post-Invoke hooks), is close to full root if it may be run with arbitrary arguments.
However, if the user "dummy" tries to run any command other than apt (e.g. reboot, shutdown, etc.), he will be prevented from doing so.
Let's try rebooting the system while we are logged in as the user "dummy"
sudo refuses, with a message of the form "Sorry, user dummy is not allowed to execute '/usr/sbin/reboot' as root on <hostname>."
As you can see, the user dummy can't execute any command other than apt. If you instead want to allow user dummy to reboot or shut down the system while preventing him from doing anything else, you can use this:
dummy ALL=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown
dummy is only allowed to reboot or shut down the system, if the user "dummy" tries to execute any other command, he will receive an error message.
Note: Commands in the sudoers file must be given as full paths (visudo will not accept a bare name like reboot), which is why I used /usr/sbin/reboot rather than the short form. This limits the user to the binary stored at that specific path, so a user can't create a script named reboot somewhere in their PATH and have sudo run that instead.
Did you spot any problem?
I bet you did! The user "dummy" can impersonate other users, take a look at the above example again:
dummy ALL=(ALL:ALL) /usr/sbin/reboot,/usr/sbin/shutdown
This says that the user "dummy" can execute /usr/sbin/reboot and /usr/sbin/shutdown as any user and any group. For example, sudo -u anotheruser /usr/sbin/reboot would be accepted by sudo; whether the system then actually reboots depends on whether "anotheruser" itself has the right to reboot it. Either way, it isn't recommended to grant this unless you really need it.
To solve this, we remove the (ALL:ALL) part from the line. With no run-as specification, sudo only lets "dummy" run the commands as root (the default), so the -u option can no longer be used to run them as other users. The line then looks like this:
dummy ALL= /usr/sbin/reboot,/usr/sbin/shutdown
And if you actually want to allow impersonation of specific users, you can name the user and group that "dummy" may run commands as:
dummy ALL=(anotheruser:groupname) ALL
In the above example, the user "dummy" is able to run commands on behalf of the user "anotheruser" and group "groupname".
To limit a rule on a machine-by-machine basis, you can put the hostname of your server (as reported by the hostname command) in place of the first "ALL", for example:
dummy ubuntu-server=(anotheruser:groupname) ALL
It doesn't make sense to keep copying and pasting configurations for different users into the sudoers file. To make it a breeze, use groups: for example, you can create a reboot group for users who may reboot the system and an apt group for users who may use the apt commands.
To allow a member of apt group to execute any apt commands or any other sub-command of apt, you could do the following:
%apt ubuntu-server= /usr/bin/apt
Note again that, before you change or add a new group in the sudoers file, make sure the group exists on your system and that you have added yourself and every intended user to it. This way, you won't lock yourself out of the server.
Let me show you an example:
1.) You create the group apt:
sudo groupadd apt
Run this from your root account or from any user with full sudo privileges.
2.) Add the specific user to that group:
sudo usermod -aG apt dummy
Then you can add whatever configuration you want in the sudoers.
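Putting the pieces together (the visudo syntax check, the restricted command rules, and the group-based setup above), here is an added script that is not part of the original article. It renders a sudoers rule for a group, checks it with visudo -cf before anything touches the live configuration, and installs it as a drop-in under /etc/sudoers.d, which sudo reads via the @includedir line in Ubuntu's default sudoers. The group name "apt", the host "ubuntu-server" and the two apt commands are assumptions matching the article's scenario.

```shell
#!/bin/sh
# Added example (not from the original article): build a sudoers drop-in for a
# group, check it with visudo before it goes live, and install it with the
# ownership and mode sudo requires. Group "apt", host "ubuntu-server" and the
# command list below are assumptions matching the article's scenario.
set -eu

# Render one sudoers rule for GROUP on HOST that allows the listed commands
# as root only (no -u/-g impersonation). Commands must be absolute paths; a
# command given with arguments, e.g. "/usr/bin/apt update", matches only that
# exact invocation, whereas a bare "/usr/bin/apt" would allow any arguments.
render_sudoers_fragment() {
    local group="$1" host="$2" cmds="" c
    shift 2
    for c in "$@"; do
        case $c in
            /*) ;;
            *) printf 'refusing relative command: %s\n' "$c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '# Members of %%%s may run only these commands, and only as root\n' "$group"
    printf '%%%s %s=(root) %s\n' "$group" "$host" "$cmds"
}

# Read a fragment from stdin and ask visudo whether it parses. Exit status:
# 0 = accepted, 1 = rejected, 2 = visudo not installed here, nothing checked.
check_fragment() {
    local tmp rc
    tmp=$(mktemp)
    cat >"$tmp"
    if ! command -v visudo >/dev/null 2>&1; then
        rc=2
    elif visudo -cf "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Install a fragment from stdin as /etc/sudoers.d/NAME. sudo silently skips
# drop-ins whose name contains "." or ends in "~", and rejects files that are
# not root-owned mode 0440, hence the name check and the install flags.
install_fragment() {
    local name="$1" tmp
    case $name in
        *.*|*~) printf 'bad drop-in name: %s\n' "$name" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    cat >"$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

# Usage (as root): ./sudo-fragment.sh install NAME GROUP HOST CMD...
# Without arguments the script only prints the example apt rule for review.
if [ "${1:-}" = install ]; then
    shift
    name=$1
    shift
    fragment=$(render_sudoers_fragment "$@")
    printf '%s\n' "$fragment" | install_fragment "$name"
elif [ $# -eq 0 ]; then
    render_sudoers_fragment apt ubuntu-server '/usr/bin/apt update' '/usr/bin/apt upgrade'
fi
```

Run it without arguments to see the rule it would write; run it as root with "install apt-updates apt ubuntu-server '/usr/bin/apt update' '/usr/bin/apt upgrade'" to install that rule for the apt group created in the steps above. The rule is rendered with (root) rather than (ALL:ALL) for the reason discussed earlier, and visudo -cf runs on a temporary copy so a typo is caught before it can break sudo.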
You can learn more about groups and managing users in Linux in my earlier guide.
We can go on and on about configuring the sudoers, but this should get you up and running.