Grant users permission to execute commands with sudoers

The most important aspect of securing a Linux system would be to manage your user’s permissions. Users can have the ability to execute certain commands with the use of sudo. In order to make changes to that, we have to modify the sudoers file.

With sudoers, we can give our users the ability to only execute certain or all commands/programs available in the system. When you first install Linux, only root can execute system commands by default. When a user tries using sudo, they will be denied access and reported to the designated administrator’s email.

Editing the sudoers file

The sudoers file is typically located at /etc/sudoers. It is recommended to use the visudo command to edit this file.

Depending on the Linux distribution, your sudoers file may already be filled with content that is self explanatory. Here, we can define what users or groups can run what commands with the sudo program.

For example, we can give the user John the ability to run all commands on the system:

John     ALL=(ALL:ALL) ALL

This is not recommended unless you can trust the user. The first ALL refers to the hostname of the machine. The second ALL is the user that the command is executed on behalf of. The third ALL is the group. The last ALL refers to the command that John will be allowed to execute through sudo.

To be more specific, lets give John the ability to make changes to iptables rules:

John     ALL=(ALL:ALL) /sbin/iptables

Now John will only be able to use iptables and nothing else with sudo.

For groups, we can do the same thing here:

%admin     ALL=(ALL:ALL) ALL

Now any user who’s in group admin will be able to execute any command on behalf of anybody.

Let’s say admin is the root user of the system and also the group, we can also do it like this:

John     SERVER=(admin:admin) /sbin/shutdown -h 0

John will now be able to shutdown the system instantly under the hostname SERVER. He will also execute the command on behalf of the root user admin and group admin.