
Hands-on lab for assigning limited sudo privileges

In this lab, you'll create some users and assign them different levels of privileges. To simplify things, we'll use the CentOS virtual machine.

  1. Log in to the CentOS virtual machine and create user accounts for Lionel, Katelyn, and Maggie:
        sudo useradd lionel
        sudo useradd katelyn
        sudo useradd maggie
        sudo passwd lionel
        sudo passwd katelyn
        sudo passwd maggie
  2. Open visudo:
        sudo visudo

Find the STORAGE command alias and remove the comment symbol from in front of it.

  3. Add the following lines to the end of the file, using tabs to separate the columns:
        lionel     ALL=(ALL)    ALL
        katelyn    ALL=(ALL)    /usr/bin/systemctl status sshd
        maggie     ALL=(ALL)    STORAGE

Save the file and exit visudo.

  4. To save time, we'll use su to log into the different user accounts. You won't need to log out of your own account to perform these steps. First, log in to Lionel's account and verify that he has full sudo privileges by running several root-level commands:
        su - lionel
        sudo su -
        exit
        sudo systemctl status sshd
        sudo fdisk -l
        exit
  5. This time, log in as Katelyn and try to run some root-level commands. (Don't be too disappointed if they don't all work, though.)
        su - katelyn
        sudo su -
        sudo systemctl status sshd
        sudo systemctl restart sshd
        sudo fdisk -l
        exit
  6. Finally, log in as Maggie, and run the same set of commands that you ran for Katelyn.
  7. Keep in mind that although we only had three individual users for this lab, you could just as easily have handled more users by setting them up in user aliases or Linux groups.
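
To see why some of Katelyn's and Maggie's commands in steps 5 and 6 are refused, here is an added Python example (not from the book) that applies sudo's command-matching rule to the three entries from step 3. The contents of the STORAGE alias are an assumption modelled on the CentOS default, and commands are given as resolved full paths, which is what sudo compares against the sudoers entry.

```python
import shlex

# Constructed sudoers fragment for this lab. The STORAGE alias is ASSUMED to match
# the CentOS default that step 2 uncomments; the three user lines are from step 3.
SUDOERS = """
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
lionel\tALL=(ALL)\tALL
katelyn\tALL=(ALL)\t/usr/bin/systemctl status sshd
maggie\tALL=(ALL)\tSTORAGE
"""

def parse_sudoers(text):
    """Return (aliases, rules): alias name -> command specs, user -> command specs.
    Only the 'user ALL=(ALL) cmds' form used in the lab is understood."""
    aliases, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        user, _, rest = line.partition("ALL=(ALL)")
        rules.setdefault(user.strip(), []).extend(c.strip() for c in rest.split(","))
    return aliases, rules

def expand(spec, aliases):
    """Replace an alias name with its member commands (one level suffices here)."""
    return aliases.get(spec, [spec])

def may_run(user, argv, sudoers=SUDOERS):
    """True if sudo would let `user` run argv (argv[0] is the resolved full path)."""
    aliases, rules = parse_sudoers(sudoers)
    for spec in (s for r in rules.get(user, []) for s in expand(r, aliases)):
        if spec == "ALL":
            return True
        allowed = shlex.split(spec)
        # sudoers semantics: a bare command path permits any arguments, but a
        # command written with arguments must match argument for argument.
        # This is why 'systemctl status sshd' works for katelyn and 'restart' does not.
        if allowed[0] == argv[0] and (len(allowed) == 1 or allowed == argv):
            return True
    return False
```

Running `sudo -l -U katelyn` on the real machine lists the same entry this matcher evaluates.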

Since sudo is such a great security tool, you would think that everyone would use it, right? Sadly, that's not the case. Pretty much any time you look at either a Linux tutorial website or a Linux tutorial YouTube channel, you'll see the person who's doing the demo logged in at the root user command prompt. In some cases, I've seen the person remotely logged in as the root user on a cloud-based virtual machine. Now, if logging in as the root user is already a bad idea, then logging in across the internet as the root user is an even worse idea. In any case, seeing everybody do these tutorial demos from the root user's shell drives me absolutely crazy.

Having said all this, there are some things that don't work with sudo. Bash shell internal commands, such as cd, don't work with it, and injecting kernel values into the /proc filesystem also doesn't work with it. For tasks such as these, a person would have to go to the root command prompt. Still though, make sure that only users who absolutely have to use the root user command prompt have access to it.
