The sudo command allows you to run programs with the security privileges of another user. Usually this command is used to run command as a\u00a0 superuser.<\/p>\n
The configuration files are :<\/p>\n
Instead of editing these files usually the command tool called visudo<\/strong> is used<\/p>\n [root@centos9vm ~]#<\/strong> visudo<\/p>\n In the editor that opens add the below like to provide user\u00a0shiju<\/strong>.<\/p>\n shiju\u00a0 ALL=(ALL)\u00a0 \u00a0 \u00a0 \u00a0ALL<\/p>\n By doing the above the user\u00a0shiju<\/strong> can run any command which the user\u00a0root<\/strong> can run by adding the command\u00a0sudo\u00a0<\/strong>in front of the command.<\/p>\n [shiju@centos9vm ~]$<\/strong> useradd sam [shiju@centos9vm ~]$<\/strong> sudo useradd sam Now let us remove the line “shiju\u00a0 ALL=(ALL)\u00a0 \u00a0 \u00a0 \u00a0ALL<\/strong>” from using the editor\u00a0visudo<\/strong>. Once done, the the user\u00a0shiju<\/strong> will not be able to execute command that only\u00a0root<\/strong> will be able to run.<\/p>\n [shiju@centos9vm ~]$<\/strong> sudo useradd sam1 Let us add the below line in sudoers using\u00a0visudo<\/strong> and check the result<\/p>\n shiju\u00a0 \u00a0ALL=(ALL)\u00a0 \u00a0 \u00a0 \u00a0\/usr\/bin\/cat \/var\/log\/httpd\/error_log<\/em><\/p>\n Now run the below command and verify the result<\/p>\n [shiju@centos9vm ~]$<\/strong> sudo \/usr\/bin\/cat \/var\/log\/httpd\/error_log [shiju@centos9vm ~]$<\/strong> sudo \/usr\/bin\/cat \/var\/log\/httpd\/access_log Adding the below line in sudoers file via the editor\u00a0visudo<\/strong> will result in system not asking for password when using the\u00a0sudo<\/strong> command<\/p>\n shiju\u00a0 \u00a0ALL=(ALL)\u00a0 \u00a0 \u00a0 \u00a0NOPASSWD:ALL<\/p>\n Let us try executing the command used above as see the difference<\/p>\n [root@centos9vm ~]#<\/strong> sudo cat \/var\/log\/httpd\/error_log All these changes will be edited to the file\u00a0\/etc\/sudoers<\/strong> by the\u00a0visudo<\/strong> editor. However, one could also add similar entries in \/etc\/sudoers\/<any file><\/strong>, and these entries too will be read when loading the sudo related entries.<\/p>\n","protected":false},"excerpt":{"rendered":"
\nuseradd: Permission denied.
\nuseradd: cannot lock \/etc\/passwd; try again later.<\/p>\n
\n[sudo] password for shiju:
\n[shiju@centos9vm ~]$<\/strong><\/p>\n
\n[sudo] password for shiju:
\nshiju is not in the sudoers file. This incident will be reported.
\n[shiju@centos9vm ~]$<\/strong><\/p>\n
\n[sudo] password for shiju:
\n[Mon Feb 12 11:20:49.358785 2024] [core:notice] [pid 1858:tid 1858] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0<\/p>\n
\nSorry, user shiju is not allowed to execute ‘\/usr\/bin\/cat \/var\/log\/httpd\/access_log’ as root on centos9vm.
\n[shiju@centos9vm ~]$<\/strong><\/p>\n
\n[Mon Feb 12 11:20:49.358785 2024] [core:notice] [pid 1858:tid 1858] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
\n[root@centos9vm ~]#<\/strong><\/p>\n