To grant full root privileges to a specific user, edit the sudoers file with the visudo command, which checks the file's syntax before saving it.
[root@dlp ~]# visudo
Add the following line at the end of the file to allow the user 'cent' to use all root privileges:
cent ALL=(ALL) ALL
After this, the user 'cent' can execute commands with sudo:
[cent@dlp ~]$ sudo /usr/bin/cat /etc/shadow
Password: # Enter the user's own password
In addition to granting root privileges, you can also prohibit specific commands. For example, you can create an alias for shutdown commands and then prohibit them for the user 'cent'.
[root@dlp ~]# visudo
Add the following lines to create an alias and prohibit the commands:
# Set alias for shutdown commands
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
# Allow user 'cent' to use all root privileges except for shutdown commands
cent ALL=(ALL) ALL, !SHUTDOWN
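Now, the user 'cent' will be denied access to shutdown commands when using sudo. Note that the sudoers manual describes subtracting commands from ALL with '!' as generally not effective, because the rule matches only the listed paths. For a restriction you can rely on, allow specific commands instead, as in the following sections.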
To grant root privileges for specific commands to the users in a group, follow these steps:
[root@dlp ~]# visudo
Add the following lines to create an alias for user management commands and allow the 'usermgr' group to use them:
# Set alias for user management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
# Allow users in the 'usermgr' group to use user management commands
%usermgr ALL=(ALL) USERMGR
Create the 'usermgr' group if it doesn't already exist:
[root@dlp ~]# groupadd usermgr
Add a user to the 'usermgr' group, for example:
[root@dlp ~]# usermod -aG usermgr redhat
Now, users in the 'usermgr' group can execute user management commands with sudo.
To grant root privileges to a specific user for a particular command, use the visudo command:
[root@dlp ~]# visudo
Add the following line at the end of the file to allow the 'fedora' user to execute the 'visudo' command:
fedora ALL=(ALL) /usr/sbin/visudo
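Now, the 'fedora' user can use sudo visudo. Because visudo edits the sudoers file itself, this rule lets 'fedora' grant any further privilege, so treat it as equivalent to full root access.
By default, sudo logs can be viewed with the journalctl command or found in the /var/log/secure file. To keep sudo logs in a separate file, follow these steps: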
Edit the sudoers file:
[root@dlp ~]# visudo
Add the following line at the end of the file to specify the log facility:
Defaults syslog=local1
Next, edit the /etc/rsyslog.conf file to configure the log file location:
[root@dlp ~]# vi /etc/rsyslog.conf
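Add local1.none to the existing /var/log/messages rule so that sudo entries are not duplicated there, and add a rule that sends the local1 facility to its own file: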
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/sudo.log
Restart the rsyslog service:
[root@dlp ~]# systemctl restart rsyslog
Now, sudo logs will be stored in the /var/log/sudo.log file, separate from other system logs.
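One way to review rejected sudo attempts once they are written to /var/log/sudo.log, as an added example that is not part of the original page. The sample entries are constructed in sudo's usual syslog message format, and the function names sample_sudo_log, sudo_rejected and sudo_rejected_counts are hypothetical.

```shell
#!/bin/sh
# Added example: list rejected sudo attempts from the dedicated sudo log.

# Constructed sample entries (not real log data), using the users from this page.
sample_sudo_log() {
cat <<'EOF'
Mar  3 10:15:02 dlp sudo[2211]:     cent : TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:16:40 dlp sudo[2230]:     cent : command not allowed ; TTY=pts/0 ; PWD=/home/cent ; USER=root ; COMMAND=/usr/sbin/reboot
Mar  3 10:20:11 dlp sudo[2302]:   redhat : TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/sbin/useradd alice
Mar  3 10:21:57 dlp sudo[2310]:   redhat : command not allowed ; TTY=pts/1 ; PWD=/home/redhat ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:30:05 dlp sudo[2400]:   fedora : TTY=pts/2 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:31:00 dlp sudo[2411]:   ubuntu : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/id
EOF
}

# Read sudo syslog lines on stdin; print "user|reason|command" per rejection.
sudo_rejected() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        msg = substr($0, RSTART + RLENGTH)         # strip the syslog header
        i = index(msg, " : ")
        if (i == 0) next                           # not a sudo event line
        user = substr(msg, 1, i - 1)
        rest = substr(msg, i + 3)
        j = index(rest, " ; ")
        reason = (j > 0) ? substr(rest, 1, j - 1) : rest
        if (reason ~ /^[A-Z]+=/) next              # starts with TTY= etc.: command was allowed
        c = index(rest, " ; COMMAND=")
        cmd = (c > 0) ? substr(rest, c + 11) : ""  # keep the full command line
        print user "|" reason "|" cmd
    }'
}

# Count rejections per user, to see which accounts keep hitting their limits.
sudo_rejected_counts() {
    sudo_rejected | awk -F"|" '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -k2
}

# Demo on the sample; on a real host run: sudo_rejected < /var/log/sudo.log
sample_sudo_log | sudo_rejected
sample_sudo_log | sudo_rejected_counts
```

Accepted commands are skipped, so the output contains only the policy denials and the attempt by a user who is not in sudoers.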