Privilege escalation with sudo
Normal user in Linux can be allowed to execute privileged commands with sudo rights.
Sudoers configuration file is /etc/sudoers, however editing this file directly is not advisable either you can use visudo to edit this file or create a template file under /etc/sudoers.d.
I would suggest use template file under /etc/sudoers.d which will be more easier to manage multiple user privileges and it can me efficient in managing granular access.
Syntax - Who Where = (Runas-Who:group) What_Commands
Who - which user you want to give sudo rights/privilege.
where - In what server you want to grant the user access to execute mentioned commands.
Runas-Who:group - As which user will the user execute the granted commands.
What_commands - Finally the commands that you want to provide access to user for executing.
User Shiva is a normal user here and he is now allowed to list the repositories on the server without providing root password.
# visudo /etc/sudoers.d/shivadefaults !targetpwshiva ALL = (ALL:ALL) /usr/sbin/yum repolist
You can also enforce asking for root users password when elevating privilege.
"defaults targetpw"
Best practice:
Edit sudoers file with visudo which will validate the content when exiting and if anything wrong in the format it will show you error and you can edit the file to fix the issues.
While editing the sudoers template, ensure you have two session opened with root rights and let one session be running with TOP command. After implementing sudoers config make sure that sudo command is working without any problem on a new session and then you can terminate the top command and its session. It would be helpful if the sudoers went wrong and you are locked out of root.
This situation can occur when you have wrong sudo file and there is no root user login allowed directly.
To validate the sudoers configuration you created using visudo -vf %s if it is formatted correctly
