Debian superuser rights (sudo, visudo)

In Ubuntu OS, sudo is enabled by default, and in Debian, if the corresponding package was not selected during the installation process, the following picture will most likely be:

So, you need to install the missing package. Update repository information and install sudo:

We are waiting for the end of the process:

After a successful installation, you will need to configure sudo to determine which users or groups will be able to use privilege escalation and to what extent. All these settings are stored in the configuration file /etc/sudoers, however, it is strongly discouraged to directly make changes to it. For these purposes, a special command is used:

Accordingly, we have two main ways to grant the user account the right to use sudo:

Add a user account (e.g. user) to the sudo group on the server:

After changing the group membership, you will need to re-log into this account to apply the new configuration. This method is recommended in cases where the user must be granted full rights.

Create a new entry in the file, for example, for the user account. We add a line similar to root:

Now you can check the correct operation:

Thus, an ordinary user can run commands with the rights of the root account without knowing her password. This is very convenient, but it can be unsafe - is it possible to limit the range of commands that can be executed using sudo? Yes, and the same configuration file will help us with this. We start visudo again and we understand further. We are interested in the parameters specified after the username:

We will analyze them in more detail:

• ALL= (ALL: ALL) ALL - the first parameter determines which host the configuration is applied to. When using a dedicated server, the parameter can be left unchanged;
• ALL=(ALL: ALL)ALL - the parameters in brackets determine the authority of which user (first parameter) and/ or group (second parameter) the command will be executed. By default, sudo executes the command as root, but when starting with the –u switch, you can specify a different account, and with the –g switch you can specify another group whose privileges will be used at startup;
• ALL=(ALL: ALL)ALL- the third parameter determines which files and commands these settings belong to.

Based on the foregoing, if necessary, determine the list of allowed commands, replace the last parameter ALL with what we need, listing the commands separated by commas. For example, the line:

gives the user the right to use sudo to reboot the server with sudo /sbin/shutdown –r and view files using sudo /bin/cat. Other commands through sudo will not be executed. For example, when you try to shut down the server with the command sudo /sbin/shutdown –h, we get the answer:

You can see the list of privileges by running sudo –l (the list for the current user will be displayed), or sudo –l –U user (the list of user privileges will be displayed):

The composition of sudo includes the sudoedit command, which launches a text editor with the specified file immediately with elevated privileges, that is, instead of the command:

can run:

If you need to work in elevated privilege mode for a long time and it is inconvenient to enter sudo for each command, you can run an instance of the command interpreter through sudo:

and continue to work in it - all teams will be launched with elevated rights. Upon completion, exit the interpreter with the exit command.