08.10.2020

Differentiation of user access rights

Differentiating user access rights in an operating system is a difficult topic, but an indispensable one. The rules and standards differ from one operating system to another. Here we cover Ubuntu.

Administrator rules

To use privileged commands, a user needs at least system administrator rights. By default, the operating system does not grant elevated privileges to any user. To raise a user's privilege level, add the user to the sudo group:

sudo usermod -a -G sudo username1

How to set a prohibition

In corporate information systems, most operating systems are multi-user, so access rights have to be differentiated for each user. To do this, use the chmod command, for example:

sudo chmod o-x $(which ls)

This command removes the execute permission on ls for "others", so only the root user has the right to run ls. For everyone else, access is denied.

Now consider another situation. There is a user named «username1» who must be prevented from using the ls command. To do this, we create a user group «usergroup1» and add everyone except «username1» to it. Then we make usergroup1 the group of the ls binary and set its mode to 754, so that the owner and the group can execute it while others can only read it:

sudo groupadd usergroup1
sudo usermod -a -G usergroup1 username2
sudo usermod -a -G usergroup1 username3
sudo chown :usergroup1 $(which ls)
sudo chmod 754 $(which ls)

Now a user who is not in usergroup1 cannot run ls.

A little about file /etc/sudoers

The sudoers file lists the users who are allowed to use sudo. To open the file, use the dedicated utility visudo:

sudo visudo -f /etc/sudoers

The file contains the following:

Screenshot №1. Content of sudoers.

Let’s speak more about this line:

Screenshot №2. Set rules.

%sudo means that the rule that follows applies to the sudo group. The % prefix is not needed when a rule is set for an individual user.

The first ALL means that the rule applies to all hosts (IP addresses). The second and third ALL mean that the specified user or group can run commands as any user or any group. The fourth ALL means that the rule applies to all commands.

For example, suppose we need a rule that lets the admin group use the apt-get utility. NOPASSWD means that members of the group are not asked for a password:

%admin ALL=(ALL) NOPASSWD: /usr/bin/apt-get

Aliases (nicknames)

Aliases make it easier to differentiate access rights. They combine one or more values into a single argument. For example, let's set a more convenient name for the IP address of the cloud storage.

Host_Alias CLOUD = 105.17.125.37

CLOUD is the nickname that is specified in the arguments instead of the IP address.

If necessary, aliases are also used to combine users into a single group:

User_Alias NAME = user1,user2,...

where NAME is the nickname and user1, user2 are user names. An alias name consists of uppercase letters, digits and underscores and starts with an uppercase letter. Aliases are also available for commands, so a list of commands can be combined into a single group.

Cmnd_Alias NAME = cmd1,cmd2

  • NAME – arbitrary name for the list of commands;
  • cmd1, cmd2 – the commands, separated by commas.

For example, let's combine the package update commands into an alias:

Cmnd_Alias APT = /usr/bin/apt-get update,/usr/bin/apt-get upgrade
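
The aliases above only take effect once a rule refers to them. The following script is an added example, not part of the original article: it writes a candidate sudoers file that uses all three alias types in one rule and syntax-checks it with visudo before anything is installed. The UPDATERS alias, the function names and the --stage argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article). UPDATERS and the function names are
# assumptions; CLOUD, APT and the user names come from the text above.

write_dropin() {
    # $1 = candidate file: the three alias types plus one rule that uses them.
    cat > "$1" <<'EOF'
Host_Alias CLOUD    = 105.17.125.37
User_Alias UPDATERS = username2, username3
Cmnd_Alias APT      = /usr/bin/apt-get update, /usr/bin/apt-get upgrade

# UPDATERS may run only the APT commands, as root, on host CLOUD.
UPDATERS CLOUD = (root) APT
EOF
    chmod 0440 "$1"    # same mode Ubuntu uses for /etc/sudoers
}

check_dropin() {
    # 0 = syntax OK, 1 = syntax error, 2 = visudo is not installed.
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1" || return 1
}

stage_dropin() {
    # Build and check a candidate; print its path only if the check passed.
    tmp=$(mktemp) || return 1
    write_dropin "$tmp" && check_dropin "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    printf '%s\n' "$tmp"
}

# Run with --stage to produce a checked candidate file.
if [ "${1:-}" = "--stage" ]; then
    f=$(stage_dropin) && echo "checked: $f (install as root, mode 0440, under /etc/sudoers.d/)"
fi
```

Unlike the NOPASSWD rule for the whole apt-get binary, this rule still asks for the user's password and allows only the two listed invocations.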