How To Add, Delete, and Grant Sudo Privileges to Users on a FreeBSD Server

I'm setting up a new FreeBSD server. I do not want to use a default root user who has full system access. How can I set up and grant sudo privileges to users on a FreeBSD VPS or server?


The root account has full system-level access and is usually reserved for admin tasks only.

The sudo command lets you delegate particular privileges to users other than root: which commands, as which target user, on which hosts. It is the right tool when you have many users, because every privileged command is logged and you can grant each user only what that user needs. Unless a target user is given with -u, sudo runs the command as root.

In this quick tutorial I will show you:

How to create a new user on a FreeBSD server.

How to give users access to the sudo command.

How to delete users from the sudo command.

Install sudo app on a FreeBSD server/vps

Sudo is a program designed to allow a sysadmin to give limited root privileges to users and to log root activity. The basic philosophy is to give as few privileges as possible while still letting people get their work done. You can install sudo from ports, type:

# cd /usr/ports/security/sudo/ && make install clean


Or as a binary package, enter:

# pkg install security/sudo

Adding a new user on FreeBSD

The recommended command-line tool for adding users is adduser. Run it as root and it walks you through creating the account (login name, shell, groups, password) on a FreeBSD VPS or server:

# adduser

Grant users administrative privileges on FreeBSD

The configuration file is /usr/local/etc/sudoers (sudo installed from ports or packages lives under /usr/local on FreeBSD; /etc/sudoers is the location on Linux and some other systems). It is mode 0440, read-only, by default, and should only be changed with the visudo command, which locks the file and checks the syntax before saving. A syntax error written with an ordinary editor can lock everyone, including you, out of sudo.

To add a username to sudoers

$ su -

# visudo


Append the following line and exit from a text editor:

alice ALL=(ALL) ALL

This lets alice run any command as root (or as any other user) through sudo; the keyword ALL must be written in uppercase. sudo first asks for her own password, not root's, and remembers the authentication for a few minutes by default. To skip the password prompt when sudo is issued, change the line to:

alice ALL=(ALL) NOPASSWD: ALL

NOPASSWD removes a safety check: anyone who obtains alice's session or SSH key then has root with no further authentication, so reserve it for accounts that are limited to specific commands.

If you want alice to have sudo privileges only on the host server1, and only to run /bin/ls /home/bob as the user bob, add this instead:

alice server1=(bob) /bin/ls /home/bob

She then invokes it as sudo -u bob /bin/ls /home/bob. When a rule lists arguments, sudo matches the command and its arguments exactly, so /bin/ls with any other arguments is refused.

Every use of sudo, successful or refused, is logged through syslog's authpriv facility. On a stock FreeBSD /etc/syslog.conf those records land in /var/log/auth.log (authpriv is excluded from /var/log/messages); check grep authpriv /etc/syslog.conf if your system differs. You can also send them to a dedicated file with a Defaults logfile=/var/log/sudo.log line in sudoers.
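The following is an added example, not part of the original article: a small audit script that pulls sudo's syslog records apart and flags refused or failed invocations. The log lines are constructed samples in sudo's standard record format (user : TTY=... ; PWD=... ; USER=... ; COMMAND=...) together with three of sudo's own refusal messages; the host name bsdbox and the users are made up. Point it at whichever file your syslog.conf routes authpriv to.

```shell
#!/bin/sh
# Added example (not from the article): parse sudo's syslog records and
# report refused or failed attempts. Tested against constructed sample lines.

# Constructed sample log in sudo's syslog format, so this runs offline.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 bsdbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar  3 10:02:11 bsdbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=bob ; COMMAND=/bin/ls /home/bob
Mar  3 10:03:45 bsdbox sudo:    mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/sh
Mar  3 10:05:00 bsdbox sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/master.passwd
Mar  3 10:06:30 bsdbox sudo:    alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c id ; cat /etc/master.passwd
EOF
}

# One tab-separated record per sudo event: status, invoking user, target
# user, command. status is "ok" when sudo ran the command, otherwise sudo's
# own refusal text ("user NOT in sudoers", "command not allowed", ...).
sudo_events() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: /) {
        rec = substr($0, RSTART + RLENGTH)
        if (index(rec, " : ") == 0) next          # not a command record
        n = split(rec, f, / ; /)                  # fields are " ; " separated
        split(f[1], head, / : /)                  # "  user : TTY=..." or "  user : reason"
        user = head[1]; sub(/^ +/, "", user)
        status = (head[2] ~ /^TTY=/) ? "ok" : head[2]
        runas = ""
        for (i = 1; i <= n; i++)
            if (f[i] ~ /^USER=/) runas = substr(f[i], 6)
        # Take COMMAND= from its first occurrence to end of line: the logged
        # arguments may themselves contain " ; ", so splitting on the
        # separator would silently truncate what was actually run.
        ci = index(rec, "COMMAND=")
        cmd = ci ? substr(rec, ci + 8) : ""
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }' "$1"
}

# Only the refused or failed attempts: the records worth an alert.
sudo_failures() {
    sudo_events "$1" | awk -F '\t' '$1 != "ok"'
}

# How often each user actually reached root, for a privilege-use review.
sudo_root_counts() {
    sudo_events "$1" | awk -F '\t' '$1 == "ok" && $3 == "root" { n[$2]++ }
        END { for (u in n) printf "%s\t%d\n", u, n[u] }'
}
```

Run it as sudo_failures /var/log/auth.log to see who was turned away; the third sample line (a user not in sudoers trying to get /bin/sh) is exactly the kind of record that deserves an alert rather than a weekly report.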

A sudo user with the ALL rule can escalate to a root shell with the sudo command (sudo -i does the same as the first form without going through su):

[alice@hostname~]$ sudo su -

OR

[alice@hostname~]$ sudo -s

Or, to execute a command as root:

[alice@hostname ~]$ sudo whoami

Or, to execute a command as another user:

[alice@hostname ~]$ sudo -u bob ls /home/bob

Remove a username from sudoers

To revoke the privileges, take the user out of the sudoers configuration file: run visudo as root and delete whichever of the following lines you added for her:

alice ALL=(ALL) NOPASSWD: ALL

OR

alice ALL=(ALL) ALL

Afterwards, sudo -l -U alice (run as root) should report that she is not allowed to run sudo on this host.
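The following is an added example, not part of the original article, covering both the grant and the revoke steps above with a drop-in directory instead of hand edits to the main file. It assumes the main sudoers includes the directory (the FreeBSD sudo package's default /usr/local/etc/sudoers carries an includedir line for /usr/local/etc/sudoers.d; confirm with grep includedir /usr/local/etc/sudoers) and that you run it as root. The function names, the SUDOERS_D override and the login-name pattern are this example's own choices, not anything sudo defines.

```shell
#!/bin/sh
# Added example (not the article's procedure): one file per user under
# sudoers.d, written atomically and checked by visudo before it takes effect.
# SUDOERS_D can be pointed at a scratch directory to try this out first.
SUDOERS_D="${SUDOERS_D:-/usr/local/etc/sudoers.d}"

# Accept only plain login names; anything else could smuggle sudoers syntax
# (or a path component) into the fragment. Pattern is this example's choice.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# Write one fragment atomically, syntax-checked by visudo where available.
# The final file name has no '.' and no trailing '~': sudo skips such names
# when reading an includedir, so an editor backup can never become policy.
write_fragment() {
    user=$1; line=$2
    valid_name "$user" || { echo "refusing user name: $user" >&2; return 1; }
    mkdir -p "$SUDOERS_D"
    tmp="$SUDOERS_D/.$user.tmp"
    printf '%s\n' "$line" > "$tmp"
    chmod 0440 "$tmp"       # sudo rejects fragments with looser permissions
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$SUDOERS_D/$user"
}

# Unrestricted root, own password required: the "alice ALL=(ALL) ALL" case.
grant_full() { write_fragment "$1" "$1 ALL=(ALL) ALL"; }

# Unrestricted root with no password prompt; a stolen session is then root.
grant_full_nopasswd() { write_fragment "$1" "$1 ALL=(ALL) NOPASSWD: ALL"; }

# Least privilege: one command line, as one target user, on one host.
# Usage: grant_command <user> <host> <runas> </abs/path/cmd> [args...]
grant_command() {
    user=$1; host=$2; runas=$3; shift 3
    case $1 in
        /*) ;;
        *)  echo "command must be an absolute path: $1" >&2; return 1 ;;
    esac
    write_fragment "$user" "$user $host=($runas) $*"
}

# Revoking is deleting the fragment; there is nothing in the main file to edit.
revoke() {
    valid_name "$1" || return 1
    rm -f "$SUDOERS_D/$1"
}

# Show the grant in force for a user (prints nothing if there is none).
show_grant() {
    if [ -f "$SUDOERS_D/$1" ]; then cat "$SUDOERS_D/$1"; fi
}
```

Typical use is grant_command alice server1 bob /bin/ls /home/bob for the restricted case and revoke alice when she leaves; after either, sudo -l -U alice shows what sudo itself now believes, which is the check that matters.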

To completely remove a user (say alice) from the system, run rmuser as the superuser; it removes her crontab and mail spool and asks before deleting her home directory:

# rmuser alice


For more usage patterns, see the man pages: sudo(8), sudoers(5), visudo(8).

This quick tutorial was contributed by Wendy Michele. You too can contribute to nixCraft.
