0

I'm configuring our new Ubuntu 22.04 VPS to host our React app and REST API.
I followed this tutorial, which seems relatively advanced and complete:
https://gofoss.net/server-hardening-advanced/

I'm currently adjusting sudo access.
In this tutorial, they write: "Privileged access should be limited to users of a specific group"
and provide steps to do it, as below:

  • Create a group called "mysudos":
    sudo groupadd mysudos
  • Add your "myadmacc" admin user to this group:
    sudo usermod -a -G mysudos myadmacc
  • Backup the "/etc/sudoers" configuration file:
    sudo cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")
  • Add the following line to "/etc/sudoers" file:
    %mysudos ALL=(ALL:ALL) ALL
  • Limit access to elevated privileges to the mysudos group:
    sudo dpkg-statoverride --update --add root mysudos 4750 /bin/su
  • Check permissions:
    ls -lh /bin/su

The terminal should display "mysudos".

However, the terminal displays:
-rwsr-x--- 1 root mysudos 55K Feb 21 2022 /bin/su

Additionally, in the "/etc/sudoers" file, I can see:

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d
%mysudos ALL=(ALL:ALL) ALL

It seems that my new specific group "mysudos" has been correctly granted sudo privileges, but "admin" and "sudo" privileges have not been limited.

Question 1: Is it really good practice to create a specific group with sudo privileges?

Question 2: If we create this specific group, shouldn't we remove access to sudo privileges for the existing groups ("admin", "sudo"), if the purpose of this is to limit sudo privileges to default admin groups? How to do it?

1 Answer

0

Question 1: Yes, it is considered a good practice to create a specific group with sudo privileges, as it provides a more granular control over who has access to elevated privileges.

Question 2: Yes, if the purpose is to limit sudo privileges to only the new specific group, you would need to remove access to existing groups like "admin" and "sudo".

This can be done by commenting out or removing the corresponding lines in the "/etc/sudoers" file. For example, you can comment out the following lines:

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL

By doing this, only the new specific group "mysudos" will have access to sudo privileges.

  • Many thanks for your quick answer! Should I also remove the privileges of "root"? – Emmanuel FRANCOIS Feb 04 '23 at 13:34
  • It is recommended to not remove the privileges of the "root" user. The recommendation is to not remove the privileges of the "root" user as it is the most powerful user in the system and it is essential for the proper functioning of the system. Additionally, it's possible that something may happen to your group "mysudos" and having the "root" group available can be a fallback in case of any issues. – Mohammed Chaaraoui Feb 04 '23 at 13:44
  • 1
    Indeed, it is a good idea to keep the root account privileges in case of problems with my custom group. Thanks for your help. – Emmanuel FRANCOIS Feb 04 '23 at 18:26
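
An added example, not part of the original question or answer: a POSIX shell sketch that lists which users and groups hold rules in a sudoers file and writes a candidate copy with every group rule except the chosen one commented out, so the result can be checked before it replaces anything. The function names, the "# disabled:" marker and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and the "# disabled:" marker are illustrative.
# Assumes sudoers rules are not split across lines with a trailing backslash.

# list_grantees FILE...: print every user or %group that owns a rule.
list_grantees() {
    awk '
        NF == 0 { next }                          # blank line
        $1 ~ /^#/ && $1 !~ /^#[0-9]+$/ { next }   # comment; "#1000" is a uid rule
        $1 ~ /^@include/ { next }                 # include directive
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        { print $1 }
    ' "$@" | LC_ALL=C sort -u
}

# restrict_to_group SRC DST GROUP: copy SRC to DST with every %group rule
# except %GROUP commented out. User rules such as root are left untouched.
restrict_to_group() {
    awk -v keep="%$3" '
        $1 ~ /^%/ && $1 != keep { print "# disabled: " $0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample modelled on the file quoted in the question.
tmp=$(mktemp -d)
cat > "$tmp/sudoers" <<'EOF'
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
%mysudos ALL=(ALL:ALL) ALL
EOF

restrict_to_group "$tmp/sudoers" "$tmp/sudoers.new" mysudos
echo "before:"; list_grantees "$tmp/sudoers"
echo "after:";  list_grantees "$tmp/sudoers.new"

# On the server, as root, with a second root shell kept open:
#   id -nG myadmacc | grep -qw mysudos     # the admin user really is in the group
#   restrict_to_group /etc/sudoers /root/sudoers.new mysudos
#   visudo -cf /root/sudoers.new           # syntax check before any install
#   list_grantees /root/sudoers.new /etc/sudoers.d/*
```

Files under /etc/sudoers.d are read through the @includedir line and can carry their own rules, which is why the last command lists them as well.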