How to Restrict Sudo Access to Specific Commands in Debian 12 Bookworm

Learn how to restrict sudo access to specific commands in Debian 12 Bookworm.

Introduction

Sudo (short for “superuser do”) is a powerful command-line tool in Unix-based systems, including Debian 12 Bookworm, that allows users to execute commands with elevated privileges. While giving users full sudo access can be convenient, it also presents security risks. To mitigate these risks, administrators can restrict sudo access to only specific commands, reducing the chances of accidental system damage or malicious activity.

This guide will walk you through the process of restricting sudo access to specific commands in Debian 12 Bookworm. By the end of this article, you will understand how to configure sudo privileges to enhance system security while maintaining operational efficiency.

Prerequisites

Before proceeding, ensure you have the following:

  • A system running Debian 12 Bookworm.
  • Root or sudo access to modify sudoers configuration.
  • A basic understanding of Linux commands and permissions.

Understanding the Sudoers File

The /etc/sudoers file controls sudo access on a Debian system. It defines which users or groups have permission to execute commands as root or another user. Modifications to this file should always be done carefully using the visudo command to prevent syntax errors that could lock you out of the system.

Creating a Limited Sudo User

If you haven’t already created a user who needs restricted sudo access, you can do so with the following command:

sudo adduser limiteduser

Replace limiteduser with the desired username. Then, add this user to the sudo group:

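sudo usermod -aG sudo limiteduser

Be aware that Debian's default sudoers file lets members of the sudo group run any command as root. While the account remains in that group, the per-command rule added below does not limit it, so the restrictions in this guide only take effect for an account that is not a member of sudo.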

Restricting Sudo Access to Specific Commands

To restrict sudo access to specific commands, follow these steps:

1. Edit the Sudoers File

Use visudo to safely edit the sudoers file:

sudo visudo

2. Define Command Restrictions

In the sudoers file, add a rule to restrict limiteduser to specific commands. For example, to allow limiteduser to restart Apache and check system logs but restrict access to other sudo commands, add the following line:

limiteduser ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2, /bin/journalctl -xe

This means limiteduser can run:

sudo systemctl restart apache2
sudo journalctl -xe

But they cannot execute other commands as root.

3. Restrict Access to Multiple Users (Using a Group)

If multiple users need the same restricted sudo privileges, create a user group (e.g., limitedsudo) and assign users to it:

sudo groupadd limitedsudo
sudo usermod -aG limitedsudo limiteduser

Then, modify the sudoers file to apply restrictions to the group:

%limitedsudo ALL=(ALL) NOPASSWD: /bin/systemctl restart apache2, /bin/journalctl -xe

Now, any user in the limitedsudo group will have the same restricted sudo privileges.

Testing the Configuration

After modifying the sudoers file, test the restricted user’s access:

  1. Switch to the limiteduser account:

    su - limiteduser

  2. Try running an allowed command:

    sudo systemctl restart apache2

    It should execute without any issues.

  3. Try running a disallowed command:

    sudo apt update

    You should receive a permission error, confirming that the restrictions are working correctly.

Enhancing Security Further

1. Restricting Shell Access

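To prevent a user from running arbitrary commands by gaining a shell, avoid allowing them to run /bin/bash or /bin/sh as root. Otherwise, they could elevate their privileges beyond the intended restrictions. The same care applies to any allowed program that can itself launch other programs, such as an editor or a pager; the sudoers NOEXEC tag exists to stop a permitted command from executing further programs.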

2. Logging and Monitoring

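To keep track of sudo usage, make sure sudo logs its activity to /var/log/auth.log. Debian 12 does not install rsyslog by default, and without it this file is not written; sudo's records are then held in the systemd journal instead. Where the file exists, you can monitor it using: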

tail -f /var/log/auth.log

This allows administrators to track which commands users attempt to execute.
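As an added example (not part of the original guide), the Python script below reviews sudo records from a file such as /var/log/auth.log rather than watching them scroll by. It reports refused attempts and any accepted command outside the two allowed ones, which means some other sudoers rule also matches the account. The log lines are constructed, and the names limiteduser2, admin and web01 are made up for the sample.

```python
import os
import re

# Commands the sudoers rule allows, and the accounts it is meant to confine.
ALLOWED = ["/bin/systemctl restart apache2", "/bin/journalctl -xe"]
RESTRICTED_USERS = {"limiteduser", "limiteduser2"}  # limiteduser2 is made up

# Constructed sample lines in sudo's syslog format (not from a real host).
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 web01 sudo: limiteduser : TTY=pts/0 ; PWD=/home/limiteduser ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
2024-05-01T10:00:02+00:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by limiteduser(uid=1001)
2024-05-01T10:00:09+00:00 web01 sudo: limiteduser : command not allowed ; TTY=pts/0 ; PWD=/home/limiteduser ; USER=root ; COMMAND=/usr/bin/apt update
2024-05-01T10:03:40+00:00 web01 sudo: limiteduser2 : TTY=pts/2 ; PWD=/home/limiteduser2 ; USER=root ; COMMAND=/usr/bin/apt update
2024-05-01T10:05:00+00:00 web01 sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<rest>.*COMMAND=.*)$")

def normalise(command):
    """Reduce '/usr/bin/prog args' to 'prog args' so /bin and /usr/bin match."""
    prog, _, args = command.strip().partition(" ")
    return (os.path.basename(prog) + " " + args.strip()).strip()

def parse_line(line):
    """Return (user, status, command) for a sudo command record, else None."""
    match = SUDO_RE.search(line)
    if not match:
        return None  # PAM session lines and non-sudo lines are skipped
    head, _, command = match.group("rest").partition("COMMAND=")
    first = head.split(" ; ")[0].strip()
    # A leading field without '=' is sudo's reason for refusing the command.
    status = first if first and "=" not in first else "accepted"
    return match.group("user"), status, command.strip()

def review(log_text, allowed=ALLOWED, users=RESTRICTED_USERS):
    """List refused attempts and accepted commands outside the allowlist."""
    permitted = {normalise(c) for c in allowed}
    records = filter(None, map(parse_line, log_text.splitlines()))
    findings = []
    for user, status, command in records:
        if user not in users:
            continue  # accounts that are not meant to be confined
        if status != "accepted":
            findings.append((user, "refused: " + status, command))
        elif normalise(command) not in permitted:
            # Accepted but not listed: another sudoers rule matches this user.
            findings.append((user, "accepted outside allowlist", command))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

An "accepted outside allowlist" finding for a restricted account is the signal to re-check its group memberships and the other rules in the sudoers policy.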

3. Using Defaults for Extra Security

To further tighten security, add extra restrictions in the sudoers file:

Defaults:limiteduser !authenticate, timestamp_timeout=0

  • !authenticate ensures the user does not need to enter a password when using allowed commands.
  • timestamp_timeout=0 prevents privilege persistence after a command is executed.

Conclusion

Restricting sudo access to specific commands in Debian 12 Bookworm is a crucial security practice that limits user privileges while allowing necessary administrative tasks. By carefully configuring the sudoers file, you can enhance security, reduce risks, and maintain system integrity. Always test your configurations and monitor logs to ensure compliance with security policies.

By following this guide, you now have a solid understanding of how to manage restricted sudo access efficiently and securely.