Can someone help explain this alias part to me?
-
I am looking at this tutorial and trying to figure out how I add my user to the alias group "SUDOER" as in the example. It seems like the sudoers file is missing at least one line.
Do I need to add something like this?
User_Alias SUDOER = accountname
I don't know what they are trying to accomplish with:
User_Alias SUDOER = higher_priveleged
Are they just saying that is where the username is supposed to go?
-
@IRJ That User_Alias is just another way to group users together within the sudoers file. Just ignore that part and use the standard system groups if you need to grant sudo permissions to multiple people. Typically wheel.
Within the sudoers file, uncomment or add
%wheel ALL=(ALL) ALL
Then add users to the wheel group
usermod -aG wheel USERNAME
That should be it, unless you need to lock things down to only running certain programs. Which is still simple, but gets tedious if you aren't managing servers with a state management system of some sort.
-
@travisdh1 said in Can someone help explain this alias part to me?:
@IRJ That User_Alias is just another way to group users together within the sudoers file. Just ignore that part and use the standard system groups if you need to grant sudo permissions to multiple people. Typically wheel.
Within the sudoers file, uncomment or add
%wheel ALL=(ALL) ALL
Then add users to the wheel group
usermod -aG wheel USERNAME
That should be it, unless you need to lock things down to only running certain programs. Which is still simple, but gets tedious if you aren't managing servers with a state management system of some sort.
Yeah, I am trying to use minimum permission on this account. I will use groups instead of the alias thing though. Good idea.
-
This is actually a decent explanation of what I am trying to do:
https://community.spiceworks.com/topic/108735-scanning-linux-devices-with-non-root-user
-
@IRJ said in Can someone help explain this alias part to me?:
This is actually a decent explanation of what I am trying to do:
https://community.spiceworks.com/topic/108735-scanning-linux-devices-with-non-root-user
That original one, while technically correct, seems purposely made more difficult to me.
Ugh, that thread, don't name your custom script the same thing as the program being run, FFS.
This is where I have to ask, what exactly are you trying to accomplish? Just grab system information with dmidecode, or something different?
-
@travisdh1 said in Can someone help explain this alias part to me?:
@IRJ said in Can someone help explain this alias part to me?:
This is actually a decent explanation of what I am trying to do:
https://community.spiceworks.com/topic/108735-scanning-linux-devices-with-non-root-user
That original one, while technically correct, seems purposely made more difficult to me.
Ugh, that thread, don't name your custom script the same thing as the program being run, FFS.
This is where I have to ask, what exactly are you trying to accomplish? Just grab system information with dmidecode, or something different?
https://www.tenable.com/blog/configuring-least-privilege-ssh-scans-with-nessus
-
@IRJ said in Can someone help explain this alias part to me?:
@travisdh1 said in Can someone help explain this alias part to me?:
@IRJ said in Can someone help explain this alias part to me?:
This is actually a decent explanation of what I am trying to do:
https://community.spiceworks.com/topic/108735-scanning-linux-devices-with-non-root-user
That original one, while technically correct, seems purposely made more difficult to me.
Ugh, that thread, don't name your custom script the same thing as the program being run, FFS.
This is where I have to ask, what exactly are you trying to accomplish? Just grab system information with dmidecode, or something different?
https://www.tenable.com/blog/configuring-least-privilege-ssh-scans-with-nessus
All right, not the greatest tutorial/how-to ever. You should only need a single user to accomplish this, so the whole group and alias conversation is pointless.
Just follow the rest of that tutorial, adding only the needed programs to the sudoers file.
nessus_user ALL=NOPASSWD: /usr/bin/program1, /usr/bin/program2
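
Added example, not part of the thread or the linked tutorials: a small Python audit that expands a `User_Alias` to its members and reports, for each grantee, whether the rule is unrestricted (`ALL`) or limited to named programs. The sample input is constructed from the lines quoted in the thread, the `SUDOER ALL=(ALL) ALL` rule is an assumed use of the alias, and the parser is simplified (single-line rules, no `Cmnd_Alias`, alias defined before use).

```python
import re

# Constructed sample: the three ways of naming a grantee that come up in the thread.
# "SUDOER ALL=(ALL) ALL" is an assumption about how the alias would be used.
SAMPLE = """\
User_Alias SUDOER = accountname
SUDOER ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
nessus_user ALL=NOPASSWD: /usr/bin/program1, /usr/bin/program2
"""

ALIAS_RE = re.compile(r"^User_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
# who host = [(runas)] [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$"
)


def audit(text):
    """Return one finding per (grantee, rule), with User_Alias names expanded."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplification)
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, _host, _runas, tags, cmds = m.groups()
        commands = [c.strip() for c in cmds.split(",")]
        for grantee in aliases.get(who, [who]):
            findings.append({
                "grantee": grantee,                       # user or %group
                "via": who if who in aliases else None,   # alias it came from
                "nopasswd": "NOPASSWD:" in tags,
                "unrestricted": "ALL" in commands,         # any command allowed
                "commands": commands,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        scope = "ANY COMMAND" if f["unrestricted"] else ", ".join(f["commands"])
        print(f'{f["grantee"]:<12} via={f["via"]} nopasswd={f["nopasswd"]} -> {scope}')
```

Before a real rule goes live, `visudo -c` checks the sudoers syntax.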