I'm configuring our new Ubuntu 22.04 VPS to host our react app and REST API.
I followed this tuto that seems relatively advanced and complete :
https://gofoss.net/server-hardening-advanced/
I'm currently adjusting sudo access.
In this tuto, they write : "Privileged access should be limited to users of a specific group"
and provide steps to do it, as below:
- Create a group called "mysudos":
sudo groupadd sudousers
- Add your "myadmacc" admin user to this group:
sudo usermod -a -G mysudos myadmacc
- Backup the "/etc/sudoers" configuration file:
sudo cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")
- Add the following line to "/etc/sudoers" file:
%mysudos ALL=(ALL:ALL) ALL
- Limit access to elevated privileges to the mysudos group:
sudo dpkg-statoverride --update --add root mysudos 4750 /bin/su
- Check permissions:
ls -lh /bin/su
The terminal should display "mysudos".
However, the terminal displays:
-rwsr-x--- 1 root mysudos 55K Feb 21 2022 /bin/su
Additionaly, in "/etc/sudoers" file, i can see:
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
%mysudos ALL=(ALL:ALL) ALL
It seems that my new specific group "mysudos" has been correctly granted to sudo privileges, but "admin" and "sudo" privileges have not been limited.
Question 1: is it really good practice to create a specific group with sudo privileges ?
Question 2: if we create this specific group, souldn't we remove access to sudo privileges to existing groups ("admin", "sudo"), if the purpose of this is to limit sudo privileges to default admin groups? How to do it?
