
Setting up sudo privileges for an Oracle Linux user

Posted at 2026-05-05

Previous articles

Build edition

Environment check edition

User addition edition

Privileged user

1. How to configure sudo privileges for a user

1.1. How to configure sudo privileges for a user

sudo privileges are special permissions that allow a user to change settings important to OS administration, such as system configuration.
They are used by prefixing "sudo" to the command when it is run.

They can be configured per user or per group.

2. Configuring a sudo-privileged user

2.1. Checking the current sudo-privileged users

Check the initial sudo privilege configuration in /etc/sudoers.
[opc@test-server ~]$ sudo cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

2.2. Configuring the sudo-privileged user

Run the visudo command: sudo visudo. ※ This edits the /etc/sudoers file.
[opc@test-server etc]$ sudo visudo
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

1) Move to the end of the file (Shift + G)

2) Enter insert mode ([i] key)

3) Press the Enter key, then add the line (user name: oracle) ALL=(ALL) ALL

[opc@test-server etc]$ sudo visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

## console user
oracle ALL=(ALL) ALL

※ The example uses the user name: oracle

4) Leave insert mode ([ESC] key)

5) Enter command mode ([:] key)

6) Write the file ([w][!][Enter])

7) Quit ([q][Enter])
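As an added example (not code from the article), the same grant can be made without hand-editing /etc/sudoers in vi: the listing in 2.1 ends with "#includedir /etc/sudoers.d", so a drop-in file placed there is read by sudo. The script below builds the "oracle ALL=(ALL) ALL" line, runs it through visudo's syntax check before installing it (a syntax error in any sudoers file can lock every administrator out of sudo, which is exactly why the article uses visudo rather than a plain editor), and installs it with the conventional 0440 mode. The function names, the user name/directory arguments and the fallback when visudo is not installed are my assumptions.

```shell
#!/bin/sh
# Added example, not from the article: grant a user full sudo rights through a
# drop-in file under /etc/sudoers.d instead of editing /etc/sudoers directly.
# Assumptions: the user name and target directory are passed as arguments;
# visudo is used for the syntax check when it is installed on the host.

set -eu

# Reject anything that is not a plain user name. The value is written unquoted
# into a privileged configuration file, so be strict about what is accepted.
valid_username() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the sudoers entry for one user, e.g. "oracle ALL=(ALL) ALL".
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Write the entry to a drop-in file and validate it before installing it.
# $1 = user name, $2 = sudoers.d directory (default /etc/sudoers.d)
# Returns 0 on success, 1 on a bad user name or a failed syntax check.
write_sudoers_dropin() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    valid_username "$user" || { echo "invalid user name: $user" >&2; return 1; }

    tmp=$(mktemp)
    {
        printf '## console user (managed drop-in)\n'
        sudoers_line "$user"
    } > "$tmp"

    # visudo -c checks syntax only; -f points it at our file instead of
    # /etc/sudoers. Never install a file that fails this check.
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"
            echo "sudoers syntax check failed for $user" >&2
            return 1
        fi
    else
        echo "note: visudo not found, syntax check skipped" >&2
    fi

    # sudo ignores drop-ins that are group- or world-writable; 0440 is the
    # conventional mode. Ownership (root:root) comes from running this as root.
    mkdir -p "$dir"
    install -m 0440 "$tmp" "$dir/$user"
    rm -f "$tmp"
}

# Usage on a real host (as root):  write_sudoers_dropin oracle
```

Pass a scratch directory as the second argument to try the function as an unprivileged user; the file it writes there has the same content and mode as the one sudo would read from /etc/sudoers.d.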

3. Configuring the sudo-privileged group

3.1. Checking the current sudo-privileged group

Check the initial sudo privilege configuration in /etc/group.
[opc@test-server etc]$ sudo cat /etc/group | grep wheel
wheel:x:10

※ The example uses the user name: oracle

3.2. Adding the user to the sudo-privileged group

Add the user to the sudo-privileged group with usermod.
[opc@test-server etc]$ sudo usermod -aG wheel oracle

※ The example uses the user name: oracle

3.3. Verifying the sudo-privileged group configuration

Verify the sudo-privileged user's configuration with cat /etc/group.
[opc@test-server etc]$ sudo cat /etc/group | grep wheel
wheel:x:10:oracle

※ The example uses the user name: oracle

4. Configuring the same groups as the opc user

4.1. Checking the groups of the opc user

Check the opc user's initial group membership in /etc/group.
[opc@test-server etc]$ sudo cat /etc/group | grep opc
adm:x:4:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun,opc
systemd-journal:x:190:opc
opc:x:1000:

※ The example uses the user name: oracle

4.2. Adding the user to the same groups as the opc user

Add the user to the opc user's groups with usermod.
[opc@test-server etc]$ sudo usermod -aG adm oracle
[opc@test-server etc]$ sudo usermod -aG systemd-journal oracle
[opc@test-server etc]$ sudo usermod -aG opc oracle

※ The example uses the user name: oracle

4.3. Verifying the same-groups-as-opc configuration

Verify the user's configuration with cat /etc/group.
[opc@test-server etc]$ sudo cat /etc/group | grep opc
adm:x:4:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun,opc,oracle
systemd-journal:x:190:opc,oracle
opc:x:1000:oracle

※ The example uses the user name: oracle
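Sections 3 and 4 check membership with "cat /etc/group | grep wheel" and "grep opc". That works on this host, but grep matches the name anywhere on the line, so a group called opcache or a member called opc2 would also show up, and it does not reveal the opc user's primary group (the "opc:x:1000:" line has no member list because primary membership is recorded in /etc/passwd). The script below is an added example, not from the article: it parses the /etc/group and /etc/passwd fields properly, lists every group the reference user opc belongs to, computes which of those the new user oracle still lacks, and prints the usermod commands of section 4.2. The constructed sample files, the function names and the decoy opcache/docker lines are my assumptions; on a live host "id -nG opc" gives the same group list in one command.

```shell
#!/bin/sh
# Added example, not from the article: reconcile a user's group membership
# against a reference user by parsing /etc/group and /etc/passwd fields.
# Assumptions: file paths are passed as arguments (defaults /etc/group and
# /etc/passwd); the sample_* functions hold constructed data for offline use.

set -eu

# Constructed sample in /etc/group format, modelled on the article's output,
# plus two decoy lines (opcache, docker/opc2) that a naive "grep opc" matches.
sample_group_file() {
    cat <<'EOF'
root:x:0:
adm:x:4:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun,opc
wheel:x:10:
systemd-journal:x:190:opc
opcache:x:995:nobody
opc:x:1000:
oracle:x:1001:
docker:x:996:opc2
EOF
}

# Constructed sample in /etc/passwd format (name:x:uid:gid:gecos:home:shell).
sample_passwd_file() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
opc:x:1000:1000::/home/opc:/bin/bash
oracle:x:1001:1001::/home/oracle:/bin/bash
EOF
}

# Print, one per line, every group the user belongs to: the primary group
# (matched by the gid from passwd) and each group whose member field
# (name:password:gid:member,member,...) lists the user exactly.
# $1 = user, $2 = group file, $3 = passwd file
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "${3:-/etc/passwd}")
    awk -F: -v u="$1" -v gid="${gid:-}" '
        $3 == gid { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }' "${2:-/etc/group}"
}

# Print the groups that the reference user has and the target user lacks.
# $1 = target user, $2 = reference user, $3 = group file, $4 = passwd file
missing_groups() {
    target=$1; ref=$2; gfile=${3:-/etc/group}; pfile=${4:-/etc/passwd}
    have=$(groups_of "$target" "$gfile" "$pfile")
    for g in $(groups_of "$ref" "$gfile" "$pfile"); do
        printf '%s\n' "$have" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Print one usermod command per missing group for the administrator to review.
# -a is essential: "usermod -G" without it replaces the supplementary group
# list, which would silently drop wheel again.
usermod_commands() {
    missing_groups "$1" "$2" "${3:-/etc/group}" "${4:-/etc/passwd}" |
    while IFS= read -r g; do
        printf 'usermod -aG %s %s\n' "$g" "$1"
    done
}

# Offline demonstration with the constructed sample files:
#   usermod_commands oracle opc "$group_file" "$passwd_file"
# prints the three commands from section 4.2 (adm, systemd-journal, opc).
```

Run the functions against the real files (omit the file arguments) to get the commands for a live host; the script only prints them, it does not change anything.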

5. Verifying sudo privileges from outside

5.1. Checking the sudo-privileged group for emergency-response use

Check that the sudo-privileged user works:

1) From the console connection, select [Launch Cloud Shell connection]

2) Log in as the user whose privileges were configured

3) Run a command using sudo

(Screenshot: console-2001.png)

In closing

The content of this article is licensed under CC BY-SA 4.0 (please keep the author attribution and pass on the CC license; commercial use, modification and redistribution are fine).
