Letting users run as other users

In the following line, (ALL) means that Sylvester can run the systemctl commands as any user:

sylvester     ALL=(ALL) /usr/bin/systemctl status sshd, /usr/bin/systemctl restart sshd

This effectively gives Sylvester root privileges for these commands because the root user is definitely any user. You could, if desired, change that (ALL) to (root) in order to specify that Sylvester can only run these commands as the root user:

sylvester     ALL=(root) /usr/bin/systemctl status sshd, /usr/bin/systemctl restart sshd

Okay, there's probably not much point in that because nothing changes. Sylvester had root privileges for these systemctl commands before, and he still has them now. But, there are more practical uses for this feature. Let's say that Vicky is a database admin, and you want her to run as the database user:

vicky    ALL=(database)    /usr/local/sbin/some_database_script.sh

Vicky could then run the command as the database user by entering the following code:

sudo -u database some_database_script.sh

This is one of those features that you might not use that often, but keep it in mind anyway. You never know when it might come in handy.

Okay, this wraps it up for our discussion of sudo. Let's now turn our attention to ensuring the security of our regular users.