7.2 Delegate Minimal Privileges as Appropriate

A privilege is a discrete right that can be granted to an application. With a privilege, a process can perform an operation that would otherwise be prohibited by the operating system. Oracle Linux, like traditional UNIX systems, follows a superuser-based model. Applications check the ID of the user (such as 0 for root) to test for the availability of specific privileges. The sudo command allows a user to execute a command as root or another specified user, provided that they have been granted permission in the /etc/sudoers file. To grant certain users the authority to perform specific administrative tasks via sudo, use the visudo command to modify the contents of this file.
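
As an added example (not part of the original documentation), the following shell function reads sudoers-format text and reports each entry that grants every command through the bare ALL keyword, which is the opposite of delegating specific tasks. The sample rules, account names and the WEBSVC alias are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes one rule per line: backslash line continuations
# and "#uid" style user entries are not handled.

# Print the user or %group of every rule whose command list contains bare ALL.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)      # drop the "who host =" part
            sub(/^\([^)]*\)[ \t]*/, "", spec)   # drop the "(runas)" part
            gsub(/[A-Z_]+:[ \t]*/, "", spec)    # drop tags such as NOPASSWD:
            sub(/[ \t]+$/, "", spec)            # drop trailing whitespace
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (cmds[i] == "ALL") { print $1; break }
        }
    '
}

# Constructed sample: broad grants next to minimal, task-specific ones.
sample_sudoers() {
    cat <<'EOF'
# Constructed sample, not taken from a real host
Defaults    env_reset
Cmnd_Alias  WEBSVC = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
root        ALL=(ALL)   ALL
alice       ALL=(ALL)   ALL
%wheel      ALL=(ALL)   NOPASSWD: ALL
%webadmins  ALL=(root)  WEBSVC
bob         ALL=(root)  /usr/bin/dnf update
EOF
}

# Stand-alone run: lists root, alice and %wheel, but not %webadmins or bob.
sample_sudoers | audit_sudoers
```

Before installing an edited rule file, visudo -cf FILE checks its syntax without applying it.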

By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action.

You can also configure SELinux to provide Role-Based Access Control (RBAC). Under this security model, a user's membership of an SELinux domain determines which processes and files that user can run or access on the system.