Edit the sudoers file with visudo. Note that to execute many system commands, your PATH will need to include /sbin:/usr/sbin
See what access is allowed with "sudo -l".
The best example file I found was at http://www.gratisoft.us/sudo/sample.sudoers , except that is uses "!", which is pointless (commands can be copied).
## Sample sudoers file ##
# *** Host_Alias specifications ***
# Host_Alias seems not to be useful, unless you have a
# global sudoers file that is replicated across multiple hosts.
# make LOCAL mean localhost (probably a bad idea, as this will allow it to run on any machine that has the sudoers file)
Host_Alias LOCAL = 127.0.0.1
# Anywhere that "LAN" is specified, these hosts apply:
Host_Alias LAN = ahost.mycompany.com, anotherhost.mycompany.com
# *** User_Alias specifications ***
# User_Alias allows you to group users. (better to use AD/NIS groups, for global/central management?)
# MAILADMINS user alias refers to users dick and jane
User_Alias MAILADMINS = dick, jane
# *** Runas_Alias specifications ***
# This specifies an alias or grouping of whom a command can be run as.
Runas_Alias SOMEONE = larry, tom
# *** Cmd_Alias specifications ***
# alias or group commands with full paths, to make things easier to read later.
Cmnd_Alias SU = /bin/su
Cmnd_Alias SMTP = /sbin/service postfix stop, /sbin/service postfix start, /sbin/service postfix status
Cmnd_Alias REBOOT = /usr/bin/reboot, /sbin/shutdown -r now
# *** Defaults specification ***
# make user john.doe not have to enter a password to run commands as another user
# make user kate have no timeout, and add env variable "GOO" to the sudo environment, and run as linda by default, but always require the root password
Defaults:kate timestamp_timeout=-1, env_delete+="GOO", runas_default=linda, rootpw
# make user jim have to enter the password of whoever he's running a command as, every time, with 1 attempt allowed
Defaults:jim timestamp_timeout=0, runaspw, passwd_tries=1Defaults logfile=/var/log/sudo.log, log_year
# global defaults - log to a specific file.
# *** User Privilege specification ***
# This is where we actually say who and where (as whom) can do what
# user/%group hostname = (user) command
# by default, root can do all commands as all users
root ALL=(ALL) ALL
# users jake and jim, on localhost, can execute crond without entering a password. (probably a bad idea)
jake,jim LOCAL = NOPASSWD: /sbin/service crond restart
# allow MAILADMINS on hosts LAN to run as root the commands SMTP and REBOOT.
MAILADMINS LAN = (root) SMTP, (SOMEONE) REBOOT
# members of the group "wheel" can run, on all hosts, all commands as all users
%wheel ALL=(ALL) ALL