sudo access done the right way

sudo access done the right way

Vern Burton

3 minute read

Sudo is a very important thing to a System Administrator as it grants us to ability to do things that we usually can’t.

Sudo Sandwich

All rights registered to Randall Munroe.

I see many page that recommend that you add the user directly to /etc/sudoers. It is in my personal opinion that this creates too much management for an Administrator.

username ALL=(ALL) ALL

This might work from some users, but I will always stress the importance of using groups to ensure access rights. It is better to manage group rights and give users access through assigning them into the groups as a secondary group.

This is the same as giving access via a role in Windows, or User Group on IBM. This allows multiple users to be in a group and will simplify removing permissions as you only need to remove the user from the group.

It is important to remember that you must never directly edit /etc/sudoers. This file should only be edited via the visudo command.

CentOS – Linux

This command will help you ensure that the wheel user exists on the system and it will also show you any existing users. grep ^wheel /etc/group You’ll then have to change the following line in /etc/sudoers to reflect the following.

%wheel ALL=(ALL) ALL

This will allow anyone inside the wheel group access to the root shell. You will sometimes see people telling you that you should add the following:

%wheel ALL=(ALL) NOPASSWD:ALL

This should never be done to a user that is in the wheel group. This is allowing access to the root shell without any authentication and this is generally bad practice.

You should also edit /etc/pam.d/su file to limit access to the root shell. This will force only users in the wheel group access to root shell via a command like sudo bash or sudo su -. The file should be change so that the line in the file reflects the following.

auth required pam_wheel.so use_uid

Ubuntu – Linux

This is a little different in a system like Ubuntu where their is a sudo group that has already been set up to allow access to the root shell. In this system, you only need to add the user to the sudo group.

sudo adduser <username> sudo

This is how a Linux Systems Administrator will manage access to such important access on his/hers systems. These things can be taken to another level by creating virtual users that you can realize via Puppet, but that is a blog for another day.

References:

RHEL 5 GUIDE – NSA

Allowing other users access to run sudo