System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the
root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the
root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 7 Security Guide for more information on administrative controls, potential dangers, and ways to prevent data loss resulting from improper use of privileged access.
When a user executes the su command, they are prompted for the
root password and, after authentication, are given a
root shell prompt.
Once logged in using the su command, the user is the
root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become
root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to add to the
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
To enable making changes, click the Unlock button, and enter a valid administrator password.
Click a user icon in the left column to display the user’s properties in the right-hand pane.
Change the Account Type from
Administrator. This will add the user to the
See Managing_Users_and_Groups.adoc#s1-users-configui for more information about the Users tool.
After you add the desired users to the
wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su,
/etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group
wheel can switch to another user using the su command.
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the
The basic format of the sudo command is as follows:
In the above example, command would be replaced by a command normally reserved for the
root user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the
/etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a
root shell. This means the
root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file
/var/log/messages and the command issued along with the issuer’s user name is logged to the file
/var/log/secure. If additional logging is required, use the
pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the
root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file,
/etc/sudoers, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user,
juan, can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the
users system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for
sudoers has a detailed listing of options for this file.
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
su(1) — The manual page for su provides information regarding the options available with this command.
sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.
pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
The Red Hat Enterprise Linux 7 Security Guide provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
Managing_Users_and_Groups.adoc#ch-Managing_Users_and_Groups documents how to manage system users and groups in the graphical user interface and on the command line.