sudo access done the right way
sudo access done the right way
Sudo is a very important thing to a System Administrator as it grants us to ability to do things that we usually can’t.
I see many page that recommend that you add the user directly to /etc/sudoers
. It is in my personal opinion that this creates too much management for an Administrator.
username ALL=(ALL) ALL
This might work from some users, but I will always stress the importance of using groups to ensure access rights. It is better to manage group rights and give users access through assigning them into the groups as a secondary group.
This is the same as giving access via a role in Windows, or User Group on IBM. This allows multiple users to be in a group and will simplify removing permissions as you only need to remove the user from the group.
It is important to remember that you must never directly edit /etc/sudoers
. This file should only be edited via the visudo command.
CentOS – Linux
This command will help you ensure that the wheel user exists on the system and it will also show you any existing users.
grep ^wheel /etc/group
You’ll then have to change the following line in /etc/sudoers
to reflect the following.
%wheel ALL=(ALL) ALL
This will allow anyone inside the wheel group access to the root shell. You will sometimes see people telling you that you should add the following:
%wheel ALL=(ALL) NOPASSWD:ALL
This should never be done to a user that is in the wheel group. This is allowing access to the root shell without any authentication and this is generally bad practice.
You should also edit /etc/pam.d/su
file to limit access to the root shell. This will force only users in the wheel group access to root shell via a command like sudo bash
or sudo su -
. The file should be change so that the line in the file reflects the following.
auth required pam_wheel.so use_uid
Ubuntu – Linux
This is a little different in a system like Ubuntu where their is a sudo group that has already been set up to allow access to the root shell. In this system, you only need to add the user to the sudo group.
sudo adduser <username> sudo
This is how a Linux Systems Administrator will manage access to such important access on his/hers systems. These things can be taken to another level by creating virtual users that you can realize via Puppet, but that is a blog for another day.
References:
Share this post