- A Cloud Guru
Enabling su/sudo Access with Wheel Group
System administrators rarely log in to a system as `root`, due to a number of security risks. Some distributions even disable the `root` account to begin with. Restricting the ability to use `root` privileges to selected users is an important part of maintaining a secure system. In this activity, you will learn how to secure the `su` and `sudo` commands by restricting their use to members of the `wheel` group.
Confirm Your User Is in the wheel Group and Set the /usr/bin/sudo and /usr/bin/su Files so They Can Be Executed by the root User and wheel Group
`groups` commands to confirm your
`sudo` to become the root user:
`chgrp` to set the `wheel` group as the owner of
```
chgrp wheel /usr/bin/sudo /usr/bin/su
```
`chmod` to set the most secure permissions, and allow the `wheel` group to execute
```
chmod 4110 /usr/bin/sudo /usr/bin/su
```
`ls -l` on either of those to confirm.
Use visudo to Confirm, Create, or Uncomment Entry Allowing wheel Group to Use sudo
To modify or verify `/etc/sudoers` allows the wheel group to use sudo, use the
We need a line that looks like this:
```
%wheel ALL=(ALL) ALL
```
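It may already be there, or it may be there and commented out. It's usually down in the vicinity of the `root` line. Save changes to the file and exit. Use `grep` to verify the line is there.
```
grep wheel /etc/sudoers
```
In the output, make sure the line does not begin with `#`; a commented-out entry has no effect.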
Uncomment or Create a Line in /etc/pam.d/su to Require wheel Group Membership for Using the su Command
Using the editor of your choice, uncomment or create an additional "auth" test below the line ending with `pam_rootok.so`. The line should look like this:
```
auth required pam_wheel.so use_uid
```
Create a sysadmin User, Make Them a Member of the wheel Group, Set Their Password, and Verify sysadmin Is Able to Use sudo and su
`sysadmin` user and make them a member of the
```
useradd -G wheel sysadmin
```
Running it this way would work too:
```
useradd sysadmin
usermod -aG wheel sysadmin
```
Now we can set the
```
su - sysadmin
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit
```
Create a User, sysuser, Who Is Not a Member of the wheel Group, Set Their Password, and Verify That They Are Not Able to Use sudo and su
`sysuser` user and do not make them a member of the
```
su --login sysuser
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit
```
`su` commands should have both failed.
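The following script is an added example, not part of the original lab guide. It audits the three settings configured above (the sudoers rule, the `pam_wheel.so` line, and the mode and group on the binaries) and, unlike `grep wheel /etc/sudoers`, treats a commented-out rule as missing; the function names and the sample file are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
# Added example: audit the wheel-group settings from this lab.
# Function names and sample data are constructed; stat -c assumes GNU coreutils.

# True if the file has an active (uncommented) "%wheel ALL=(ALL) ALL" rule.
sudoers_allows_wheel() {
  grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# True if an active "auth required pam_wheel.so use_uid" follows pam_rootok.so.
pam_su_requires_wheel() {
  awk '
    $1 ~ /^#/ { next }                                   # commented-out line
    $1 == "auth" && $3 == "pam_rootok.so" { rootok = 1 }
    $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" && /use_uid/ && rootok { found = 1 }
    END { exit !found }
  ' "$1"
}

# True if the binary has mode 4110 and the expected group (default: wheel).
binary_locked_to_group() {
  [ "$(stat -c '%a %G' "$1")" = "4110 ${2:-wheel}" ]
}

# usage: report LABEL COMMAND [ARGS...]
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Constructed sample: the rule exists but is still commented out, so a plain
# "grep wheel" finds a line even though the rule is not in effect.
sample=$(mktemp)
printf '%s\n' 'root ALL=(ALL) ALL' '# %wheel ALL=(ALL) ALL' > "$sample"
if grep -q wheel "$sample"; then echo "grep wheel: line found"; fi
report "active %wheel rule in sample" sudoers_allows_wheel "$sample"
rm -f "$sample"

# On the lab host, as root, the same checks would be run as:
#   report sudoers  sudoers_allows_wheel   /etc/sudoers
#   report pam-su   pam_su_requires_wheel  /etc/pam.d/su
#   report sudo-bin binary_locked_to_group /usr/bin/sudo
#   report su-bin   binary_locked_to_group /usr/bin/su
```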