In Linux, root is the user with the highest authority and can perform arbitrary actions on the system.

If other users need to perform administrative tasks, you cannot give root access to all of them, because if one of them does something wrong, there is no way to correct it.

Is there a solution to this problem?

We can overcome this by issuing sudo permissions to the appropriate users.

The sudo command provides a mechanism to give trusted users administrative rights to the system without having to share root’s password.

They can perform most of the administrative operations, but do not have full permissions like root.

What is Sudo?

Sudo is a program that ordinary users can use to execute commands as superuser or other users, as specified by security policies.

Access to sudo users is controlled by the /etc/sudoers file.

What are the advantages of being a Sudo user?

On Linux, sudo is a safe way to run a command if you are unfamiliar with it.

  • Linux keeps logs in the /var/log/secure or /var/log/auth.log file, and you can verify what actions the sudo user has taken.
  • Each time it prompts for a password for the current action. So, you’ll have time to verify that the action is what you want to do. If you find that it is incorrect behavior, you can safely exit without performing this operation.
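
The log check described in the list above, as an added example that is not part of the original article: a shell script that turns sudo records from /var/log/secure or /var/log/auth.log into per-user counts and flags accepted commands that start a shell. The function names and the sample log are constructed for illustration, and it assumes accepted records begin with TTY= right after the user name.

```shell
#!/bin/sh
# Added example: summarise sudo records from /var/log/secure or /var/log/auth.log.

# Constructed sample in the layout of the log lines shown in this article.
sample_log() {
cat <<'EOF'
Mar 17 07:01:56 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)
Mar 17 07:09:47 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:10:40 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/bash
Mar 17 07:11:02 CentOS7 sudo: user9 : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/user9 ; USER=root ; COMMAND=/bin/systemctl restart httpd
EOF
}

# Print "user|status|command" for every sudo command record.
# Assumption: an accepted record starts with TTY= right after "user : ";
# anything else in that position is treated as sudo's refusal reason.
sudo_events() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: /) && /COMMAND=/ {
        rest = substr($0, RSTART + RLENGTH)
        sep = index(rest, " : ")
        if (sep == 0) next                      # not a "user : ..." record
        user = substr(rest, 1, sep - 1); gsub(/^ +| +$/, "", user)
        detail = substr(rest, sep + 3)
        status = (detail ~ /^TTY=/) ? "allowed" : "refused"
        print user "|" status "|" substr(detail, index(detail, "COMMAND=") + 8)
    }' "$@"
}

# Count records per user and status, one "user|status|count" line each.
sudo_summary() {
    sudo_events "$@" |
        awk -F'|' '{ n[$1 "|" $2]++ } END { for (k in n) print k "|" n[k] }' | sort
}

# Accepted records that start a shell: sudo's default logging records only
# the shell launch, not the commands typed inside it.
root_shells() {
    sudo_events "$@" | awk -F'|' '$2 == "allowed" {
        split($3, w, " ")
        if (w[1] ~ /\/(ba|da|z|k)?sh$/) print $1 "|" $3
    }'
}

sample_log | sudo_summary
sample_log | root_shells
```

On a live system, pass the log file as an argument (for example sudo_summary /var/log/secure) from an account that can read it.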

There is a difference between RHEL based systems (such as Redhat (RHEL), CentOS, and Oracle Enterprise Linux (OEL)) and Debian based systems (such as Debian, Ubuntu, and LinuxMint).

We’ll show you how to do this in the two distributions mentioned in this article.

There are three approaches that can be applied to both distributions.

  • Add a user to the corresponding group. On RHEL-based systems, we add users to the wheel group. On Debian-based systems, we add users to the sudo or admin group.
  • Manually add users to the /etc/group file.
  • Use the visudo command to add a user to the /etc/sudoers file.
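
To review the result of the three approaches above, the following added example (not from the original article) lists every account that holds sudo rights and whether it got them through an activated group or through its own sudoers entry. The function names sudo_grants and demo and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts with sudo rights and where the grant comes from.
# Paths are arguments so the audit can run on copies; defaults are the live files.
# Limitation: files pulled in through includedir are not followed.

# Print "user|source" for group-based and per-user grants.
sudo_grants() {
    group_file=${1:-/etc/group} sudoers_file=${2:-/etc/sudoers}
    awk -F: '
    FILENAME == ARGV[1] {                        # first file: sudoers
        line = $0; sub(/^[ \t]+/, "", line)
        # Skip blanks, comments, include directives, Defaults and alias lines.
        if (line == "" || line ~ /^(#|@|Defaults)/ || line ~ /_Alias/) next
        split(line, f, /[ \t]+/)
        if (f[1] ~ /^%/) active[substr(f[1], 2)] = 1   # e.g. %wheel ALL=(ALL) ALL
        else if (f[1] != "root") print f[1] "|sudoers entry"
        next
    }
    ($1 in active) && $4 != "" {                 # second file: group database
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) print members[i] "|group " $1
    }' "$sudoers_file" "$group_file" | sort -u
}

# Constructed files: wheel is activated, admin is commented out.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sudoers" <<'EOF'
## Allows people in group wheel to run all commands
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
# %admin ALL=(ALL) ALL
user2   ALL=(ALL)   ALL
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:daygeek,user1
admin:x:1011:user4
users:x:100:user5
EOF
    sudo_grants "$dir/group" "$dir/sudoers"
    rm -rf "$dir"
}

demo
```

For a single account, sudo -l -U <user> run as root shows the policy sudo actually applies.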

How do I configure the sudo access permission on RHEL, CentOS, and OEL?

On RHEL-based systems such as Redhat (RHEL), CentOS, and Oracle Enterprise Linux (OEL), you can do this using the following three methods.

Method 1: How do I use the wheel group to grant superuser access to a common user in Linux?

Wheel is a special group in RHEL-based systems that provides additional permissions to authorize users to perform restricted commands like superusers.

Note that the wheel group should be activated in the /etc/sudoers file to obtain this access.

# grep -i wheel /etc/sudoers

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL

Suppose we have created a user account to perform these operations. For this purpose, I will use the daygeek account.

Add the user to the wheel group by executing the following command.

# usermod -aG wheel daygeek

We can verify this with the following command.

# getent group wheel
wheel:x:10:daygeek

I’m going to check if the user daygeek can access files belonging to root.

$ tail -5 /var/log/secure
tail: cannot open /var/log/secure for reading: Permission denied

An error occurred when I tried to access the /var/log/secure file as a normal user. I’ll use sudo to access the same file, so let’s look at the magic.

$ sudo tail -5 /var/log/secure
[sudo] password for daygeek:
Mar 17 07:01:56 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)
Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 07:05:10 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:05:10 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)

Method 2: In RHEL/CentOS/OEL, how can I use the /etc/group file to grant superuser access rights to a common user?

We can manually add users to the wheel group by editing the /etc/group file.

You can do this by simply opening the file and appending the appropriate user after the appropriate group.

$ grep -i wheel /etc/group
wheel:x:10:daygeek,user1

In this example, I will use the user account user1.

I’ll check that user1 has sudo access by restarting the Apache HTTPD service on the system. Let’s look at this trick.

$ sudo systemctl restart httpd
[sudo] password for user1:

$ sudo grep -i user1 /var/log/secure
[sudo] password for user1:
Mar 17 07:09:47 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:10:40 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:12:35 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/grep -i httpd /var/log/secure

Method 3: How do I grant superuser access to a common user using the /etc/sudoers file in Linux?

Sudo access is controlled by the /etc/sudoers file. Therefore, simply add the user to the sudoers file, alongside the wheel group entry.

Append the desired user to the /etc/sudoers file with the visudo command.

# grep -i user2 /etc/sudoers
user2 ALL=(ALL) ALL

In this example, I will use the user account user2.

I’ll check if user2 has sudo access by restarting the MariaDB service on the system. Let’s look at this trick.

$ sudo systemctl restart mariadb
[sudo] password for user2:

$ sudo grep -i mariadb /var/log/secure
[sudo] password for user2:
Mar 17 07:23:10 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart mariadb
Mar 17 07:26:52 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/grep -i mariadb /var/log/secure

How do I configure sudo access on Debian/Ubuntu?

On Debian based systems such as Debian, Ubuntu, and LinuxMint, this can be done using the following three methods.

Method 1: How do I use sudo or admin group in Linux to grant superuser access to ordinary users?

Sudo, or admin, is a special group in Debian-based systems that provides additional permissions to authorize users to perform restricted commands like superusers.

Note that sudo or the admin group should be activated in the /etc/sudoers file to obtain this access.

# grep -i 'sudo\|admin' /etc/sudoers

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

Suppose we have created a user account to perform these operations. For this purpose, I will use the user account 2gadmin.

Execute the following command to add the user to the sudo group.

# usermod -aG sudo 2gadmin

We can verify this with the following command.

# getent group sudo
sudo:x:27:2gadmin

I’m going to test whether user 2gadmin can access files belonging to user root.

$ less /var/log/auth.log
/var/log/auth.log: Permission denied

An error occurred when I tried to access the /var/log/auth.log file as a normal user. I’m going to access the same file using sudo, so let’s look at the magic.

$ sudo tail -5 /var/log/auth.log
[sudo] password for 2gadmin:
Mar 17 20:39:47 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/bin/bash
Mar 17 20:39:47 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)
Mar 17 20:40:23 Ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 20:40:48 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/usr/bin/tail -5 /var/log/auth.log
Mar 17 20:40:48 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)

Alternatively, we can do the same by adding users to the admin group.

Run the following command to add a user to the admin group.

# usermod -aG admin user1

We can verify this with the following command.

# getent group admin
admin:x:1011:user1

Let’s look at the output.

$ sudo tail -2 /var/log/auth.log
[sudo] password for user1:
Mar 17 20:53:36 Ubuntu18 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/tail -2 /var/log/auth.log
Mar 17 20:53:36 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)

Method 2: In Debian/Ubuntu, how to use the /etc/group file to grant superuser access to common users?

We can manually add users to the sudo group or the admin group by editing the /etc/group file.

You can do this by simply opening the file and appending the appropriate user after the appropriate group.

$ grep -i sudo /etc/group
sudo:x:27:2gadmin,user2

In this example, I will use the user account user2.

I’ll check that user2 has sudo access by restarting the Apache HTTPD service on the system. Let’s look at this trick.

$ sudo systemctl restart apache2
[sudo] password for user2:

$ sudo tail -f /var/log/auth.log
[sudo] password for user2:
Mar 17 21:01:04 Ubuntu18 systemd-logind[559]: New session 22 of user user2.
Mar 17 21:01:04 Ubuntu18 systemd: pam_unix(systemd-user:session): session opened for user user2 by (uid=0)
Mar 17 21:01:33 Ubuntu18 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart apache2

Method 3: How do I grant superuser access to a common user using the /etc/sudoers file in Linux?

Sudo access is controlled by the /etc/sudoers file. Therefore, simply add the user to the sudoers file, alongside the sudo or admin group entry.

Append the desired user to the /etc/sudoers file with the visudo command.

# grep -i user3 /etc/sudoers
user3 ALL=(ALL:ALL) ALL

In this example, I will use the user account user3.

I’ll check if user3 has sudo access by restarting the MariaDB service on the system. Let’s look at this trick.

$ sudo systemctl restart mariadb
[sudo] password for user3:

$ sudo tail -f /var/log/auth.log
[sudo] password for user3:
Mar 17 21:12:32 Ubuntu18 systemd-logind[559]: New session 24 of user user3.
Mar 17 21:12:49 Ubuntu18 sudo: user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/systemctl restart mariadb
Mar 17 21:12:49 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)
Mar 17 21:12:53 Ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
Mar 17 21:13:08 Ubuntu18 sudo: user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Mar 17 21:13:08 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)

Via: www.2daygeek.com/how-to-conf…

Author: Magesh Maruthamuthu

This article is originally compiled by LCTT and released in Linux China