- 1 Introduction
- 2 Step 1: Ensure that you have sudo installed (and if not install it)
- 3 Step 2: Configure sudo
- 4 Step 3: Add users to the wheel group to allow them to have root privilege
- 5 Step 4: Newly added users to the wheel group may need to logout and login again
- 6 Using sudo
- 7 Tips
- 8 Links
This document shows a simple way to configure sudo on Mageia.
The benefits of using sudo are:
- Accountability and tracking of usage and commands executed: sudo access is logged.
- Simplifies management of privileged root access.
- You do not have to share the root password with all the admin users but can still allow privileged root access as needed.
Step 1: Ensure that you have sudo installed (and if not install it)
Check if the sudo RPM is installed:
$ rpm -q sudo > /dev/null && echo sudo is installed || echo sudo NOT installed sudo is installed
If you see the message "sudo is NOT installed" then you will need to install it (as root), for example:
# /usr/sbin/urpmi sudo
Step 2: Configure sudo
It is possible to configure sudo in many ways. You can, for example, enable specific commands for specific groups or users.
Here, we will simply configure sudo so that any user in the wheel group is allowed to use sudo to get root privilege.
When a user who is a member of the wheel group runs a sudo command, e.g. /bin/sudo -i, they will be prompted to type in their own password.
This improves security by ensuring a password is needed to gain root privilege.
The sudo configuration file can be edited using the visudo command.
However, we can avoid having to edit the long and complex sudo configuration file to enable the wheel group by simply (as root) running the following:
# Create file /etc/sudoers.d/01wheel to enable members of wheel group to access root via sudo # (copy & paste, run as root) echo "%wheel ALL=(ALL) ALL" > /etc/sudoers.d/01wheel chmod 440 /etc/sudoers.d/01wheel # end copy & paste
A detailed explanation of why files in the directory /etc/sudoers.d/ are named the way the are can be found in the manual page for the sudoers file:
$ man sudoers
In order to find the explanation, while running "man sudoers", search for "etc/sudoers.d" by typing: /etc/sudoers.d
Step 3: Add users to the wheel group to allow them to have root privilege
It is much simpler to manage the list of users allowed root access by simply adding or removing them from a group.
Historically, the wheel group has been used for this on Unix and Unix like systems.
You can add users to a group in (at least) two ways:
- Using the Mageia Control Center:
System -> Manage users on System -> select user -> Edit -> for each user, select groups and add a tick to the "wheel" group entry
- Using command-line interface:
Edit /etc/group and update the entry for wheel by adding the names of the users as a comma delimited list on the entry for wheel.
In the following example, we will add users: ken and dennis to the wheel group.
Step 4: Newly added users to the wheel group may need to logout and login again
If a user who was newly added to the wheel group was also logged in at the same time they were added to the wheel group then they need to logout and login again for their sudo access to function.
Having installed and configured sudo as shown here, users who are members of the wheel group can use sudo to run privileged root commands.
Example 1 - to install all pending updates:
[email@example.com ~] $ /bin/sudo /usr/sbin/urpmi --auto-update [sudo] password for ken:
Example 2 - start a root shell
[firstname.lastname@example.org ~] $ /bin/sudo -i [sudo] password for dennis: [email@example.com ~] #
Here, sudo's "-i" option causes the shell to start as if root had logged in (and has root's environment set).
Hence, the prompt is now a root prompt and if run in a Gnome Terminal, the tab will have "firstname.lastname@example.org".
tip 1: avoid using root
Avoid using the root account as much as possible.
If you really need root privilege then use it but it's more secure to avoid unnecessary use of the root account.
tip 2: with tabbed terminal, keep one tab for root
If you use a tabbed terminal (eg like Gnome Terminal) it's handy to open 1 tab as a root shell and other tabs as non-root.
This saves switching in and out of root because you can simply select which terminal tab you want to work in.
tip 3: always use full pathname for commands prompting for passwords
Instead of using the command sudo, make habit to use the command /bin/sudo. (This also applies to using /bin/su instead of just su.)
Why? For any command that causes a password prompt, using a full path is a more secure (than just the command name).
A technique used by hackers is to exploit your trust that when you type sudo you believe you are running the real sudo.
If a hacker can gain access to your account, then your $PATH can be modified to run a spoofed sudo which captures your typed password, prints an error message, and then execs the real sudo.
The user thinks "Oh, I miss-typed the password. I'll type it again".
tip 4: monitor sudo usage
The sudo logfile is /var/log/sudo.log.
Take a look at the logfile from time to time to understand what is "normal" sudo activity on your system. Notice the date/time and TTY values in the log. Pay attention to odd or unusual log entries. For example, sudo executed at a time when you were not using the machine or from a TTY not normally used.
|sudo in a nutshell||http://www.sudo.ws/sudo/intro.html|