From Mageia wiki
Synopsis:
How to configure sudo for Mageia Linux


Introduction

This page shows a simple way to configure the sudo command in Mageia.

If you want to know what sudo is, see the man page (man sudo [6]) or the description on Wikipedia [1].


Benefits

The benefits of configuring sudo as shown on this page are:

  1. It is very simple to implement.
  2. Users are granted sudo privilege just by adding them to the wheel group (and lose it again when they are removed from the group).
  3. There is no need to share the root password, so it can be changed without affecting the sudo access of the wheel group's members.
  4. Members of the wheel group must enter their own password to be granted sudo privilege. No passwordless (NOPASSWD) access is granted, which improves security.


Step 1: Ensure that you have sudo installed (and if not install it)

Check if the sudo RPM is installed:

$ rpm -q sudo > /dev/null && echo sudo is installed || echo sudo NOT installed
sudo is installed

If you see the message "sudo NOT installed" then you will need to install it (as root), for example:

# urpmi sudo
$MIRRORLIST: media/core/updates/sudo-1.9.5p2-2.1.mga8.x86_64.rpm
installing sudo-1.9.5p2-2.1.mga8.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                    #####################################################
      1/1: sudo                 #####################################################


Step 2: Configure sudo

It is possible to configure sudo in many ways. You can, for example, enable specific commands for specific groups or users. Also, sudo can be used to execute commands as any user or member of any group. It is not just for getting root access. Such configurations are beyond the scope of this wiki page. Please refer to the sudo man page [6] for more details.

Here, we will simply configure sudo so that any user in the wheel group is allowed to use sudo to get root privilege.
When a user who is a member of the wheel group runs a sudo command, e.g. /bin/sudo -i, they will be prompted to type in their own password. This improves security by ensuring a password is needed to gain root privilege.

This also means that the user who is a member of the wheel group does not need to know the root password at all. In fact, the root password can be changed by the system administrator and this does not stop members of the wheel group being able to use sudo to gain root privilege.

The sudo configuration file, /etc/sudoers [7], should only ever be edited with the visudo command: it locks the file and checks the syntax before saving, and a syntax error in /etc/sudoers makes sudo refuse to run for everybody.

However, we can avoid editing the long and complex /etc/sudoers at all. sudo also reads drop-in files from the directory /etc/sudoers.d/ (this works because the stock /etc/sudoers includes that directory with an includedir directive; if you have customised /etc/sudoers, check that the line is still there). To enable the wheel group, as root:

  1. Choose a name for the drop-in file. The name is free and ideally describes the content, e.g. 01wheel. Note that sudoers ignores files in that directory whose name contains a "." or ends in "~", so do not call it 01wheel.conf.
  2. Run the following as root:
# echo "%wheel ALL=(ALL) ALL" > /etc/sudoers.d/01wheel && chmod 440 /etc/sudoers.d/01wheel

The rule reads: members of the group wheel (%wheel), on all hosts (ALL), may run as any user ((ALL)) any command (ALL). You can check the new file for syntax errors with visudo -cf /etc/sudoers.d/01wheel.


A detailed explanation of how the files in /etc/sudoers.d/ are named and in which order they are read can be found in the manual page for the sudoers file:

$ man sudoers

Inside man, type /sudoers.d and press Enter to search for that section ("/" starts a search and "n" jumps to the next match).
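The following script is an added example for this step; it is not part of the Mageia wiki or of the sudo project. It wraps the two commands above in a function that refuses file names sudoers would silently ignore, creates the file with a safe umask before setting mode 0440, and adds a separate check that runs visudo on the result and confirms /etc/sudoers still includes the directory. The function names and the directory argument are assumptions for illustration; the real target, /etc/sudoers.d, needs root.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki: create the wheel drop-in with
# a safe name and mode, then check it the way sudo will read it.
# Assumptions: POSIX sh, GNU coreutils (stat -c) and visudo from the sudo
# package. The target directory is a parameter so the function can be
# tried against a scratch directory; writing to the real /etc/sudoers.d
# needs root.

# sudoers(5) silently ignores files in an includedir whose name contains
# a "." or ends in "~" (editor backups), so "01wheel.conf" would do nothing.
dropin_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_wheel_dropin DIR NAME
# Writes "%wheel ALL=(ALL) ALL" to DIR/NAME and sets mode 0440; umask 077
# ensures the file is never world-readable, even before the chmod.
write_wheel_dropin() {
    dir=$1; name=$2; file="$dir/$name"
    dropin_name_ok "$name" || { echo "refusing drop-in name: $name" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    (umask 077 && printf '%%wheel ALL=(ALL) ALL\n' > "$file") || return 1
    chmod 0440 "$file" || return 1
}

# check_dropin FILE [SUDOERS]
# Syntax-checks FILE with visudo and confirms /etc/sudoers still includes
# the drop-in directory; without that includedir line the file is never read.
# (#includedir is the legacy spelling, @includedir the newer one.)
check_dropin() {
    file=$1; sudoers=${2:-/etc/sudoers}
    visudo -cf "$file" || return 1
    if ! grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' "$sudoers"; then
        echo "warning: $sudoers has no includedir for /etc/sudoers.d" >&2
        return 1
    fi
}

# Usage as root:
#   write_wheel_dropin /etc/sudoers.d 01wheel && check_dropin /etc/sudoers.d/01wheel
```

Run it as root against the real directory; the check step is the one to keep in the habit, since a mistyped rule in a drop-in breaks sudo for everybody just as a mistake in /etc/sudoers does.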


Step 3: Add users to the wheel group to allow them to have root privilege

It is much simpler to manage the list of users allowed root access by simply adding or removing them from a group.
Historically, the wheel group has been used for this on Unix and Unix like systems.

You can add users to a group in three ways:

Method-1: Using the Mageia Control Center

System -> Manage users on System -> select user -> Edit -> for each user, select groups and add a tick to the "wheel" group entry


Method-2: Using the command line interface

Authenticated as root, edit the file /etc/group (preferably with vigr, which locks the file while you edit it) and add the user names as a comma-separated list at the end of the wheel entry. Alternatively run usermod -aG wheel USER; the -a flag matters, because usermod -G without it replaces the user's other supplementary groups with wheel alone.
In the following example, we will add the users ken [4] and dennis [5] to the wheel group.

Change:

wheel:x:10:

To:

wheel:x:10:ken,dennis

Method-3: add new user to wheel group when installing Mageia

When installing a new Mageia system there is a step during the install process when the root password is set and new users can be added to the system.

At that step when adding a new user, click on the Advanced section where you will have the opportunity to add the new user to the wheel group (or other groups as needed).
This will save time because once the newly installed Mageia system is rebooted the new user account can use sudo for root access on the first login.

Side-note:
Be aware that when the root password is set during the Mageia install, its hash is recorded in /root/drakx/auto_inst.cfg.pl, a file generated to allow auto-install clones of the completed install (see also [8]).
To improve security, set a new root password on first login after the install.

Step 4: Newly added users to the wheel group may need to log out and log in again

Group membership is read at login, so if a user was already logged in when added to the wheel group, their running sessions do not see the change: they need to log out and log in again before sudo works for them (the id command should then list wheel). If sudo still does not work, read the error message carefully and check the system log and /var/log/sudo.log to understand what is wrong.
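The script below is an added example covering Step 3 and Step 4 together; it is not part of the Mageia wiki. It adds and removes a user with the shadow-utils commands instead of hand-editing /etc/group, and it verifies membership the way sudo will see it: a user is in wheel either through the member list in /etc/group or because wheel is their primary group in /etc/passwd, which a plain grep of the wheel line would miss. The function names are assumptions, and the passwd and group file paths are parameters so the check can be run against copies.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki: add a user to wheel without
# hand-editing /etc/group, and verify the membership the way sudo will
# see it. Assumptions: shadow-utils (usermod, gpasswd), POSIX sh and awk;
# the passwd/group paths are parameters so the check can be exercised
# against constructed copies as well as the live files.

# add_to_wheel USER   (run as root)
# -a is essential: "usermod -G wheel ken" without -a would REPLACE ken's
# supplementary groups with just wheel.
add_to_wheel() {
    usermod -aG wheel "$1"
}

# remove_from_wheel USER   (run as root) revokes sudo access again.
remove_from_wheel() {
    gpasswd -d "$1" wheel
}

# wheel_gid GROUPFILE: numeric gid of the wheel group (10 on Mageia).
wheel_gid() {
    awk -F: '$1 == "wheel" { print $3; exit }' "$1"
}

# in_wheel USER [PASSWDFILE] [GROUPFILE]
# True when USER is listed in wheel's member list OR has wheel as primary
# group. Membership is matched on whole names, so "ken" does not match
# "kenneth".
in_wheel() {
    user=$1; pw=${2:-/etc/passwd}; gr=${3:-/etc/group}
    gid=$(wheel_gid "$gr")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$user" -v g="$gid" '
        FILENAME == pw && $1 == u && $4 == g { found = 1 }
        FILENAME == gr && $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' pw="$pw" gr="$gr" "$pw" "$gr"
}

# After the user logs in again, the two checks to run are "id" (wheel must
# appear in the group list) and "sudo -l", which prints "(ALL) ALL" for the
# rule installed in Step 2. As root:
#   add_to_wheel ken && in_wheel ken && su - ken -c 'id; /bin/sudo -l'
```

The primary-group case matters in practice: a user created with gid 10 never appears on the wheel line in /etc/group, yet sudo grants them the %wheel rule, so an audit that only reads that line under-reports who has root.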


Using sudo

Having installed and configured sudo as shown here (above), users who are members of the wheel group can use sudo to run privileged root commands.
So, following the example shown, there are two users who are enabled to use the sudo command: ken [4] and dennis [5] .

Note:
We use /bin/sudo rather than simply sudo to improve security (see tip 3 below)


Example 1 – to install all pending updates (here logged in as user ken [4] )

[ken@google.com ~] $ /bin/sudo urpmi --auto-update
[sudo] password for ken:


Example 2 – switch to a root shell (here logged in as dennis [5] )

[dennis@att.com ~] $ /bin/sudo -i
[sudo] password for dennis:
[root@att.com ~] #

Note that the -i option starts a login shell for root: it starts in root's home directory with $PATH and the rest of the environment set up as if root had logged in.

To finish using the root shell (and return to the user prior to using sudo) just type exit:

[root@att.com ~] # exit
[dennis@att.com ~] $ _


Tips

tip 1: avoid using root

Avoid using the root account as much as possible.
If you really need root privilege then use it, but it's more secure to avoid unnecessary use of the root account.

Especially: avoid running a desktop environment (such as KDE, GNOME, XFCE, LXDE, MATE) as root.
There is no need to run desktop environment tasks as root. Each desktop environment will create lots of files and sub-directories in ${HOME}.
It is safer and better to keep root's ${HOME} to the minimal required.

When running Mageia Control Center (Drakconf): if root access is needed you will be prompted for it.


tip 2: with tabbed terminal, keep one tab for root

If you use a tabbed terminal (e.g. mate-terminal) it's handy to open one tab as a root shell and the other tabs as non-root.
This saves switching in and out of root because you can simply select which terminal tab you want to work in. Close the root tab when you are done rather than leaving it open unattended.


tip 3: always use the full pathname for commands that prompt for passwords

Instead of typing sudo, make a habit of typing /bin/sudo. (The same applies to /bin/su instead of su.)

Why? For any command that prompts for a password, giving the full path is safer than the bare command name, because the shell then does not search $PATH for it.

A technique used by attackers is to exploit your trust that when you type sudo you are running the real sudo.
If an attacker gains access to your account, they can modify your $PATH (for example through your shell start-up files) so that a spoofed sudo in a directory they control is found first. The spoof captures the password you type, prints a "Sorry, try again" style error message, and then execs the real sudo with your arguments.
You think "Oh, I mistyped the password, I'll type it again!" and never notice.

The full path is a habit that raises the bar rather than a complete defence: an attacker who can edit your shell start-up files has other ways of intercepting what you type, so also keep an eye on those files and on who can write to the directories in your $PATH.
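As an added example for this tip (not part of the Mageia wiki), the script below resolves a command along a given PATH exactly as the shell would, compares the result with the binary you expect, and lists the PATH entries where a spoof could be planted: empty or relative entries (which mean "the current directory") and directories writable by the current user. The function names are assumptions, and the PATH value is passed as an argument so the check can be run against a constructed PATH as well as the real one.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki: find out which "sudo" (or any
# command) your shell would actually run, and flag PATH entries an
# attacker could use to plant a spoof. Assumptions: POSIX sh; the PATH
# value is passed in as an argument so the check can be run against a
# constructed PATH as well as the real one.

# first_in_path CMD PATHVALUE
# Prints the first executable named CMD along PATHVALUE, in the order the
# shell's lookup uses. An empty entry or "." means the current directory,
# which is the classic place for a spoof to sit.
first_in_path() {
    cmd=$1; rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# check_cmd_path CMD EXPECTED PATHVALUE
# Returns 0 only when the command the shell would run is EXPECTED.
check_cmd_path() {
    got=$(first_in_path "$1" "$3") || { echo "$1: not found in PATH" >&2; return 1; }
    if [ "$got" != "$2" ]; then
        echo "WARNING: $1 resolves to $got, not $2" >&2
        return 1
    fi
    return 0
}

# risky_path_entries PATHVALUE
# Prints PATH entries that are relative, empty, or writable by the
# current user: anything listed here can host a spoofed sudo.
risky_path_entries() {
    rest=$1:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case "$dir" in
            ''|.|./*|../*) printf '%s (relative)\n' "${dir:-<empty>}" ;;
            /*) [ -w "$dir" ] && printf '%s (writable by %s)\n' "$dir" "$(id -un)" ;;
            *) printf '%s (relative)\n' "$dir" ;;
        esac
    done
    return 0
}

# Real usage, against the live PATH:
#   check_cmd_path sudo /bin/sudo "$PATH"; risky_path_entries "$PATH"
```

On a system where /bin is a symlink to /usr/bin the lookup may legitimately return /usr/bin/sudo; compare against whichever path the sudo package actually installs. A shell alias or function named sudo would shadow the command before PATH is consulted at all, so also check the output of type sudo.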


tip 4: monitor sudo usage

The sudo logfile is /var/log/sudo.log (set by the logfile option in /etc/sudoers; a system without that option logs through syslog instead). Each entry records the date and time, the invoking user, the TTY, the working directory, the target user and the command that was run.

Take a look at the logfile from time to time to understand what "normal" sudo activity on your system looks like. Notice the date/time and TTY values in the log. Pay attention to odd or unusual entries, for example sudo executed at a time when you were not using the machine, from a TTY not normally used, or by a user who should not be in the wheel group.
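The script below is an added example for this tip and is not part of the Mageia wiki. It runs a first-pass triage over sudo.log lines, flagging entries outside the hours you normally work, from a TTY not in a short allow-list, or that open a root shell. The sample lines are constructed, not taken from a real machine; they follow the layout sudo's logfile option writes ("Mon DD HH:MM:SS : user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."), with the default timestamp that carries no year. The function names, default hours and TTY list are assumptions.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki: a first-pass triage of
# /var/log/sudo.log that flags entries outside normal working hours,
# from an unusual TTY, or that start a root shell.
# Assumptions: POSIX sh and awk; the log uses sudo's default logfile
# layout with a year-less timestamp ("Mon DD HH:MM:SS : user : ...").
# The lines in SAMPLE_LOG are constructed for this example.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:12:44 : ken : TTY=pts/0 ; PWD=/home/ken ; USER=root ; COMMAND=/usr/sbin/urpmi --auto-update
Mar  3 18:40:02 : dennis : TTY=pts/1 ; PWD=/home/dennis ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar  4 03:17:09 : ken : TTY=pts/7 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  4 21:30:00 : dennis : TTY=pts/0 ; PWD=/home/dennis ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF
)

# flag_sudo_log LOGFILE [START_HOUR] [END_HOUR] [KNOWN_TTYS]
# Prints one "REASON|original line" per suspicious entry. Defaults:
# working hours 08-20, TTYs pts/0 and pts/1 considered normal.
flag_sudo_log() {
    awk -F' : ' -v start="${2:-8}" -v end="${3:-20}" -v ttys="${4:-pts/0 pts/1}" '
    BEGIN { n = split(ttys, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1 }
    NF >= 3 {
        # "HH" sits 8 characters from the end of "Mon DD HH:MM:SS".
        hour = substr($1, length($1) - 7, 2) + 0
        tty = $3; sub(/^TTY=/, "", tty); sub(/ ;.*$/, "", tty)
        cmd = $3; sub(/.*COMMAND=/, "", cmd)
        reason = ""
        if (hour < start || hour >= end) reason = reason "off-hours "
        if (!(tty in known)) reason = reason "unknown-tty "
        if (cmd ~ /^(\/bin|\/usr\/bin)\/(sh|bash|zsh|su)( |$)/ || cmd == "/bin/sudo -i")
            reason = reason "root-shell "
        if (reason != "") print reason "|" $0
    }' "$1"
}

# count_flagged LOGFILE [...]: number of suspicious entries, for alerting.
count_flagged() {
    flag_sudo_log "$@" | wc -l | tr -d ' '
}

# Usage on the sample, then on the live file:
#   printf '%s\n' "$SAMPLE_LOG" > /tmp/sudo.sample && flag_sudo_log /tmp/sudo.sample
#   flag_sudo_log /var/log/sudo.log
```

Tune the hours and TTY list to your own habits before trusting the output; the point is to make the entries you did not type stand out, not to produce a verdict.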

Appendix-1: References

[1] Wikipedia sudo page: http://en.wikipedia.org/wiki/Sudo
[2] sudo in a nutshell: http://www.sudo.ws/sudo/intro.html
[3] sudo sandwich: http://xkcd.com/149/
[4] Ken Thompson: http://en.wikipedia.org/wiki/Ken_Thompson
[5] Dennis Ritchie: http://en.wikipedia.org/wiki/Dennis_Ritchie
[6] sudo man page: https://man.archlinux.org/man/sudo.8
[7] /etc/sudoers file: https://man.archlinux.org/man/sudoers.5
[8] Mageia bug 31397: https://bugs.mageia.org/show_bug.cgi?id=31397

