System administrators, and in some cases users, need to perform certain
tasks with administrative access. Accessing the system as the
root user is
potentially dangerous and can lead to widespread damage to the system and
data. This chapter covers ways to gain administrative privileges using
setuid programs such as su and sudo. These programs
allow specific users to perform tasks which would normally be available only
root user while maintaining a higher level of control and system
See the Red Hat Enterprise Linux 7 Security Guide for more information on administrative controls, potential dangers, and ways to prevent data loss resulting from improper use of privileged access.
When a user executes the su command, they are prompted for the
root password and, after authentication, are given a
root shell prompt.
Once logged in using the su command, the user is the
user and has absolute administrative access to the system. Note that this
access is still subject to the restrictions imposed by SELinux, if it is
enabled. In addition, once a user has become
root, it is possible for them
to use the su command to change to any other user on the system
without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special
administrative group called wheel. To do this, type the following command
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to
add to the
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
To enable making changes, click the Unlock button, and enter a valid administrator password.
Click a user icon in the left column to display the user’s properties in the right-hand pane.
Change the Account Type from
Administrator. This will add the user to the
See Managing Users in a Graphical Environment for more information about the Users tool.
After you add the desired users to the
wheel group, it is advisable to
only allow these specific users to use the su command. To do
this, edit the PAM configuration file for su,
/etc/pam.d/su. Open this file in a text editor and uncomment the following
line by removing the
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group
switch to another user using the su command.
The sudo command offers another approach to giving users
administrative access. When trusted users precede an administrative command
with sudo, they are prompted for their own password. Then, when
they have been authenticated and assuming that the command is permitted, the
administrative command is executed as if they were the
The basic format of the sudo command is as follows:
In the above example, command would be replaced by a command normally
reserved for the
root user, such as mount.
The sudo command allows for a high degree of flexibility. For
instance, only users listed in the
/etc/sudoers configuration file are
allowed to use the sudo command and the command is executed in
the user’s shell, not a
root shell. This means the
root shell can be
completely disabled as shown in the
Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged
to the file
/var/log/messages and the command issued along with the
issuer’s user name is logged to the file
/var/log/secure. If additional
logging is required, use the
pam_tty_audit module to enable TTY auditing
for specified users by adding the following line to your
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated listing of users with an
optional use of globs. For example, the following configuration will enable
TTY auditing for the
root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file,
/etc/sudoers, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user,
juan, can use sudo from any
host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the
users system group can issue
the command /sbin/shutdown -h now as long as it is issued from
The man page for
sudoers has a detailed listing of options for this file.
There are several potential risks to keep in mind when using the
sudo command. You can avoid them by editing the
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
su(1) — The manual page for su provides information regarding the options available with this command.
sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.
pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
The Red Hat Enterprise Linux 7 Security Guide provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.