Limiting Root Access

The su Command

When a user executes the su command, they are prompted for the root password and, after authentication, is given a root shell prompt.

Once logged in via the su command, the user is the root user and has absolute administrative access to the system^[16]. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.

Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.

One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:

usermod -G wheel <username>

In the previous command, replace <username> with the username you want to add to the wheel group.

You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.

• Click the Users tab, and select the required user in the list of users.

• Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).

• Click the Groups tab, select the check box for the wheel group, and then click OK. Refer to Figure 46.2, "Adding users to the "wheel" group.".

• Open the PAM configuration file for su (/etc/pam.d/su) in a text editor and remove the comment # from the following line:

  auth  required /lib/security/$ISA/pam_wheel.so use_uid

  This change means that only members of the administrative group wheel can use this program.

  

  Figure 46.2. Adding users to the "wheel" group.

  
  

  The root user is part of the wheel group by default.

The sudo Command

The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

The basic format of the sudo command is as follows:

sudo <command>

In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount.

Users of the sudo command should take extra care to log out before walking away from their machines since sudoers can use the command again without being asked for a password within a five minute period. This setting can be altered via the configuration file, /etc/sudoers.

The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user's shell, not a root shell. This means the root shell can be completely disabled, as shown in "Disallowing Root Access".

The sudo command also provides a comprehensive audit trail. Each successful authentication is logged to the file /var/log/messages and the command issued along with the issuer's user name is logged to the file /var/log/secure.

Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.

Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.

To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

juan ALL=(ALL) ALL

This example states that the user, juan, can use sudo from any host and execute any command.

The example below illustrates the granularity possible when configuring sudo:

%users  localhost=/sbin/shutdown -h now

This example states that any user can issue the command /sbin/shutdown -h now as long as it is issued from the console.

The man page for sudoers has a detailed listing of options for this file.