
Enabling su/sudo Access with Wheel Group

Hands-On Lab

Length

00:30:00

Difficulty

Intermediate

System Administrators rarely log into a system as root, due to a number of security risks. Some distributions even disable the root account to begin with. Restricting the ability to use root privileges to selected users is an important part of maintaining a secure system. In this activity, you will learn how to secure the su and sudo commands by restricting their use to members of the wheel group.

Introduction

One way to restrict the use of root privileges to selected users is to combine sudo with the wheel group, and to make su honour the same group membership.

The Scenario

In order to make a system more secure, we have been asked to restrict access to the su and sudo commands. Only members of the wheel group should be allowed to run those commands.

We'll need a sudoers entry that allows wheel group members to use the sudo command. The scenario asks for it in /etc/sudoers.d/wheel.grp; be aware that sudo skips any file in /etc/sudoers.d whose name contains a "." or ends in "~" (so that package-manager backups and editor temporary files are never read as policy), which means a drop-in literally named wheel.grp is silently ignored. Either give the drop-in a name without a dot, or uncomment the %wheel line in /etc/sudoers itself, which is what the steps below do.

In addition, only members of the wheel group should be allowed to use the su (switch user) command. Fixing this is a two-step process.

First, we'll need to set the group ownership and permissions on /usr/bin/su so that only root and members of the wheel group can execute it.

Next, we have to modify /etc/pam.d/su (the Pluggable Authentication Module file) and require the user to be a member of the wheel group there as well.

Logging In

Use the credentials provided on the hands-on lab overview page, and log in as cloud_user.

Confirm Your User Is in the wheel Group and Set the /usr/bin/sudo and /usr/bin/su Files so They Can Be Executed by the root User and wheel Group

Use the id and groups commands to confirm your wheel group membership. This matters: once su and sudo are restricted, an account outside wheel can no longer use either command to undo a mistake.

id
groups

Now we'll use sudo to become the root user. Keep this root shell open until the verification steps at the end succeed:

sudo -i

We can run chgrp to make wheel the group owner of /usr/bin/sudo and /usr/bin/su. Do this before the chmod step: changing the group of a setuid binary clears its setuid bit, and the chmod that follows puts it back:

chgrp wheel /usr/bin/sudo /usr/bin/su

Now we can use chmod to set the most restrictive permissions that still work: 4110 keeps the setuid bit (both binaries must run as root), grants execute to the owner (root) and the group (wheel), and gives nobody read or write. Users outside wheel cannot execute them at all:

chmod 4110 /usr/bin/sudo /usr/bin/su

To confirm, run ls -l on either of those, and we should see permissions like this (the trailing "." is the SELinux context marker):

---s--x---. 1 root wheel 147320 Aug  8 22:58 /usr/bin/sudo

One caveat: a package update of sudo or util-linux can restore the packaged mode and group, so recheck these permissions after updates. rpm -V sudo flags a changed mode with M and a changed group with G.

Use visudo to Confirm, Create, or Uncomment Entry Allowing wheel Group to Use sudo

To modify or verify that /etc/sudoers allows the wheel group to use sudo, use the visudo command. Unlike a plain editor, visudo checks the syntax before saving, so a typo cannot leave you with an unparseable sudoers file and no working sudo:

visudo

We need a line that looks like this:

%wheel  ALL=(ALL)       ALL

It may already be there, or it may be there and commented out with a leading #. It's usually down in the vicinity of the root line. The %wheel ALL=(ALL:ALL) ALL form found on some distributions is equivalent for our purpose (it additionally allows any run-as group). Save changes to the file and exit. If you prefer the drop-in approach from the scenario, edit the drop-in with visudo -f so it gets the same syntax check, and give it a name without a dot. Use grep to verify the line is active; anchoring on the % ensures a commented-out copy does not produce a false positive:

grep -E '^%wheel' /etc/sudoers

Uncomment or Create a Line in /etc/pam.d/su to Require wheel Group Membership for Using the su Command

Using the editor of your choice, uncomment or create an additional "auth" test below the line ending with pam_rootok.so. Order matters: pam_rootok is marked sufficient, so root passes immediately and can su to any account without a password; the pam_wheel line then requires every other caller to be a member of wheel. The use_uid option makes pam_wheel check the real UID of the calling process rather than the login name, so the check cannot be fooled by a changed username in the environment. pam_wheel defaults to the wheel group; add group=NAME to use another. The line should look like this:

auth            required        pam_wheel.so use_uid

Create a sysadmin User, Make Them a Member of the wheel Group, Set Their Password, and Verify sysadmin Is Able to Use sudo and su

Create the sysadmin user and make them a member of the wheel group:

useradd -G wheel sysadmin

Running it this way would work too:

useradd sysadmin
usermod -aG wheel sysadmin

Now we can set the sysadmin user password:

passwd sysadmin

Verify sysadmin can execute su and sudo. From the root shell, su to sysadmin (root is not prompted, thanks to pam_rootok); sudo then asks for sysadmin's own password, and su asks for cloud_user's password:

su - sysadmin
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

Both commands should succeed. The two exit commands leave the cloud_user shell and then the sysadmin shell, returning you to root.

Create a User, sysuser, Who Is Not a Member of the wheel Group, Set Their Password, and Verify That They Are Not Able to Use sudo and su

Create the sysuser user and do not make them a member of the wheel group:

useradd sysuser

Set the sysuser user password.

passwd sysuser

Verify sysuser cannot execute su and sudo. Because sysuser cannot even execute the restricted binaries, both commands fail with "Permission denied" before sudoers or PAM are consulted:

su --login sysuser
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

The sudo command and the su that follows it should both have failed; the two exit commands return you to the root shell. Note that this exercise proves the file permissions, not the pam_wheel rule: the PAM rule is the backstop that still denies sysuser if the mode on /usr/bin/su is ever reset, for example by a package update.
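As an added example that is not part of the original lab, the following bash script audits the end state the steps above are meant to produce: the mode and group ownership of the two binaries, the active %wheel grant in sudoers, the drop-in file-name rule in /etc/sudoers.d, and the pam_wheel line in /etc/pam.d/su together with its position after pam_rootok. The paths are the ones used in the lab; the script name audit_wheel.sh and the audit argument are assumptions. The checks are written as separate functions so they can also be pointed at copies of the files.

```bash
#!/bin/bash
# audit_wheel.sh (added example, not part of the original lab): verify that
# su and sudo are restricted to root and the wheel group as the lab describes.
# Assumes an RHEL/CentOS-style host with GNU coreutils, grep and awk.

SUDO_BIN=/usr/bin/sudo
SU_BIN=/usr/bin/su
SUDOERS=/etc/sudoers
SUDOERS_D=/etc/sudoers.d
PAM_SU=/etc/pam.d/su

# 0 if FILE is owned by OWNER:GROUP with mode exactly 4110 (setuid, execute
# only for owner and group, no read or write for anyone).
check_bin() {   # check_bin FILE OWNER GROUP
    [ "$(stat -c '%U %G %a' "$1" 2>/dev/null)" = "$2 $3 4110" ]
}

# sudo skips /etc/sudoers.d entries whose name contains a '.' or ends in '~',
# so a drop-in called wheel.grp is never read. 0 if NAME would be read.
sudoers_dropin_name_ok() {   # sudoers_dropin_name_ok NAME
    case "$1" in
        *.*|*~) return 1 ;;
        *)      return 0 ;;
    esac
}

# 0 if any of the given files has an active (uncommented) line granting the
# wheel group full, password-prompting sudo: "%wheel ALL=(ALL) ALL", or the
# "%wheel ALL=(ALL:ALL) ALL" form some distributions ship.
sudoers_grants_wheel() {   # sudoers_grants_wheel FILE...
    grep -Eqs '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$@"
}

# 0 if FILE (a /etc/pam.d/su-style file) has an active "auth required
# pam_wheel.so" line placed after "auth sufficient pam_rootok.so", so root is
# still let through first and every other caller must be in wheel.
pam_su_requires_wheel() {   # pam_su_requires_wheel FILE
    awk '
        /^[[:space:]]*#/ { next }                       # commented lines never count
        $1 == "auth" && $3 == "pam_rootok.so" { rootok = NR }
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" && $0 !~ /deny/ { wheel = NR }
        END { exit !(wheel && (!rootok || wheel > rootok)) }
    ' "$1"
}

report() {   # report EXIT_STATUS MESSAGE
    if [ "$1" -eq 0 ]; then echo "PASS $2"; else echo "FAIL $2"; status=1; fi
}

# Run every check against the live host and return non-zero if any failed.
audit_host() {
    status=0
    for bin in "$SUDO_BIN" "$SU_BIN"; do
        check_bin "$bin" root wheel; rc=$?
        report "$rc" "$bin is root:wheel 4110 (now: $(stat -c '%U:%G %a' "$bin" 2>&1))"
    done
    for f in "$SUDOERS_D"/*; do
        [ -e "$f" ] || continue
        sudoers_dropin_name_ok "$(basename "$f")"; rc=$?
        report "$rc" "$f has a name sudo will read"
    done
    sudoers_grants_wheel "$SUDOERS" "$SUDOERS_D"/*; rc=$?
    report "$rc" "an active %wheel ALL=(ALL) ALL line exists in sudoers"
    pam_su_requires_wheel "$PAM_SU"; rc=$?
    report "$rc" "$PAM_SU requires wheel membership after pam_rootok"
    return "$status"
}

# Only touch the live host when asked to, so the file can also be sourced
# for its functions.
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

Run it as root with bash audit_wheel.sh audit after finishing the lab; every line should read PASS. Because the checks are plain functions over file paths, the same script can be run from a configuration-management job after package updates to catch a reset mode on /usr/bin/sudo or a drop-in whose name sudo will never read.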

Conclusion

We had a system in need of some locking down and have restricted the administrative commands su and sudo to root and the members of the wheel group, with both the file permissions and the PAM configuration enforcing that rule. Congratulations!