Technical: Linux – User Administrator – Granting SysAdmin access
Access to running certain applications is restricted to the root user or users that are able to acquire administrative privileges.
Thus, to manage systems successfully, one must be able to log in as the root account or as one of the accounts that can act in its place.
Which processes can only be executed by “root” users?
These so-called restricted programs (set-user-ID binaries) show an s in the owner execute position of the permission string when viewed using ls -la.
Check the /bin folder and list the files whose permission string starts with "-rws":
ls -la /bin/* | grep -i "\-rws"
There are a couple of things you want to note:
- You need to escape the - symbol when searching for -rws, otherwise grep treats it as an option; escape the - character with a backslash (\)
- Notice that we are looking at the first three letters; which signify permission set for the owner
- r — the owner is able to read the file
- w — the owner is able to write/overwrite the file
- s — this position normally holds x, meaning the owner can execute the file. When it shows s instead of x, the file is set-user-ID: whoever executes the program runs it with the privileges of the file's owner (root, for the programs we are interested in)
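As an added example (not part of the original post), the script below finds set-user-ID programs two ways: by parsing captured ls -la text the way the grep above does, and by asking find for the mode bits directly. The SAMPLE_LS lines are constructed for this example and the file names in them are made up; the helper names are also assumptions. It goes slightly beyond the post in one respect: it also matches a capital S, which means the setuid bit is set on a file whose owner lacks execute permission, a case the "-rws" pattern silently skips.

```shell
#!/bin/sh
# Added example: spotting set-user-ID programs, both from captured `ls -la` text
# and live on disk. SAMPLE_LS is constructed for this example (not real output).
SAMPLE_LS='-rwsr-xr-x 1 root root 40000 Jan  1 00:00 /bin/su_like
-rwxr-xr-x 1 root root 40000 Jan  1 00:00 /bin/ls_like
-rwSr--r-- 1 root root    10 Jan  1 00:00 /bin/odd_like
-rwxr-sr-x 1 root tty  40000 Jan  1 00:00 /bin/wall_like'

# setuid_from_ls: given ls -la style text, print the path of each entry whose
# owner-execute slot (4th character of the mode string) is s or S.
# Capital S means the setuid bit is set but the owner has no execute permission;
# a pattern such as "-rws" misses it, so both letters are matched here.
# (Paths are taken as the last field, so names containing spaces are not handled.)
setuid_from_ls() {
    printf '%s\n' "$1" | awk '$1 ~ /^...[sS]/ { print $NF }'
}

# setgid_from_ls: the same check on the group-execute slot (7th character),
# which an owner-only pattern does not cover. Hypothetical helper added for contrast.
setgid_from_ls() {
    printf '%s\n' "$1" | awk '$1 ~ /^......[sS]/ { print $NF }'
}

# list_setuid_live: the on-disk equivalent, reading the mode bits from the kernel
# instead of parsing text. -perm -4000 matches any regular file with the setuid bit set.
list_setuid_live() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Usage on the constructed sample:
setuid_from_ls "$SAMPLE_LS"     # /bin/su_like and /bin/odd_like
setgid_from_ls "$SAMPLE_LS"     # /bin/wall_like
```

For a real audit, prefer list_setuid_live over parsing ls output: it cannot be fooled by unusual file names, and the list it produces is a useful baseline to diff against later, since a new setuid file appearing outside the package manager's control is worth investigating.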
Taking on the root role via membership in the wheel group
By convention Linux uses a group name named wheel as a surrogate group that can take on the role of the Admin.
Where did the name wheel come from ?
In computing, the term wheel refers to a user account with a wheel bit, a system setting that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access. The term is derived from the slang phrase big wheel, referring to a person with great power or influence.
What is the “Wheel Group”
Modern Unix systems use user groups to control access privileges. The wheel group is a special user group used on some Unix systems to control access to the su command, which allows a user to masquerade as another user (usually the super user).
Adding user to the wheel group
We can modify user accounts via the graphical interface or via command shell utilities such as usermod.
Command Shell – Utility – usermod
To modify user accounts, Linux relies on the usermod utility. Here are a few quick points:
- The file’s full name is /usr/sbin/usermod
- One can change the user’s home directory via the -d (--home) option
- One can change the user’s primary group via the -g (--gid) option
- One can wholly replace the user’s supplementary group membership via the -G (--groups) option
- One can add to the user’s existing supplementary groups by combining the -a (--append) option with -G
- One can change the user’s shell by using the -s (--shell) option
- One can unlock an account by using the -U (--unlock) option
Usermod – Add user to the wheel group
To add our user, myself, in this case to the wheel group, please do the following:
Syntax: usermod -g <group-name> <username>
Sample: usermod -g wheel dadeniji
Thankfully, you get clear, indicative messages when the group or user name does not exist on the system:
- user does not exist
- group does not exist
When things are good, we get no feedback.
Groups – Review User Group Membership
Get user groups
Syntax: groups <username>
Sample: groups dadeniji
Groups – List all users in a group
List all users in a group
Sample: grep :`grep ^wheel /etc/group | cut -d: -f3`: /etc/passwd
Explanation of Script:
- The surrounding backticks (`) mean that the inner command is run first and its output is substituted into the outer command rather than displayed on the console
- What does the inner command do — grep ^wheel /etc/group — it says to get the line in /etc/group that starts with the word wheel. In its entirety that line reads “wheel:x:10:”
- The output of “grep ^wheel /etc/group” is piped (“|”) to the cut utility. The syntax “cut -d: -f3” says to get the third field using colon (:) as the delimiter. So when we ask for the third field of “wheel:x:10:”, we get back 10. 10 is obviously the GroupID for wheel
- Please note that you need the colons (:) around the inner command; without them I got an extraneous row, as in the code and output pasted below:
Code (code and console output):
Command: grep -e "`grep ^wheel /etc/group | cut -d: -f3`" /etc/passwd
Output:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
dadeniji:x:500:10:Daniel Adeniji:/home/dadeniji:/bin/bash
-------------------------------------------------------------------------------
Command: grep -e :"`grep ^wheel /etc/group | cut -d: -f3`": /etc/passwd
Output:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
dadeniji:x:500:10:Daniel Adeniji:/home/dadeniji:/bin/bash
- Without the colons (:), one also sees the record for games. The games group id is not 10 but 100, and the unanchored pattern matches the “10” inside “100”
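As an added example (not the post's own code), the script below lists group members the way a practitioner would want it done: field-exact, and from both places membership is recorded. The post's usermod -g made wheel the account's primary group, which is why the account shows up in /etc/passwd with gid 10; usermod -aG wheel would instead record it as a supplementary member in the fourth field of /etc/group, which the grep on /etc/passwd never sees. The sample file contents are constructed (the uucp and dadeniji rows mirror the shapes in the output above), and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: list the members of a group from the two places membership is recorded.
# SAMPLE_GROUP and SAMPLE_PASSWD are constructed for this example, not real system files.
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
uucp:x:14:uucp
games:x:100:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
alice:x:501:501:Alice:/home/alice:/bin/bash
dadeniji:x:500:10:Daniel Adeniji:/home/dadeniji:/bin/bash'

# group_gid NAME GROUPTEXT: print the numeric gid of NAME (field 3 of its group line).
group_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# page_style_members GID PASSWDTEXT: the post's approach, grep ':GID:' on /etc/passwd.
# ':10:' also matches a uid of 10, so uucp is reported although its primary gid is 14.
page_style_members() {
    printf '%s\n' "$2" | grep ":$1:" | cut -d: -f1
}

# group_members NAME GROUPTEXT PASSWDTEXT: every account in NAME, either as a
# supplementary member (field 4 of /etc/group, comma separated) or because NAME is
# its primary group (field 4 of /etc/passwd equals the gid, compared field-exact).
# Returns 1 when the group does not exist.
group_members() {
    gid=$(group_gid "$1" "$2")
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$2" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$3" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# Usage on the constructed sample:
page_style_members "$(group_gid wheel "$SAMPLE_GROUP")" "$SAMPLE_PASSWD"   # uucp, dadeniji (uucp is a false hit)
group_members wheel "$SAMPLE_GROUP" "$SAMPLE_PASSWD"                       # alice, dadeniji
```

On a live system, pass the real files with "$(cat /etc/group)" and "$(cat /etc/passwd)". Because wheel membership is what the sudoers rule below keys on, the exact list of accounts in it is worth reviewing periodically rather than only when a new administrator is added.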
Ensure that wheel has sudo access via customization of sudoers
Why bother with sudoers?
If an account tries to access sudo without membership in the wheel group or the wheel group is not fully configured for sudo access via the sudoers file, then the error message pasted below will come up:
<account> is not in the sudoers file. This incident will be reported.
The next time you, as the root user, log in to the system, you will get a little notification telling you that you have mail waiting for you:
You have mail in /var/spool/mail/root
To view the email issue something like
The email sent by the gossip delegator is quite straightforward. The areas covered include:
- To — root
- From — dadeniji (in our case)
- Auto-Submitted: auto-generated
- Subject: **SECURITY information for <hostname>
- Message-Id: ******
- Date: *****
rachel : May 12 17:41:27 : dadeniji : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dadeniji ; USER=root ; COMMAND=/bin/ls
Look for the lines in the sudoers file that reference the wheel group:
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
- The statements are refreshingly well documented
- I suggest that you un-comment the line that references wheel but does not mention NOPASSWD
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
sudo ls -la *
Now, when we issue sudo <command> and supply our own account’s (dadeniji) password, we are good.
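As an added example (not from the post), the script below reads sudoers text and reports which wheel rule is actually active, then uncomments only the password-requiring rule, which is the change recommended above. SUDOERS_DEFAULT is the stock stanza quoted in the post; the function names are assumptions, and the edit is shown on a string rather than on /etc/sudoers itself, which should only be changed through visudo.

```shell
#!/bin/sh
# Added example: inspect and enable the wheel rule in sudoers text.
# SUDOERS_DEFAULT is the stock stanza quoted in the post; the helpers are
# illustrative functions written for this example, not part of sudo.
SUDOERS_DEFAULT='## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL'

# wheel_policy SUDOERSTEXT: print "none" (no active %wheel rule), "password"
# (rule active, password still required) or "nopasswd" (a NOPASSWD rule is active).
# Lines starting with # are comments, so a commented-out rule counts as inactive.
wheel_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*%wheel[[:space:]]/ { if ($0 ~ /NOPASSWD/) np = 1; else pw = 1 }
        END { if (np) print "nopasswd"; else if (pw) print "password"; else print "none" }'
}

# enable_wheel_password SUDOERSTEXT: uncomment only the password-requiring rule.
# The pattern is anchored on "ALL=(ALL) ALL" at end of line, so the
# "# %wheel ALL=(ALL) NOPASSWD: ALL" line is left commented out.
enable_wheel_password() {
    printf '%s\n' "$1" | sed 's/^#[[:space:]]*\(%wheel[[:space:]]*ALL=(ALL)[[:space:]]*ALL\)[[:space:]]*$/\1/'
}

# Usage on the stock stanza:
wheel_policy "$SUDOERS_DEFAULT"                 # none: this is why "not in the sudoers file" appears
ENABLED=$(enable_wheel_password "$SUDOERS_DEFAULT")
wheel_policy "$ENABLED"                         # password
```

Apply the real change with visudo, which locks the file and refuses to save a syntactically broken sudoers; visudo -c checks an existing file the same way, and sudo -l run as the wheel member shows the rights that resulted. Reporting "nopasswd" is the condition to watch for: with that rule active, anyone who obtains the account's session gets root without a second credential.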