In this process, we will learn how to provide nominated users or groups with the ability to execute a variety of commands with elevated privileges.
On CentOS Linux, many files, folders, or commands can only be accessed or executed by a user called root, which is the name of the user who can control everything on a Linux system. Having one root user per system may suit your needs, but for those who want a greater degree of flexibility, a solid audit trail, and the ability to provide a limited array of administrative capabilities to a select number of trusted users, you have come to the right place. The purpose of this process is to show you how to activate and configure the sudo (superuser do) command.
To Start With: What Do You Need?
To complete this process, you will require a minimal installation of the CentOS 7 operating system with root privileges. It is assumed that your server maintains one or more users (other than root) who qualify for this escalation in powers. If you did not create a system user account during installation, please do so before applying the process.
The Process
To start this process, we will first test the sudo command with a non-privileged user.
- To begin, log in to your system using a non-root user account, then type the following to verify that sudo is not enabled (use your user account’s password when asked):
sudo ls /var/log/audit
- This will print the following error output with <username>, which is the user you are currently logged in with:
<username> is not in the sudoers file. This incident will be reported.
- Now, log out the system user using the command:
logout
- Next, log in as root and use the following command to add the non-root user to the wheel group, which gives them sudo power (change <username> appropriately; the -a flag appends wheel to the user's existing supplementary groups instead of replacing them):
usermod -aG wheel <username>
- Now, you can test if sudo is working by logging out root again and re-logging in the user from step 1, and then trying again:
sudo ls /var/log/audit
- Congratulations, you’ve now set a normal user to have sudo powers and can view and execute files and directories restricted to the root user.
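The steps above, gathered into one re-runnable script as an added example (this is not code from the original recipe). It assumes the stock CentOS 7 /etc/sudoers, whose "%wheel ALL=(ALL) ALL" rule is what makes wheel membership equal to sudo rights, and it only touches the system when invoked as `./grant_wheel.sh --apply <username>` as root. The two sudoers excerpts inside it are constructed samples, not dumps of a real file.

```bash
#!/bin/bash
# Added example: check and grant wheel-based sudo access on CentOS 7.
# Assumes the default "%wheel ALL=(ALL) ALL" rule in /etc/sudoers and an
# existing user account; see grant_wheel() for the only privileged part.

# Constructed excerpt of a stock CentOS 7 /etc/sudoers (not a real file dump).
SAMPLE_SUDOERS_DEFAULT='## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# Constructed variant where an administrator switched the two lines around.
SAMPLE_SUDOERS_NOPASSWD='# %wheel        ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL'

# wheel_rule_state SUDOERS_TEXT
# Prints "nopasswd", "password" or "none" depending on which %wheel rule is
# active (uncommented) in the given sudoers text.
wheel_rule_state() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*ALL'; then
        echo nopasswd
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$'; then
        echo password
    else
        echo none
    fi
}

# in_group GROUPLIST GROUP
# GROUPLIST is the space-separated output of `id -nG USER`; returns 0 if GROUP is in it.
in_group() {
    local g
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# grant_wheel USER: the privileged part; requires root and an existing account.
grant_wheel() {
    local user=$1
    [ "$(id -u)" -eq 0 ] || { echo "grant_wheel: run as root" >&2; return 1; }
    getent passwd "$user" >/dev/null || { echo "grant_wheel: no such user: $user" >&2; return 1; }

    # Warn if wheel membership would not actually give sudo rights, or would
    # give them without a password prompt.
    case "$(wheel_rule_state "$(cat /etc/sudoers)")" in
        none)     echo "warning: no active %wheel rule in /etc/sudoers" >&2 ;;
        nopasswd) echo "warning: wheel members run sudo without a password" >&2 ;;
    esac

    if in_group "$(id -nG "$user")" wheel; then
        echo "$user is already in wheel"
    else
        # -a appends wheel to the existing supplementary groups; a plain -G
        # would replace them all with wheel.
        usermod -aG wheel "$user"
        in_group "$(id -nG "$user")" wheel && echo "$user added to wheel"
    fi
}

# Only act when explicitly asked: ./grant_wheel.sh --apply alice
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    grant_wheel "$2"
fi
```

After running it, log the user out and back in (or start a fresh login shell); group membership is read at login, so an existing session will not see the new group until then.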
How it works...
Unlike some Linux distributions, CentOS does not provide sudo by default. Instead, you are typically allowed to access restricted parts of the system with the root user only. This offers a certain degree of security, but for a multi-user server, there is little to no flexibility unless you simply provide these individuals with full administrative root access permissions. This is not advisable, and for this reason, the purpose of this process was to show you how to provide one or more users with the right to execute commands with elevated privileges.
So, what did we learn from this experience?
We started by logging in to the system with a normal user account having no root privileges or sudo powers. With this user, we then tried to list a directory that normally only the root user is allowed to see, by applying the sudo command to it. It failed, giving us the error that we are not in the sudoers file.
The sudo command provides nominated users or groups with the ability to execute a command as if they were the root user. All actions are recorded (in a file called /var/log/secure), so there will be a trace of all the commands and arguments used.
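The audit trail mentioned above is worth reading in a structured way: sudo logs one line per invocation, naming the user, the working directory, the target user and the full command, and it also logs refusals ("user NOT in sudoers") and failed password attempts. The following shell functions, an added example rather than part of the original recipe, pull those fields out of /var/log/secure lines. The log excerpt embedded in the block is constructed in sudo's log format for a host called centos7 and users alice and bob; run the functions against the real file with `sudo_commands "$(cat /var/log/secure)"` (as root, since that file is not world-readable).

```bash
#!/bin/bash
# Added example: summarise sudo activity from /var/log/secure on CentOS 7.
# The lines below are constructed in sudo's syslog format; they are not a
# dump of a real log.
SAMPLE_SECURE='Mar  3 09:14:02 centos7 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /var/log/audit
Mar  3 09:14:40 centos7 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/yum update
Mar  3 09:15:05 centos7 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /var/log/audit
Mar  3 09:16:11 centos7 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/audit/audit.log
Mar  3 09:16:30 centos7 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2'

# sudo_commands LOGTEXT
# Prints "user<TAB>command" for every sudo invocation that was actually run.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        / sudo: / && !/user NOT in sudoers/ && !/incorrect password attempts/ {
            rest = $0
            sub(/^.* sudo: +/, "", rest)        # "alice : TTY=pts/0 ; ... ; COMMAND=/bin/ls ..."
            user = rest; sub(/ : .*/, "", user) # text before the first " : "
            cmd = rest;  sub(/^.*COMMAND=/, "", cmd)
            print user "\t" cmd
        }'
}

# sudo_alerts LOGTEXT
# Prints "DENIED<TAB>user<TAB>command" for users who are not in sudoers and
# "BADPASS<TAB>user<TAB>command" for exhausted password attempts; both are
# the lines an administrator reviewing the trail wants to see first.
sudo_alerts() {
    printf '%s\n' "$1" | awk '
        / sudo: / && (/user NOT in sudoers/ || /incorrect password attempts/) {
            rest = $0
            sub(/^.* sudo: +/, "", rest)
            user = rest; sub(/ : .*/, "", user)
            cmd = rest;  sub(/^.*COMMAND=/, "", cmd)
            kind = (rest ~ /NOT in sudoers/) ? "DENIED" : "BADPASS"
            print kind "\t" user "\t" cmd
        }'
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "== commands run through sudo =="; sudo_commands "$SAMPLE_SECURE"
    echo "== alerts ==";                     sudo_alerts "$SAMPLE_SECURE"
fi
```

Note that the successful lines record what was run, not what the command went on to do; a shell started with sudo, for instance, shows up as a single COMMAND entry.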
We then logged in as the true root user and added a group called wheel to the system user that we wanted sudo rights for. This group is used as a special administration group and every member of it is granted sudo rights automatically.
From now on, the nominated user can use sudo in order to execute any command with elevated privileges. To do this, the user would be required to type the word sudo before any command, for example, they could run the following command:
sudo yum update
They will be asked to confirm their user password (not the root password!), and after successful authentication, the program will be executed as the user root.
Finally, we can say that there are three ways to become root on a CentOS Linux system:
First, log in as the true user root to the system. Second, you can use the command su - root while any normal system user is logged in, giving the root user's password to switch to a root shell prompt permanently. Third, you can give a normal user sudo rights so that they can execute single commands using their own passwords as if they were the root user while staying logged in as themselves.
Note
sudo (superuser do) should not be confused with the su (substitute user) command, which switches you to another user (typically root) for the rest of the session, rather than executing single commands as root the way sudo does.
The sudo command allows great flexibility for servers that have a lot of users, where one administrator is not enough to manage the whole system.