Lab 17: Configure Superuser Access

Objective Focus

Manage users and groups: Configure superuser access

Completing tasks as root can be risky if you are not careful. Configuring superuser access to normal users is great for managing elevated privileges. We want to keep use of the root account to minimum for security reasons, software installations, and critical changes in actual real-world environments.

Superuser access is done with the sudo command

$ sudo <cmd>

The user who executes this command will enter their own password to complete, if asked.

Important File - /etc/sudoers

$ man 5 sudoers

We can cat this file to take peek at the current settings on the

 root ALL=(ALL)  ALL

root: This rule applies specifically to the root user.
1st - ALL: Applies on all hosts (useful in multi-host environments).
2nd - (ALL): The root user can execute commands as any user.
3rd - ALL: The root user can execute any command.

 %wheel ALL=(ALL) ALL

%wheel: The % sign in front specifies that this is group. The wheel group is typically used for administrative users.

Important Command - $ visudo

$ visudo

This command is how we edit the /etc/sudoers file

Disable Password Prompting

jose ALL=(ALL) NOPASSWD: ALL

This can also be applied to groups

Limit access to select commands

jose ALL=/usr/sbin/visudo

jose ALL=/usr/sbin/userdel, ! /usr/sbin/userdel reed

These can also be applied at the group level, see Man page for /etc/sudoers

Additional customization can be implemented to the sudoers file and I recommend reading the “EXAMPLES” section in the /etc/sudoers man page.

That is all for this lab!