Chapter 4. Gaining Privileges

System administrators (and in some cases users) will need to perform certain tasks with administrative access. Accessing the system as root is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using the su and sudo programs. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 6 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access.

4.1. The su Command

When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in via the su command, the user is the root user and has absolute administrative access to the system[1]. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to add to the wheel group.
You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
  1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.
  2. Click the Users tab, and select the required user in the list of users.
  3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
  4. Click the Groups tab, select the check box for the wheel group, and then click OK.
See Section 3.2, “Managing Users via the User Manager Application” for more information about the User Manager.
After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, you will need to edit the PAM configuration file for su: /etc/pam.d/su. Open this file in a text editor and remove the comment (#) from the following line:
#auth           required        pam_wheel.so use_uid
This change means that only members of the administrative group wheel can switch to another user using the su command.

Note

The root user is part of the wheel group by default.


[1] This access is still subject to the restrictions imposed by SELinux, if it is enabled.