Chapter 4. Gaining Privileges
System administrators (and in some cases users) will need to perform certain tasks with administrative access. Accessing the system as
rootis potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using the
sudoprograms. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 6 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access.
When a user executes the
sucommand, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in via the
sucommand, the user is the root user and has absolute administrative access to the system. In addition, once a user has become root, it is possible for them to use the
sucommand to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
usermod -a -G wheelusername
In the previous command, replace username with the user name you want to add to the
You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
- Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command
system-config-usersat a shell prompt.
- Click the Users tab, and select the required user in the list of users.
- Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).
- Click the Groups tab, select the check box for the wheel group, and then click OK.
See Section 3.2, “Managing Users via the User Manager Application” for more information about the User Manager.
After you add the desired users to the
wheelgroup, it is advisable to only allow these specific users to use the
sucommand. To do this, you will need to edit the PAM configuration file for
/etc/pam.d/su. Open this file in a text editor and remove the comment (#) from the following line:
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group
wheelcan switch to another user using the
rootuser is part of the
wheelgroup by default.