- October 30th, 2010
- Write comment
Using sudo as an alternative to regularly logging in as root to a system which you need to administer is a well known and quite popular security option. Not everyone believes that the security benefits are worth the additional effort that this entails but it continues to gain traction as a best practice and is very simple to implement. Using sudo in the RHEL world is far less popular but is standard practice in the Debian and Ubuntu camps and so its use has become very well known recently.
The dangers of going directly to root are generally pretty obvious. Logging in remotely to a root account means that root itself has to be exposed – obviously not an optimal situation. We can also assume that the root password is probably being shared between multiple admins – also very bad. Shared passwords mean that we can’t audit to know who is performing root level actions. Being logged in as root also means that we can forget ourselves and issue commands as root that we meant to issue as a non-root user. Accidents can happen and being proactive can mean the difference between a good day and a horrible weekend.
There are two steps necessary to get our admin users set up to work with sudo. The first step is adding the admin users to the wheel group. Wheel is an old concept in UNIX and has a lot of legacy behind it. Traditionally it was used with the su command and a shared root password. But that is not the way in which we want to use wheel as that is not secure.
In /etc/group, edit the wheel group to include all of your system admins. Everyone in this group will have access to root when we are done.
Now that our group is set up we can alter the behavior of sudo to use the wheel group in the manner which we expect. In case you don’t have sudo on your system, install it with:
yum install sudo
Sudo is configured by the /etc/sudoers file. By default, sudo is effectively disabled. The easiest way to our wheel options is to search for the word “wheel”. There are two lines about wheel, both of which are currently commented out. The first line, if uncommented, allows anyone in the wheel group to sudo to root but requires the user to re-enter their password for security. Great idea but this can be problematic for many management tasks. The second line, if uncommented, does the same but will not require the users to re-enter their password before performing an action as root. This second option is my preferred method – striking the right balance between security and ease of use to make the sudo system work for most users.
When you are done, the line will look like this:
%wheel ALL=(ALL) NOPASSWD: ALL
Now sudo should be working. As a user in the wheel group (the system administrator group) we can easily issue commands at root with only minimal additional effort.
sudo rpm -q sudo
Ta da! It’s really that easy. Now, there are times when working as root is just practical and always having to sudo before each and every command can be too cumbersome for the real world. Not a problem. When it is necessary to still become root like back in the “good old days” you can sneakily do so using this command:
sudo -i su
And again, ta da! Now you are root without needing a shared password. Now you can secure the root user to keep anyone from using it directly.