Adding user to sudo list on Centos

NotionCommotion · 10-17-2016, 09:06 AM

Please let me know what I am doing wrong. Thanks

Code:

[Michael@vps2 ~]$ su -
Password:
[root@vps2 ~]# usermod -aG wheel Michael
[root@vps2 ~]# exit
logout
[Michael@vps2 ~]$ sudo ls -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for Michael:
Michael is not in the sudoers file.  This incident will be reported.
[Michael@vps2 ~]$

Emerson · 10-17-2016, 09:16 AM

Wrong thread, sorry.

Bapun007 · 10-17-2016, 10:37 AM

I think you need to edit sudoers file and allow members of wheel group to run sudo.
Type this command as root

Code:

visudo

This opens sudoers file in vim, search for 'wheel' and remove the comment('#') before that.

DavidMcCann · 10-17-2016, 10:57 AM

You need to edit /etc/sudoers and do it using the visudo command, which checks that your edit is correct before saving it. If you don't like vi, choose an editor you do like this:

su
export EDITOR=nano
visudo

The file is fairly clear, with examples, but you could also checkout the man page for sudoers.

The wheel group is rather different. When used (not common these days, except in BSD) you have to belong to wheel to use su.

mark_alfred · 10-17-2016, 11:09 AM

Is group "wheel" enabled? See link. Note: the page uses "$" and "#" to indicate either normal user or root user, but that's not part of the commands. From it:

Quote:

Run the visudo to edit the /etc/sudoers file. This file defines the policies applied by the sudo command.

Code:

# visudo

Find the lines in the file that grant sudo access to users in the group wheel when enabled.

Code:

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

Remove the comment character (#) at the start of the second line. This enables the configuration option.

Save your changes and exit the editor.

Add the user you created to the wheel group using the usermod command.

Code:

# usermod -aG wheel USERNAME

Test that the updated configuration allows the user you created to run commands using sudo.

Use the su to switch to the new user account that you created.

Code:

# su USERNAME -

Use the groups to verify that the user is in the wheel group.

Code:

$ groups
USERNAME wheel

Use the sudo command to run the whoami command. As this is the first time you have run a command using sudo from this user account the banner message will be displayed. You will be also be prompted to enter the password for the user account.

Code:

$ sudo whoami
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

            #1) Respect the privacy of others.
            #2) Think before you type.
            #3) With great power comes great responsibility.

        [sudo] password for USERNAME:
        root

The last line of the output is the user name returned by the whoami command. If sudo is configured correctly this value will be root.

You have successfully configured a user with sudo access. You can now log in to this user account and use sudo to run commands as if you were logged in to the account of the root user.

pingu_penguin · 10-17-2016, 11:49 AM

you didnt use 'visudo' to add wheel group to sudoers file.

groups start with %

so adding this sudoers file would help you:

# Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

for more control or options you may want to use , see 'man sudoers' or you could google for examples.

mark_alfred · 10-17-2016, 12:30 PM

Posts 3, 4, 5, and 6 have all cited the same issue surrounding the group "wheel" (with post 4 indicating it's a mostly passé method, but still plausible) . How many others will cite this? Time will tell.

lazydog · 10-17-2016, 12:40 PM

Quote:

Originally Posted by mark_alfred

How many others will cite this? Time will tell.

One can never say it enough.

NotionCommotion · 10-17-2016, 04:34 PM

Thank you all.

No, I didn't use use visudo first.

Before I un-comment the wheels group, should I? The only reason I thought I should was some initial searchs on how to allow sudo. The server is managed by me, and used by me plus a couple of people. Is there a better strategy?

Thanks

mark_alfred · 10-17-2016, 05:52 PM

I don't really know. This is the first I've heard of the wheel group. Generally if I've created a new user that I wanted to have sudo powers, I've added them to the sudo group. My /etc/sudoers file looks like this:

Code:

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Currently no user on my system is a member of the admin group, though I, user mark, am a member of both sudo and adm (I'm not sure what the group "adm" is for). Anyway, it's just me using my laptop and it's an Ubuntu install. So, that's how mine is set up.

Here's some history on the wheel group (link). Seems Richard Stallman didn't like it (felt it lacked freedom) so it fell out of favour in Linux distros. Apparently to safeguard against the sharing of the root password, the extra condition of having to belong to the wheel group was added. Of course, given that root is often disabled now, and given that some users may or may not be part of the group sudo, I'm not sure what the difference is between group "sudo" and group "wheel".

Anyway, I don't really know, but I figure since you've got it set up, you may as well use it.

Doug G · 10-17-2016, 06:18 PM

wheel group is enabled in sudoers by default on centos7. If you are a group member of wheel you should be allowed to use sudo. You may need to log out and back on after changing your group memberships.

sundialsvcs · 10-17-2016, 06:21 PM

For what it's worth, on all of my Linux systems, only one user (sysmaint) is capable of sudo, and this user is used for no other purpose.

Therefore, it is almost never used. When software needs to be installed, or when operating-system updates from the distro vendor need to be applied, then this user is used.

This user does not own any files. It isn't used for application maintenance. (There's appmaint for that ...)

It doesn't own any of the deployed systems. (There's a third reserved user for that ...)

You get the idea.

Turbocapitalist · 10-18-2016, 01:36 AM

Quote:

Originally Posted by sundialsvcs

You get the idea.

Compartmentalization is a good idea. Taking advantage of sudoers properly goes far in that direction. And it would save a lot of trouble and work if distros had much better defaults for /etc/sudoers to point the right direction. There is so often misuse of "sudo" and "sudoers" by not taking advantage of the granularity it can offer in regards to access, and instead just using it as a longer way of writing "su", that I made a blog entry about it.

It would be great if the benefits of properly configuring sudoers were more obvious from the start. Better defaults would help with that. But until then, there is a lot of remedial action going on. One is to recommend reading Sudo Mastery: Access Control for Real People by Michael W. Lucas or checking out his presentation (slides or video) on "sudo: You're Doing it Wrong"

lazydog · 10-18-2016, 07:23 AM

Quote:

Originally Posted by mark_alfred

I don't really know. This is the first I've heard of the wheel group. Generally if I've created a new user that I wanted to have sudo powers, I've added them to the sudo group.

Your sudo and wheel are the same in regards to the setup

Quote:

Originally Posted by Turbocapitalist

And it would save a lot of trouble and work if distros had much better defaults for /etc/sudoers to point the right direction.

Really? How could you expect a distro to know how you are going to run your system? This is part of the Sys Admin's job. If he is going to go down this rabbit hole then he should have already mapped this out.

Turbocapitalist · 10-18-2016, 07:35 AM

Quote:

Originally Posted by lazydog

Really? How could you expect a distro to know how you are going to run your system?

They don't and can't know. But they can provide better examples rather than just setting "sudo" to be the functional equivalent equivalent of "su". Using %sudo ALL=(ALL:ALL) ALL as a default is not instructive. Here's a default that is a bit closer to a good compromise than that:

Code:

%sudo ALL=(root:root) /usr/sbin/visudo "",
        /usr/bin/yum

Maybe a third line is needed for something else common.

Quote:

Originally Posted by lazydog

This is part of the Sys Admin's job. If he is going to go down this rabbit hole then he should have already mapped this out.

Yep.