CentOS 7 add new user with root privileges
Solution 1
I am reading this tutorial, and trying to create a new user with root privileges and then block root access via ssh in a CentOS 7 server. The problem is that the new user is blocked from doing root actions like nano /etc/sudoers. Also, I seem unable to remove the block of root login. So my pre-existing open root session is the only access I have to root functionality until it terminates. How can I successfully add root permissions to the newuser? And how can I successfully turn on/off root login?
- Strictly speaking, the real use of
sudo
is to configure the execution of certain specific commands to certain specific users or groups. The waysudo
is distributed and configured in some distributions can be somewhat misleading because to become the root user, we can just typesu -
without involvingsudo
. This requires the entry of the password for the user, root, and not the user's password. So you could have used this. - Try to never use anything except
visudo
to directly edit/etc/sudoers
. Otherwise you could break authentication altogether until you change its permissions back to0400
(which you cannot do after you log out without utilizing a rescue system of some sort). (The editor used byvisudo
can be controlled by theVISUAL
environment variable. To use it withnano
, one option isVISUAL=nano visudo
.) - The new user already can become root (point 1), but to let this user become root though sudo, just add the user to the right group. On CentOS 7, the traditional group name of wheel was used to allow members of that group to become root via sudo:
usermod -a -G wheel codemedic
. Useman usermod
for more details. You can determine this group name by reading the configuration file:cat /etc/sudoers
. - To deny access to root via SSH, edit
/etc/ssh/sshd_config
and make sure that only one uncommented instance ofPermitRootLogin
is available and set it to a value of no:PermitRootLogin no
. Save the file and restart the Secure Shell daemon:systemctl restart sshd
.
Note that I edited /etc/sudoers because /usr/sbin/visudo did not work.
How does visudo
not work?
Solution 2
The way CentoOS grants root(all) privileges to a user is by putting them in the wheel
group. This is what happens when you make a user account and select the box that makes that user an Administrator.
You can put a user in a group with:
sudo usermod -aG wheel username
To disable an account from logging in, including the root
account
you can lock it by setting a non usable password.
sudo passwd -l username
Solution 3
These steps worked for me.
Add user:
useradd user
Add password:
passwd user
Add following line to the /etc/sudoers
file by using the command visudo
:
user ALL=(ALL) ALL
or, for becoming root without having to enter a password,
ALL ALL=(ALL) NOPASSWD:ALL
Then, switch to that user
su user
and ask for root privileges:
sudo su -
Enter password for new user:
[sudo] password for user:
Related videos on Youtube
RabT
Updated on September 18, 2022Comments
-
RabT over 1 year
I am reading this tutorial, and trying to create a new user with root privileges and then block root access via ssh in a CentOS 7 server. The problem is that the new user is blocked from doing root actions like
nano /etc/sudoers
. Also, I seem unable to remove the block of root login. So my pre-existing open root session is the only access I have to root functionality until it terminates. How can I successfully add root permissions to the newuser? And how can I successfully turn on/off root login?Here is what I have so far:
In
/etc/sudoers
, I have:## Allow root to run any commands anywhere root ALL=(ALL) ALL newusername ALL=(ALL) ALL
Note that I edited
/etc/sudoers
because/usr/sbin/visudo
did not work.In
/etc/ssh/sshd_config
I havePermitRootLogin yes
because I want to turn root login back on until I can get newusername to have root privileges. Also, the last line of the file isAllowUsers newusername
.I then typed
systemctl reload sshd.service
because/etc/init.d/sshd reload
threw an error onCentOS 7
.The problem is that currently
newusername
does not haveroot
privileges and yet I am not able to login asroot
either. So my pre-existing connection asroot
is my only way of controlling the machine.EDIT #1
I was able to give the new user
sudo
privileges withgpasswd -a newusername wheel
, but I still cannot log in as root even though I havePermitRootLogin yes
in/etc/ssh/sshd_config
. How can I getCentOS 7
to respect the settings in/etc/ssh/sshd_config
? I should be able to turn root login on and then off again at will, and have the settings actually work.-
text over 9 yearsAnytime you change the contents of sshd_config you will need to either reboot your system or restart the sshd daemon.
-
RabT over 9 years@mdpc the server is on a remote network. i am logging into it via
ssh
. Do I have to get someone at the physical location of the server to restart thesshd daemon
? I am concerned that runningsystemctl stop/start sshd.service
remotely viassh
would cause my connection to close after thestop
and before thestart
, thus locking me out. -
eyoung100 about 9 yearsFor that matter,
/etc/sudoers
should not be edited unless usingvisudo
-
-
RabT almost 9 yearsThank you and +1 for taking the time to write an informative answer.
-
RabT about 7 yearsYour response is similar to the
gpasswd -a newusername wheel
in the 2014 edit to the OP above. Technically,sudo
only lets users do someroot
operations. There are still certain commands which asudoer
cannot execute unless theysu -
to actually become root. I think a good answer would describe how to create thesomeuser
account privileges that would enable them to perform any command if another user elevates to that account viasu - someuser
. But I am giving this +1 because you took the time to respond to an old posting. Thank you.