sudo access vs wheel group

When the wheel group membership gives a user full root access through sudo, it is normally configured like this in the /etc/sudoers file:

%wheel    ALL=(ALL) ALL

Meaning: "any members of group wheel on ALL hosts can sudo to ALL user accounts to run ALL commands." So it's exactly the same as your "bad" line:

bob      ALL=(ALL) ALL

If you want to give a user (or a group) full access to a specific other user account and nothing else, you can do it this way:

user     ALL=(targetuser) ALL
# or
%group   ALL=(targetuser) ALL

Then, the user(s) can do

$ sudo -u targetuser command

to quickly execute individual commands as the target user, or

$ sudo -iu targetuser

to get a shell as the target user, with the exact same environment the target user would get when logging in directly.

For historical reasons, some people reflexively use

sudo su - targetuser

for the second purpose. This would require giving the user(s) in question at least access to run the

su - targetuser

command as root, and it will be more difficult to piece together from the logs what the user actually did. This command was useful back when sudo did not have the -i option, but I think that option has been there for about 15 years by now.
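As an added illustration (not part of the original answer, and a deliberately simplified parser rather than sudo's real grammar), the script below reads the sudoers lines quoted in this answer and in the comments that follow it and reports what each one grants: full root (the %wheel case), any command but only as one target user, a fixed command list, or the "missing parentheses" shape that the comments point out. The sample sudoers text inside it is constructed for the example; aliases, continuation lines, Defaults and @include are out of scope, and `visudo -c` remains the authoritative syntax check.

```python
"""Classify sudoers user-specification lines by how much they grant.

Added example, not code from the original answer. It parses only the
single-line form used on this page:

    <user|%group> <hosts> = (<runas_users>[:<runas_groups>]) [TAG:]... <cmd>[, <cmd>...]

Aliases, line continuations, Defaults and @include are out of scope;
`visudo -c` remains the authoritative syntax check.
"""
import re

# Constructed sample file: the lines quoted in the answer and in the
# comments, plus the equivalent "only one command" entry.
SAMPLE_SUDOERS = """\
# full root for every wheel member; same grant as "bob ALL=(ALL) ALL"
%wheel    ALL=(ALL) ALL
bob       ALL=(ALL) ALL
# anything, but only as targetuser (sudo -u targetuser ... / sudo -iu targetuser)
user      ALL=(targetuser) ALL
%group    ALL=(targetuser) ALL
# a single command; no run-as list, so it runs as root (runas_default)
bob       ALL = /sbin/iptables -L
# the line tried in the comments: permits only /usr/bin/sudo itself
bob       ALL=/usr/bin/sudo
# the "missing parentheses" line from the comments
bob       ALL=ALL    ALL
"""

USER_SPEC = re.compile(
    r"""^(?P<who>\S+)\s+              # user, %group, +netgroup, alias
        (?P<hosts>[^=\s]+)\s*=\s*     # Host_List
        (?:\((?P<runas>[^)]*)\)\s*)?  # optional Runas_Spec in parentheses
        (?P<rest>\S.*?)\s*$           # tags and Cmnd_Spec_List
    """,
    re.VERBOSE,
)

TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:")


def parse_user_spec(line):
    """Return a dict for one user-spec line, or None for comments/blanks/other."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = USER_SPEC.match(line)
    if not m:
        return None
    runas = m.group("runas")
    if runas is None:
        # No Runas_Spec: sudo falls back to runas_default, normally root.
        runas_users, runas_groups, explicit = ["root"], [], False
    else:
        users, _, groups = runas.partition(":")
        runas_users = [u.strip() for u in users.split(",") if u.strip()]
        runas_groups = [g.strip() for g in groups.split(",") if g.strip()]
        explicit = True
    rest = m.group("rest")
    tags = []
    changed = True
    while changed:  # peel off any leading tags such as NOPASSWD:
        changed = False
        for tag in TAGS:
            if rest.startswith(tag):
                tags.append(tag.rstrip(":"))
                rest = rest[len(tag):].lstrip()
                changed = True
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {"who": m.group("who"), "hosts": m.group("hosts"),
            "runas_users": runas_users, "runas_groups": runas_groups,
            "explicit_runas": explicit, "tags": tags, "commands": commands}


def classify(spec):
    """Summarise what the entry grants, from most to least privileged."""
    cmds = spec["commands"]
    users = spec["runas_users"]
    if cmds == ["ALL"] and ("ALL" in users or "root" in users):
        return "full-root"  # the same grant as the %wheel line
    if cmds == ["ALL"]:
        return "any-command-as:" + ",".join(users)
    if any(c.split()[0] == "ALL" for c in cmds):
        # "ALL ALL" is not a command list; the (ALL) run-as list is probably missing
        return "suspicious-missing-runas-parens"
    return "restricted-commands"


def audit(text):
    """Return (who, classification, commands) for each user-spec line in text."""
    report = []
    for line in text.splitlines():
        spec = parse_user_spec(line)
        if spec is not None:
            report.append((spec["who"], classify(spec), spec["commands"]))
    return report


if __name__ == "__main__":
    for who, verdict, cmds in audit(SAMPLE_SUDOERS):
        print(f"{who:10} {verdict:34} {', '.join(cmds)}")
```

Running it prints one line per entry; the two `(ALL) ALL` entries come out as `full-root`, the `(targetuser) ALL` entries as `any-command-as:targetuser`, and the `/usr/bin/sudo` line from the comments as `restricted-commands`, which is why that line did not let bob run iptables.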

Author: Mohamed Medhat Sallam

Updated on September 18, 2022

Comments

  • Mohamed Medhat Sallam
    Mohamed Medhat Sallam over 1 year

    I am just a little bit confused here. When you are asked to give a user sudo access to the machine, should I just add the user to the wheel group?

    # usermod -aG wheel bob
    

    Or let's say there is no wheel group or it is deleted for some reason.

    Then how can I grant bob sudo access to the machine? When I did

    # which sudo
    

    I get the result: /usr/bin/sudo

    So can I do the following line then:

    bob     ALL=/usr/bin/sudo
    

    But then I changed to user bob after and tried to execute

    # sudo iptables -L
    

    and then it gives me that error message:

    Sorry, user bob is not allowed to execute '/sbin/iptables -L' as root

    And so I am not sure how to give sudo access to the machine to a user if the group wheel is not there. And according to my knowledge

    bob       ALL=ALL    ALL
    

    Basically makes bob have the same power as root, which is not good, right?

    Another question I have is how to make all users on the system able to execute the last command. Do I have to create a group and then add all users to this group or is there another way?

    • Admin
      Admin over 6 years
      bob ALL = /sbin/iptables -L. See man sudoers.
    • Admin
      Admin over 6 years
      I know that but I want to give bob sudo access not just iptables -L
    • Admin
      Admin over 6 years
      If you "want to give bob sudo access", that means that bob will have the "same power like root". What exactly do you want? You want bob to have sudo access, but restrict certain root powers?
    • Admin
      Admin over 5 years
      Please note this should be bob ALL=(ALL) ALL, you're missing a set of parens in there... Check if your sudoers file has an entry for %wheel, sometimes it's commented out...
  • roaima
    roaima almost 4 years
    Your sudoers line is wrong. Adding /etc/shadow like that means the user can run /etc/shadow as a program. It's also wrong because ordinary users should not be allowed to read /etc/shadow; you're breaking the authentication security here.
  • J. Doe
    J. Doe almost 4 years
    @roaima angry user, hi there again. I mentioned in parentheses that you don't have to read /etc/shadow. Just drink a glass of water and calm down. Thanks for -1, by the way. Appreciate it. Everything I posted above is correct. Wanna check, go ahead.
  • roaima
    roaima almost 4 years
    J.Doe, I'm not angry. I've read your complaint and taken time to recheck carefully whether your sudoers line works as I've warned or as you've described. Here are my findings. As written, your line permits both /bin/cat and /etc/shadow to be run (as any user) by user1. (1) This means no file is secure from user1 as they can read - and therefore copy - every file on the system (2) /etc/shadow isn't a program so although you've listed it as a possible executable it cannot be run.
  • roaima
    roaima almost 4 years
    In order for the command to work as you've described, I think you probably shouldn't have included the comma after /bin/cat. But it's still a massive security issue.