## Introduction

Running certain applications is restricted to the root user, or to users who are able to acquire administrative privileges.

Thus, to manage a system successfully you need to be able to log in as root, or as one of the accounts that can act in its place.

## Which processes can only be executed by “root” users?

These so-called restricted programs (setuid binaries) show an s in the owner's execute position when viewed with ls -la.


```
# check the /bin folder and list files whose permission string contains "-rws"
ls -la /bin/* | grep -i "\-rws"
```



There are a couple of things you want to note:

• You need to escape the - in -rws, otherwise grep treats it as an option; escape the - character with a back-slash (\)
• Notice that we are looking at the first three permission letters (after the leading file-type character), which signify the permission set for the owner
• r — the owner is able to read the file
• w — the owner is able to write/over-write the file
• s — this position usually holds x, indicating that the owner can execute the file. When it shows s instead of x, whoever executes the program takes on the identity of the file's owner (the setuid bit)
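As an added example (not part of the original post), the same audit done with find, which tests the mode bits directly instead of pattern-matching ls output; the demo directory and its two files are constructed here so the functions can be exercised without touching /bin.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid files with find.
# -perm -4000 tests the mode bits directly, so unlike grepping "-rws" it also
# catches "-rwS" (setuid set but no owner execute) and recurses into
# sub-directories; test -u does the same check for a single file.

# is_setuid FILE: succeeds when FILE carries the setuid bit
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR: print "<mode> <owner> <path>" for each setuid regular
# file under DIR, e.g. "-rwsr-xr-x root /usr/bin/passwd"
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $NF }'
}

# count_setuid DIR: number of setuid regular files under DIR
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# make_demo_dir: constructed scratch directory holding one setuid file and
# one plain file (demo data, not a real system's binaries); prints its path
make_demo_dir() {
    d=$(mktemp -d)
    touch "$d/plain" "$d/suid"
    chmod 0755 "$d/plain"
    chmod 4755 "$d/suid"
    echo "$d"
}

# stand-alone run: audit the demo directory, then the real /bin
main() {
    d=$(make_demo_dir)
    echo "demo directory ($d): $(count_setuid "$d") setuid file(s)"
    list_setuid "$d"
    rm -rf "$d"
    echo "/bin: $(count_setuid /bin/) setuid file(s)"
    list_setuid /bin/
}
main
```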

## Taking on the root role via membership in the wheel group

By convention, Linux uses a group named wheel as the surrogate group whose members may take on the role of the administrator.

### Where did the name wheel come from?

http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29

In computing, the term wheel refers to a user account with a wheel bit, a system setting that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access.  The term is derived from the slang phrase big wheel, referring to a person with great power or influence.

### What is the “Wheel Group”

http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29

Modern Unix systems use user groups to control access privileges. The wheel group is a special user group used on some Unix systems to control access to the su command, which allows a user to masquerade as another user (usually the super user).

### Adding user to the wheel group

#### Command Shell – Utility – usermod

To modify user accounts, Linux relies on the usermod utility. Here are a few quick points:

• The file's full name is /usr/sbin/usermod
• One can change the user's home directory via the -d (--home) option
• One can change the user's primary group via the -g (--gid) option
• One can wholly replace the user's supplementary group membership via the -G (--groups) option
• One can add to the user's existing groups, rather than replace them, by combining -G with the -a (--append) option
• One can change the user's shell via the -s (--shell) option
• One can unlock an account via the -U (--unlock) option

##### Usermod – Add user to the wheel group

To add our user (myself, in this case) to the wheel group, do the following:

Syntax:

```
usermod -a -G wheel <user>
```

Sample:



Thankfully, you get clear, indicative messages when the group or user name does not exist on the system:

• user does not exist
• group does not exist

When the command succeeds, there is no output at all.

##### Groups – Review User Group Membership

Get the groups a user belongs to:

Syntax:

```
groups <user>
```

Sample:



Output:

##### Groups – List all users in a group

List all users in a group


Sample:

```
grep :`grep ^wheel /etc/group | cut -d: -f3`: /etc/passwd
```



Output:

Explanation of Script:

• The backticks (`) surrounding the inner script mean that the inner script is run and its result is substituted into the outer command, rather than displayed on the console
• What does the inner script do — grep ^wheel /etc/group — it fetches the line in /etc/group that starts with the word wheel. In its entirety that line reads “wheel:x:10:”
• The output of “grep ^wheel /etc/group” is piped (|) to the cut utility. The syntax “cut -d: -f3” says to get the third field, using the colon (:) as the delimiter. So when we ask for the third field of “wheel:x:10:”, we get back 10, which is the group ID (GID) of wheel
• Please note that you need the colons (:) around the inner script; without them you get an extraneous row, as the code and output pasted below show:

Code (code and console output):


Command:

```
grep -e "`grep ^wheel /etc/group | cut -d: -f3`" /etc/passwd
```

Output:

-------------------------------------------------------------------------------
Command:

```
grep -e :"`grep ^wheel /etc/group | cut -d: -f3`": /etc/passwd
```

Output:



Output (Screen shot):

Explanation:

• Without the colons (:), you also see the record for games. The games group ID is not 10 but 100, and the bare pattern 10 matches inside 100
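As an added example (not part of the original post), a small set of shell functions that list a group's members from /etc/group and /etc/passwd; the passwd and group files used here are constructed samples, and the file paths are parameters so the same functions work against the live files. It goes a step beyond the one-liner above: that command only finds users whose primary GID is wheel's, whereas members added with usermod -a -G wheel land in the comma-separated fourth field of /etc/group, so both sources are read.

```shell
#!/bin/sh
# Added example (not from the original post): list every member of a group.
# Primary membership is field 4 of /etc/passwd (what the page's one-liner
# matches); supplementary membership is the comma-separated field 4 of
# /etc/group ("wheel:x:10:dadeniji,alice"), which usermod -a -G writes to.

# group_gid NAME GROUPFILE: numeric GID of NAME, empty if absent
group_gid() {
    grep "^$1:" "$2" | cut -d: -f3
}

# primary_members NAME GROUPFILE PASSWDFILE: users whose primary GID is NAME's.
# awk compares the whole field, so GID 10 cannot match inside 100 (the games
# row the page shows) or inside the UID column.
primary_members() {
    gid=$(group_gid "$1" "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$4 == g { print $1 }' "$3"
}

# supplementary_members NAME GROUPFILE: names listed in field 4 of NAME's row
supplementary_members() {
    grep "^$1:" "$2" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# group_members NAME GROUPFILE PASSWDFILE: union of both, sorted, de-duplicated
group_members() {
    { primary_members "$1" "$2" "$3"; supplementary_members "$1" "$2"; } | sort -u
}

# make_sample: constructed group/passwd files (not real system data); prints dir
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:dadeniji,alice
games:x:100:
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:10:Bob:/home/bob:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
    echo "$dir"
}

# stand-alone run against the sample files (use /etc/group and /etc/passwd live)
main() {
    dir=$(make_sample)
    echo "wheel gid: $(group_gid wheel "$dir/group")"
    echo "wheel members: $(group_members wheel "$dir/group" "$dir/passwd" | tr '\n' ' ')"
    rm -rf "$dir"
}
main
```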

## Ensure that wheel has sudo access via customization of sudoers

### Why bother with sudoers?

If an account runs sudo without membership in the wheel group, or the wheel group is not enabled for sudo access in the sudoers file, then the error message pasted below comes up:

Output (Text):

```
<account> is not in the sudoers file.  This incident will be reported.
```


Output (Screenshot):

### Email

The next time you log in as the root user, you get a little notification telling you that an email is waiting for you:

```
You have mail in /var/spool/mail/root
```

To view the email, issue something like:

```
tail /var/spool/mail/root
```


Screen shot:

The email sent by sudo (the gossip delegator) is quite straightforward. The header fields include:

• To — root
• From — dadeniji (in our case)
• Auto-Submitted: auto-generated
• Subject: **SECURITY information for <hostname>
• Message-Id: ******
• Date: *****


Email Contents:



```
rachel : May 12 17:41:27 : dadeniji : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dadeniji ; USER=root ; COMMAND=/bin/ls
```



### Using visudo

Launch visudo:

```
visudo
```


Look for the lines that reference the wheel group:

Shipped:



```
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
```


• The statements are refreshingly well documented
• I suggest that you un-comment the line that references wheel but does not mention NOPASSWD

Revised:



```
## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
```



Corrected:

### Validation


```
sudo ls -la *
```

Output:

Now, when we issue sudo <command> and supply our own account's (dadeniji) password, we are good.
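As an added example (not part of the original post), a check that reports which of the three states above a sudoers file is in for the wheel group: the shipped file (rule commented out), the revised file (rule active, password required), or a NOPASSWD rule. The file path is a parameter so the check can be run against a copy without root; the sample fragments are constructed from the Shipped and Revised lines above.

```shell
#!/bin/sh
# Added example (not from the original post): report how a sudoers file grants
# access to the wheel group. Pass /etc/sudoers on a live system (as root), or
# any copy of it elsewhere.

# wheel_rules FILE: print the active (un-commented) %wheel rule lines
wheel_rules() {
    grep -E '^[[:space:]]*%wheel[[:space:]]' "$1"
}

# wheel_status FILE: one word summarising wheel's sudo access
#   disabled - no active %wheel rule (only the stock "# %wheel" comment)
#   password - an active rule and a password is prompted (the post's advice)
#   nopasswd - an active rule carries NOPASSWD
wheel_status() {
    rules=$(wheel_rules "$1") || { echo disabled; return 0; }
    if printf '%s\n' "$rules" | grep -q 'NOPASSWD'; then
        echo nopasswd
    else
        echo password
    fi
}

# sudoers_syntax_ok FILE: visudo's own syntax check, when visudo is installed.
# Depending on the sudo version, visudo -c may also verify owner and mode
# (root, 0440), so a scratch copy can be reported as bad on those grounds.
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || return 0
    visudo -c -f "$1"
}

# make_sudoers shipped|revised|nopasswd: constructed fragments mirroring the
# Shipped and Revised lines from the post, plus a NOPASSWD variant; prints path
make_sudoers() {
    f=$(mktemp)
    case "$1" in
        shipped)  printf '## Allows people in group wheel to run all commands\n# %%wheel ALL=(ALL) ALL\n' > "$f" ;;
        revised)  printf '%%wheel ALL=(ALL) ALL\n# %%wheel ALL=(ALL) NOPASSWD: ALL\n' > "$f" ;;
        nopasswd) printf '%%wheel ALL=(ALL) NOPASSWD: ALL\n' > "$f" ;;
    esac
    echo "$f"
}

# stand-alone run over the three constructed fragments
main() {
    for kind in shipped revised nopasswd; do
        f=$(make_sudoers "$kind")
        echo "$kind: $(wheel_status "$f")"
        rm -f "$f"
    done
}
main
```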
