Technical: Linux – User Administrator – Granting SysAdmin access

Introduction

Running certain applications is restricted to the root user, or to users who are able to acquire administrative privileges.

To manage a system successfully you therefore need to be able to log in as the root account, or as one of the accounts that can act in its place.

Which processes can only be executed by “root” users?

These so-called restricted programs carry an s in place of the owner's execute flag (the set-user-ID bit) when viewed using ls -la.


  # check the /bin folder and list files whose permission string starts with "-rws"
  ls -la /bin/* | grep -i "\-rws"

There are a couple of things you want to note:

  • You need to escape the - symbol in -rws, otherwise grep reads it as an option; escape it with a backslash (\)
  • Notice that we are looking at the three letters after the leading file-type character; they signify the permission set for the owner
  • r — the owner is able to read the file
  • w — the owner is able to write/over-write the file
  • s — this position normally holds an x, indicating that the owner can execute the file.  When it shows s instead of x, the setuid bit is set: whoever executes the file runs it with the privileges of the file's owner

Taking on the root role via membership in the wheel group

By convention Linux uses a group named wheel as the surrogate group whose members can take on the role of the Admin.

Where did the name wheel come from ?

http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29

In computing, the term wheel refers to a user account with a wheel bit, a system setting that provides additional special system privileges that empower a user to execute restricted commands that ordinary user accounts cannot access.  The term is derived from the slang phrase big wheel, referring to a person with great power or influence.

What is the “Wheel Group”

http://en.wikipedia.org/wiki/Wheel_%28Unix_term%29

Modern Unix systems use user groups to control access privileges. The wheel group is a special user group used on some Unix systems to control access to the su command, which allows a user to masquerade as another user (usually the super user).

Adding user to the wheel group

We can modify user accounts via the Graphical Interface or via a command-line utility such as usermod.

Command Shell – Utility – usermod

To modify user accounts, Linux relies on the usermod utility.  Here are a few quick points:

  • The file's full name is /usr/sbin/usermod
  • One can change the user's home directory via the -d (--home) option
  • One can change the user's primary group via the -g (--gid) option
  • One can wholly replace the user's supplementary group membership via the -G (--groups) option
  • One can add to the user's existing supplementary groups by combining the -a (--append) option with -G
  • One can change the user's shell by using the -s (--shell) option
  • One can unlock an account by using the -U (--unlock) option

Usermod – Add user to the wheel group

To add our user (myself, in this case) to the wheel group, do the following.  Note that -g replaces the user's primary group, as listed above; the -a and -G options add wheel as a supplementary group and leave the primary group unchanged.
Syntax:

   usermod -g <group-name> <username>

Sample:

   usermod -g wheel dadeniji

Thankfully, you get clear, indicative messages when the group or user name does not exist on the system:

  • user does not exist
  • group does not exist

usermod

When things are good, we get no feedback.

usermodGood

Groups – Review User Group Membership

Get user groups


Syntax:

   groups <username>

Sample:

   groups dadeniji

Output:

listUserGroups

Groups – List all users in a group

List all users in a group


Sample:

   grep :`grep ^wheel /etc/group | cut -d: -f3`: /etc/passwd

Output:

listAllUsersInAGroup

Explanation of Script:

  • The surrounding backticks (`) mean that the inner command is run first and its output is substituted into the outer command rather than displayed on the console
  • What does the inner command do — grep ^wheel /etc/group — it fetches the line in /etc/group that starts with the word wheel.  In its entirety that line reads “wheel:x:10:”
  • The output of “grep ^wheel /etc/group” is piped (|) to the cut utility.  The syntax “cut -d: -f3” says to take the third field using the colon (:) as the delimiter.  So when we ask for the third field of “wheel:x:10:”, we get back 10, which is the group ID for wheel
  • Please note that you need the colons (:) around the inner script; without them I got an extraneous row, as the code and output pasted below show:

Code (code and console output):


Command:
    grep -e  "`grep ^wheel /etc/group | cut -d: -f3`"  /etc/passwd

Output:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    dadeniji:x:500:10:Daniel Adeniji:/home/dadeniji:/bin/bash

-------------------------------------------------------------------------------
Command:
    grep -e  :"`grep ^wheel /etc/group | cut -d: -f3`":  /etc/passwd

Output:
   uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
   dadeniji:x:500:10:Daniel Adeniji:/home/dadeniji:/bin/bash

Output (Screen shot):

listAllUsersInAGroupCorrection

Explanation:

  • Without the colons (:), the pattern 10 also matches inside 100, so one sees the extra record for games; the games group ID is not 10, but 100

Ensure that wheel has sudo access via customization of sudoers

Why bother with sudoers?

If an account tries to use sudo without membership in the wheel group, or the wheel group has not been granted sudo access in the sudoers file, the error message pasted below comes up:

Output (Text):

<account> is not in the sudoers file.  This incident will be reported.


Output (Screenshot):

no-sudo-access

Email

The next time you, the root user, log in to the system, you get a nice little notification telling you that there is mail waiting for you:

You have mail in /var/spool/mail/root

 

To view the email, issue something like:

tail /var/spool/mail/root

  

Screen shot:

EmailNotification

The email sent by the gossip delegator is quite straightforward.  It covers:

Email Header:

  • To — root
  • From — dadeniji (in our case)
  • Auto-Submitted: auto-generated
  • Subject: **SECURITY information for <hostname>
  • Message-Id: ******
  • Date: *****


Email Contents:



rachel : May 12 17:41:27 : dadeniji : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/dadeniji ; USER=root ; COMMAND=/bin/ls

Using visudo

Launch visudo:

visudo

Look for the lines that reference the wheel group:

Shipped:



## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

  • The statements are refreshingly well documented
  • I suggest that you un-comment the line that references wheel but does not mention NOPASSWD

Revised:



## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

Corrected:

visudo - wheels (corrected)

Validation


sudo ls -la *

Output:

sudo (corrected)

Now, when we issue sudo <command> and supply our own account's (dadeniji) password, we are good.
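As an added check, not from the original post, this shell helper reports which %wheel rule is active in a sudoers text (SHIPPED and REVISED are constructed copies of the two states shown above), so an audit can flag a live NOPASSWD rule before it is saved with visudo.

```shell
#!/bin/sh
# Constructed sudoers excerpts mirroring the "Shipped" and "Revised" states above.
SHIPPED='## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

REVISED='## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# wheel_sudo_state <sudoers-text>
# Prints "none" when no active %wheel rule exists, "password" when wheel
# members must authenticate, and "nopasswd" when the passwordless rule is live.
wheel_sudo_state() {
    # Strip comments (from # to end of line), then keep only active %wheel rules.
    rules=$(printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -E '^[[:space:]]*%wheel[[:space:]]' || true)
    if [ -z "$rules" ]; then
        echo none
    elif printf '%s\n' "$rules" | grep -q 'NOPASSWD'; then
        echo nopasswd
    else
        echo password
    fi
}

wheel_sudo_state "$SHIPPED"   # none
wheel_sudo_state "$REVISED"   # password
```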

