About this Hands-on Lab
System Administrators rarely log into a system as `root`, due to a number of security risks. Some distributions even disable the `root` account to begin with. Restricting the ability to use `root` privileges to selected users is an important part of maintaining a secure system. In this activity, you will learn how to secure the `su` and `sudo` commands by restricting their use to members of the `wheel` group.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
Confirm Your User Is in the wheel Group and Set the /usr/bin/sudo and /usr/bin/su Files so They Can Be Executed by the root User and wheel Group
Use the id and groups commands to confirm your wheel group membership:
id
groups
Use sudo to become the root user:
sudo -i
Run chgrp to set the wheel group as the owner of /usr/bin/sudo and /usr/bin/su:
chgrp wheel /usr/bin/sudo /usr/bin/su
Use chmod to set the most secure permissions, and allow the root user and wheel group to execute sudo and su:
Run ls -l on either of those to confirm.
Use visudo to Confirm, Create, or Uncomment Entry Allowing wheel Group to Use sudo
To modify /etc/sudoers, or to verify that it allows the wheel group to use sudo, use the visudo command:
visudo
We need a line that looks like this:
%wheel ALL=(ALL) ALL
It may already be there, or it may be there and commented out. It’s usually down in the vicinity of the root line. Save changes to the file and exit. Use grep to verify the line is there.
grep wheel /etc/sudoers
Uncomment or Create a Line in /etc/pam.d/su to Require wheel Group Membership for Using the su Command
Using the editor of your choice, uncomment or create an additional "auth" test below the line ending with pam_rootok.so. The line should look like this:
auth required pam_wheel.so use_uid
Create a sysadmin User, Make Them a Member of the wheel Group, Set Their Password, and Verify sysadmin Is Able to Use sudo and su
Create the sysadmin user and make them a member of the wheel group:
useradd -G wheel sysadmin
Running it this way would work too:
useradd sysadmin
usermod -aG wheel sysadmin
Now we can set the sysadmin user password:
passwd sysadmin
Verify sysadmin can execute su and sudo:
Create the sysuser user and do not make them a member of the wheel group:
useradd sysuser
Set the sysuser user password.
passwd sysuser
Verify sysuser cannot execute su and sudo:
su --login sysuser
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit
The sudo and following su commands should have both failed.
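An added example, not part of the lab: a read-only audit of the end state the steps above aim for. The chmod mode is not shown on this page, so the check assumes only that su and sudo remain setuid root (they need it to work, and changing a file's group on Linux can clear the bit), are group wheel with group execute, and grant nothing to others; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the lab): read-only audit of the wheel restrictions.
# Run as root so /etc/sudoers is readable. Function names are hypothetical.

# perms_ok MODE OWNER GROUP
# Assumed target: setuid root, group wheel can execute, others get nothing.
perms_ok() {
    m=$((0$1))                        # stat prints octal, e.g. 4110
    [ "$2" = root ] && [ "$3" = wheel ] &&
    [ $((m & 04000)) -ne 0 ] &&       # setuid bit still present
    [ $((m & 00010)) -ne 0 ] &&       # group execute
    [ $((m & 00007)) -eq 0 ]          # no access for others
}

# sudoers_allows_wheel FILE...: an uncommented "%wheel ALL=(ALL) ALL" line.
sudoers_allows_wheel() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$@" 2>/dev/null
}

# pam_requires_wheel FILE: an uncommented "auth required pam_wheel.so" line.
pam_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$)' "$1"
}

audit_wheel() {
    rc=0
    for f in /usr/bin/su /usr/bin/sudo; do
        # GNU stat: octal mode, owner name, group name
        perms_ok $(stat -c '%a %U %G' "$f") ||
            { echo "FAIL: $f is $(stat -c '%a %U:%G' "$f")"; rc=1; }
    done
    sudoers_allows_wheel /etc/sudoers /etc/sudoers.d/* ||
        { echo "FAIL: no active %wheel rule in sudoers"; rc=1; }
    pam_requires_wheel /etc/pam.d/su ||
        { echo "FAIL: pam_wheel.so not required in /etc/pam.d/su"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: su and sudo are limited to wheel"
    return "$rc"
}

# Only touch the real system when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_wheel; fi
```

A mode such as 750 fails the check because the setuid bit is gone, which is the state in which su and sudo stop working for everyone.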
Additional Resources
In order to make a system more secure, we have been asked to restrict access to the su and sudo commands. Only members of the wheel group should be allowed to run those commands. We'll need to create /etc/sudoers.d/wheel.grp, which will allow wheel group members to use the sudo command.
In addition, only members of the wheel group should be allowed to use the su (switch user) command. Fixing this is a two-step process.
First, we'll need to set the permissions on /usr/bin/su so that only members of the wheel group can execute it.
Next, we have to modify /etc/pam.d/su (the Pluggable Authentication Module file) and require the user to be a member of the wheel group there as well.