Chapter 4. Gaining Privileges
System administrators (and in some cases users) will need to perform certain tasks with administrative access. Accessing the system as
root
is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using the su
and sudo
programs. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 6 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access.
4.1. The su
Command
When a user executes the
su
command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in via the
su
command, the user is the root user and has absolute administrative access to the system[1]. In addition, once a user has become root, it is possible for them to use the su
command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
~]# usermod -a -G wheel
username
In the previous command, replace username with the user name you want to add to the
wheel
group.
You can also use the User Manager to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
- Click themenu on the Panel, point to and then click to display the User Manager. Alternatively, type the command
system-config-users
at a shell prompt. - Click the Users tab, and select the required user in the list of users.
- Clickon the toolbar to display the User Properties dialog box (or choose on the menu).
- Click the Groups tab, select the check box for the wheel group, and then click .
See Section 3.2, “Managing Users via the User Manager Application” for more information about the User Manager.
After you add the desired users to the
wheel
group, it is advisable to only allow these specific users to use the su
command. To do this, you will need to edit the PAM configuration file for su
: /etc/pam.d/su
. Open this file in a text editor and remove the comment (#) from the following line:
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group
wheel
can switch to another user using the su
command.
Note
The
root
user is part of the wheel
group by default.