Chapter 6. Gaining Privileges
System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.
See the Red Hat Enterprise Linux 7 Security Guide for more information on administrative controls, potential dangers and ways to prevent data loss resulting from improper use of privileged access.
6.1. Configuring Administrative Access Using the su Utility
When a user executes the su command, they are prompted for the root password and, after authentication, are given a root shell prompt.
Once logged in using the su command, the user is the root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:
~]# usermod -a -G wheel username
In the previous command, replace username with the user name you want to add to the wheel group. The -a (append) option matters: without it, -G replaces the user's list of supplementary groups instead of adding to it. You can confirm the result with id username.
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
- Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
- To enable making changes, click the Unlock button, and enter a valid administrator password.
- Click a user icon in the left column to display the user's properties in the right pane.
- Change the Account Type from Standard to Administrator. This will add the user to the wheel group.
See Section 4.2, "Managing Users in a Graphical Environment" for more information about the Users tool.
After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the Pluggable Authentication Module (PAM) configuration file for su, /etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the # character:
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group wheel can switch to another user using the su command. The restriction applies to every target user, not only root, and because it is enforced by PAM each time su runs it takes effect immediately, without restarting any service. Leave the nearby line containing pam_wheel.so trust commented out: with the trust option on a sufficient line, wheel members could become root without entering the root password at all. Note also that this setting governs su only; sudo is controlled separately by /etc/sudoers.
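To check whether the restriction described above is actually in force on a host, and which accounts it admits, the following script parses the two files involved. It is an added example, not part of this guide or of PAM. It works from constructed copies of /etc/group and /etc/pam.d/su embedded in the script (the users juan and maria are made up) and reports the wheel members, whether an uncommented auth required pam_wheel.so line exists, and whether the trust variant has been enabled instead.

```python
"""Audit who can use su to become root where pam_wheel restricts su.

Added example, not part of the Red Hat guide or of PAM itself. It reads text in
the formats used on RHEL 7 for /etc/group and /etc/pam.d/su. The two strings
below are constructed samples, not copied from a real system.
"""
import re

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:juan,maria
users:x:100:
"""

SAMPLE_PAM_SU = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
"""


def wheel_members(group_text, group="wheel"):
    """Return the supplementary members of *group* from /etc/group text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def parse_pam(pam_text):
    """Yield (type, control, module, args) for each active (uncommented) rule."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. #%PAM-1.0
        if not line:
            continue
        # The control field may be bracketed, e.g. [success=1 default=ignore].
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4).split()


def audit_su(group_text, pam_text):
    """Summarise the effective su policy from the two files."""
    enforced = False   # an active "auth required/requisite pam_wheel.so"
    trusted = False    # an active "auth sufficient pam_wheel.so trust ..."
    for ptype, control, module, args in parse_pam(pam_text):
        if ptype != "auth" or not module.endswith("pam_wheel.so"):
            continue
        if control in ("required", "requisite"):
            enforced = True
        if control == "sufficient" and "trust" in args:
            trusted = True  # wheel members skip the root password entirely
    return {
        "wheel_members": wheel_members(group_text),
        "restricted_to_wheel": enforced,
        "wheel_bypasses_password": trusted,
    }


if __name__ == "__main__":
    print(audit_su(SAMPLE_GROUP, SAMPLE_PAM_SU))
```

To audit a real host, replace the two sample strings with the contents of the actual files; both are world-readable, so the check does not itself need root. A result with restricted_to_wheel False means any user who knows the root password can su, regardless of wheel membership.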
6.2. Configuring Administrative Access Using the sudo Utility
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:
sudo command
In the above example, command would be replaced by a command normally reserved for the root user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users granted access in the /etc/sudoers configuration file (or in the files it includes from /etc/sudoers.d) are allowed to use the sudo command, and sudo runs the single command it is given as root rather than opening a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file /var/log/messages and the command issued along with the issuer's user name is logged to the file /var/log/secure. If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Configuring the pam_tty_audit PAM module for TTY auditing records only TTY input. This means that, when the audited user logs in, pam_tty_audit records the exact keystrokes the user makes into the /var/log/audit/audit.log file. The auditd service must be running for these records to reach that file, and they can be reviewed with aureport --tty. For more information, see the pam_tty_audit(8) manual page.
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command. It locks the file against concurrent edits and warns about syntax errors before the file is saved, which matters because a malformed /etc/sudoers stops sudo from working for everyone; visudo -c checks the current file without editing it.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user, juan, can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/usr/sbin/shutdown -h now
This example states that any member of the users system group can issue the command /usr/sbin/shutdown -h now, and only with exactly those arguments. The host field is matched against the name of the host on which sudo runs, not against where the user is logged in from, so as written the rule applies only on a host whose name is localhost; use ALL, or a list of host names, for a policy file shared across several machines.
The man page for sudoers has a detailed listing of options for this file.
You can also configure sudo users who do not need to provide any password by using the NOPASSWD option in the /etc/sudoers file:
user_name ALL=(ALL) NOPASSWD: ALL
However, even for such users, sudo still runs the Pluggable Authentication Module (PAM) account management modules, which enforce restrictions that are independent of the authentication phase. For example, a time-of-day restriction configured in the pam_time module still applies to a NOPASSWD user, and the command is refused outside the permitted hours. Keep in mind that NOPASSWD also removes the password check from a compromised session: anyone who can run commands as that user can run the listed commands as root, so grant it for specific commands rather than ALL wherever possible.
Always include sudo in the list of allowed services in all PAM-based access control rules. Otherwise, users will receive a "permission denied" error message when they try to access sudo but access is forbidden based on current access control rules.
For more information, see the Red Hat Knowledgebase article After patching to Red Hat Enterprise Linux 7.6, sudo gives a permission denied error.
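To make the three rule forms above concrete (the juan ALL=(ALL) ALL line, the %users localhost= command line, and NOPASSWD:), the following script evaluates a small sudoers file the way sudo does for a given user, host, target user and command. It is an added example, not code from this guide or from sudo itself, and it covers only the subset of sudoers syntax shown in this section: a user or %group, a host list, an optional (runas) list, NOPASSWD:/PASSWD: tags, and commands with or without arguments. Aliases, wildcards, netgroups and Defaults are not handled. The sudoers text, the group table and the users in it (juan, maria, pat, backup) are constructed.

```python
"""Evaluate a subset of /etc/sudoers rules: user/%group, hosts, (runas),
NOPASSWD:/PASSWD: tags, and commands with or without arguments.

Added example, not the Red Hat guide's or sudo's own code. Use visudo -c to
validate a real file; this only shows what a rule grants.
"""
import re
import shlex

# Constructed sample mirroring the rules discussed in this section.
SAMPLE_SUDOERS = """\
## constructed sample
Defaults    requiretty
%wheel  ALL=(ALL)       ALL
juan    ALL=(ALL)       ALL
%users  localhost=/usr/sbin/shutdown -h now
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync, /usr/bin/passwd ""
"""

# Constructed group table: group name -> members (as in /etc/group).
SAMPLE_GROUPS = {"wheel": ["maria"], "users": ["juan", "pat"]}


def parse_sudoers(text):
    """Return a list of rule dicts from sudoers text (subset, see docstring)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops #include lines
        if not line or line.startswith("Defaults"):
            continue
        who, _, rhs = line.partition("=")
        fields = who.split()
        user, hosts = fields[0], fields[1:]
        rhs = rhs.strip()
        runas = ["root"]                       # sudoers default without (runas)
        m = re.match(r"\(([^)]*)\)\s*(.*)", rhs)
        if m:
            runas = [u.strip() for u in m.group(1).split(",")]
            rhs = m.group(2)
        nopasswd = False
        for cmd in [c.strip() for c in rhs.split(",")]:
            # A tag applies to this command and every later one in the list.
            while True:
                tag, sep, rest = cmd.partition(":")
                if sep and tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
                    cmd = rest.strip()
                else:
                    break
            rules.append({"user": user, "hosts": hosts, "runas": runas,
                          "nopasswd": nopasswd, "cmd": cmd})
    return rules


def _cmd_matches(spec, argv):
    """Does a sudoers command spec permit argv (full path plus arguments)?"""
    if spec == "ALL":
        return True
    parts = shlex.split(spec)          # shlex keeps the "" that forbids args
    if parts[0] != argv[0]:
        return False
    if len(parts) == 1:
        return True                    # no args in sudoers: any args allowed
    if parts[1:] == [""]:
        return len(argv) == 1          # explicit "": no arguments permitted
    return parts[1:] == argv[1:]       # otherwise arguments must match exactly


def check(rules, groups, user, host, argv, target="root"):
    """Return (allowed, password_required); the last matching rule wins."""
    allowed, need_pw = False, True
    for r in rules:
        if r["user"].startswith("%"):
            if user not in groups.get(r["user"][1:], []):
                continue
        elif r["user"] not in ("ALL", user):
            continue
        if "ALL" not in r["hosts"] and host not in r["hosts"]:
            continue
        if "ALL" not in r["runas"] and target not in r["runas"]:
            continue
        if not _cmd_matches(r["cmd"], argv):
            continue
        allowed, need_pw = True, not r["nopasswd"]
    return allowed, need_pw


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, host, argv in [
        ("juan", "web1", ["/bin/bash"]),
        ("pat", "localhost", ["/usr/sbin/shutdown", "-h", "now"]),
        ("pat", "web1", ["/usr/sbin/shutdown", "-h", "now"]),
        ("backup", "web1", ["/usr/bin/passwd", "root"]),
    ]:
        print(user, host, argv, check(rules, SAMPLE_GROUPS, user, host, argv))
```

Two details worth noticing when you run it: pat's shutdown rule matches on the host named localhost only, and with exactly the arguments -h now; and backup's passwd "" entry permits the command without arguments, which in the real sudoers language is the way to forbid /usr/bin/passwd root.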
There are several potential risks to keep in mind when using the sudo command. You can reduce them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.
By default, sudo stores the password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves their workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:
Defaults timestamp_timeout=value
where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time. A user can also discard the cached credential immediately with sudo -k.
If an account is compromised, an attacker can use sudo to open a new shell with administrative privileges:
sudo /bin/bash
Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed. The same applies to sudo -i, sudo -s and sudo su -, and to any permitted command that can start a shell from within itself, such as an editor. Such invocations appear in /var/log/secure as an entry with COMMAND=/bin/bash (or the equivalent shell path), which makes them worth alerting on.
6.3. Additional Resources
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
Installed Documentation
- su(1) — The manual page for su provides information regarding the options available with this command.
- sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.
- sudoers(5) — The manual page describing the format and options of the /etc/sudoers file.
- pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
Online Documentation
- Red Hat Enterprise Linux 7 Security Guide — The Security Guide for Red Hat Enterprise Linux 7 provides a more detailed look at potential security issues pertaining to the setuid programs as well as techniques used to alleviate these risks.
See Also
- Chapter 4, Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.