Enabling su/sudo Access with Wheel Group

About this Hands-on Lab

System Administrators rarely log into a system as `root`, due to a number of security risks. Some distributions even disable the `root` account to begin with. Restricting the ability to use `root` privileges to selected users is an important part of maintaining a secure system. In this activity, you will learn how to secure the `su` and `sudo` commands by restricting their use to members of the `wheel` group.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Confirm Your User Is in the wheel Group and Set the /usr/bin/sudo and /usr/bin/su Files so They Can Be Executed by the root User and wheel Group
Use the id and groups commands to confirm your wheel group membership:

id
groups

Use sudo to become the root user:

sudo -i

Run chgrp to set the wheel group as the owner of /usr/bin/sudo and /usr/bin/su:

chgrp wheel /usr/bin/sudo /usr/bin/su

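Use chmod to set the most restrictive permissions that still allow the root user and wheel group to execute sudo and su (mode 4110: setuid bit, execute-only for the owner and the group, no access for anyone else):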

chmod 4110 /usr/bin/sudo /usr/bin/su

Run ls -l on either file to confirm.

Use visudo to Confirm, Create, or Uncomment Entry Allowing wheel Group to Use sudo
To verify that /etc/sudoers allows the wheel group to use sudo, or to modify it so that it does, use the visudo command:

visudo

We need a line that looks like this:

%wheel  ALL=(ALL)       ALL

It may already be there, or it may be there and commented out. It’s usually down in the vicinity of the root line. Save changes to the file and exit. Use grep to verify the line is there.

grep wheel /etc/sudoers

Uncomment or Create a Line in /etc/pam.d/su to Require wheel Group Membership for Using the su Command
Using the editor of your choice, uncomment or create an additional “auth” test below the line ending with pam_rootok.so. The line should look like this:

auth            required        pam_wheel.so use_uid

Create a sysadmin User, Make Them a Member of the wheel Group, Set Their Password, and Verify sysadmin Is Able to Use sudo and su
Create the sysadmin user and make them a member of the wheel group:

useradd -G wheel sysadmin

Running it this way would work too:

useradd sysadmin
usermod -aG wheel sysadmin

Now we can set the sysadmin user password:

passwd sysadmin

Verify sysadmin can execute su and sudo:

su - sysadmin
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

Create a User, sysuser, Who Is Not a Member of the wheel Group, Set Their Password, and Verify That They Are Not Able to Use sudo and su
Create the sysuser user and do not make them a member of the wheel group:

useradd sysuser

Set the sysuser user password:

passwd sysuser

Verify sysuser cannot execute su and sudo:

su --login sysuser
sudo tail -n1 /etc/shadow
su -l cloud_user
exit
exit

Both the sudo command and the su command that follows it should have failed.
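
To check the finished configuration in one pass, the script below is an added example and not part of the original lab. It accepts only active lines, because a plain grep for wheel also matches a line that is still commented out. The function names are hypothetical, and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example: audit the lab's end state. The paths, mode and config lines
# come from the lab; the function names are hypothetical.

# True if FILE has an active (uncommented) "%wheel ALL=(ALL) ALL" rule.
wheel_sudoers_active() {
    awk '$1 == "%wheel" && $2 == "ALL=(ALL)" && $3 == "ALL" && NF == 3 { ok = 1 }
         END { exit !ok }' "$1"
}

# True if FILE has an active "auth required pam_wheel.so use_uid" line that
# sits below any pam_rootok.so line, as the lab instructs.
pam_wheel_required() {
    awk '$1 ~ /^#/ { next }
         /pam_rootok\.so/ { rootok = NR }
         $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
             for (i = 4; i <= NF; i++) if ($i == "use_uid" && !wheel) wheel = NR
         }
         END { exit !(wheel && wheel > rootok) }' "$1"
}

# True if FILE has exactly octal MODE and group GROUP (assumes GNU stat).
binary_locked_down() {
    [ "$(stat -c '%a %G' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Run every check against the real system; needs root to read /etc/sudoers.
audit_wheel_lab() {
    local rc=0 bin
    for bin in /usr/bin/sudo /usr/bin/su; do
        binary_locked_down "$bin" 4110 wheel || { echo "FAIL: $bin mode/group"; rc=1; }
    done
    wheel_sudoers_active /etc/sudoers || { echo "FAIL: no active %wheel rule"; rc=1; }
    pam_wheel_required /etc/pam.d/su || { echo "FAIL: pam_wheel not enforced for su"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: su and sudo are restricted to wheel"
    return "$rc"
}

# Only touch the live system when asked to: ./audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_wheel_lab; fi
```

Save it under any name and run it as root with the --run argument; each failed check prints a FAIL line and the exit status is non-zero.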