Mastering Linux Security and Hardening
上QQ阅读APP看书,第一时间看更新

Adding users to a predefined admin group

The first method, which is the simplest, is to add users to a predefined administrators group and then, if it hasn't already been done, to configure the sudo policy to allow that group to do its job. It's simple enough to do except that different Linux distribution families use different admin groups.

On Unix, BSD, and most Linux systems, you would add users to the wheel group. (Members of the Red Hat family, including CentOS, fall into this category.) When I do the groups command on either of my CentOS machines, I get this:

[donnie@localhost ~]$ groups
donnie wheel
[donnie@localhost ~]$

This shows that I'm a member of the wheel group. By doing sudo visudo, I'll open the sudo policy file. Scrolling down, we'll see the line that gives the wheel group its awesome power:

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

The percent sign indicates that we're working with a group. The three appearances of ALL means that members of that group can perform any command, as any user, on any machine in the network on which this policy is deployed. The only slight catch is that group members will be prompted to enter their own normal user account passwords in order to perform a sudo task. Scroll down a bit more and you'll see the following:

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

If we were to comment out the %wheel line in the former snippet and remove the comment symbol from in front of the %wheel line in this snippet, then members of the wheel group would be able to perform all of their sudo tasks without ever having to enter any password. That's something that I really don't recommend, even for home use. In a business setting, allowing people to have password-less sudo privileges is a definite no-no.


To add an existing user to the wheel group, use usermod with the -G option. You might also want to use the -a option, in order to prevent removing the user from other groups to which he or she belongs. For our example, let's add Maggie:

sudo usermod -a -G wheel maggie

You can also add a user account to the wheel group as you create it. Let's do that now for Frank:

sudo useradd -G wheel frank
Note that, with my usage of useradd, I'm assuming that we're working with a member of the Red Hat family, which comes with predefined default settings to create user accounts. For non-Red Hat-type distributions that use the wheel group, you'd need to either reconfigure the default settings or use extra option switches in order to create the user's home directory and to assign the correct shell. Your command then would look something like this:

sudo useradd -G wheel -m -d /home/frank -s /bin/bash frank

For members of the Debian family, including Ubuntu, the procedure is the same, except that you would use the sudo group instead of the wheel group. (This kind of figures, considering that the Debian folk have pretty much always marched to the beat of a different drum.)

One way in which this technique would come in handy is whenever you need to create a virtual private server on a cloud service, such as Rackspace, DigitalOcean, or Vultr. When you log in to one of those services and initially create your virtual machine, the cloud service will have you log in to that virtual machine as the root user. (This even happens with Ubuntu, even though the root user account is disabled whenever you do a local installation of Ubuntu.)

The first thing that you'll want to do in this scenario is to create a normal user account for yourself and give it full sudo privileges. Then, log out of the root account and log back in with your normal user account. You'll then want to disable the root account with this command:

sudo passwd -l root

You'll also want to do some additional configuration to lock down Secure Shell access, but we'll cover that in Chapter 6, SSH Hardening.