My post on the importance and methods of wheel groups remains popular. I thought I would go into various UNIX variants and detail specifically how to activate wheel groups.
Today, the discussion is around Red Hat Linux (speaking generally). The test system was running Fedora Core 5; however, this area of Red Hat has not changed in quite some time, so it is likely to be the same in Fedora 7 and so forth.
First, make sure there is a wheel group in the /etc/group file. On Fedora Core 5, there is:
wheel:x:10:root
If this line does not exist, add it.
Of course, you must put users that you want to be admins into the wheel group. To do this, add the user to the end of the wheel group line. This will make the wheel group a secondary group; I don’t know if that will make a difference today, but it might somewhere.
Second, change into the /etc/pam.d directory, and edit the file su. This file controls the access to the program su and modifies its behaviors during the authentication process. The change will modify the access so that only those in the wheel group have access to the program su.
Find these lines in /etc/pam.d/su:
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
And change them (as suggested) to this:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
This access restriction is not inherently limited to the su command, but su is normally the only command configured this way. If there are other commands that only wheel group members should be able to run, the same line can be added to their PAM configuration files (in the right place in the auth stack).
Note that editing PAM files can very easily lock you out of your machine completely; do not take editing the files in /etc/pam.d lightly. The Red Hat-authored wheel group change is simple and easy; other changes you make may not be.
Then grant sudo access to wheel group members. Edit the configuration file with visudo and change these lines:
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
To this (as recommended):
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
This will allow anyone in the wheel group to execute commands using sudo (rather than having to add each person one by one). It also grants that access on any machine where they are a member of the wheel group.
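As an added check that is not part of the original post: the script below audits the three settings described above (the wheel entry in group, the pam_wheel line in pam.d/su and the %wheel rule in sudoers) against a directory laid out like /etc. The helper names and the sample "before" and "after" trees are my own constructions; pointing audit_tree at /etc inspects a real system read-only.

```shell
#!/bin/sh
# Audit the wheel setup the post describes. Helper names are assumptions made
# here; the sample trees at the bottom are constructed so nothing in /etc is read
# or changed unless you call audit_tree /etc yourself.

wheel_members() {          # $1 = group file, $2 = group name; prints the member list
    awk -F: -v g="$2" '$1 == g { print $4; f = 1 } END { exit !f }' "$1"
}

pam_wheel_group() {        # $1 = pam su file; prints the group pam_wheel enforces
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1") || return 1
    g=$(printf '%s\n' "$line" | sed -n 's/.*group=\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${g:-wheel}"   # pam_wheel falls back to "wheel" when group= is absent
}

sudoers_wheel_enabled() {  # $1 = sudoers file; true only if the %wheel rule is uncommented
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$1"
}

audit_tree() {             # $1 = etc-like directory; returns 0 only when all three are set
    rc=0
    members=$(wheel_members "$1/group" wheel) || { echo "no wheel group in $1/group"; rc=1; }
    [ -n "$members" ] || { echo "wheel group has no members"; rc=1; }
    g=$(pam_wheel_group "$1/pam.d/su") && echo "su restricted to group: $g" \
        || { echo "pam_wheel.so not active in $1/pam.d/su"; rc=1; }
    sudoers_wheel_enabled "$1/sudoers" && echo "sudoers %wheel rule enabled" \
        || { echo "%wheel rule still commented in $1/sudoers"; rc=1; }
    return $rc
}

make_tree() {              # $1 = dir, $2 = comment prefix ("# " or ""), $3 = wheel members
    mkdir -p "$1/pam.d"    # constructed sample files mirroring the stock Red Hat ones
    printf 'root:x:0:\nwheel:x:10:%s\n' "$3" > "$1/group"
    printf '# Uncomment the following line to require a user to be in the "wheel" group.\n%sauth required pam_wheel.so use_uid\n' "$2" > "$1/pam.d/su"
    printf '# Uncomment to allow people in group wheel to run all commands\n%s%%wheel ALL=(ALL) ALL\n' "$2" > "$1/sudoers"
}

tmp=$(mktemp -d)
make_tree "$tmp/before" "# " root          # stock files: everything still commented out
make_tree "$tmp/after" "" "root,alice"     # the post's edits applied, alice added to wheel
for t in before after; do
    echo "== $t"; audit_tree "$tmp/$t" || echo "== $t: not compliant"
done
rm -rf "$tmp"
```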
Today I am running Fedora 11 and am wondering if the above method you give here is still a good way to do things as opposed to simply doing the following:
su -
echo ' ALL=(ALL) ALL' >> /etc/sudoers
Still works. I’m running CentOS 5 now. If you look at the sudoers file – with visudo – you’ll find a line for the wheel group. Uncomment it and voila.
If you want to, you can then also go into /etc/pam.d and edit the su file, activating the proper line for restricting su access to the wheel group.
You don’t have to use the “wheel” group. You can use any group you want by adding “group=” in the line in /etc/pam.d/su. Assuming your admins are all part of the “admin_group”, this would be the syntax:
auth required pam_wheel.so use_uid group=admin_group
Also, if you have users who need to su to other non-root users, but you don’t want them to be able to su to root at all, you can accomplish this by adding the “root_only” argument in the same file above.
auth required pam_wheel.so use_uid group=admin_group root_only
We have generic users for applications that others need to use but we don’t want them to even be able to access root even if they wanted to. We have been using the config with both “group=” and “root_only” for quite some time now. I’ve successfully tested this in both SuSE and RedHat.