I am just a little bit confused here. When you are asked to give a user sudo access to the machine, should I just add the user to the wheel group?
# usermod -aG wheel bob
Or let's say there is no wheel group or it is deleted for some reason. Then how can I grant bob sudo access to the machine? When I did
# which sudo
I get the result: /usr/bin/sudo
So can I do the following line then:
bob ALL=/usr/bin/sudo
But then I changed to user bob after and tried to execute
# sudo iptables -L
and then it gives me that error message:
Sorry, user bob is not allowed to execute '/sbin/iptables -L' as root
And so I am not sure how to give sudo access to the machine to a user if the group wheel is not there. And according to my knowledge
bob ALL=ALL ALL
basically makes bob have the same power as root, which is not good, right?
Another question I have is how to make all users on the system able to execute the last command. Do I have to create a group and then add all users to this group or is there another way?
Best Answer
When the wheel group membership gives a user full root access through sudo, it is normally configured like this in the /etc/sudoers file:
Meaning: "any members of group wheel on ALL hosts can sudo to ALL user accounts to run ALL commands." So it's exactly the same as your "bad" line:
If you want to give a user (or a group) full access to a specific other user account and nothing else, you can do it this way:
Then, the user(s) can do
to quickly execute individual commands as the target user, or
to get a shell as the target user, with the exact same environment the target user would get when logging in directly.
For historical reasons, some people reflexively use
for the second purpose. This would require giving the user(s) in question at least access to run the `
command as root, and it will be more difficult to piece together from the logs what the user actually did. This command was useful back when sudo did not have the -i option, but I think that option has been there for about 15 years by now.
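
An added example (not part of the original question or answer) of a sudoers drop-in that puts the kinds of rule discussed above side by side. The file name `/etc/sudoers.d/bob`, the target account `appuser` and the group `fwview` are assumptions, and it assumes the main sudoers file includes the `/etc/sudoers.d` directory.

```sudoers
# /etc/sudoers.d/bob  (hypothetical file name; edit with: visudo -f /etc/sudoers.d/bob)
# Rule format:  who  host = (run-as user)  command list

# The rule from the question. It only lets bob run /usr/bin/sudo itself as root,
# so "sudo iptables -L" is refused: /sbin/iptables is not in the command list.
#bob     ALL = /usr/bin/sudo

# Full root-equivalent access without relying on a wheel group:
# any host, any run-as user, any command.
#bob     ALL = (ALL) ALL

# Least privilege: bob may run exactly "iptables -L" as root and nothing else.
# Arguments listed in a rule must match what the user types.
bob      ALL = (root) /sbin/iptables -L

# Same command for several users through a group (hypothetical group "fwview").
# Add users with: usermod -aG fwview <user>
%fwview  ALL = (root) /sbin/iptables -L

# Full access to one specific account only (hypothetical account "appuser").
# bob can then use "sudo -u appuser <command>" or "sudo -i -u appuser".
bob      ALL = (appuser) ALL
```

Check the file with `visudo -cf /etc/sudoers.d/bob` before relying on it, since a syntax error in sudoers can stop sudo from working for everyone.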