Sudo access vs wheel group

Tags: group, permissions, sudo, users

I am just a little bit confused here. When you are asked to give a user sudo access to the machine, should I just add the user to the wheel group?

# usermod -aG wheel bob

Or let's say there is no wheel group or it is deleted for some reason.

Then how can I grant bob sudo access to the machine? When I did

# which sudo

I get the result: /usr/bin/sudo

So can I do the following line then:

bob     ALL=/usr/bin/sudo

But then I changed to user bob after and tried to execute

# sudo iptables -L

and then it gives me that error message:

Sorry, user bob is not allowed to execute '/sbin/iptables -L' as root

And so I am not sure how to give sudo access to the machine to a user if the group wheel is not there. And according to my knowledge

bob       ALL=ALL    ALL

basically makes bob have the same power as root, which is not good, right?

Another question I have is how to make all users on the system able to execute the last command. Do I have to create a group and then add all users to this group or is there another way?

Best Answer

When the wheel group membership gives a user full root access through sudo, it is normally configured like this in the /etc/sudoers file:

%wheel    ALL=(ALL) ALL

Meaning: "any members of group wheel on ALL hosts can sudo to ALL user accounts to run ALL commands." So it's exactly the same as your "bad" line:

bob      ALL=(ALL) ALL

If you want to give a user (or a group) full access to a specific other user account and nothing else, you can do it this way:

user     ALL=(targetuser) ALL
# or
%group   ALL=(targetuser) ALL

Then, the user(s) can do

$ sudo -u targetuser command

to quickly execute individual commands as the target user, or

$ sudo -iu targetuser

to get a shell as the target user, with the exact same environment the target user would get when logging in directly.

For historical reasons, some people reflexively use

sudo su - targetuser

for the second purpose. This would require giving the user(s) in question at least access to run the

su - targetuser

command as root, and it will be more difficult to piece together from the logs what the user actually did. This command was useful back when sudo did not have the -i option, but I think that option has been there for about 15 years by now.
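The following script is an added example, not part of the answer above: it turns the answer's `user ALL=(targetuser) ALL` / `%group ALL=(targetuser) ALL` rule into a sudoers drop-in file, rejects names that would break the one-line grammar, checks the syntax with `visudo -cf` when visudo is installed, and only then moves the file into place with the 0440 mode sudo expects. The account names (`bob`, `www-data`, `%ops`) and the target directory argument are constructed for the example; in production the directory is `/etc/sudoers.d`, which assumes the usual `#includedir /etc/sudoers.d` (or `@includedir`) line is present in `/etc/sudoers`.

```shell
#!/bin/sh
# Added example (not from the original answer). Grants one user or one
# group the right to run any command as ONE target account, nothing more.
set -eu

# sudoers_rule <who> <targetuser>
#   <who> is a user name, or a group name prefixed with '%'.
#   Prints the rule in the form the answer describes: who ALL=(target) ALL
sudoers_rule() {
  who=$1; target=$2
  # Names must be plain identifiers; whitespace, '=' or ':' would change the
  # meaning of the line (this is how the asker's broken line came about).
  case "$who$target" in
    ''|*[!A-Za-z0-9._%-]*) printf 'sudoers_rule: bad name\n' >&2; return 1 ;;
  esac
  printf '%s ALL=(%s) ALL\n' "$who" "$target"
}

# write_dropin <dir> <filename> <who> <targetuser>
#   Writes the rule to <dir>/<filename> with mode 0440. The file is built under
#   a temporary name and syntax-checked first, so a typo never replaces a
#   working file. <dir> is /etc/sudoers.d on a real host (constructed here).
write_dropin() {
  dir=$1; file=$2; who=$3; target=$4
  # sudo ignores drop-in names containing '.' or ending in '~'
  case "$file" in *.*|*~) printf 'write_dropin: bad file name\n' >&2; return 1 ;; esac
  tmp=$(mktemp "$dir/tmpXXXXXX")
  sudoers_rule "$who" "$target" > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    # -c: check only, -f: check this file instead of /etc/sudoers
    visudo -cf "$tmp" >/dev/null
  fi
  mv "$tmp" "$dir/$file"
  printf '%s\n' "$dir/$file"
}

# Demo with constructed names and a scratch directory standing in for /etc/sudoers.d
if [ "${0##*/}" != "sh" ] && [ -z "${SUDOERS_DEMO_QUIET:-}" ]; then
  demo=$(mktemp -d)
  write_dropin "$demo" bob-as-www bob www-data
  sudoers_rule %ops postgres
fi
```

After installing the real file, `sudo -l -U bob` lists what bob may now run. Note that the last field of a rule is the command the user may execute and the parenthesised field is the account it runs as, so a line whose command field is `/usr/bin/sudo` only permits running sudo itself and does not grant any other command.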
