I am working on standardizing the sudo access in our environment. To begin with, I am understanding the current setup.
Currently, we use `sudo bash` to get into the root shell without typing any passwords. I understand that giving sudo access on individual commands is recommended but at least for now, I wanted a mechanism where we type our password and then get a root shell.
To re-iterate, `sudo bash` or `sudo -s` works fine but when I typed `sudo su -`, it prompted for my password and once I typed it, it gave me a message 'Sorry, user <username> is not allowed to execute '/bin/su -' as root on <server name>'. This got me curious to see how `sudo bash` is working.
In `/etc/sudoers` file, I see two lines relevant in this context:
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
And I am not part of the `%wheel` group. `admin` is my default group in `/etc/passwd` and `admin` group isn't part of `wheel` group in `/etc/group`. So, to make `sudo su -` work, I added the below line to the `sudoers` file and it worked.
%admin ALL=(ALL) ALL
But I am not able to understand:
- How is `sudo bash` working for everyone?
- Is everyone part of the `wheel` group by default?
Please let me know if I am missing something here. Also, if there are better ways to do things.
OS: CentOS 7.2 (Red Hat family)
It turns out there are certain files in `/etc/sudoers.d` and that's how `sudo bash` was working but I thought it was commented out... Thanks.
#includedir /etc/sudoers.d
`sudoers` file? – Kusalananda Aug 25 '17 at 11:50
`#includedir /etc/sudoers.d` From the sudoers man page: – Ram Kumar Aug 25 '17 at 11:51
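
Added example (not part of the original thread): in sudoers syntax `#include` and `#includedir` are directives rather than comments, so rules in `/etc/sudoers.d` apply even though the line starts with `#`. The sketch below follows those directives and lists which file grants a user or group anything. The drop-in file `90-admins`, its contents and the user `alice` are constructed for illustration, and aliases and line continuations are not resolved.

```python
import os
import re
import tempfile

# '#include' / '#includedir' are directives; sudo 1.9.1+ also accepts '@'.
INCLUDE = re.compile(r"^[#@](includedir|include)\s+(\S+)")

def active_lines(path, root=""):
    """Yield (file, line) for each non-comment line, following include directives."""
    with open(root + path) as fh:
        for raw in fh:
            line = raw.strip()
            m = INCLUDE.match(line)
            if m and m.group(1) == "include":
                yield from active_lines(m.group(2), root)
            elif m:
                directory = m.group(2)
                for name in sorted(os.listdir(root + directory)):
                    # sudo ignores names that end in '~' or contain a '.'
                    if not name.endswith("~") and "." not in name:
                        yield from active_lines(f"{directory}/{name}", root)
            elif line and not line.startswith("#"):
                yield path, line

def grants_for(user, groups, path="/etc/sudoers", root=""):
    """Return (file, line) pairs whose first field names the user, a group or ALL."""
    subjects = {user, "ALL"} | {"%" + g for g in groups}
    return [(f, l) for f, l in active_lines(path, root) if l.split()[0] in subjects]

def build_sample_tree():
    """Constructed sample: main file as on the page, plus a hypothetical drop-in."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/etc/sudoers.d")
    files = {
        "/etc/sudoers": "# main file\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n"
                        "#includedir /etc/sudoers.d\n",
        "/etc/sudoers.d/90-admins": "%admin ALL=(ALL) NOPASSWD: /bin/bash\n",
        "/etc/sudoers.d/90-admins.bak": "%admin ALL=(ALL) ALL\n",  # skipped: has '.'
    }
    for name, text in files.items():
        with open(root + name, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    for source, rule in grants_for("alice", ["admin"], root=build_sample_tree()):
        print(f"{source}: {rule}")
```

On a live host, `sudo -l -U <user>` run as root reports the policy sudo itself evaluates and is the authoritative check; the script only shows which file a rule comes from.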