Notes about Administrator Users in CentOS/RHEL 7
1. To prevent users (including yourself!) from logging in directly as root, you can set root's shell in the /etc/passwd file to /sbin/nologin.
2. To limit which users can run the su command, add administrators to the admin group named "wheel" (-a appends, so the user's other supplementary groups are kept):
# usermod -aG wheel behnam
Then allow only these admin users to run su. Edit the PAM config file for su, located at /etc/pam.d/su, and uncomment the following line by removing the hash mark:
auth required pam_wheel.so use_uid
3. Only the users listed in the /etc/sudoers file can use the sudo command.
Note: Each successful authentication by sudo will be logged to /var/log/messages, and the command issued by the user will be logged to the /var/log/secure logfile.
The main advantage of sudo is that different users can be given access to only specific commands based on their permissions. To set this up, edit /etc/sudoers with the visudo command.
For example, to give a user full privileges, run visudo and add the following line in the user privilege section:
behnam ALL=(ALL) ALL
This means behnam can now use the sudo command from any host and can execute any command.
Or add the following line to the sudoers file in /etc:
%users localhost=/sbin/shutdown -r now
Any member of the users group can run /sbin/shutdown -r now as long as it is entered through the console.
In CentOS, sudo caches the sudoer's credentials for just 5 minutes. If you use sudo again during this period, it will not prompt for a password. This setting can be changed by adding the following line to the sudoers file in /etc:
Defaults timestamp_timeout=value
Setting the value to 0 causes sudo to require a password every time.
Very important: If a user account with sudoer privileges is compromised, the attacker/cracker can use sudo to open a new shell with full rights by typing the following command:
# sudo /bin/bash
Opening such a shell as root gives the attacker/cracker administrative access forever!
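The settings covered in these notes can be checked with a short read-only script. This is an added example, not part of the original notes: the function names are hypothetical and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read-only checks for the settings discussed in these notes.
# Each function takes a file path, so it works on copies as well as live files.

# Print root's login shell from a passwd-format file.
root_shell() { awk -F: '$1 == "root" { print $7 }' "$1"; }

# Succeed only if the pam_wheel line in a su PAM file is not commented out.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]|$)' "$1"
}

# Print the timestamp_timeout set in a sudoers file, or "default" if unset.
sudo_timeout() {
    t=$(sed -n 's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*\([-0-9.]*\).*/\1/p' "$1" | tail -n 1)
    echo "${t:-default}"
}

# Print users and %groups whose rule ends in an unrestricted ALL command list,
# i.e. accounts that could start a root shell through sudo if compromised.
# Line-based heuristic: aliases and #includedir files are not expanded.
full_sudoers() {
    awk '/^[ \t]*(#|Defaults)/ { next }
         /[ \t=,:)]ALL[ \t]*$/ { print $1 }' "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' \
              'behnam:x:1000:1000::/home/behnam:/bin/bash' > "$demo/passwd"
printf '%s\n' 'auth sufficient pam_rootok.so' \
              '#auth required pam_wheel.so use_uid' > "$demo/su"
printf '%s\n' 'Defaults timestamp_timeout=0' \
              'root ALL=(ALL) ALL' \
              'behnam ALL=(ALL) ALL' \
              '%users localhost=/sbin/shutdown -r now' > "$demo/sudoers"

echo "root shell:          $(root_shell "$demo/passwd")"
if su_requires_wheel "$demo/su"; then echo "su limited to wheel: yes"
else echo "su limited to wheel: no (pam_wheel line is commented out)"; fi
echo "sudo timeout (min):  $(sudo_timeout "$demo/sudoers")"
echo "unrestricted sudo:   $(full_sudoers "$demo/sudoers" | tr '\n' ' ')"
```

Pointed at /etc/passwd, /etc/pam.d/su and /etc/sudoers on a real host (the last needs root to read), the same functions report the live settings.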