By Philip Knerr
Some tasks for system administration of an Amazon EC2 instance require superuser privileges. Superuser privileges bypass all authorization checks, thus allowing the user to perform any task which is possible on the system.
Superuser privileges are available when authenticated as the special user named root. However, each individual who needs access to an Amazon EC2 instance should ideally have their own account. Sharing access to the root account is suboptimal because if multiple people sign in directly as root, it is difficult to know which of them performed a given action. In fact, Linux systems usually disallow signing in directly to the root account.
Instead, the Linux operating system provides a way to grant superuser privileges to individual accounts, so that the specified accounts can execute some or all commands with superuser privileges.
The context and caveats in the Foreword apply to this article.
This information is current as of July 13, 2017.
This article assumes you have already instantiated an Amazon EC2 instance. It also assumes you have already created one or more users who should be granted superuser privileges.
Granting superuser privileges to the wheel group
Users in a Linux system generally belong to one or more groups. Groups allow creating categories of users who have a similar role in the system. It is possible to grant privileges to an entire group so that the privileges are applied to all users in the group.
The Linux operating system has a special group named wheel. The wheel group is intended for all users who should be granted superuser privileges upon request. The wheel group will normally exist upon installing Linux, so you normally will not need to create it, although you may if it does not already exist.
However, the Sudoers configuration needs to be updated for this access to actually be granted to the wheel group and its users. The Sudoers configuration is specified in the file /etc/sudoers, but this file should not be edited directly. Instead, edit the Sudoers configuration by executing the following command:
sudo visudo
By default, this command will edit the Sudoers configuration using the vi text editor. vi is relatively difficult to use, so you can optionally specify another text editor by executing the following command instead, where <editor-command> is the command which would normally open your preferred editor:
sudo VISUAL=<editor-command> visudo
For example, to edit the Sudoers configuration using the nano text editor, you could execute the following command:
sudo VISUAL=nano visudo
In this file, find the following line:
# %wheel ALL=(ALL) NOPASSWD: ALL
Uncomment this line by removing the # symbol and the space character that follows it.
N.B. There is a similar line which requires a password. If every account which should have superuser privileges also has a password, you can uncomment that line instead. Otherwise, uncommenting that line is not useful, because users would be required to enter their passwords upon requesting superuser privileges, which is impossible for users without passwords.
Then, save the file as usual.
Now, any user who belongs to the wheel group can request superuser privileges.
This step only needs to be completed once per system.
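The following script is an added example and is not part of the original article. It shows how to confirm which %wheel rule is active in a file in sudoers format, working on a copy rather than on /etc/sudoers itself (the live edit still goes through visudo, as described above). The sample file contents, and the function names sample_sudoers, wheel_rule, enable_wheel, check_syntax and show_grants, are this example's own; visudo -c -f and sudo -l -U are standard options of those tools.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a sudoers-format
# file and report whether the wheel group has been granted superuser
# privileges, and whether a password is required. Works on a copy only.

# sample_sudoers FILE: write a constructed sample (not a real /etc/sudoers)
# containing both %wheel lines commented out, plus unrelated lines.
sample_sudoers() {
    printf '%s\n' \
        'Defaults    requiretty' \
        'root    ALL=(ALL)       ALL' \
        '## Allows people in group wheel to run all commands' \
        '# %wheel  ALL=(ALL)       ALL' \
        '## Same thing without a password' \
        '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$1"
}

# wheel_rule FILE: print "nopasswd" if the passwordless %wheel rule is
# uncommented, "passwd" if only the password-requiring rule is, and "none"
# if neither. Commented lines begin with '#', so they never match '^%wheel'.
wheel_rule() {
    if grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$1"; then
        echo nopasswd
    elif grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$1"; then
        echo passwd
    else
        echo none
    fi
}

# enable_wheel FILE MODE: uncomment the chosen %wheel line (MODE is
# "nopasswd" or "passwd") in FILE, which must be a copy, never /etc/sudoers.
# The edit is written to a temp file and moved into place (portable sed).
enable_wheel() {
    case $2 in
        nopasswd) _pat='^# *\(%wheel[[:space:]]*ALL=(ALL)[[:space:]]*NOPASSWD: *ALL\)[[:space:]]*$' ;;
        passwd)   _pat='^# *\(%wheel[[:space:]]*ALL=(ALL)[[:space:]]*ALL\)[[:space:]]*$' ;;
        *) echo "unknown mode: $2" >&2; return 1 ;;
    esac
    sed "s/$_pat/\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_syntax FILE: run the real sudoers parser over the copy when visudo
# is installed; visudo -c -f checks a named file without installing it.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed; syntax not checked" >&2
    fi
}

# show_grants USER: on a live host, list what sudo would let USER run, which
# is the final check that the wheel rule actually applies to that account.
show_grants() {
    sudo -l -U "$1"
}

# Stand-alone demonstration on a temporary copy: ./script.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    sample_sudoers "$f"
    echo "before: $(wheel_rule "$f")"
    enable_wheel "$f" nopasswd
    echo "after:  $(wheel_rule "$f")"
    check_syntax "$f"
    rm -f "$f"
fi
```

wheel_rule reports the first matching rule it finds; if both %wheel lines are uncommented, sudo itself uses the last matching entry in the file, so keep only one of them active.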
Adding users to the wheel group
To add a new user to the wheel group, execute the following command, where <username> is the username of the user to add:
sudo usermod -G wheel <username>
For example, to add the user bob to the wheel group, you could execute the following command:
sudo usermod -G wheel bob
Now, this user can request superuser privileges.
Warning: If the usermod command is run later to add the user to another group, that command also needs to include the wheel group. This is because the new list of groups will replace (not add to) the old list of groups. For example, if the user bob also needs to belong to the git group, you could execute the following command:
sudo usermod -G wheel,git bob
A similar command is needed if an existing user who already belongs to one or more groups needs to be added to the wheel group.
N.B. In the Linux operating system, each user usually automatically belongs to a group named after the user. For example, the user named bob would usually automatically belong to a group named bob. This is the user's primary group, and the usermod -G command, which only sets the list of supplementary groups, will leave the user in it. No special precautions are required to prevent the user from being removed from this group.
This step needs to be completed for each user who may request superuser privileges.
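The following script is an added example and is not part of the original article. It addresses the warning above by computing the complete group list before calling usermod -G, so that a user's existing memberships are not silently dropped, and it verifies the result afterwards. The function names merged_groups, supplementary_groups_of and add_to_wheel are this example's own; id -nG, id -gn and usermod -G are standard.

```shell
#!/bin/sh
# Added example (not from the original article): build the full group list
# before running usermod -G, so existing memberships survive the call.

# merged_groups CURRENT NEW: print CURRENT (comma- or space-separated) with
# NEW appended, de-duplicated, in original order, as one comma-separated
# list in the form usermod -G expects.
merged_groups() {
    {
        printf '%s' "$1" | tr ', ' '\n\n'
        printf '\n%s\n' "$2"
    } | awk 'NF && !seen[$0]++' | paste -sd, -
}

# supplementary_groups_of USER: the user's current supplementary groups,
# i.e. everything id -nG reports except the primary group from id -gn.
# (usermod -G never touches the primary group, so it is left out here.)
supplementary_groups_of() {
    _primary=$(id -gn "$1") || return 1
    id -nG "$1" | tr ' ' '\n' | grep -vx "$_primary" | paste -sd, -
}

# add_to_wheel USER: add USER to wheel while keeping its other groups, then
# confirm that wheel now appears in the user's group list.
add_to_wheel() {
    _groups=$(merged_groups "$(supplementary_groups_of "$1")" wheel) || return 1
    echo "applying groups for $1: $_groups"
    sudo usermod -G "$_groups" "$1" || return 1
    id -nG "$1" | tr ' ' '\n' | grep -qx wheel
}

# Stand-alone usage on a live host: ./script.sh bob
if [ -n "${1:-}" ]; then
    add_to_wheel "$1" && echo "$1 is now in wheel"
fi
```

usermod also accepts -a together with -G (usermod -a -G wheel <username>), which appends to the supplementary groups instead of replacing them; the merged_groups approach is useful when you want to see and log the exact list being applied.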
Executing commands with superuser privileges
The users who you added to the wheel group can now execute any command as a superuser simply by prefixing it with sudo. For example, one of these users could execute the command build-website with superuser privileges by executing the following command:
sudo build-website
Conversely, even if a user belongs to the wheel group, they do not receive superuser privileges unless they use the sudo prefix. This is actually a good thing. If a command does not require superuser privileges, it is safer to execute it without them, because this limits the amount of damage the command can do if something unexpected happens.
The users you just specified can now request superuser privileges. Use wisely!