By Philip Knerr
Introduction
Some tasks for system administration of an Amazon EC2 instance require superuser privileges. Superuser privileges bypass all authorization checks, thus allowing the user to perform any task which is possible on the system.
Superuser privileges are available when authenticated as the special user named root. However, each individual who needs access to an Amazon EC2 instance should ideally have their own account. Sharing access to the root account is suboptimal because if multiple people sign in directly as root, it is difficult to know which of them performed a given action. In fact, Linux systems usually disallow signing in directly to the root account.
Instead, the Linux operating system provides a way to grant superuser privileges to individual accounts, and a way for those accounts to execute some or all commands with superuser privileges.
The context and caveats in the Foreword apply to this article.
This information is current as of July 13, 2017.
Requirements
This article assumes you have already instantiated an Amazon EC2 instance. It also assumes you have already created one or more users who should be granted superuser privileges.
Granting superuser privileges to the wheel group
Users in a Linux system generally belong to one or more groups. Groups allow creating categories of users who have a similar role in the system. It is possible to grant privileges to an entire group so that the privileges are applied to all users in the group.
The Linux operating system has a special group named wheel. The wheel group is intended for all users who should be granted superuser privileges upon request. The wheel group will normally exist upon installing Linux; you normally will not need to create it, although you may if it does not already exist.
However, the Sudoers configuration needs to be updated for this access to actually be granted to the wheel group and its users. The Sudoers configuration is specified in the file /etc/sudoers. This file should not be edited directly, because a syntax error in it can lock everyone out of sudo. Instead, edit the Sudoers configuration with visudo, which checks the syntax before the file is installed, by executing the following command:
sudo visudo
By default, this command edits the Sudoers configuration using the vi text editor, which is relatively difficult to use. You can optionally specify another text editor by executing the following command instead, where <editor-command> is the command which would normally open your preferred editor:
sudo VISUAL=<editor-command> visudo
For example, to edit the Sudoers configuration using the nano text editor, you could execute the following command:
sudo VISUAL=nano visudo
In this file, find the following line:
# %wheel ALL=(ALL) NOPASSWD: ALL
Uncomment this line by removing the # symbol and the space character that follows it.
N.B. There is a similar line which requires a password. If all accounts which should have superuser privileges also have passwords, you can uncomment that line instead. Otherwise, uncommenting that line is not useful. This is because users would be required to enter their passwords upon requesting superuser privileges, and that is an impossibility for users without passwords.
Then, save the file as usual.
Now, any user who belongs to the wheel group can request superuser privileges.
This step only needs to be completed once per system.
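The following script is an added example and is not part of the original article. It shows how to tell which of the two %wheel rules a sudoers file actually enables (none, the password form, or the NOPASSWD form) and wraps the visudo syntax check so a candidate file can be validated before it is installed. The sample sudoers excerpts, the scratch directory and the function names are constructed for the example; visudo -c -f is the real check-only flag combination from visudo(8).

```shell
#!/bin/sh
# Added example, not from the original article: classify which %wheel rule a
# sudoers file enables, and syntax-check a candidate file with visudo -c -f.

# Constructed sudoers excerpts (the default pair of commented rules and the
# ways of uncommenting them), written to a scratch directory so nothing on
# the live system is touched.
SUDOERS_DIR="${TMPDIR:-/tmp}/sudoers_example.$$"
mkdir -p "$SUDOERS_DIR"
printf '%s\n' '## Allows people in group wheel to run all commands' \
              '# %wheel ALL=(ALL) ALL' \
              '## Same thing without a password' \
              '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$SUDOERS_DIR/untouched"
printf '%s\n' '# %wheel ALL=(ALL) ALL' \
              '%wheel ALL=(ALL) NOPASSWD: ALL'   > "$SUDOERS_DIR/nopasswd"
printf '%s\n' '%wheel ALL=(ALL) ALL' \
              '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$SUDOERS_DIR/password"
printf '%s\n' '%wheel ALL=(ALL) ALL' \
              '%wheel ALL=(ALL) NOPASSWD: ALL'   > "$SUDOERS_DIR/both"

# wheel_rule_mode FILE -> prints "password", "nopasswd" or "none".
# Lines starting with # are comments, so the default commented rules do not
# count. When several %wheel rules are active, sudo applies the last matching
# entry, so the last active line decides the result.
wheel_rule_mode() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*%wheel[[:space:]]/ {
            mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
        }
        END { print (mode == "" ? "none" : mode) }' "$1"
}

# validate_sudoers FILE -> runs visudo's syntax check on a candidate file
# without installing it (exit status 0 means the file parses cleanly).
validate_sudoers() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not available" >&2; return 2; }
    visudo -c -f "$1"
}

# Stand-alone demonstration over the constructed excerpts
for f in untouched nopasswd password both; do
    echo "$f: $(wheel_rule_mode "$SUDOERS_DIR/$f")"
done
```

After saving the real file, a member of the wheel group can run sudo -l to list the entries sudo has actually applied to them. The password form keeps one extra check (the user's own password) between a session and root, so it is the one to prefer wherever the accounts have passwords; the NOPASSWD form is only appropriate in the passwordless case the article describes.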
Adding users to the wheel group
To add a new user to the wheel group, execute the following command, where <username> is the username of the user to add:
sudo usermod -G wheel <username>
For example, to add the user bob to the wheel group, you could execute the following command:
sudo usermod -G wheel bob
Now, this user can request superuser privileges.
Warning: If the usermod command is run later to add the user to another group, that command also needs to include the wheel group. This is because the new list of groups will replace (not add to) the old list of groups. For example, if the user bob also needs to belong to the git group, you could execute the following command:
sudo usermod -G wheel,git bob
A similar command is needed if an existing user who already belongs to one or more groups needs to be added to the wheel group.
N.B. In the Linux operating system, each user usually automatically belongs to a group named after the user. For example, the user named bob would usually automatically belong to a group named bob. The usermod -G command will leave the user in this group. No special precautions are required to prevent the user from being removed from this group.
This step needs to be completed for each user who may request superuser privileges.
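The following script is an added example and is not part of the original article. It reads group membership from a file in /etc/group format, prints the full supplementary group list that the article's usermod -G form has to be given to avoid dropping a membership (the warning above), and shows the append form usermod -a -G from usermod(8), which adds a group without replacing the existing list. The sample group file and the function names are constructed for the example; the live /etc/group is not touched and the usermod call is not run here because it needs root.

```shell
#!/bin/sh
# Added example, not from the original article: inspect group membership from
# an /etc/group-style file and add a user to wheel without dropping groups.

# Constructed sample in /etc/group format (name:password:gid:members), used
# instead of the live file so the example runs without root.
GROUP_FILE="${TMPDIR:-/tmp}/group_example.$$"
printf '%s\n' \
    'root:x:0:' \
    'wheel:x:10:alice,bob' \
    'git:x:1001:bob' \
    'bob:x:1000:' > "$GROUP_FILE"

# members_of FILE GROUP -> prints the comma-separated members of GROUP
members_of() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# in_group FILE GROUP USER -> exit status 0 if USER is listed in GROUP
in_group() {
    members_of "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# supplementary_groups FILE USER -> prints every group that lists USER,
# comma separated: exactly the list usermod -G must be given in full,
# since -G replaces the old list rather than adding to it
supplementary_groups() {
    awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) out = out (out == "" ? "" : ",") $1
        }
        END { print out }' "$1"
}

# add_to_wheel USER -> appends USER to wheel with the -a (append) option, so
# existing supplementary groups are kept; then shows the resulting groups.
# Needs root, so it is defined here but not executed.
add_to_wheel() {
    sudo usermod -a -G wheel "$1" && id -nG "$1"
}

# Stand-alone demonstration over the constructed file
echo "wheel members: $(members_of "$GROUP_FILE" wheel)"
echo "groups of bob: $(supplementary_groups "$GROUP_FILE" bob)"
```

With the constructed file, supplementary_groups reports wheel,git for bob, which is the value the article's usermod -G wheel,git bob command has to carry; add_to_wheel reaches the same end state for a new member without the caller having to recompute that list.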
Executing commands with superuser privileges
The users who you added to the wheel group can now execute any command as a superuser simply by prefixing it with sudo. For example, one of these users could execute the command build-website with superuser privileges by executing the following command:
sudo build-website
Conversely, even if a user belongs to the wheel group, they do not receive superuser privileges unless they use the sudo prefix. This is actually a good thing. If a command does not require superuser privileges, it is safer to execute the command without them. This limits the amount of damage the command can do if something unexpected happens.
Conclusion
The users you just specified can now request superuser privileges. Use wisely!
–Phil Knerr