Granting superuser access on an Amazon EC2 instance

By Philip Knerr

Introduction

Some system administration tasks on an Amazon EC2 instance require superuser privileges. Superuser privileges bypass all authorization checks, so a user who holds them can perform any action the system supports.

Superuser privileges are available when authenticated as the special user named root. However, each individual who needs access to an Amazon EC2 instance should ideally have their own account. Sharing the root account is suboptimal because, if multiple people sign in directly as root, it is difficult to know which of them performed a given action. In fact, Linux systems usually disallow signing in directly to the root account.

Instead, the Linux operating system provides a way to grant superuser privileges to individual accounts. It also provides a way for the specified accounts to execute some or all commands with superuser privileges.

The context and caveats in the Foreword apply to this article.

This information is current as of July 13, 2017.

Requirements

This article assumes you have already instantiated an Amazon EC2 instance. It also assumes you have already created one or more users who should be granted superuser privileges.

Granting superuser privileges to the wheel group

Users in a Linux system generally belong to one or more groups. Groups allow creating categories of users who have a similar role in the system. It is possible to grant privileges to an entire group so that the privileges are applied to all users in the group.

The Linux operating system has a special group named wheel. The wheel group is intended for all users who should be granted superuser privileges upon request. The wheel group will normally exist upon installing Linux. You normally will not need to create this group, although you may if the group does not already exist.

However, the Sudoers configuration must be updated before this access is actually granted to the wheel group and its users. The Sudoers configuration is specified in the file /etc/sudoers, but this file should not be edited directly, because visudo locks the file and checks its syntax before saving. Instead, edit the Sudoers configuration by executing the following command:

sudo visudo

By default, this command edits the Sudoers configuration using the vi text editor, which is relatively difficult to use. You can optionally specify another text editor by executing the following command instead, where <editor-command> is the command that would normally open your preferred editor:

sudo VISUAL=<editor-command> visudo

For example, to edit the Sudoers configuration using the nano text editor, you could execute the following command:

sudo VISUAL=nano visudo

In this file, find the following line:

# %wheel  ALL=(ALL)       NOPASSWD: ALL

Uncomment this line by removing the # symbol and subsequent space character.

N.B. There is a similar line that requires a password. If every account that should have superuser privileges also has a password, you can uncomment that line instead. Otherwise, uncommenting that line is not useful, because users would be prompted for their password when requesting superuser privileges, which is impossible for accounts without passwords.

Then, save the file as usual.

Now, any user who belongs to the wheel group can request superuser privileges.

This step only needs to be completed once per system.

Adding users to the wheel group

To add a new user to the wheel group, execute the following command, where <username> is the username of the user to add:

sudo usermod -G wheel <username>

For example, to add the user bob to the wheel group, you could execute the following command:

sudo usermod -G wheel bob

Now, this user can request superuser privileges.

Warning: If the usermod command is run later to add the user to another group, that command must also include the wheel group, because the new list of groups replaces (rather than adds to) the old list. For example, if the user bob also needs to belong to the git group, you could execute the following command:

sudo usermod -G wheel,git bob

A similar command is needed if an existing user who already belongs to one or more groups needs to be added to the wheel group.

N.B. In the Linux operating system, each user usually automatically belongs to a group named after the user. For example, the user named bob would usually automatically belong to a group named bob. The usermod -G command leaves the user in this group, because it is the user's primary group, which -G does not change. No special precautions are required to prevent the user from being removed from it.

This step needs to be completed for each user who may request superuser privileges.
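Two checks worth running before touching a live instance, added here as an example that is not from the original article: a function that reports which %wheel rule is active in a copy of the sudoers file (the uncommenting step above), and a function that builds the group list for usermod -G so that adding wheel keeps a user's existing groups (the warning above). It assumes a copy of /etc/sudoers and the output of id -nG as its inputs; the sample sudoers lines and the user bob's groups are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Two helper functions for
# the steps above, written to run on a COPY of /etc/sudoers and on the output
# of `id -nG`, so they need no root and change nothing on the instance.

# wheel_rule FILE
# Prints which %wheel rule is active in a sudoers file, ignoring comment lines.
# If several %wheel rules are active, sudo applies the last match, so only the
# last active line decides:  nopasswd | passwd | none
wheel_rule() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*%wheel' | tail -n 1 || true)
    case "$last" in
        "")          echo none ;;
        *NOPASSWD*)  echo nopasswd ;;
        *)           echo passwd ;;
    esac
}

# groups_with PRIMARY "CURRENT GROUPS" NEWGROUP
# Builds the comma-separated list to pass to `usermod -G` so that adding
# NEWGROUP keeps the user's existing supplementary groups (usermod -G replaces
# the whole list, as the warning above explains). PRIMARY is the user's primary
# group, which -G does not manage, so it is left out; CURRENT is `id -nG` output.
groups_with() {
    primary=$1 current=$2 new=$3 list=""
    for g in $current $new; do
        [ "$g" = "$primary" ] && continue
        case ",$list," in
            *",$g,"*) ;;                       # already listed, skip duplicate
            *) list="${list:+$list,}$g" ;;
        esac
    done
    echo "$list"
}

# Constructed sample: the NOPASSWD line still commented, password rule active.
sample=$(mktemp)
printf '# %%wheel\tALL=(ALL)\tNOPASSWD: ALL\n%%wheel\tALL=(ALL)\tALL\n' > "$sample"
echo "active wheel rule: $(wheel_rule "$sample")"          # passwd
rm -f "$sample"

# bob is currently in groups "bob git" (from `id -nG bob`); add wheel, keep git
echo "usermod -G $(groups_with bob 'bob git' wheel) bob"   # usermod -G git,wheel bob
```

To check the syntax of a sudoers copy before applying the same edit with visudo, run visudo -cf on the copy.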

Executing commands with superuser privileges

The users you added to the wheel group can now execute any command as a superuser simply by prefixing it with sudo. For example, one of these users could run the command build-website with superuser privileges by executing the following command:

sudo build-website

Conversely, even if a user belongs to the wheel group, they do not receive superuser privileges unless they use the sudo prefix. This is actually a good thing. If a command does not require superuser privileges, it is safer to execute it without them, which limits the damage the command can do if something unexpected happens.

Conclusion

The users you just specified can now request superuser privileges. Use wisely!

–Phil Knerr