SDB:Administer with sudo



Administering a system with sudo is safer than using the root user directly. All commands run via sudo are also logged to /var/log/messages (this can be changed; see Sudo logging). Sudo is installed by default.

Preparation

sudo may not be installed by default. The simplest way to manage sudo from the command line is using the yast command, which requires YaST2 and the yast2-sudo package to be installed.

Install sudo:

zypper in sudo

Configuring Sudo

To enable sudo access for a user account, do the following.

sudo /usr/sbin/visudo

or when using GNOME

EDITOR=gedit gnomesu visudo

or when using KDE

EDITOR=kate kdesu visudo

Any user in the default 'users' group can run sudo if they know the root password; this is changed in a later step. Answer the password prompt with the root password.

Setting group access

Find the entry for %wheel. This is the wheel group. The '%' tells sudo to match against a group name in /etc/group. Uncomment the line.

%wheel        ALL=(ALL)       ALL

Save and exit with :wq (not necessary when using gedit or kate)

Add the desired username to the wheel group. The new group membership takes effect for that user after the next login.

sudo /usr/sbin/usermod -aG wheel username

Edit the sudoers file again. This time remove the ability for every user to run sudo. Comment out these lines, save and exit.

#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

Now when running sudo, use username's login password instead of the root password.
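
The following is an added example, not part of the original page: a POSIX shell check that a sudoers file is in the state the steps above produce. The function name audit_sudoers and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# audit_sudoers FILE: print one finding per line, return 0 only if
# targetpw and the catch-all rule are disabled and %wheel is enabled.
audit_sudoers() {
    rc=0
    # Keep only active lines: drop comments and blank lines.
    # Limitation: files pulled in by include directives are not followed.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1") || return 2
    # Matches "<who> ALL=(ALL) ALL" and the "(ALL:ALL)" spelling.
    rule='[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*ALL'
    # "Defaults !targetpw" is a negation and must not be reported.
    if printf '%s\n' "$active" |
        grep -Eq '^[[:space:]]*Defaults.*[[:space:],]targetpw([[:space:],]|$)'; then
        echo "FAIL: 'Defaults targetpw' is active (sudo asks for the root password)"
        rc=1
    fi
    if printf '%s\n' "$active" | grep -Eq "^[[:space:]]*ALL$rule"; then
        echo "FAIL: 'ALL ALL=(ALL) ALL' is active (every user may run sudo)"
        rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq "^[[:space:]]*%wheel$rule"; then
        echo "FAIL: no active '%wheel ALL=(ALL) ALL' rule"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: wheel-only sudo with the user's own password"
    return "$rc"
}

# Constructed sample: a sudoers file before the steps above are applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults targetpw    # ask for the password of the target user i.e. root
ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
# %wheel        ALL=(ALL)       ALL
EOF
audit_sudoers "$sample" || echo "sudoers still needs the changes above"
rm -f "$sample"
```

To check the live configuration, run the function as root against /etc/sudoers, since that file is not world-readable.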

Running applications with root permissions in X

If you want to run X windows programs such as kate for editing, the recommended method is to use

 su -

to become the root user. Alternatively, you can use graphical su commands, for example

xdg-su -c

These behave like su rather than sudo. For local installations, this is also doable with sudo by editing the sudoers file with /usr/sbin/visudo and adding the DISPLAY and XAUTHORITY variables to the line

 Defaults env_keep = "LANG..."

Additionally, the X server must be set to allow access for other users with the xhost program; see the xhost man page. All of this lowers the security level of the machine, so please be aware of that.

Using User's own password to authenticate in GNOME

To use the password of users belonging to the wheel group to authenticate in GNOME instead of the root password, the polkit rules need to be edited.

First create a copy of the default rules file:

sudo cp /usr/share/polkit-1/rules.d/50-default.rules /etc/polkit-1/rules.d/40-wheel.rules

Then modify the file with the lower number, so that it takes precedence over the default. Find the line that has:

return ["unix-user:0"];

And change it to:

return ["unix-group:wheel"];

After fixing the file's permissions:

sudo chmod +r /etc/polkit-1/rules.d/40-wheel.rules

And rebooting the machine, GNOME will ask for the user's password to authenticate if that user is a member of the wheel group.