Configuring sudo privs for user in CentOS

On home CentOS 7 Server, I created an account and now need to add sudo privs:

Note: What I’m really wanting is to have sudo access from my own account

/usr/sbin/visudo (which came back with the error — visudo: /etc/sudoers: Permission denied)
su - (followed by the password for root — changes the prompt from $ to #)
/usr/sbin/visudo (which now allowed me to edit the /etc/sudoers file)
Then, find the following line: root ALL=(ALL) ALL — found it
Add your login so it looks like (for login “jdoe”): jdoe ALL=(ALL) ALL
Note: While in visudo — You have two “modes”
• Command mode – Press ‘ESC’ to access.
• Insert mode – Press ‘I’ to access. — I pressed “i” in order to insert a line
You’re always in one or the other.
To save and quit — :wq ; Escape; :q
Note: This was useful for the editor commands — https://maeks84.wordpress.com/2008/05/29/how-to-use-visudo/
Logout (to get out of root and back to my own account — which should now have root privs)
Tried /usr/sbin/visudo — that didn’t work and got same error as above
Completely logged out and back in again — same thing…
Note: Trying to figure out if change to give my account root privs was conclusive:
sudo -l (which should tell me if I have any sudoers privileges)
It returned with: User paul may run the following commands on this host: (ALL) ALL

When trying to resolve with running visudo, it mentions a temporary file still out there:
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r /etc/sudoers.tmp"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "/etc/.sudoers.tmp.swp"
to avoid this message.
"/etc/sudoers.tmp" 115L, 3895C
Logged in as paul and went to /etc to do an: ls .sudoers.tmp.* — found the file (.sudoers.tmp.swp)
del .sudoers.tmp.swp (which isn’t the correct command)
Note: This website shows how to remove (rm) a swap file — https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-swap-removing-file.html
Tried rm .sudoers.tmp.swp (as paul)
Couldn’t do it — permission denied. This tells me that my account (paul) doesn’t have root privs yet.
su - and logged into root
cd /etc and then ls .sudoers.tmp.swp to confirm file is still there
Tried rm .sudoers.tmp.swp (as root) — that worked…
Logged out and back into paul
[paul@localhost etc]$ /usr/sbin/visudo
visudo: /etc/sudoers: Permission denied

Logged back into root and visudo works with no msg about swap file now
Interesting — the file I opened doesn’t show a reference to paul — have to start over again.
Probably what happened is that I didn’t originally save the file correctly

Entered “i” to go into Insert Mode; then added a line; then:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
paul ALL=(ALL) ALL
:wq — which saves the changes
Confirmed by doing visudo again — saw change and no error
:q — which quits out without saving

logout — back to paul account
visudo — same error re: privs

For purposes of this exercise, I think paul does have sudo access because:
sudo -l -U paul — returns with:
User paul may run the following commands on this host:
(ALL) ALL

Note: this is specifically for editing the sudoers file. It protects you from making a mistake in this file which could cause root not to be able to log in.

This site had an entry that was a very good summary — http://forums.fedoraforum.org/showthread.php?t=223742

There are the following ways that user jdoe, acting as a normal user, can execute commands requiring superuser privileges:

Log out of the desktop session, and log back in as user root, which is a VERY bad idea.
Enter “su -” and enter the superuser password.
Requires that you know the superuser’s password.
Will allow user jdoe to switch to the user root account. Once switched to user root’s account, user jdoe can execute any command as the superuser until the “exit” command is executed. Convenient when user jdoe needs to enter more than one command as the superuser.
su -c {command}
Requires that you know the superuser’s password.
Will allow user jdoe to execute the single {command} as the superuser. This sequence needs to be entered each time a command requiring superuser privileges is typed, so it is not very convenient if more than one command requiring superuser privileges needs to be executed.
sudo {command}
Requires that user jdoe be configured in the /etc/sudoers file, which can only be done by someone with superuser privileges (one of the things that justifies System Administrators, at least until we know what they know).
The /etc/sudoers file can be configured (using the visudo command) to limit the commands that user jdoe can execute using sudo, for security purposes.
Ask the System Administrator to modify the /etc/sudoers file to add privileged commands that you run often. The idea is to keep user root’s (a.k.a., the superuser) password from all but the System Administrator.
Once configured, user jdoe enters jdoe’s password (NOT the superuser password). For a period of about 5 minutes, user jdoe may execute commands normally requiring superuser privileges without being prompted for a password.

In the event that user root’s password does get out, it will not do a user any good, as we are going to lock down the use of the su command, forcing users to be in the “wheel” group before they may execute the su command. Only trusted users will be placed in the wheel group.

Each time the user issues a sudo command, this is logged. Each time a sudo command request fails, an e-mail is sent to the System Administrator. So, if a user attempts to execute commands with sudo that the user is not configured to execute, the System Administrator will know about it.

Trying now to be conclusive:

Logged in as paul
sudo /usr/sbin/visudo
Went down to the entry I had edited and rem’d it out with a #:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## paul ALL=(ALL) ALL
:wq — which saves and quits out of the file

sudo /usr/sbin/visudo
[paul@localhost ~]$ sudo /usr/sbin/visudo
paul is not in the sudoers file. This incident will be reported.
Note: This is now conclusive that my entry before (when logged into root) entered me into the sudoers list

su - (logged in as root)
/usr/sbin/visudo
i (for insert)
Went down file and removed the ## that I had added before paul
Escape Key — to get out of Insert Mode
:wq (save and quit)
logout (back to paul)

[paul@localhost ~]$ /usr/sbin/visudo
visudo: /etc/sudoers: Permission denied
Note: This makes sense — only root can do this command

[paul@localhost ~]$ sudo /usr/sbin/visudo
[sudo] password for paul:
Note: By asking for and accepting the password, sudo tells me that paul is part of sudoers and can edit the file
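As an added example, not code from the original post: a small POSIX shell script that does what the edit-and-verify rounds above do, but through a syntax-checked fragment in /etc/sudoers.d rather than hand-editing /etc/sudoers, and that also shows offline, on a constructed sudoers sample, why the “## paul ALL=(ALL) ALL” line in the conclusive test granted nothing. The function names grants_for_user, has_full_grant and install_grant are the example’s own; it assumes sudo and visudo are installed, that /etc/sudoers still carries the stock “#includedir /etc/sudoers.d” line, and that the --install path is run as root.

```shell
#!/bin/sh
# Added example, not code from the original post: grant a user full sudo
# rights on CentOS 7 with a syntax-checked /etc/sudoers.d fragment instead of
# hand-editing /etc/sudoers, and confirm the grant with "sudo -l -U" (the
# check the post relies on). Function names are the example's own.
# Assumptions: sudo/visudo are installed, /etc/sudoers still contains the
# stock "#includedir /etc/sudoers.d" line, and install_grant runs as root.

# Print the active user-spec lines ("user HOST=(RUNAS) CMDS") for the user
# named in $1 from the sudoers text on stdin. A line whose first non-blank
# character is '#' is a comment (so the post's "## paul ALL=(ALL) ALL" grants
# nothing); #include/#includedir directives are skipped the same way because
# this parser does not follow them. Spaces around '=' are normalised first.
grants_for_user() {
    awk -v user="$1" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            gsub(/[ \t]*=[ \t]*/, "=", line)
            n = split(line, f, /[ \t]+/)
            if (n >= 3 && f[1] == user && f[2] ~ /=/) print line
        }
    '
}

# Exit 0 if $1 has an active "ALL=(ALL) ALL" (or "... NOPASSWD: ALL") line in
# the sudoers text on stdin, 1 otherwise. Works for "%group" names as well.
has_full_grant() {
    grants_for_user "$1" | awk '
        $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $NF == "ALL" { found = 1 }
        END { exit !found }
    '
}

# Write a one-line fragment for $1, check it with "visudo -cf" before it can
# reach /etc/sudoers.d (a parse error in any included file makes sudo refuse
# to run for everyone), install it with the 0440 root:root mode sudo requires,
# and show what the user may now run. Must run as root.
install_grant() {
    user=$1
    tmp=$(mktemp) || return 1
    printf '%s ALL=(ALL) ALL\n' "$user" > "$tmp"
    if ! visudo -cf "$tmp"; then
        echo "refusing to install: fragment failed the visudo syntax check" >&2
        rm -f "$tmp"
        return 1
    fi
    # #includedir ignores file names containing '.' or '~', so keep the name plain
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    sudo -l -U "$user"
}

# Constructed sample of the post's sudoers state after the paul line was
# commented out with "##"; the offline demo below needs no root.
SAMPLE='## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## paul ALL=(ALL) ALL
%wheel ALL=(ALL) ALL'

if [ "${1:-}" = "--install" ] && [ -n "${2:-}" ]; then
    install_grant "$2"
else
    for u in root paul %wheel; do
        if printf '%s\n' "$SAMPLE" | has_full_grant "$u"; then
            echo "$u: active full sudo grant"
        else
            echo "$u: no active grant (commented out or absent)"
        fi
    done
fi
```

Run with no arguments to see the parser’s verdict on the sample (root and %wheel have a grant, paul does not, exactly what the post saw after adding the ##). Run `./grant.sh --install paul` as root to create the fragment; the closing `sudo -l -U paul` output is the same check the post used, and a bad fragment never reaches /etc/sudoers.d because `visudo -cf` rejects it first.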

Here’s an interesting FAQ on visudo:
http://manpages.ubuntu.com/manpages/precise/en/man8/visudo.8.html

About Paul

CERT Coordinator, Ham Radio Operator, GTD Fan; Photographer; Domino/Notes Administrator
This entry was posted in CentOS.