I am working on standardizing the sudo access in our environment. To begin with, I am understanding the current setup.
Currently, we use 'sudo bash'sudo bash to get into the root shell without typing any passwords. I understand that giving sudo access on individual commands is recommended but at least for now, I wanted a mechanism where we type our password and then get a root shell.
To re-iterate, 'sudo bash'sudo bash or 'sudo -s'sudo -s works fine but when I typed 'sudo su -'sudo su -, it prompted for my password and once I typed it, it gave me a message '*Sorry, user <username> is not allowed to execute '/bin/su -' as root on Sorry, user is not allowed to execute '/bin/su -' as root on 'lt;server name>'. This got me curious to see how is 'sudo bash'sudo bash working.
In /etc/sudoers/etc/sudoers file, I see two lines relevant in this context:
root ALL=(ALL) ALL %wheel ALL=(ALL) ALL And I am not part of the %wheel%wheel group. 'admin'admin is my default group in /etc/passwd/etc/passwd and 'admin'admin group isn't part of wheelwheel group in /etc/group/etc/group. So, to make 'sudo su -'sudo su - to work, I added below line to sudoersthe sudoers file and it worked.
%admin ALL=(ALL) ALL But I am not able to understand:
- How is 'sudo bash'
sudo bashworking for everyone? - Is everyone part of wheelthe
wheelgroup by default?
Please let me know if I am missing something here. Also, if there are better ways to do things.
OS -: CentOS 7.2 (RedhatRed Hat family)
-Ram Kumar It turns out there are certain files in /etc/sudoers.d and that's how sudo bash was working but i thought it was commented out... Thanks.
#includedir /etc/sudoers.d 
