Centos – Setting up Sudo in CentOS-7

centossshsudo

In CentOS 6.5, i would do the following to setup sudo for users –

useradd -G wheel -c "John Smith" jsmith
visudo
uncomment this line – %wheel ALL=(ALL) ALL
usermod -G wheel -a jsmith
restart sshd – /etc/init.d/sshd restart
ssh login as jsmith and type 'sudo bash'

When i try the same thing in CentOS 7, i see the following in /var/log/secure –

Oct  8 05:20:00 localhost sudo: jsmith : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash

Is this procedure not valid for CentOS-7 anymore?

More info –

file /etc/group has this –

wheel:x:10:randomperson,cartman,jsmith

visudo shows this –

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
wheel   ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

output of sudo -l command –

[jsmith@localhost ~]$ sudo -l
[sudo] password for jsmith:
Sorry, user jsmith may not run sudo on localhost.
[jsmith@localhost ~]$

Best Answer

You are missing a '%' in the example posted.

It's supposed to be

%wheel   ALL=(ALL)       ALL

not

wheel   ALL=(ALL)       ALL

Related Solutions

Linux – sudo denied – what is missing

This leads me to believe that 'visudo' is not really in the group that you think it is (NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS). Have you checked to ensure that /usr/sbin/visudo is a real file (not a symlink)?

I'm on CentOS 5, but the configuration should be very similar. My configuration for DELEGATING is:

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

If this is Fedora Core 10, as the tag suggests, try changing the user to group 'wheel' and un-commenting the line that says:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

If that works, then sudo is working properly. As another user recommends, when logged in as 'liveuser', you still need to run:

sudo visudo

Ubuntu – Permission Denied for User with Sudo Privileges

Could you run

sudo -s
id

And post the output? I want to see if it's actually making you the user you think.

Also, try

sudo cat /etc/sudoers

The output of id here is quite enlightening. When you ran sudo -s, you were given a UID of 1, while the only UID that the kernel will recognize as having root privileges is UID 0.

Try running

getent passwd | grep ':0:'

and see if any entries have that 0 in their first numeric field, the UID. Whatever account that is is the real superuser on the system, while root is a fake. Once you know the name, you can try

sudo -s -u username

to get a shell as that user.

You should also post the output of

getent passwd root

The bigger issue here is how such a condition came to pass.

Is this machine offering any network services? If so, someone may have broken into it and taken it over. In that case, you should probably back up the data, do a clean re-install, and audit anything that goes back on it.

If it's more of a personal machine, might there be a knowledgeable prankster who's had access to it recently?

Edit: your comment to another answer suggests that this is a server. I would highly recommend taking it offline ASAP and imaging its disks for forensic purposes. Unless you can identify a benign cause for this in short order, you've probably had your server cracked.

Best Answer

Related Solutions

Linux – sudo denied – what is missing

Ubuntu – Permission Denied for User with Sudo Privileges

Related Topic