6.3 Initially Provided User Accounts and Groups



So that Linux can be used immediately after installation, some users, and the groups these users belong to, already exist.

You can add one or more users and groups if needed.

6.3.1 General User Account and Group

An account is required to log in to Linux. When an account is created, a group with the same name as the user name is created, and the user is registered as a member of that group.

Groups exist so that two or more users can be handled collectively. For example, you can group users by department.

By setting access rights on directories, you can allow only the users of a specific group to access them. You can also allow only the users of another specific group to become the root user.



6.3.2 root User

The root user is the special user who can change system settings. The root user has no restrictions on use, so it can install and delete programs, and also create and delete user accounts.

The root user differs from a general user entirely.

Since anyone who can log in as the root user can do everything, the root user's account must be managed strictly.

6.3.3 su Command

The su command temporarily switches to another user.

When the su command is executed without a user name, the shell runs as the root user. When the su command is executed without any option, it logs in as the root user without changing the current directory.

If you want to move to root's home directory, you have to run "su -" or "su - root". If you can log in as the root user, you can execute system management commands. If the Linux system is managed by two or more people who log in as the root user directly, the command history is recorded under the root user, so we cannot identify who actually ran those commands.

If we become the root user from a general user, we can find out who became root and when.

Considering safety and management, it is probably desirable to log in as a general user first and then acquire the root user's authority to carry out system work.
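
The point above, that switching from a general user leaves a record of who became root and when, can be checked against the authentication log. The following is an added example, not part of the original text. It assumes pam_unix-style su records such as those CentOS writes to /var/log/secure; the sample lines are constructed and the function name su_root_events is hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the style of pam_unix records for su
# (for example /var/log/secure on CentOS); not taken from a real host.
SAMPLE_LOG='Mar 20 09:02:11 localhost su: pam_unix(su-l:session): session opened for user root by penguin(uid=500)
Mar 20 09:05:40 localhost su: pam_unix(su-l:session): session closed for user root
Mar 20 09:10:03 localhost su: pam_unix(su:auth): authentication failure; logname=tux uid=501 euid=0 tty=pts/1 ruser=tux rhost=  user=root
Mar 20 09:12:27 localhost su: pam_unix(su:session): session opened for user penguin by root(uid=0)
Mar 20 09:15:55 localhost su[2041]: pam_unix(su-l:session): session opened for user root(uid=0) by tux(uid=501)'

# su_root_events: read log lines on stdin and print
# "<month> <day> <time> <calling user> ok|FAILED" for each attempt to become root.
su_root_events() {
    awk '
    $5 !~ /^su(:|\[)/ { next }                    # only records written by su
    /session opened for user root[ (]/ {          # successful switch to root
        who = $0
        sub(/^.* by /, "", who)                   # text after the last " by "
        sub(/\(.*$/, "", who)                     # drop "(uid=...)"
        print $1, $2, $3, who, "ok"
        next
    }
    /authentication failure;/ && $NF == "user=root" {   # failed attempt
        who = "unknown"
        for (i = 6; i <= NF; i++)
            if ($i ~ /^ruser=/) who = substr($i, 7)
        print $1, $2, $3, who, "FAILED"
    }'
}

printf '%s\n' "$SAMPLE_LOG" | su_root_events
```

On a real host, run it as root with the log file on standard input, for example: su_root_events < /var/log/secure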

Format

su [user]


Since you become the specified user, you can work in that user's environment and with that user's authority.

On some Linux distributions, you can prevent general users from becoming the root user with the su command.

Options


-
Read and execute the user's startup files

Become the root user
If no user is specified, you become the root user if authentication succeeds

Become a specified user
If a user is specified, you become that user if authentication succeeds


The su command lets you become a specified user.

If password authentication succeeds, you can work in that user's environment and with that user's authority.


Practice: Execute the su command to become the root user


Now, let's become the root user from a general user.

Let's check that the root user can look at a log file that cannot be seen by a general user.


$ su - ↵                               Switch to the root user
# cat /var/log/messages ↵       Display an administrative file
(/var/log/messages)
Mar 20 08:51:46 localhost syslogd 1.4.1: restart.
Mar 20 08:51:46 localhost kernel: klogd 1.4.1, log source = /proc/kmsg started.
            :
            :
            :
# exit ↵                               Return from the root user to the general user
$ cat /var/log/messages ↵       You can’t read the administrative file
cat: /var/log/messages: Permission denied.       Error occurs


On some Linux distributions, a user who wants to become the root user with the su command needs to belong to the wheel group.


6.3.4 sudo Command, Which Executes Commands with root Authority

With the sudo command, we can execute commands with superuser (root) authority. You usually work as a general user, and execute commands with root authority through sudo only when necessary. You don't need to become the root user.

If you use the sudo command with the -u option, you can execute a command with the specified user's authority. When the sudo command is executed without options, the command is executed with root authority.

On CentOS, the sudo command cannot be used with the initial settings. You have to register the user as a member of the wheel group, which has superuser (root) authority.

To allow a user to use the sudo command, sudo is set up by editing the /etc/sudoers file. The /etc/sudoers file can be edited with the visudo command.

Format

sudo command


Execute a specified command with root authority.

Options


-u user
Execute a command as the specified user.




Practice: Execute a management command as a general user


Because the penguin user wants to use sudo, add him to the wheel group.

By editing the /etc/sudoers file with the visudo command, enable the definition of the wheel group. Then try the sudo command after switching to the penguin user with the su command.


# vigr ↵             Add the penguin user to the wheel group


Before:
wheel:x:10:root

After:
wheel:x:10:root,penguin



# visudo ↵             Enable the wheel group definition


Before:
# %wheel     ALL=(ALL)     ALL

After:
%wheel     ALL=(ALL)     ALL



# su - penguin ↵             Switch to a general user without password authentication
$ sudo visudo ↵             Even a general user can execute the visudo command.


When the root user runs the su command, no password is required. Since the user penguin belongs to a management group, he can execute visudo.

When the following option in the /etc/sudoers file is enabled, users who belong to the wheel group can execute the sudo command without entering a password.

By deleting '#' from the line, we enable it for the wheel group.


# %wheel      ALL=(ALL) NOPASSWD:      ALL
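
To see which accounts the wheel settings above actually give sudo to, and whether they are asked for a password, the two edited files can be read together. The following is an added example, not part of the original text. The function names are hypothetical and the sample inputs are constructed from the lines shown in the practice.

```shell
#!/bin/sh
# Constructed inputs that mirror the lines edited in the practice above.
SAMPLE_GROUP='root:x:0:
wheel:x:10:root,penguin
users:x:100:tux'
SAMPLE_SUDOERS='root    ALL=(ALL)       ALL
# %wheel     ALL=(ALL)     ALL
%wheel      ALL=(ALL) NOPASSWD:      ALL'

# active_group_rules SUDOERS_TEXT
# Print "<group> password|nopasswd" for every %group rule that is not commented out.
active_group_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/ { next }                   # still commented: rule is not in effect
        $1 ~ /^%/ {
            mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
            print substr($1, 2), mode
        }'
}

# group_members GROUP_TEXT NAME
# Print the supplementary members of NAME, one per line (format of /etc/group).
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# sudo_report SUDOERS_TEXT GROUP_TEXT
# Print "<user> <group> <mode>" for each user who gains sudo through a group rule.
sudo_report() {
    active_group_rules "$1" | while read -r grp mode; do
        group_members "$2" "$grp" | while read -r user; do
            printf '%s %s %s\n' "$user" "$grp" "$mode"
        done
    done
}

sudo_report "$SAMPLE_SUDOERS" "$SAMPLE_GROUP"
```

The check reads only the text it is given: it does not follow files included from /etc/sudoers, and it does not see users whose primary group (set in /etc/passwd) is wheel.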


