Something I wish I had fully understood, long ago, when setting up admin privileges with any Linux or specifically openSUSE systems is how to make it work in a more slick, usable and friendly manner. I specifically like the default Ubuntu approach to managing sudo behavior. When you “sudo” you enter your user password to do root or admin privilege tasks. In contrast, on openSUSE the default is to enter the root password. For a single user setup, this is not a problem but on a multi-user deployment this behavior is not very convenient. I just don’t think it is a good approach to give the various users the root password to do administrative functions. Although I did some cursory searching, I didn’t find an answer that was clear enough for me to implement so I did the shameful thing and just provided the root credentials to the small team of individuals I am working with, but that is no more!
This is my solution for making root / admin tasks much cleaner and easier to accomplish for those that are tasked to do so in this environment. I don’t claim to be a security expert and there are potentially even better ways to manage this but for my small team, I am taking advantage of the “wheel” group by adding the users to that group and modifying the sudoer file to allow any user with that group administrative privileges. It is much easier to remove a user from the group than to change the root password. I also don’t particularly like the whole root user thing to do system tasks. Feel free to comment and criticize on this and maybe I’ll change my ways.
Wheel Group
I have always been puzzled by the wheel group, why was it there, what is its purpose and the like but now I know. After digging into the /etc/visudo file, I see, near the end there is a User privilege specification. Here you can manually enter who gets root, but you can also set a group so that any user who is a part of that group will have root permissions.
Add the wheel group to a user. This can be done in several ways; the most universal way would be in the terminal. As the root user, you would run the following:
usermod -aG GROUP USER
To explain this command because it is not a good idea to run any command without understanding what it is:
-a, append the user to the supplemental GROUPS mentioned by the -G option without removing the user from any other groups
-G, list of supplementary GROUPS, which means you can add multiple groups separated by commas. Example: wheel,dialout,lock USER would add the USER to the listed groups.
To add the wheel group to the user cubiclenate, I would run the following as root:
usermod -aG wheel cubiclenate
I also want to note that you can separate out the options, so this would yield the same result:
usermod -a -G wheel cubiclenate
For a graphical interface, you can utilize YAST on the openSUSE family of distributions and add them through a rather comfortable interface.
Edit sudoer file
There are a couple ways to go about doing this. The most traditional way is to run this in the terminal:
sudo visudo
This opens the sudoers file in a vi session, where you can make any changes. Alternatively, you can use your favorite editor to make the changes, like micro or nano:
sudo nano /etc/sudoers
Here is where you make the sudo magic happen. Scroll down, near the bottom of the text file and look for:
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

Uncomment the line by removing the leading #, then save and quit out of the editor.
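A read-only check for the setup above, added here as an example and not part of the original post: it lists which accounts end up with passwordless sudo through an active %group rule. The file contents and the users alice and bob are constructed sample data; on a real system you would point the functions at /etc/sudoers and /etc/group.

```bash
#!/usr/bin/env bash
# Audit sketch (added example): who gets passwordless root via a group rule?

# Active (uncommented) %group rules carrying NOPASSWD: in a sudoers-format file.
nopasswd_groups() {
    awk '
        /^[ \t]*#/ { next }    # rule is still commented out, e.g. "# %wheel ..."
        $1 ~ /^%/ && /NOPASSWD:/ { print substr($1, 2) }
    ' "$1" | sort -u
}

# Supplementary members of group $1 in an /etc/group-format file $2.
# usermod -aG writes here; users whose primary group matches are not listed.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# Print "group:user" for every account covered by a NOPASSWD group rule.
nopasswd_accounts() {
    nopasswd_groups "$1" | while read -r g; do
        group_members "$g" "$2" | while read -r u; do
            printf '%s:%s\n' "$g" "$u"
        done
    done
}

# Constructed sample files (not taken from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
# %ops ALL=(ALL:ALL) NOPASSWD: ALL
EOF
cat > "$sample_dir/group" <<'EOF'
root:x:0:
wheel:x:10:cubiclenate,alice
ops:x:1001:bob
users:x:100:
EOF

nopasswd_accounts "$sample_dir/sudoers" "$sample_dir/group"
```

On a live system, `visudo -c` validates the sudoers syntax, which a plain editor session does not, and `sudo -l -U USER` shows what sudo itself will grant to a user.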
Testing it Out
If you have not already logged out after adding the wheel group to your user, do so now, come back into your session (graphical or terminal) and test out the changes. Now, when you go to do updates on your system or run any other command that requires root, just do as you have been doing but now you won’t have to enter your root password.
In this case, I ran the command to do updates in openSUSE Tumbleweed
sudo zypper dup

There was nothing to do this time, but another task that I hop in the terminal to do is quickly switching Tailnets between home and work.
sudo tailscale switch home
Conveniently, I don’t have to enter my password now and I just get that immediate switch to my home Tailnet. This is incredibly convenient for this particular task.
Another task that I need root access for is mounting and unmounting my NFS share.
sudo mount -t nfs optimus:/home/wolfnf/ /mnt/optimus/wolfnf/ -o nofail,x-systemd.automount,x-systemd.mount-timeout=10,x-systemd.idle-timeout=5min
Then unmounting as necessary
sudo umount /mnt/optimus/wolfnf
Suffice to say, this is an incredible “quality of life” improvement on my Linux desktop.
Final Thoughts
Security, there are so many opinions out there about what is more or less secure in how you manage administrative level tasks on your machines. Does this make your user account less secure? Perhaps yes, I could argue that it does indeed make your user account less secure. For a server that multiple people are accessing, however, using other enhanced security features like pre-shared ssh keys, I would argue that this is far more secure than sharing the root password around on a server. You will have to evaluate your risks and determine what is more or less secure for your use case.
Keep in mind that security is a funny thing. A machine that is not accessible is the most secure but also the least productive. A machine with no security may be incredibly productive but becomes vulnerable. You will have to determine what is the most secure way to administer your machines that doesn’t significantly compromise productivity. Not everyone needs access to everything and your weakest link in the security chain will always be the end user.