Using root Privileges

Nov 1, 2025

Becoming root

The root user operates in kernel space, which is why it is best practice not to set a root password. If root is able to log in to a graphical environment, everything running in that environment has root privileges.

sudo -i

Log In as Another User

su - {user}

The - starts the shell as a login shell. This is useful for testing the configuration of a user account.

Managing sudo Configuration

Add user to wheel group.

usermod -aG wheel {user}

Set global authentication timeout.

Defaults timestamp_type=global,timestamp_timeout=60

Set the authentication timeout to 60 minutes for user, somebody, only.

Defaults:somebody timestamp_timeout=60

Always require a password from user, somebody, only.

Defaults:somebody timestamp_timeout=0

Infinite timeout for user, somebody, only.

Defaults:somebody timestamp_timeout=-1

Set the authentication timeout to 240 minutes for group, wheel, only.

Defaults:%wheel timestamp_timeout=240

Do not require a password for user, somebody.

Defaults:somebody !authenticate

Provide user, lisa, admin access to specific commands.

lisa ALL=/sbin/useradd,/usr/bin/passwd

Allow group, users, to mount and unmount only the /dev/sdb device.

%users ALL=/bin/mount /dev/sdb,/bin/umount /dev/sdb

Allow user, somebody, to set any user’s password except root.

somebody ALL=/usr/bin/passwd, ! /usr/bin/passwd root
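
An added example, not part of the original notes: a shell function that reads sudoers-format text on stdin and flags the Defaults settings shown above that weaken sudo authentication (a negative or long timestamp_timeout, timestamp_type=global, !authenticate). The function names, the 60-minute default threshold and the sample policy are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): flag weak sudo authentication
# settings. Usage: audit_sudoers [MAX_MINUTES] < sudoers-format-file
audit_sudoers() {
    awk -v max="${1:-60}" '
    $1 !~ /^Defaults/ { next }   # skip comments, blank lines and user specs
    {
        # Scope is whatever follows "Defaults:"; a bare "Defaults" is global.
        scope = $1
        sub(/^Defaults:?/, "", scope)
        if (scope == "") scope = "global"

        # The rest of the line is a comma-separated option list.
        line = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        n = split(line, opt, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(opt[i], kv, "=")
            if (opt[i] == "!authenticate")
                print "HIGH", scope, "!authenticate: no password is requested"
            else if (kv[1] == "timestamp_type" && kv[2] == "global")
                print "WARN", scope, "timestamp_type=global: one login covers every terminal"
            else if (kv[1] == "timestamp_timeout" && kv[2] + 0 < 0)
                print "HIGH", scope, "timestamp_timeout=" kv[2] ": no expiry"
            else if (kv[1] == "timestamp_timeout" && kv[2] + 0 > max + 0)
                print "WARN", scope, "timestamp_timeout=" kv[2] ": longer than " max " minutes"
        }
    }'
}

# Constructed sample input built from the directives on this page.
sample_policy() {
    cat <<'EOF'
Defaults timestamp_type=global,timestamp_timeout=60
Defaults:somebody timestamp_timeout=-1
Defaults:%wheel timestamp_timeout=240
Defaults:lisa !authenticate
Defaults:issac timestamp_timeout=60
lisa ALL=/sbin/useradd,/usr/bin/passwd
EOF
}

sample_policy | audit_sudoers 60
```

To check a real drop-in, run it as root, for example audit_sudoers 30 < /etc/sudoers.d/issac. Syntax validation is still the job of visudo -c.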

Lab Exercise

  1. Create a new user issac
  2. Allow issac to perform the following user management tasks
    • create, modify, and delete users
    • change passwords for all users except root
  3. Ensure that issac only needs to enter a password for admin operations every 60 minutes
  4. Ensure that the default authentication timeout for all users with sudo privileges is 30 minutes
  5. Ensure that the default authentication timeout for members of group wheel is 240 minutes

Solution

  1. useradd issac
  2. /etc/sudoers.d/issac
    issac ALL=/sbin/useradd,/sbin/userdel,/sbin/usermod
    issac ALL=/bin/passwd,!/bin/passwd root
  3. /etc/sudoers.d/issac
    Defaults:issac timestamp_timeout=60
  4. /etc/sudoers.d/defaults
    Defaults timestamp_timeout=30
  5. /etc/sudoers.d/wheel
    Defaults:%wheel timestamp_timeout=240

- Clint Jordan