How do I make CentOS/RHEL prompt me for my password (and not root's) when I run a privileged command? I have found many guides that detail how to do this for the command line, but I want it to work for X Windows applications as well.

Or, in other words: how do I make RHEL/CentOS behave like Ubuntu?
## Terminal Setup

As root, we need to edit the `/etc/sudoers` file by running `visudo` (NOTE: you can `export EDITOR=vim` to get syntax highlighting, or use the editor of your choice). Around lines 83,86 you should see two lines that are similar (in vim you can run `:set number` to show line numbers):

The difference is that line #83 will require the user to enter their password to authenticate, whereas line #86 will allow the user to `sudo` without re-prompting them for their password. Best security practices state that #83 is more secure; however, depending on your situation #86 can be appropriate (for example, I generally use #86 while setting up a server, then switch to #83). Exit and save that file.

Now we need to tell the system which users are allowed to escalate their permissions via `sudo`. This is done by adding them to the `wheel` group; that is what the `%wheel` indicated in the `sudoers` file we edited earlier. See `man sudoers` for more information on that file format.

That command will add the user `erebusbat` to the wheel group; combined with our earlier change, it would allow them to run any command as root.

## X / GNOME Setup

In CentOS/RHEL 5 and below the X authentication is handled by a set of programs called `consolehelper` and `userhelper`. Basically what happens is this: when a user executes a program (say `pirut`) it checks to see if there is a file called `pirut` in the folder `/etc/security/console.apps/`. If we look at one of those files it looks like:

This tells `consolehelper`/`userhelper` to allow the user to authenticate and run the program as root. If we `man userhelper` we see that we can add a `UGROUPS=` directive so that if a user were in that group they would be allowed to authenticate as themselves, but run the application as the user specified in the `USER=` directive. So our `pirut` file needs to look like:

As soon as we make that change, whenever we attempt to run `pirut` as a normal user (Add/Remove Programs from the GNOME Menu) one of two things will happen:

1. `root`.
2. `root`'s password if the current user is not in the `wheel` group.

However, changing all those files by hand can be a PIA, so we work smarter and not harder:

The `sudo su -` command is not needed if you are currently `root`. The command will not 'double fix' any file, so it can be cron'ed or set to run on startup to make sure your files are OK. Updates and installs can overwrite them or create new ones that do not have the `UGROUPS=` directive.

## Disabling root User

Once that is all set up and tested you should disable the root user:

That is a lowercase L, as in LOCK.

Then you should set or change `PermitRootLogin no` in your `/etc/ssh/sshd_config` file. This is useful even if you lock the root account, in case anyone enables it in the future. `sudo su -` will still work even if you set this (see below), so there really is no reason not to set it.

If you decide not to lock the root account, it is not ideal, as anyone can log in to the text/X/GNOME console as `root`, and that is when bad things happen (the console stays logged in, or you accidentally delete a bunch of OS files [ask me how I know]); best to lock the account.

## Running as root for extended periods

Sometimes, such as during software installs, it is necessary to run many commands as `root` and it is not desirable to have to prefix each with `sudo`. You have two options in this case:

1. `root` account: `$ sudo su -` That command will give you the same command shell as if you had logged into the account as root.
2. `$ sudo passwd root` This will allow you to set a password and unlock the account; however, it is not temporary and you must remember to lock the user account after you are done.
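The answer recommends fixing every file under `/etc/security/console.apps/` in one pass and making that pass safe to re-run from cron or at startup. The script below is an added example of that idea, not the answer's own command: the function name `add_ugroups` and its arguments are chosen here, the file contents are constructed in a scratch directory so it runs without root, and they follow the `USER=`/`PROGRAM=`/`SESSION=` line format described in userhelper(8). It skips files that already carry `UGROUPS=` (so repeated runs are no-ops) and handles the edge case of a file with no trailing newline, where a blind append would glue the directive onto the previous line.

```shell
#!/bin/sh
# Added example (not the original answer's command). Appends a UGROUPS=
# directive to every consolehelper app file in the given directory that
# does not already have one, so repeated runs (cron, startup) change nothing.
# Arguments: directory (default /etc/security/console.apps) and group
# (default wheel). Prints the number of files changed.
add_ugroups() {
    dir="${1:-/etc/security/console.apps}"
    group="${2:-wheel}"
    changed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Already fixed: leave it alone (this is what keeps the run idempotent).
        if grep -q '^UGROUPS=' "$f"; then
            continue
        fi
        # A file without a trailing newline would otherwise end up with
        # "SESSION=trueUGROUPS=wheel" on one line, which userhelper cannot parse.
        if [ -n "$(tail -c 1 "$f")" ]; then
            echo >> "$f"
        fi
        printf 'UGROUPS=%s\n' "$group" >> "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Constructed demonstration in a scratch directory (no root needed).
# Contents mimic the userhelper(8) app file format; the program names are made up.
demo_dir=$(mktemp -d)
printf 'USER=root\nPROGRAM=/usr/sbin/pirut\nSESSION=true\n' > "$demo_dir/pirut"
printf 'USER=root\nPROGRAM=/usr/bin/example-app\nSESSION=true' > "$demo_dir/example-app"
printf 'USER=root\nPROGRAM=/usr/bin/already-fixed\nUGROUPS=wheel\n' > "$demo_dir/already-fixed"
add_ugroups "$demo_dir"   # 2: pirut and example-app were missing the directive
add_ugroups "$demo_dir"   # 0: second run changes nothing
rm -rf "$demo_dir"
```

To apply it for real, run `add_ugroups` as root with no arguments (or point it at a different group); because it only counts and touches files lacking the directive, the printed number is a convenient signal in a cron log that an update has dropped new or overwritten app files.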