Manage users and groups

  • Configure superuser access

  1. A basic procedure, similar to the one in the Red Hat OpenStack Platform documentation
    Configure sudo access
    1) Log in as root
    2) Create a normal user account using the useradd command

    useradd USERNAME

    3) Set the password for the new user

    passwd USERNAME

        Changing password for user USERNAME.
        New password: 
        Retype new password: 
        passwd: all authentication tokens updated successfully.

    4) Run visudo to edit the /etc/sudoers file.

    visudo

    5) Find the lines in the file that grant sudo access to users in the wheel group when enabled.
    6) Remove the comment character (#) at the start of the second line and save the file.

         ## Allows people in group wheel to run all commands
         # %wheel        ALL=(ALL)       ALL

    7) Add the user you created to the wheel group using the usermod command.

    usermod -aG wheel USERNAME

    8) Test it by switching to the new user

    su - USERNAME

        $ groups
        USERNAME wheel
        $ sudo whoami
        We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    
                        #1) Respect the privacy of others.
                        #2) Think before you type.
                        #3) With great power comes great responsibility.
    
        [sudo] password for USERNAME:
        root

    9) The last line of the output is the user name returned by the whoami command. If sudo is configured correctly, this value is root.

  2. No password configuration for wheel group
    You can configure sudo not to ask for a password.
    1) Run visudo to edit the /etc/sudoers file.

    visudo

    2) Remove the comment character (#) at the start of the second line and save the file.

         ## Same thing without
         # %wheel        ALL=(ALL)      NOPASSWD: ALL

  3. No password configuration for a specific user
    Sometimes you want to enable sudo for a specific user without asking for a password. To do this, after you add the new user, create a rule file for that user under the /etc/sudoers.d directory. The /etc/sudoers file includes this file through the directive at its end.

         ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
         #includedir /etc/sudoers.d

    /etc/sudoers.d/xxxxx

         # User rules for USERNAME
         USERNAME ALL=(ALL) NOPASSWD:ALL

  4. There is another way to skip the password prompt without touching the sudoers file. It applies to every member of the wheel group.
    1) Edit /etc/pam.d/sudo and add the line below:

    auth           sufficient      pam_wheel.so trust use_uid

    2) Add the user to the wheel group.
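
The script below is an added example, not part of the original notes or the Red Hat documentation. It lists which sudoers lines are actually active (a commented-out %wheel line is not, while #includedir is) and flags the NOPASSWD rules, then checks whether a drop-in file name would be read from /etc/sudoers.d; the sample text is constructed and USERNAME is a placeholder.

```shell
#!/bin/sh
# Added example: report which sudoers entries are active and which of them
# skip the password prompt. Reads sudoers text on stdin and prints:
#   RULE <who>      active rule that still asks for a password
#   NOPASSWD <who>  active rule that runs commands without a password
#   INCLUDE <path>  include directive ("#includedir" is not a comment)
audit_sudoers() {
    awk '
        /^[ \t]*[#@]include(dir)?[ \t]/      { print "INCLUDE", $2; next }
        /^[ \t]*#/                           { next }  # comment line
        /^[ \t]*$/                           { next }  # blank line
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/  { next }  # settings, not rules
        /NOPASSWD[ \t]*:/                    { print "NOPASSWD", $1; next }
        /=/                                  { print "RULE", $1 }
    '
}

# sudo skips files in an #includedir directory whose name contains "." or
# ends in "~". Return 0 only when the given file name would be read.
dropin_name_ok() {
    case "$1" in
        ""|*.*|*"~") return 1 ;;
        *)           return 0 ;;
    esac
}

# Constructed sample built from the lines on this page; USERNAME is a placeholder.
SAMPLE='## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL
# %wheel        ALL=(ALL)      NOPASSWD: ALL
USERNAME ALL=(ALL) NOPASSWD:ALL
#includedir /etc/sudoers.d'

printf '%s\n' "$SAMPLE" | audit_sudoers
for name in USERNAME USERNAME.conf 'USERNAME~'; do
    if dropin_name_ok "$name"; then echo "read:    $name"
    else echo "skipped: $name"; fi
done
```

On a real host, `visudo -c` checks the syntax of /etc/sudoers and its drop-in files after an edit.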


Note: Tested on RHEL 8.