CentOS 7 add new user with root privileges
The way CentOS grants root (all) privileges to a user is by putting them in the wheel group. This is what happens when you make a user account and select the box that makes that user an Administrator.
You can put a user in a group with:
sudo usermod -aG wheel username
To disable an account from logging in, including the root account, you can lock it by setting a non-usable password.
sudo passwd -l username
I am reading this tutorial, and trying to create a new user with root privileges and then block root access via ssh in a CentOS 7 server. The problem is that the new user is blocked from doing root actions like nano /etc/sudoers. Also, I seem unable to remove the block of root login. So my pre-existing open root session is the only access I have to root functionality until it terminates. How can I successfully add root permissions to the newuser? And how can I successfully turn on/off root login?
- Strictly speaking, the real use of sudo is to configure the execution of certain specific commands to certain specific users or groups. The way sudo is distributed and configured in some distributions can be somewhat misleading because to become the root user, we can just type su - without involving sudo. This requires the entry of the password for the user, root, and not the user's password. So you could have used this.
- Try to never use anything except visudo to directly edit /etc/sudoers. Otherwise you could break authentication altogether until you change its permissions back to 0400 (which you cannot do after you log out without utilizing a rescue system of some sort). (The editor used by visudo can be controlled by the VISUAL environment variable. To use it with nano, one option is VISUAL=nano visudo.)
- The new user already can become root (point 1), but to let this user become root through sudo, just add the user to the right group. On CentOS 7, the traditional group name of wheel was used to allow members of that group to become root via sudo: usermod -a -G wheel codemedic. Use man usermod for more details. You can determine this group name by reading the configuration file: cat /etc/sudoers.
- To deny access to root via SSH, edit /etc/ssh/sshd_config and make sure that only one uncommented instance of PermitRootLogin is available and set it to a value of no: PermitRootLogin no. Save the file and restart the Secure Shell daemon: systemctl restart sshd.
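As an added example (not part of the answer above), this script checks copies of sshd_config and sudoers for the two conditions that answer describes: exactly one uncommented PermitRootLogin, set to no, and an active wheel rule. The function names and the sample file contents are constructed for illustration; on a real host, run audit as root against /etc/ssh/sshd_config and /etc/sudoers before restarting sshd and while the existing root session is still open.

```bash
#!/bin/bash
# Added example: read-only checks on the two files the answer above edits.

# Print every uncommented PermitRootLogin line in an sshd_config file.
permit_root_login_lines() {
    grep -Ei '^[[:space:]]*PermitRootLogin([[:space:]]|=)' "$1"
}

# Print the global value sshd would apply. sshd keeps the first value it
# obtains for a keyword, and lines after a Match are conditional, so the
# scan stops there. Prints "unset" if no global directive exists.
effective_permit_root_login() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^match[ \t]/ { exit }
        line ~ /^permitrootlogin[ \t=]/ {
            sub(/^permitrootlogin[ \t=]+/, "", line)
            sub(/[ \t]+$/, "", line)
            print line; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if the sudoers file has an uncommented rule for the wheel group.
wheel_rule_active() {
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=' "$1"
}

# audit SSHD_CONFIG SUDOERS: status 0 only if root SSH login is disabled by
# exactly one uncommented directive and wheel membership grants sudo.
audit() {
    local count value
    count=$(permit_root_login_lines "$1" | wc -l | tr -d ' ')
    value=$(effective_permit_root_login "$1")
    echo "PermitRootLogin: $count uncommented, effective=$value"
    [ "$count" -eq 1 ] && [ "$value" = "no" ] && wheel_rule_active "$2"
}

# Constructed sample input: "no" was appended, but an earlier "yes" remains.
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$demo_dir/sshd_bad"
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/sshd_ok"
printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$demo_dir/sudoers"
audit "$demo_dir/sshd_bad" "$demo_dir/sudoers" || echo "root login still enabled"
audit "$demo_dir/sshd_ok" "$demo_dir/sudoers" && echo "safe to restart sshd"
```

The first sample fails the audit because the earlier uncommented yes takes effect, which is why the answer insists on a single uncommented instance.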
Note that I edited /etc/sudoers because /usr/sbin/visudo did not work.
How does visudo not work?
These steps worked for me.
Add user:
useradd user
Add password:
passwd user
Add the following line to the /etc/sudoers file by using the command visudo:
user ALL=(ALL) ALL
or, for becoming root without having to enter a password,
user ALL=(ALL) NOPASSWD:ALL
Then, switch to that user
su user
and ask for root privileges:
sudo su -
Enter password for new user:
[sudo] password for user: