Gaining Privileges
System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the `root` user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as [command]#su# and [command]#sudo#. These programs allow specific users to perform tasks which would normally be available only to the `root` user while maintaining a higher level of control and system security.
See the link:++https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/++[Red{nbsp}Hat Enterprise{nbsp}Linux{nbsp}7 Security Guide] for more information on administrative controls, potential dangers, and ways to prevent data loss resulting from improper use of privileged access.
The su Command
When a user executes the [command]#su# command, they are prompted for the `root` password and, after authentication, are given a `root` shell prompt.
Once logged in using the [command]#su# command, the user *is* the `root` user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become `root`, it is possible for them to use the [command]#su# command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called _wheel_. To do this, type the following command as `root`:
~]# usermod -a -G wheel pass:quotes[_username_]
In the previous command, replace _username_ with the user name you want to add to the `wheel` group.
You can also use the [application]*Users* settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
Press the kbd:[Super] key to enter the Activities Overview, type [command]#Users# and then press kbd:[Enter]. The [application]*Users* settings tool appears. The kbd:[Super] key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the kbd:[Spacebar].
To enable making changes, click the btn:[Unlock] button, and enter a valid administrator password.
Note
The sudo Command
The [command]#sudo# command offers another approach to giving users administrative access. When trusted users precede an administrative command with [command]#sudo#, they are prompted for *their own* password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the `root` user.
Important
By default, [command]#sudo# stores the sudoer's password for a five-minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves their workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the `/etc/sudoers` file:
where _value_ is the desired timeout length in minutes. Setting the _value_ to 0 causes [command]#sudo# to require a password every time.
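To check which timeout a given `sudoers` file actually sets, the following script (an added example, not part of this guide) reports the effective global `timestamp_timeout` and flags anything other than 0. The function names `sudo_timeout` and `audit_sudo_timeout` and the sample file are assumptions made for illustration; the script also goes one step beyond the text above by flagging negative values, which [command]#sudo# treats as "do not expire until reboot".

```sh
#!/bin/sh
# Added example (not from the guide): audit the sudo credential-cache timeout.
# Function names and the sample file below are illustrative assumptions.

# Print the effective global timestamp_timeout (minutes) set in one sudoers file.
# The last matching global "Defaults" entry wins; per-user "Defaults:user" lines
# and files pulled in by include directives are not examined.
sudo_timeout() {
    awk '
        $1 == "Defaults" {
            line = $0
            sub("#.*", "", line)                      # drop trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)    # keep only the option list
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opts[i])
                if (opts[i] ~ /^timestamp_timeout=-?[0-9]+(\.[0-9]+)?$/) {
                    sub(/^timestamp_timeout=/, "", opts[i])
                    val = opts[i]
                }
            }
        }
        # Unset: fall back to the five-minute default described above.
        END { print (val == "" ? 5 : val) }
    ' "$1"
}

# Classify the result for a reviewer.
audit_sudo_timeout() {
    t=$(sudo_timeout "$1")
    case "$t" in
        0)  echo "OK: sudo asks for a password every time" ;;
        -*) echo "WARN: timestamp_timeout=$t, cached credentials do not expire until reboot" ;;
        *)  echo "WARN: credentials stay cached for $t minute(s)" ;;
    esac
}

# Constructed sample sudoers content, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults    env_reset
Defaults    !visiblepw, timestamp_timeout=15
# Defaults  timestamp_timeout=0
Defaults:backup timestamp_timeout=60
%wheel  ALL=(ALL)  ALL
EOF
audit_sudo_timeout "$sample"
rm -f "$sample"
```

Running `audit_sudo_timeout /etc/sudoers` as `root` applies the same check to the live file.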
If a sudoer's account is compromised, an attacker can use [command]#sudo# to open a new shell with administrative privileges: