The translation is temporarily closed for contributions due to maintenance, please come back later.
English Spanish
Gaining Privileges
System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the `root` user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as [command]#su# and [command]#sudo#. These programs allow specific users to perform tasks which would normally be available only to the `root` user while maintaining a higher level of control and system security.
See the link:++[Red{nbsp}Hat Enterprise{nbsp}Linux{nbsp}7 Security Guide] for more information on administrative controls, potential dangers, and ways to prevent data loss resulting from improper use of privileged access.
The su Command
When a user executes the [command]#su# command, they are prompted for the `root` password and, after authentication, are given a `root` shell prompt.
Once logged in using the [command]#su# command, the user *is* the `root` user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become `root`, it is possible for them to use the [command]#su# command to change to any other user on the system without being prompted for a password.
Because this program is so powerful, administrators within an organization may want to limit who has access to the command.
One of the simplest ways to do this is to add users to the special administrative group called _wheel_. To do this, type the following command as `root`:
~]# usermod -a -G wheel pass:quotes[_username_]
In the previous command, replace _username_ with the user name you want to add to the `wheel` group.
You can also use the [application]*Users* settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
Press the kbd:[Super] key to enter the Activities Overview, type [command]#Users# and then press kbd:[Enter]. The [application]*Users* settings tool appears. The kbd:[Super] key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the kbd:[Spacebar].
To enable making changes, click the btn:[Unlock] button, and enter a valid administrator password.
Click a user icon in the left column to display the user's properties in the right-hand pane.
Change the Account Type from `Standard` to `Administrator`. This will add the user to the `wheel` group.
See xref:basic-system-configuration/Managing_Users_and_Groups.adoc#s1-users-configui[Managing Users in a Graphical Environment] for more information about the [application]*Users* tool.
After you add the desired users to the `wheel` group, it is advisable to only allow these specific users to use the [command]#su# command. To do this, edit the PAM configuration file for [command]#su#, `/etc/pam.d/su`. Open this file in a text editor and uncomment the following line by removing the `#` character:
#auth required use_uid
This change means that only members of the administrative group `wheel` can switch to another user using the [command]#su# command.