Configure
Privileged Access

Configure privileged access

CIS126RH | RHEL System Administration 1
Mesa Community College

Privileged access control is a foundational security requirement — regular users need to run administrative commands without knowing the root password and without switching to a fully privileged root shell. On RHEL 9, sudo (superuser do) is the standard mechanism. It grants selected users and groups the ability to run specific commands as root (or as other users), logs every privileged action, and is configured through the /etc/sudoers file and drop-in files in /etc/sudoers.d/. sudo configuration is tested on the RHCSA exam.

Learning Objectives

Explain how sudo works and why it is preferred over direct root access — Describe the authentication, logging, and delegation model that makes sudo the enterprise standard for privileged access
Grant full sudo access using the wheel group — Use usermod -aG wheel to add users to the pre-configured wheel group and verify sudo access
Write custom sudoers rules — Use visudo to create precise rules granting specific users or groups access to specific commands with or without a password
Use drop-in files and test sudo configuration — Create rules in /etc/sudoers.d/ and use sudo -l to verify what a user is allowed to run

Why sudo? The Privileged Access Model

Logging in as root or using su - to switch to root has serious disadvantages that sudo is designed to address.

Concern	Direct root login	sudo
Authentication	Requires sharing the root password	Users authenticate with their own password
Audit trail	All actions look like "root" — no individual accountability	Every command logged with the real username in `/var/log/secure`
Scope of access	Root can do anything — all or nothing	Users can be limited to specific commands only
Risk surface	Full root shell — one mistake destroys the system	Minimum required privilege per command
Session persistence	Root login persists until explicitly exited	Cached credential expires (default 5 minutes)

sudo logs to /var/log/secure

Every sudo command is recorded: the user who ran it, the command, the timestamp, and whether it was allowed or denied. This creates a complete audit trail of privileged activity.

The wheel Group: Full sudo Access

On RHEL 9, the wheel group is pre-configured in /etc/sudoers to allow members to run any command as root. This is the simplest way to grant full administrative access.

# The wheel group rule in /etc/sudoers (pre-configured on RHEL 9)
%wheel  ALL=(ALL)  ALL
# % = group; ALL = any host; (ALL) = as any user; ALL = any command

# Grant full sudo access: add a user to the wheel group
$ sudo usermod -aG wheel alice

# Verify alice is in wheel
$ id alice
uid=1001(alice) gid=1001(alice) groups=1001(alice),10(wheel)

# Test: alice can now run sudo commands
$ sudo -u alice sudo whoami
root

# Or switch to alice and test directly
$ su - alice
$ sudo whoami
[sudo] password for alice:
root

RHCSA exam pattern: wheel group for full admin access

When the exam says "grant USER full administrative access" or "allow USER to run all commands with sudo", the answer is sudo usermod -aG wheel USER. No sudoers file editing is needed — the wheel group rule is already present.

/etc/sudoers: The Configuration File

The /etc/sudoers file defines all sudo rules. It must always be edited with visudo — never directly with a text editor.

# Open /etc/sudoers safely with visudo
$ sudo visudo

# Key sections in the default /etc/sudoers
## Allows root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without password requirement
# %wheel  ALL=(ALL)   NOPASSWD: ALL

## Read drop-in files from /etc/sudoers.d/
#includedir /etc/sudoers.d

Always use visudo — never edit /etc/sudoers directly

visudo opens the file in an editor and validates the syntax before saving. A syntax error in /etc/sudoers disables all sudo access on the system — potentially locking out all administrative access. Direct editing with vi or nano provides no validation.

The sudoers Rule Format

Every sudoers rule follows a precise syntax. Understanding each field allows precise control over what is permitted.

# Format: WHO  WHERE=(AS_WHOM)  WHAT
#
alice       ALL=(ALL)       ALL
# alice can run ANY command as ANY user on ANY host
#
%developers ALL=(ALL)       /usr/bin/systemctl
# developers group can run systemctl as root on any host
#
bob         ALL=(root)      NOPASSWD: /usr/bin/dnf
# bob can run dnf as root without a password
#
carol       servera=(root)  /sbin/reboot, /sbin/halt
# carol can reboot or halt only on servera

Field	Meaning	Examples
WHO	User (`alice`) or group (`%wheel`)	`alice`, `%developers`
WHERE	Hostname where the rule applies	`ALL`, `servera`
(AS_WHOM)	The user to run as (usually root)	`(ALL)`, `(root)`
WHAT	Commands allowed; `ALL` or full paths	`ALL`, `/usr/bin/dnf`

Writing Custom sudoers Rules

Custom rules grant a user or group access to specific commands — more secure than granting full sudo access.

# Open visudo to add custom rules
$ sudo visudo

# Allow alice to run systemctl commands as root
alice  ALL=(root)  /usr/bin/systemctl

# Allow the operators group to restart specific services only
%operators  ALL=(root)  /usr/bin/systemctl restart httpd, /usr/bin/systemctl restart sshd

# Allow bob to run dnf without entering a password
bob  ALL=(root)  NOPASSWD: /usr/bin/dnf

# Allow carol to run ALL commands without a password (less secure)
carol  ALL=(ALL)  NOPASSWD: ALL

# Verify: list what a user can run with sudo
$ sudo -l -U alice
Matching Defaults entries for alice on servera:
    ...
User alice may run the following commands on servera:
    (root) /usr/bin/systemctl

Drop-in Files: /etc/sudoers.d/

The preferred way to add custom rules is in separate files under /etc/sudoers.d/ — keeping the main /etc/sudoers clean and making rules easy to manage and remove.

# Create a drop-in rule file for alice
$ sudo visudo -f /etc/sudoers.d/alice
# Add inside the file:
alice  ALL=(root)  /usr/bin/systemctl

# Create a rule file for the devops group
$ sudo visudo -f /etc/sudoers.d/devops
%devops  ALL=(root)  NOPASSWD: /usr/bin/dnf, /usr/bin/systemctl

# List all drop-in files
$ ls /etc/sudoers.d/
alice  devops  README

# Verify with visudo --check (syntax check all files)
$ sudo visudo --check
/etc/sudoers: parsed OK
/etc/sudoers.d/alice: parsed OK
/etc/sudoers.d/devops: parsed OK

Use visudo -f for drop-in files too

sudo visudo -f /etc/sudoers.d/FILENAME creates or edits a drop-in file with the same syntax validation as editing the main sudoers file. Never use a plain text editor on any sudoers file — always use visudo.

NOPASSWD and Other sudoers Tags

Tags modify how sudo applies a rule. They appear before the command list in the WHAT field.

# NOPASSWD: run commands without being prompted for a password
alice  ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd

# PASSWD: override a NOPASSWD inherited from a group (require password)
bob    ALL=(root)  PASSWD: /usr/bin/dnf, NOPASSWD: /usr/bin/systemctl

# NOEXEC: prevent sudo from running subshells or other programs
carol  ALL=(root)  NOEXEC: /usr/bin/less

# ! (negation): explicitly deny a specific command
%developers  ALL=(root)  ALL, !/bin/bash, !/bin/sh
# Above: allow all commands EXCEPT bash and sh (shell access blocked)
# Note: negation is not foolproof — avoid relying on it for security

Negation (!) is not a reliable security boundary

Denying /bin/bash does not prevent shell access — a user with sudo access to many commands can still escape to a shell through editors, pagers, or other programs. Limit sudo to specific, audited commands rather than relying on negation.

Testing sudo Configuration

# List all commands the current user can run with sudo
$ sudo -l
Matching Defaults entries for alice on servera:
    env_reset, mail_badpass, ...

User alice may run the following commands on servera:
    (root) /usr/bin/systemctl

# List commands a specific user can run (run as root)
$ sudo -l -U bob
User bob may run the following commands on servera:
    (root) NOPASSWD: /usr/bin/dnf

# Test running a command as alice without switching to her
$ sudo -u alice id
uid=1001(alice) gid=1001(alice) groups=1001(alice)

# Check the sudo log for recent activity
$ sudo grep sudo /var/log/secure | tail -10
May 25 10:00:01 servera sudo: alice : TTY=pts/0 ; PWD=/home/alice ;
    USER=root ; COMMAND=/usr/bin/systemctl restart httpd

sudo -l is the exam verification command

After configuring sudo rules, always run sudo -l -U USERNAME to confirm that the user can (or cannot) run the expected commands. This is the same check the exam grader uses.

Aliases: Organising Complex Rules

Aliases allow groups of users, hosts, or commands to be named and reused — making large sudoers configurations easier to manage.

# In /etc/sudoers or a drop-in file:

# User_Alias — named group of users
User_Alias  WEBADMINS = alice, bob, carol

# Cmnd_Alias — named group of commands
Cmnd_Alias  WEBSERVICES = /usr/bin/systemctl restart httpd, \
                           /usr/bin/systemctl reload httpd, \
                           /usr/bin/systemctl status httpd

# Runas_Alias — named group of users to run as
Runas_Alias WEBRUNNERS = root, apache

# Use aliases in rules
WEBADMINS  ALL=(WEBRUNNERS)  WEBSERVICES
# All WEBADMINS can run WEBSERVICES as root or apache

# This is equivalent to listing all combinations individually
# but much more maintainable at scale

sudo Defaults and Configuration

The Defaults section in /etc/sudoers controls system-wide sudo behaviour.

# Common Defaults entries in /etc/sudoers
Defaults    env_reset           # reset environment when running sudo
Defaults    mail_badpass        # email root on failed sudo attempts
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Defaults    timestamp_timeout=5 # credential cache: 5 minutes (default)

# Increase the credential cache timeout
Defaults    timestamp_timeout=15

# Require password every time (no caching)
Defaults    timestamp_timeout=0

# Enable sudo logging to a file
Defaults    logfile=/var/log/sudo.log

# Apply a Default to a specific user only
Defaults:alice  timestamp_timeout=30

# Run sudo without a TTY (useful for scripts)
Defaults    !requiretty

Switching to Root: su and sudo -i

Sometimes full root shell access is needed. Two methods exist — both require appropriate privileges, but only one requires knowing the root password.

# su - : switch to root with full environment (requires root password)
$ su -
Password:
[root@servera ~]#

# sudo -i : open a root login shell (requires sudo ALL access)
$ sudo -i
[sudo] password for alice:
[root@servera ~]#

# sudo -s : open a root shell without login environment
$ sudo -s

# sudo su - : another common pattern (uses sudo then su)
$ sudo su -

# Run a single command as root
$ sudo systemctl restart httpd

# Switch to another user (not root)
$ sudo -u bob whoami
bob

Privileged Access Quick Reference

Task	Command or configuration
Grant full sudo access	`sudo usermod -aG wheel USERNAME`
Edit sudoers safely	`sudo visudo`
Edit a drop-in file safely	`sudo visudo -f /etc/sudoers.d/FILENAME`
Validate all sudoers files	`sudo visudo --check`
Allow user to run any command	`USERNAME ALL=(ALL) ALL`
Allow user without password	`USERNAME ALL=(ALL) NOPASSWD: ALL`
Allow user to run specific command	`USERNAME ALL=(root) /full/path/to/command`
Allow a group sudo access	`%GROUPNAME ALL=(ALL) ALL`
List current user's sudo permissions	`sudo -l`
List another user's sudo permissions	`sudo -l -U USERNAME`
Open a root shell via sudo	`sudo -i`
Run a command as a different user	`sudo -u USERNAME COMMAND`
View sudo audit log	`sudo grep sudo /var/log/secure`

Common Mistakes

Mistake	What goes wrong	Correct approach
Editing `/etc/sudoers` with vi/nano instead of visudo	Syntax errors disable all sudo access — potential administrative lockout	Always use `sudo visudo` or `sudo visudo -f /etc/sudoers.d/FILE`
Using a relative command path in a sudoers rule	Rule does not apply or can be exploited with a malicious command in PATH	Always use full absolute paths: `/usr/bin/systemctl` not `systemctl`
Forgetting `-aG` when adding to wheel (using `-G` alone)	User loses all other supplementary group memberships	`sudo usermod -aG wheel USERNAME` — the `-a` is mandatory
Expecting sudo access to work immediately after usermod -aG wheel	User's current session does not have the new wheel membership yet	User must log out and back in, or use `newgrp wheel`
Creating a drop-in file with a dot in the name	Files with dots in the name are ignored by `#includedir`	Name drop-in files without dots: `alice` or `90-alice` not `alice.conf`
Using negation (!) to deny commands instead of allowlisting	Many alternative paths to shell access remain; security boundary is unreliable	Grant only the specific commands needed — do not try to block everything else

Complete Configuration Workflow

Two exam scenarios: (A) grant full admin access; (B) grant limited command access.

Scenario A: Full sudo access for alice

$ sudo usermod -aG wheel alice
$ sudo -l -U alice   # verify
    (ALL) ALL

Scenario B: bob can restart httpd without a password

$ sudo visudo -f /etc/sudoers.d/bob
# Add this line:
bob  ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd

# Verify syntax
$ sudo visudo --check

# Verify bob's permissions
$ sudo -l -U bob
    (root) NOPASSWD: /usr/bin/systemctl restart httpd

# Test as bob
$ su - bob -c "sudo systemctl restart httpd"
      ← no password prompt, command succeeds

Knowledge Check

Answer these before moving to the next slide.

Write the command to grant user carol full sudo access on RHEL 9. Why does this work without editing /etc/sudoers?
Write the sudoers rule to allow user dave to run /usr/bin/dnf as root without being prompted for a password.
You need to add this rule for dave using a drop-in file. Write the full command to create it safely, and what must the filename NOT contain?
Write the command to verify what sudo commands dave is allowed to run. What command would an administrator use to check dave's permissions without switching to his account?
Why should you always use visudo instead of a plain text editor to modify sudoers files?
A sudoers rule contains !/bin/bash. What does this mean, and why is it not a reliable security boundary?

Knowledge Check — Answers

sudo usermod -aG wheel carol. This works without editing sudoers because RHEL 9 ships with the pre-configured rule %wheel ALL=(ALL) ALL in /etc/sudoers — any member of the wheel group automatically has full sudo access.
dave ALL=(root) NOPASSWD: /usr/bin/dnf
This goes in /etc/sudoers (via visudo) or in a drop-in file.
sudo visudo -f /etc/sudoers.d/dave
The filename must NOT contain a dot (.) — files with dots in the name are silently ignored by the #includedir directive. So dave is valid; dave.conf is not.
As dave: sudo -l
As root checking dave: sudo -l -U dave
Both show the matching sudoers rules and which commands dave is permitted to run.
visudo validates the file's syntax before saving. A syntax error in /etc/sudoers disables all sudo access on the system. If sudo is the only way to gain root access (root password not set), a broken sudoers file causes a complete administrative lockout. visudo prevents this by refusing to save a file with syntax errors.
!/bin/bash explicitly denies running /bin/bash via sudo. It is not reliable because there are many other ways to obtain a shell — through editors (vim's :!bash), pagers (less's !bash), or other programs. The correct approach is to allow only specific, audited commands (allowlist) rather than trying to deny known shells (denylist).

Key Takeaways

Grant full sudo access by adding to the wheel group. sudo usermod -aG wheel USERNAME — the pre-configured %wheel ALL=(ALL) ALL rule in /etc/sudoers does the rest. The user must log out and back in for the new membership to take effect.
Always use visudo — never a plain text editor. sudo visudo for the main file; sudo visudo -f /etc/sudoers.d/NAME for drop-in files. Syntax errors disable all sudo access. Drop-in filenames must not contain dots.
Rule format: WHO ALL=(root) [NOPASSWD:] /full/path/command. Use %GROUPNAME for groups. Always use absolute command paths. NOPASSWD: removes the password prompt for automation. ALL in the WHAT position grants full sudo access.
Verify with sudo -l -U USERNAME and test by switching users. sudo --check validates syntax. sudo -l -U USER shows what a user is permitted to run. Every sudo action is logged in /var/log/secure with the real username.

Graded Lab

Create user labadmin. Add them to the wheel group with usermod -aG wheel. Verify with id labadmin. Switch to labadmin and confirm they can run sudo whoami and get the response root.
Create user labops. Use visudo -f /etc/sudoers.d/labops to create a drop-in rule allowing labops to run /usr/bin/systemctl as root without a password. Run visudo --check to validate syntax.
Verify labops's permissions with sudo -l -U labops. Switch to labops and run sudo systemctl status sshd — confirm it succeeds without a password prompt. Attempt sudo dnf list — confirm it is denied.
Create a drop-in file /etc/sudoers.d/labops.conf (note the dot). Confirm with sudo -l -U labops that the rules in the dotted file are NOT loaded. Delete the dotted file and recreate it as labops-extra — confirm it IS loaded.
Check /var/log/secure for the sudo audit entries generated during the lab. Identify the log entries for labadmin's sudo whoami and labops's systemctl command. Note the username, timestamp, and command recorded.
Remove labops from the sudoers drop-in by deleting /etc/sudoers.d/labops. Verify with sudo -l -U labops that they no longer have any sudo permissions. Attempt a sudo command as labops and confirm it is denied.

RHCSA Objective

"Configure privileged access." Grant full access: usermod -aG wheel USER. Custom rules: visudo -f /etc/sudoers.d/NAME with USER ALL=(root) [NOPASSWD:] /path. Verify: sudo -l -U USER.

Next: Getting Help from Local Documentation

ConfigurePrivileged Access