Configuring sudo
The next step in setting up a file server on the slug is an easy one: install sudo rights for my normal user.
I use sudo as a matter of convenience; if I don’t have it installed I’m much more likely to do stuff as root (that doesn’t have to be done as root). The security aspects of sudo, where you can limit what each user (or group) can do with sudo, don’t really matter to me since I am the sole administrator of these boxen and I want absolute power. This means that our sudo setup will be a really simple one (you’ll see later).
But first things first: let’s start by installing sudo on the slug.
If you haven’t logged in to the box yet, do so now:
ssh habrok@192.168.1.6
Of course you should exchange habrok for the login of the user created with the Debian installer, and the IP with the IP of your slug. Now we install sudo with apt, starting with an update of the local package list (it is always good to do an update at the start of a session, though nothing bad will happen if you forget; the packages will fail to download, that’s all):
su -
apt-get update
apt-get install sudo
Next we will configure sudo access, by editing the /etc/sudoers file. We won’t do this with the normal editor though, but run the special editor visudo instead. Visudo is used to prevent syntax errors in the /etc/sudoers file, which might otherwise lock everyone out of doing sudos. You might think that visudo has something to do with the infamous vi editor, but don’t worry, it will actually use nano for your editing session. So go ahead and type:
visudo
We will make just one change in this file. Below the “user privilege specification” comment add a line:
%wheel ALL = (root) ALL
This line means that members of the “wheel” system group (the percent sign means a group) on any host (the first “ALL”) will be able to execute any command (the second “ALL”) as root (this is the default, so it isn’t really necessary to write it out, but it is clearer this way). The reason I didn’t allow the wheel users to run commands as any user (which is done by putting “ALL” within the parentheses) is that I honestly don’t know why I would ever need this (security 101: don’t enable things you don’t know you will need).
Now save (ctrl+O) and exit (ctrl+X). Visudo will tell you if there are any syntax errors; if so, press ‘e’ to correct them.
Now we need to add the users we want to run sudo to the wheel group*. First check that there isn’t already a wheel group:
cat /etc/group | grep wheel
This should return nothing (at least if you’re running a new installation of Debian like me), so go on and create this group:
addgroup --system --gid 23 wheel
The group id doesn’t have to be 23; I just find it easy to remember (you actually don’t have to specify a group id at all; if you don’t, the system will assign one for you).
Now add our normal user and root (for good measure) to the wheel group:
adduser habrok wheel
adduser root wheel
Now, we have to log out and in again for our group membership to be updated, so do that now:
exit
exit
ssh habrok@192.168.1.6
groups
Now “wheel” should be listed among the groups you are a member of (if not, you have to su again and try to find where things went wrong), so go on and try to sudo something:
sudo apt-get update
Type your password (your password, not the root password) and see if it starts updating the package list. If it works (and it should) then you can go on to lock your root account; if not, you have to su to the root account again and correct any errors you’ve made first.
Locking out the root user is a bit scary: you might not be able to correct mistakes if you do something stupid (now or later). With the slug I can’t even use the usual recovery procedure (booting from a CD), so instead of really locking out root, I will just set a very long, random password, which I write down and keep in a secret place.
First generate a random password with your favourite password generator (I use apg, which can be found in Ubuntu’s universe). Then set the root password for the slug with:
sudo passwd root
Your slug should now be properly set up with sudo, so go on and get yourself some coffee or something.
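As an added example (not part of the original post): a small shell function that cross-checks the two pieces configured above, the %group rule in sudoers and the members of that group, and lists who ends up with sudo rights. The function names and the sample files are constructed for illustration; it only counts members listed in the group file and does not follow sudoers aliases or include files.

```shell
#!/bin/sh
# Added example: list users who gain sudo rights through %group rules.
# Usage: sudo_group_users SUDOERS_FILE GROUP_FILE
# Assumptions of this sketch: only members listed in the fourth field of the
# group file are counted (not users whose primary group matches), and
# sudoers aliases and include files are ignored.
sudo_group_users() {
    awk -F: '
        # First file (sudoers): remember every group named in a %group rule.
        NR == FNR {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^%/) {
                split(line, parts, /[ \t=]+/)
                rule[substr(parts[1], 2)] = 1
            }
            next
        }
        # Second file (group): name:passwd:gid:member,member,...
        ($1 in rule) && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) print members[i] " via %" $1
        }
    ' "$1" "$2" | sort -u
}

# Constructed sample files mirroring the setup in this post.
sudo_group_users_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '# User privilege specification' \
        'root    ALL=(ALL) ALL' \
        '%wheel ALL = (root) ALL' > "$tmp/sudoers"
    printf '%s\n' \
        'root:x:0:' \
        'wheel:x:23:habrok,root' \
        'users:x:100:guest' > "$tmp/group"
    sudo_group_users "$tmp/sudoers" "$tmp/group"
    rm -rf "$tmp"
}

sudo_group_users_demo
```

On the slug itself, run it as root with sudo_group_users /etc/sudoers /etc/group; any name in the output that you did not expect is an account with full root access through sudo.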
* At this point, you may wonder why the group is called wheel (and not admins or sysops or something). This is just a tradition; the wheel group was used to restrict which users could run the “su” command (I think Berkeley might have been first with this). Now we use it to restrict sudo.