# add user to sudo ?

## cwc

I edited the sudoers file using visudo and uncommented:

```
%sudo ALL=(ALL) ALL
```

When I issue a:

```
usermod -a -G sudo me
```

I get a message sudo does not exist. Do I need to make this group?

----------

## John R. Graham

Do you have app-admin/sudo installed?

- John

----------

## cwc

 *John R. Graham wrote:*   

> Do you have app-admin/sudo installed?
> 
> - John

 

yes

```
app-admin/sudo
      Latest version available: 1.8.12
      Latest version installed: 1.8.12
```

----------

## John R. Graham

The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.

- John

----------

## Buffoon

You sure about that? Being in wheel group permits su, if I remember correctly sudo command usage is configured in sudoers file.

----------

## John R. Graham

Yes, I'm sure that it is at least a normal way. There's even a commented-out example of this in the default /etc/sudoers file. Adding an additional group provides additional granularity without any security value, because if you have permission to run sudo, then you can run su with that.

- John

----------

## Buffoon

 *John R. Graham wrote:*   

> The normal group for giving the ability to sudo is wheel. 

 

I still disagree with this statement. Anyone can sudo if they are in sudoers file. Often there is just one single command I want a non-wheel user to be able to issue. So I allow this in sudoers file.

----------

## John R. Graham

Well, I'm still sure. If wheel isn't the normal group, what group would you say is?

- John

----------

## cwc

 *John R. Graham wrote:*   

> The normal group for giving the ability to sudo is wheel. If you want to use a sudo group, you'll have to create it.
> 
> - John

 

I am part of the wheel group:

```
$ groups
root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc
```

----------

## Buffoon

There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.

----------

## John R. Graham

 *cwc wrote:*   

> I am part of the wheel group:
> 
>  $ groups
> 
> root tty wheel uucp audio cdrom dialout ftp video cdrw apache users wireshark plugdev polkituser vboxguest cwc

If it's acceptable to you to use wheel group membership to bestow sudo privilege, then uncomment this line in /etc/sudoers:

```
## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL) ALL
```

and you should be all set.

- John

----------

## limn

cwc

```
grep sudo /etc/group || emerge sudo
```

----------

## John R. Graham

 *Buffoon wrote:*   

> There is no membership of any group required to sudo. You can create a shutdown group for instance and allow shutdown group members to run sudo halt -p if you like.

 I'm going to plead nolo contendere at this point.

- John

----------

## Buffoon

 *cwc wrote:*   

> I edited the sudoers file using visudo and uncommented :
> 
> %sudo ALL=(ALL) ALL

 

You understand this is effectively giving root rights to all users?

----------

## John R. Graham

No, it's not. It's giving the ability to acquire root privileges to members of the sudo group. Without the creation of that group and the addition of particular users to that group, it's giving nothing to nobody.  :Wink: 

- John

----------

## Buffoon

Yes, this time I was wrong.   :Shocked: 

@cwc

You need to create sudo group for this to work.

----------

## cwc

 *limn wrote:*   

> cwc
> 
> ```
> grep sudo /etc/group || emerge sudo
> ```
> ...

 

Thanks for all the lines! Very enjoyable.

I did the following:

```
#grep sudo /etc/group || emerge sudo
```

then

```
#visudo
```

and uncommented

```
%wheel ALL=(ALL) ALL
```

I am the only one (I know of) that uses my gentoo system so there is no worry.

----------

## mv

 *cwc wrote:*   

> I am the only one (I know of) that uses my gentoo system so there is no worry.

 

There is a huge reason to worry (only exception: If the machine is physically never connected to the internet). Just for example, imagine that you are browsing a compromised page (even a trusted page can be compromised) which uses one of the bazillions of browser security holes to execute some code. Then this site can effectively execute anything on your machine (and easily hide its traces so that you will never recognize that something has happened if e.g. your machine has become part of a botnet or of a child-porn storage area).

Doing such an utterly stupid thing as allowing any user root access might even make you liable by law for not taking more care (it certainly depends on your country and the lawyers which you will have, but I would not risk it).

----------

## limn

cwc

Sorry about that. 

I thought that emerging sudo would create the sudo group.

When sudo is compiled/installed it will create this group if on a Debian box.

----------
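
The point the thread settles on, that a `%group` line in sudoers grants nothing until the group exists and has members, can be checked mechanically. The script below is an added example, not code posted by anyone in the thread; the function name `audit_sudo_groups`, its tab-separated output and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). For every active "%group" rule in a
# sudoers file, report whether the group exists and who is in it.
# Output: group<TAB>MISSING|EMPTY|GRANTS<TAB>members
# Scope: plain Unix group names only; "%#gid" and "%:nonunix" forms and
# included files are not followed. Users who have the group as their
# primary group (set in /etc/passwd) are not listed in the group file.
audit_sudo_groups() (
    sudoers=$1 groupdb=$2
    # A commented-out rule such as "# %wheel ..." does not match the
    # anchored pattern, so only active rules are reported.
    grep -E '^[[:space:]]*%[A-Za-z_][A-Za-z0-9_-]*[[:space:]]' "$sudoers" |
    sed -E 's/^[[:space:]]*%([A-Za-z_][A-Za-z0-9_-]*).*/\1/' | sort -u |
    while read -r grp; do
        entry=$(grep -E "^${grp}:" "$groupdb") ||
            { printf '%s\tMISSING\t-\n' "$grp"; continue; }
        members=${entry##*:}          # 4th field: comma-separated member list
        if [ -z "$members" ]; then
            printf '%s\tEMPTY\t-\n' "$grp"
        else
            printf '%s\tGRANTS\t%s\n' "$grp" "$members"
        fi
    done
)

# Constructed sample files modelled on the thread, not taken from a real system.
run_demo() (
    dir=$(mktemp -d)
    cat > "$dir/sudoers" <<'EOF'
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
# %admin ALL=(ALL) ALL
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:root
wheel:x:10:root,cwc
users:x:100:
EOF
    audit_sudo_groups "$dir/sudoers" "$dir/group"
    rm -rf "$dir"
)
run_demo
```

To check a real host, point the function at /etc/sudoers (readable only by root) and /etc/group.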

