sudo允许用户以其他用户的身份(比如root)执行命令,比如切换用户、执行命令、读写文件等;
配置
sudo配置在:/etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
...
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
...
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
从这个配置文件可以看到3点:
- 配置的格式(user MACHINE=COMMANDS)以及示例(在末尾附近),比如root的权限;
- /etc/sudoers.d/* 这个目录下边的文件也会被加载,这样就可以把不同类别的权限配置分开到不同的文件;
- 使用visudo编辑,使用vi或vim编辑也可以,不过visudo在保存前会做检查,如果配置有问题会报错,直接保存错误的配置可能导致难以预料的后果,千万不要尝试;
常用场景
1 切换用户
username ALL=(root) NOPASSWD: /bin/su - targetuser
允许username切换到targetuser
%groupname ALL=(root) NOPASSWD: /bin/su - targetuser
允许groupname里边的用户切换到targetuser
2 执行命令
username ALL=(root) NOPASSWD: /usr/sbin/iptables
允许username执行iptables命令
