Linux: sudo authorization

sudo authorization

In Linux administration, not every system administrator is allowed to use root to manage the server, yet administrators who hold only an ordinary user account regularly need to run certain commands with root privileges.

sudo is the Linux tool for managing command authorization. Through authorization it lets specific ordinary users run commands that otherwise only an administrator could run, such as shutdown and restart. This reduces both the number of people who hold root and the number of root logins, which improves the security of the server.

This is done by editing the sudo configuration (via visudo) using its rule syntax.

Super administrator: grants authorization in /etc/sudoers using visudo (which has a syntax check that verifies whether a user's authorization rule is well formed)
		root ALL=(ALL) ALL
		root	: the user being authorized
		ALL		: the machine addresses that may be managed (treat as a fixed format)
		ALL		: the identity granted (root)
		ALL		: the commands granted (absolute path of the command; authorize the specific command + options + operands)

Ordinary administrator:
	    When an ordinary user runs a command that root has authorized, the system checks whether /etc/sudoers contains root's authorization for that user
        Once the user is found to be authorized, the user's own password must be entered to confirm their identity
        If the password is correct, the user may borrow root's identity to run the authorized command; when the command finishes, the authorization ends

Practice case

  1. Authorize user xx to restart the server

  2. Give user xx all of root's command permissions
  xx  ALL=(root)  ALL
  3. Allow user xx to add ordinary users
  xx  ALL=(root) /usr/sbin/useradd
  4. Allow user xx to change the password of newly added users, but not the password of root
  xx  ALL=(root)   /usr/bin/passwd,!/usr/bin/passwd root,!/usr/bin/passwd ""
  5. Authorize user xx to manage the web server (httpd)

    First, user xx needs permission to restart the httpd service (sudoers requires the command's absolute path)
    xx ALL=(root) /usr/bin/systemctl restart httpd

    Next, consider that user xx needs to edit the httpd configuration file
    xx ALL=(root) /usr/bin/vim /etc/httpd/conf/httpd.conf

    Finally, user xx must be able to create and delete web page files; this is done with an ACL rather than sudo
    setfacl -m u:xx:rwx /var/www/html (lets user xx create and delete files in the html directory)
    setfacl -m d:u:xx:rwx /var/www/html (a default ACL, so xx also has permissions on files and sub-directories created in the future, and other administrators' mistakes do not strip them)

Note: sudo authorization should follow the principle of specific, minimal authorization as far as possible. Grant an ordinary user only what that user needs, and be specific down to the command, its options and its parameters. Otherwise permissions overflow beyond what was intended, and the security of the server is reduced.
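As an added example (this script is not from the original post), a small POSIX shell linter that applies the rule format described earlier and the principle in the note above to candidate sudoers lines: it parses `USER HOST=(RUNAS) CMD[,CMD...]`, rejects any command that is not an absolute path, and flags a command field of ALL as over-broad. The function names, messages and the list of rules fed to it are this example's own assumptions; it touches nothing under /etc, so it runs as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the original post: lint sudoers rules of the form
#     USER HOST=(RUNAS) CMD[, CMD ...]
# against the two points the post makes: commands must be absolute paths, and a
# bare ALL in the command field hands the user every root command.

# Trim leading and trailing whitespace from stdin.
trim() { sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# lint_sudoers_line RULE
# Prints one finding per problem; returns 0 when the rule is clean, 1 otherwise.
lint_sudoers_line() {
    rule=$1
    case $rule in
        *=*) ;;
        *) echo "malformed: no '=' in '$rule'"; return 1 ;;
    esac
    lhs=${rule%%=*}                      # "USER HOST"
    rhs=${rule#*=}                       # "(RUNAS) CMD, CMD ..."
    user=$(printf '%s\n' "$lhs" | awk '{print $1}')
    host=$(printf '%s\n' "$lhs" | awk '{print $2}')
    if [ -z "$user" ] || [ -z "$host" ]; then
        echo "malformed: expected 'USER HOST' before '=' in '$rule'"
        return 1
    fi
    # Drop the optional "(runas)" part; what remains is the comma-separated command list.
    cmds=$(printf '%s\n' "$rhs" | sed 's/^[[:space:]]*([^)]*)//' | trim)
    if [ -z "$cmds" ]; then
        echo "malformed: no command list in '$rule'"
        return 1
    fi
    # Collect findings in a subshell; each entry may start with '!' (a deny entry)
    # and may carry arguments, e.g. "!/usr/bin/passwd root".
    findings=$(printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
        entry=$(printf '%s\n' "$entry" | trim)
        [ -n "$entry" ] || continue
        case $entry in
            '!'*) cmd=${entry#?} ;;
            *)    cmd=$entry ;;
        esac
        first=${cmd%% *}                 # the executable, without its arguments
        if [ "$first" = ALL ]; then
            echo "over-broad: '$user' may run ANY command on $host (command field is ALL)"
        elif [ "${first#/}" = "$first" ]; then
            echo "not absolute: '$first' in '$entry' (sudoers requires a full path)"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo: run the post's own rules (plus the corrected httpd rule) through the linter.
demo() {
    for rule in \
        'xx  ALL= (root)  ALL' \
        'xx  ALL=(root) /usr/sbin/useradd' \
        'xx  ALL=(root)   /usr/bin/passwd,!/usr/bin/passwd root,!/usr/bin/passwd ""' \
        'xx ALL = (root) systemctl restart httpd' \
        'xx ALL=(root) /usr/bin/systemctl restart httpd'
    do
        if lint_sudoers_line "$rule"; then
            echo "ok:     $rule"
        else
            echo "REJECT: $rule"
        fi
    done
}
demo
```

This is a pre-check for reviewing rules before they go into visudo; the authoritative syntax check is still `visudo -c` (or `visudo -cf FILE` for a drop-in file), and `sudo -l` run as the user shows exactly what was granted. For the configuration-editing step in case 5, sudoedit (`sudo -e`) is the narrower form, since it copies the file for editing instead of running a full editor as root.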

Origin: blog.csdn.net/weixin_46669463/article/details/105664876