10 Tips for the sudo Command on Linux

Overview

sudo means "superuser do". It allows authenticated users to run commands as other users. The other user can be a regular user or the superuser, but most of the time we use it to run commands with elevated privileges.

The sudo command works together with a security policy. The default security policy is sudoers, which is configured through /etc/sudoers. The policy is highly extensible: people can develop and distribute their own security policies as plugins.

Difference from su

In GNU/Linux, there are two ways to run commands with elevated privileges:

  • use the su command
  • use the sudo command

su means "switch user". Using su, we can switch to the root user and execute commands. But this approach has some disadvantages:

  • We need to share root's password with others.
  • Because the root user is superuser, we cannot grant controlled access.
  • We cannot review what users are doing.

sudo solves these problems in its own way.

  1. First, we don't need to share the root user's password. Regular users can execute commands with elevated privileges using their own passwords.
  2. We can control sudo users' access, which means we can restrict users to executing only certain commands.
  3. In addition, all sudo user activity is logged, so we can review what was done at any time. On Debian-based GNU/Linux, all activity is recorded in the /var/log/auth.log file.

These points are covered later in this tutorial.
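The audit trail mentioned in point 3 is only useful if someone reads it. As an added example (not part of the original article), the script below extracts each sudo event from auth.log-style lines and separates successful runs from denied commands and failed password attempts, which are the entries an administrator reviews first. The log lines are constructed samples in the format sudo writes via syslog on Debian-based systems; the host name and user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sudo activity
# recorded in /var/log/auth.log. SAMPLE_LOG holds constructed lines in the
# syslog format sudo uses; point the awk pipeline at the real file instead.
SAMPLE_LOG='Mar  1 09:00:01 host1 sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/usr/bin/cat /etc/passwd
Mar  1 09:00:01 host1 sudo: pam_unix(sudo:session): session opened for user root by linuxtechi(uid=0)
Mar  1 09:00:05 host1 sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=devesh ; COMMAND=/usr/bin/whoami
Mar  1 09:01:10 host1 sudo: devesh : command not allowed ; TTY=pts/1 ; PWD=/home/devesh ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  1 09:02:00 host1 sudo: devesh : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/devesh ; USER=root ; COMMAND=/bin/bash
Mar  1 09:03:00 host1 CRON[123]: pam_unix(cron:session): session opened for user root by (uid=0)'

# sudo_events: print one line per sudo command event as
#   STATUS caller target-user command
# STATUS is OK, DENIED (sudoers refused the command) or AUTHFAIL.
sudo_events() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / sudo: / && !/pam_unix/ {
            sub(/^.* sudo: /, "")             # keep "caller : field ; field ; ..."
            n = split($0, f, " ; ")
            caller = f[1]; sub(/ :.*$/, "", caller)
            status = "OK"
            if (f[1] ~ /command not allowed/)     status = "DENIED"
            else if (f[1] ~ /incorrect password/) status = "AUTHFAIL"
            target = "?"; cmd = "?"
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            }
            print status, caller, target, cmd
        }'
}

# sudo_alerts: number of events that deserve a second look
# (anything that is not a successful, permitted run).
sudo_alerts() {
    sudo_events | awk '$1 != "OK"' | wc -l | tr -d ' '
}

# Run with RUN_DEMO=1 to print the event table followed by the alert count.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    sudo_events
    sudo_alerts
fi
```

The pam_unix session lines are skipped because they duplicate information already carried by the command line that precedes them; the DENIED and AUTHFAIL rows are the ones that show where a user's granted access and their actual behaviour disagree.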

Hands-on with sudo

Now, we have a general understanding of sudo. Let's get our hands dirty. For demonstration, I use Ubuntu. However, the operation for other distributions should be the same.

Allow sudo permissions

Let's add a regular user as a sudo user. In my case the username is linuxtechi.

1) Edit the /etc/sudoers file:

  $ sudo visudo

2) Add the following line to give the user linuxtechi sudo privileges:

  linuxtechi ALL=(ALL) ALL

In the above line:

  • linuxtechi is the username
  • The first ALL allows sudo to be used from any terminal or machine
  • The second (ALL) means sudo may execute the command as any user
  • The third ALL means that all commands can be executed as root

Execute commands with elevated privileges

To execute a command with elevated privileges, simply prefix it with sudo, as follows:

  $ sudo cat /etc/passwd

When you execute this command, it asks for linuxtechi's password, not the root user's password.

Execute commands as another user

In addition, we can use sudo to execute commands as another user. For example, in the following command, user linuxtechi executes the command as user devesh:

  $ sudo -u devesh whoami
  [sudo] password for linuxtechi:
  devesh

Built-in commands

One limitation of sudo is that it cannot run the shell's built-in commands. For example, history is a built-in command, and if you try to execute it with sudo, you will get the following command not found error:

  $ sudo history
  [sudo] password for linuxtechi:
  sudo: history: command not found

Access the root shell

To overcome this problem, we can open a root shell and execute any command there, including the shell's built-in commands.

To access the root shell, execute the following command:

  $ sudo bash

After executing this command, you will observe that the prompt changes to a pound sign (#).

Tips

In this section we discuss some useful tricks that help improve productivity. Most of the commands can be used to complete everyday tasks.

Run a previous command as the sudo user

Suppose you want to execute a previous command with elevated privileges; the following trick will be useful:

  $ sudo !4

The above command executes the 4th command in the history with elevated privileges.

Use the sudo command inside Vim

Many times, when editing a system configuration file, we only realize at save time that we need root access to do so. This can cost us our changes to the file. No need to panic; we can use the following command in Vim to handle this situation:

  :w !sudo tee %

In the above command:

  • The colon (:) indicates that we are in Vim's ex mode
  • The exclamation mark (!) indicates that we are running a shell command
  • sudo and tee are both shell commands
  • The percent sign (%) indicates all lines from the current line

Execute multiple commands with sudo

So far we have used sudo to execute only a single command, but we can use it to execute multiple commands. Just separate the commands with semicolons (;), as shown below:

  $ sudo -- bash -c 'pwd; hostname; whoami'

In the above command:

  • The double hyphen (--) stops sudo from processing further command-line switches
  • bash is the name of the shell used to execute the commands
  • The -c option is followed by the commands to execute

Run sudo commands without a password

When sudo is executed for the first time, it prompts for a password, which by default is cached for 15 minutes. However, we can avoid this and disable password authentication with the NOPASSWD keyword, as shown below:

  linuxtechi ALL=(ALL) NOPASSWD: ALL

Restrict users to certain commands

To provide controlled access, we can restrict sudo users to executing only certain commands. For example, the following line only allows the echo and ls commands.

  # commands in a sudoers command list are separated by commas
  linuxtechi ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
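The difference between a restricted entry and an accidental blanket grant is often a single character: a missing comma makes sudoers read `/bin/echo /bin/ls` as the echo command with an argument, and `NOPASSWD: ALL` hands out a passwordless root shell. As an added example (not part of the original article), the lint below reads a sudoers fragment and reports those two mistakes plus commands given without an absolute path. The fragment is constructed for the demo; the user names are assumptions. It complements rather than replaces `visudo -cf <file>`, which is the only authoritative syntax check.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-install lint for
# sudoers fragments. SAMPLE_SUDOERS is a constructed fragment that contains
# the three mistakes the lint looks for; in practice pipe the drop-in file
# you are about to place under /etc/sudoers.d into lint_sudoers, then run
# `visudo -cf <file>` before installing it.
SAMPLE_SUDOERS='# constructed sample fragment
linuxtechi ALL=(ALL) NOPASSWD: /bin/echo /bin/ls
devesh     ALL=(ALL) NOPASSWD: ALL
ops        ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
backup     ALL=(root) rsync'

# lint_sudoers: read a fragment on stdin and print one finding per line.
lint_sudoers() {
    awk '
        /^[ \t]*#/ { next }                                        # comment
        /^[ \t]*$/ { next }                                        # blank line
        /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            line = $0
            # Strip "user HOST=(runas) " and any "TAG: " prefixes so that
            # cmds holds only the comma-separated command list.
            cmds = line
            sub(/^[^=]*=[ \t]*(\([^)]*\)[ \t]*)?/, "", cmds)
            sub(/^([A-Z]+:[ \t]*)+/, "", cmds)
            n = split(cmds, c, ",[ \t]*")
            for (i = 1; i <= n; i++) {
                if (c[i] == "ALL" && line ~ /NOPASSWD:/)
                    printf "LINE%d: NOPASSWD with ALL grants any command as root without a password\n", NR
                if (c[i] !~ /^(ALL|\/|!)/)
                    printf "LINE%d: command \"%s\" is not an absolute path\n", NR, c[i]
                if (c[i] ~ /^\/[^ ]+ \//)
                    printf "LINE%d: \"%s\" has an absolute path as an argument: check for a missing comma\n", NR, c[i]
            }
        }'
}

# lint_sample: run the lint over the constructed fragment.
lint_sample() {
    printf '%s\n' "$SAMPLE_SUDOERS" | lint_sudoers
}

# lint_sample_count: number of findings in the constructed fragment.
lint_sample_count() {
    lint_sample | wc -l | tr -d ' '
}

# Run with RUN_DEMO=1 to print the findings for the sample fragment.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    lint_sample
fi
```

The "missing comma" check is deliberately a warning rather than an error: a command such as `/usr/bin/cat /etc/hosts` legitimately has an absolute path as its argument, so each hit needs a human decision, which is the point of running the lint before the file reaches /etc/sudoers.d.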

A closer look at sudo

Let's take a closer look at the sudo command.

  $ ls -l /usr/bin/sudo
  -rwsr-xr-x 1 root root 145040 Jun 13  2017 /usr/bin/sudo

If you look carefully at the file permissions, you will see that the setuid bit is enabled on sudo. When any user runs this binary, it runs with the privileges of the user who owns the file. In the case shown, that is the root user.

To demonstrate this, we can use the id command, as follows:

  $ id
  uid=1002(linuxtechi) gid=1002(linuxtechi) groups=1002(linuxtechi)

When we execute the id command without sudo, it displays the id of the user linuxtechi.

  $ sudo id
  uid=0(root) gid=0(root) groups=0(root)

But if we execute the id command with sudo, it displays the id of the root user.

Conclusion

As this article shows, sudo provides more controlled access for regular users. With these techniques, multiple users can interact with GNU/Linux in a secure way.

Reposted from: Linux中国 https://linux.cn/article-9559-1.html
