Overview
sudo means "super user do". It allows authenticated users to run commands as other users. The other users can be regular users or superusers; however, most of the time we use it to run commands with elevated privileges.
The sudo command is used in conjunction with a security policy. The default security policy is sudoers, which is configured via /etc/sudoers. The security policy is highly extensible: people can develop and distribute their own security policies as plugins.
Difference from su
In GNU/Linux, there are two ways to run commands with elevated privileges:
- use the su command
- use the sudo command
su
su means "switch user". Using su, we can switch to the root user and execute commands. But this approach has some disadvantages:
- We need to share root's password with others.
- Because root is the superuser, we cannot grant controlled access.
- We cannot review what users are doing.
sudo
sudo solves these problems in a unique way.
- First, we don't need to compromise by sharing the root user's password. Regular users can execute commands with elevated privileges using their own passwords.
- We can control sudo users' access, which means we can restrict users to executing only certain commands.
- In addition, all sudo user activity is logged, so we can review what was done at any time. In Debian-based GNU/Linux, all activity is recorded in the /var/log/auth.log file.
These points are covered later in this tutorial.
Hands-on with sudo
Now that we have a general understanding of sudo, let's get our hands dirty. For demonstration I use Ubuntu; however, the operation on other distributions should be the same.
Allow sudo permissions
Let's add a regular user as a sudo user. In my case the username is linuxtechi.
1) Edit the /etc/sudoers file:
$ sudo visudo
2) Add the following line to allow the user linuxtechi to have sudo privileges:
linuxtechi ALL=(ALL) ALL
In the above line:
- linuxtechi indicates the username
- The first ALL instructs sudo to allow access from any terminal or machine
- The second (ALL) indicates that the sudo command is allowed to execute as any user
- The third ALL means that all commands can be executed as root
Execute commands with elevated privileges
To execute a command with elevated privileges, simply prefix the command with sudo, as follows:
$ sudo cat /etc/passwd
When you execute this command, it will ask for the password of linuxtechi, not the password of the root user.
Execute commands as another user
In addition, we can use sudo to execute commands as another user. For example, in the following command, user linuxtechi executes the command as user devesh:
$ sudo -u devesh whoami
[sudo] password for linuxtechi:
devesh
Built-in commands with sudo
One limitation of sudo is that it cannot run the shell's built-in commands. For example, history is a built-in command, and if you try to execute it with sudo, you will get the following command not found error:
$ sudo history
[sudo] password for linuxtechi:
sudo: history: command not found
Access the root shell
To overcome the above problem, we can access the root shell and execute any command there, including the shell's built-in commands.
To access the root shell, execute the following command:
$ sudo bash
After executing this command, you will observe that the prompt changes to a pound sign (#).
Tips
In this section we discuss some useful tricks that help improve productivity. Most of these commands can be used to accomplish daily tasks.
Execute the previous command as a sudo user
Suppose you want to execute a previous command with elevated privileges; then the following trick will be useful:
$ sudo !4
The above command will execute the 4th command in the history with elevated privileges.
Use the sudo command inside Vim
Many times, when editing a system configuration file, we realize only at save time that we need root access to do so. This could cause us to lose our changes to the file. There is no need to panic; we can use the following command in Vim to resolve this situation:
:w !sudo tee %
In the above command:
- The colon (:) indicates that we are in Vim's ex mode
- The exclamation mark (!) indicates that we are running a shell command; sudo and tee are both shell commands
- The percent sign (%) indicates all lines starting from the current line
Execute multiple commands with sudo
So far we have used sudo to execute only a single command, but we can use it to execute multiple commands. Just separate the commands with semicolons (;), as follows:
$ sudo -- bash -c 'pwd; hostname; whoami'
In the above command:
- The double hyphen (--) stops the processing of command-line switches
- bash indicates the name of the shell to be used for executing the commands
- The -c option is followed by the commands to execute
Run sudo commands without a password
When the sudo command is executed for the first time, it prompts for a password; by default the password is cached for 15 minutes. However, we can avoid this and disable password authentication using the NOPASSWD keyword, as shown below:
linuxtechi ALL=(ALL) NOPASSWD: ALL
Restrict users to executing certain commands
To provide controlled access, we can restrict sudo users to executing only certain commands. For example, the following line allows only the echo and ls commands to be executed (in sudoers, multiple commands are separated by commas; without the comma, /bin/ls would be read as an argument to /bin/echo):
linuxtechi ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
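To make the fields of a user specification concrete, here is an added Python example (not from the original article or from sudo itself) that parses sudoers lines of the shape shown above and answers whether a user may run a given command, as which target user, and whether a password is required. The sudoers fragment is constructed for the example; its last line shows what happens when two commands are written without the comma.

```python
import re
from collections import namedtuple

# Constructed sudoers fragment for this example (not the page's /etc/sudoers).
SUDOERS = """
linuxtechi ALL=(ALL) ALL
devesh     ALL=(ALL) NOPASSWD: ALL
auditor    ALL=(root) NOPASSWD: /bin/echo, /bin/ls
intern     ALL=(root) /bin/echo /bin/ls     # no comma: /bin/ls is an argument to echo
"""

# user host=(runas) [NOPASSWD:|PASSWD:] cmd[, cmd...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<cmds>.+)$"
)
Spec = namedtuple("Spec", "user host runas nopasswd cmds")  # runas: "ALL" or names usable with -u

def parse_sudoers(text):
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        specs.append(Spec(m["user"], m["host"], m["runas"] or "root",   # no Runas_Spec: root
                          m["tag"] == "NOPASSWD", [c.strip() for c in m["cmds"].split(",")]))
    return specs

def cmd_matches(entry, cmd):
    if entry == "ALL":
        return True
    if " " in entry:                 # listed with arguments: must match exactly
        return entry == cmd
    return cmd.split()[0] == entry   # bare path: any arguments allowed

def check(specs, user, cmd, runas="root", host="ALL"):
    """None if denied; otherwise True when a password is required, False under NOPASSWD."""
    result = None
    for s in specs:                  # later matching entries override earlier ones, as in sudo
        if s.user != user or s.host not in ("ALL", host):
            continue
        if s.runas != "ALL" and runas not in [r.strip() for r in s.runas.split(",")]:
            continue
        if any(cmd_matches(c, cmd) for c in s.cmds):
            result = not s.nopasswd
    return result
```

The parser covers only the plain user specifications used in this article (no aliases, Defaults lines or wildcards); for a real file, `visudo -c` is the authoritative syntax check.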
A deeper look at sudo
Let's dig a little deeper into the sudo command.
$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 145040 Jun 13 2017 /usr/bin/sudo
If you look closely at the file permissions, you will see that the setuid bit is enabled on sudo. When any user runs this binary, it runs with the privileges of the user who owns the file. In the case shown, that is the root user.
To demonstrate this, we can use the id command, as follows:
$ id
uid=1002(linuxtechi) gid=1002(linuxtechi) groups=1002(linuxtechi)
When we execute the id command without sudo, it shows the id of the user linuxtechi.
$ sudo id
uid=0(root) gid=0(root) groups=0(root)
But if we execute the id command with sudo, it shows the id of the root user.
Conclusion
As this article shows, sudo provides regular users with more controlled access. Using these techniques, multiple users can interact with GNU/Linux in a secure way.
Source: Linux.cn https://linux.cn/article-9559-1.html