Overview
sudo means "super user do". It allows authenticated users to run commands as other users. Those other users can be regular users or superusers, but most of the time we use it to run commands with elevated privileges.
The sudo command is used in conjunction with a security policy. The default security policy is sudoers, which is configured through the file /etc/sudoers. The security policy is highly extensible: people can develop and distribute their own security policies as plugins.
Difference from su
In GNU/Linux, there are two ways to run commands with elevated privileges:
- use the su command
- use the sudo command
su
su means "switch user". Using su, we can switch to the root user and execute commands. But this approach has some disadvantages:
- We need to share root's password with others.
- Because the root user is a superuser, we cannot grant controlled access.
- We cannot review what users are doing.
sudo
sudo solves these problems in a unique way.
- First, we don't need to compromise by sharing the root user's password. Regular users can execute commands with elevated privileges using their own passwords.
- We can control sudo user access, which means we can restrict users to only execute certain commands.
- In addition to this, all sudo user activity is logged, so we can review what was done at any time. In Debian-based GNU/Linux, all activities are recorded in the file /var/log/auth.log.
These points are covered later in this tutorial.
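The review of sudo activity mentioned above can be scripted. This is an added example, not part of the original article: it parses the lines sudo writes to auth.log on Debian-based systems (user, TTY, PWD, target USER, COMMAND) and classifies each as allowed, denied by policy, or a failed password. The four log lines are constructed samples with hypothetical host and user names.

```shell
#!/bin/sh
# Added example, not from the original article: review sudo activity from
# auth.log lines. The log lines below are constructed samples in the format
# sudo writes on Debian-based systems; host and user names are hypothetical.
SAMPLE_LOG='Jun 13 10:12:01 ubuntu sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/usr/bin/id
Jun 13 10:13:45 ubuntu sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=devesh ; COMMAND=/usr/bin/whoami
Jun 13 10:15:02 ubuntu sudo: devesh : command not allowed ; TTY=pts/1 ; PWD=/home/devesh ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Jun 13 10:16:30 ubuntu sudo: devesh : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/devesh ; USER=root ; COMMAND=/bin/ls /root'

# sudo_events: read auth.log lines on stdin and print one tab-separated record
# per sudo invocation: user, outcome (ok|denied|badpass), target user, command.
sudo_events() {
    awk -F' ; ' '
    $0 !~ / sudo: / { next }                 # keep only sudo lines
    {
        head = $1                            # "... sudo: user : [reason or TTY=]"
        sub(/^.* sudo: /, "", head)
        n = split(head, h, / : /)
        user = h[1]
        # a reason appears between the user and TTY= only when sudo refused
        reason = (n > 1 && h[2] !~ /^TTY=/) ? h[2] : ""
        outcome = "ok"
        if (reason ~ /command not allowed/) outcome = "denied"
        else if (reason ~ /incorrect password/) outcome = "badpass"
        runas = ""; cmd = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^USER=/) runas = substr($i, 6)
            if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
        }
        printf "%s\t%s\t%s\t%s\n", user, outcome, runas, cmd
    }'
}

# count_by_outcome OUTCOME: number of sample records with the given outcome
count_by_outcome() {
    printf '%s\n' "$SAMPLE_LOG" | sudo_events | awk -F'\t' -v o="$1" '$2 == o' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | sudo_events
```

Run it against the real file with `sudo_events < /var/log/auth.log` to list who ran what as whom, and which attempts were refused.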
Hands-on with sudo
Now, we have a general understanding of sudo. Let's get our hands dirty. For demonstration, I use Ubuntu. However, the operation for other distributions should be the same.
Allow sudo privileges
Let's add a regular user as a sudo user. In my case the username is linuxtechi.
1) Edit the /etc/sudoers file as follows:
$ sudo visudo
2) Add the following line to allow the user linuxtechi to have sudo privileges:
linuxtechi ALL=(ALL) ALL
In the above line:
- linuxtechi indicates the username
- The first ALL indicates that sudo access is allowed from any terminal or machine
- The second (ALL) indicates that the sudo command is allowed to be executed as any user
- The third ALL means that all commands can be executed as root
Execute commands with elevated privileges
To execute a command with elevated privileges, simply prefix the command with sudo, as follows:
$ sudo cat /etc/passwd
When you execute this command, it will ask for linuxtechi's password instead of the root user's password.
Execute commands as another user
In addition to that, we can use sudo to execute commands as another user. For example, in the following command, the user linuxtechi executes the command as the user devesh:
$ sudo -u devesh whoami
[sudo] password for linuxtechi:
devesh
Built-in command behaviour
One limitation of sudo is that it cannot run the shell's built-in commands. For example, history is a built-in command. If you try to execute it with sudo, you will get the following "command not found" error:
$ sudo history
[sudo] password for linuxtechi:
sudo: history: command not found
Access the root shell
To overcome the above problem, we can access the root shell and execute any command there, including the shell's built-in commands.
To access the root shell, execute the following command:
$ sudo bash
After executing this command, you will observe that the prompt changes to a pound sign (#).
Tips
In this section we will discuss some useful tips that help increase productivity. Most of these commands can be used for daily tasks.
Execute a previous command as a sudo user
Let's assume you want to execute a previous command with elevated privileges; then the following trick is useful:
$ sudo !4
The above command executes the 4th command in the history with elevated privileges.
Use the sudo command inside Vim
Many times, when we edit a system configuration file, we only realize when saving that we need root access to do so, and this could make us lose our changes to the file. There is no need to panic; we can use the following command in Vim to handle this situation:
:w !sudo tee %
In the above command:
- A colon (:) indicates that we are in Vim's command-line mode
- An exclamation mark (!) indicates that we are running a shell command; sudo and tee are both shell commands
- The percent sign (%) indicates all lines starting with the current line
Execute multiple commands with sudo
So far we have only executed a single command with sudo, but we can use it to execute multiple commands. Just separate the commands with semicolons (;) as follows:
$ sudo -- bash -c 'pwd; hostname; whoami'
In the above command:
- The double hyphen (--) stops the processing of command-line options
- bash indicates the shell used to execute the commands
- The -c option is followed by the commands to execute
Run sudo commands without a password
When the sudo command is executed for the first time, it prompts for a password, which by default is cached for 15 minutes. However, we can avoid this prompt and disable password authentication with the NOPASSWD keyword, like this:
linuxtechi ALL=(ALL) NOPASSWD: ALL
Restrict users to certain commands
To provide controlled access, we can restrict sudo users to only execute certain commands. For example, the line below allows only the echo and ls commands to be executed (in sudoers, the commands in the list are separated by commas):
linuxtechi ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
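Before installing rules like the ones in this section and in "Allow sudo privileges", it helps to look them over. This is an added example, not code from the original article: it parses rules in the `user host=(runas) [NOPASSWD:] commands` form explained above and flags two things a reviewer should notice, a NOPASSWD rule whose command list is ALL, and two absolute paths with no comma between them (sudo then treats the second path as an argument of the first command, not as a second allowed command). The sample rules and user names are constructed; only the NOPASSWD tag is recognised.

```shell
#!/bin/sh
# Added example, not from the original article: a small audit of sudoers
# rules in the "user host=(runas) [NOPASSWD:] commands" form. The sample
# rules are constructed; user names are hypothetical. Only the NOPASSWD
# tag is recognised (other tags such as SETENV are not handled).
SAMPLE_RULES='# constructed sample rules
linuxtechi ALL=(ALL) ALL
linuxtechi ALL=(ALL) NOPASSWD: ALL
devesh     ALL=(ALL) NOPASSWD: /bin/echo /bin/ls
devesh     ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls'

# audit_sudoers: read sudoers rules on stdin, print one finding per line
# (no output means nothing was flagged).
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
    {
        user = $1
        spec = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^=]*=/, "", spec)        # drop "user host="
        if (spec ~ /^\(/) sub(/^\([^)]*\)[ \t]*/, "", spec)  # drop "(runas)"
        nopasswd = 0
        if (spec ~ /^NOPASSWD:/) { nopasswd = 1; sub(/^NOPASSWD:[ \t]*/, "", spec) }
        if (nopasswd && spec == "ALL")
            print user ": NOPASSWD with ALL commands means passwordless root"
        # two absolute paths separated only by whitespace: a missing comma, so
        # sudo reads the second path as an argument of the first command
        n = split(spec, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (cmds[i] ~ /^\/[^ \t]+[ \t]+\/[^ \t]+/)
                print user ": \"" cmds[i] "\" looks like two commands missing a comma"
    }'
}

printf '%s\n' "$SAMPLE_RULES" | audit_sudoers
```

Use `visudo -c` for the authoritative syntax check; this script only points out rules that parse fine but may not mean what was intended.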
Dive deeper into sudo
Let's dive deeper into the sudo command.
$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 145040 Jun 13 2017 /usr/bin/sudo
If you look closely at the file permissions, you will see that the setuid bit (the s in the owner's execute position) is set on sudo. When any user runs this binary, it runs with the permissions of the user who owns the file; in the case shown, that is the root user.
To demonstrate this, we can use the id command as follows:
$ id
uid=1002(linuxtechi) gid=1002(linuxtechi) groups=1002(linuxtechi)
When we execute the id command without sudo, the id of the user linuxtechi is displayed.
$ sudo id
uid=0(root) gid=0(root) groups=0(root)
However, if we execute the id command with sudo, the root user's id is displayed.
Conclusion
As can be seen from this article, sudo provides more controlled access for ordinary users. Using these techniques, multiple users can interact with GNU/Linux in a secure manner.
via: https://www.linuxtechi.com/quick-tips-sudo-command-linux-systems/
Author: Pradeep Kumar Translator: szcf-weiya Proofreading: wxy
This article was translated by LCTT and proudly published by Linux China.