10 Tips for the sudo Command on Linux

Overview

sudo means "super user do". It allows authenticated users to run commands as other users. The other user can be a regular user or the superuser, but most of the time we use it to run commands with elevated privileges.

The sudo command works together with a security policy. The default security policy is sudoers, which is configured through the file /etc/sudoers. The policy mechanism is highly extensible: people can develop and distribute their own security policies as plugins.

Difference from su

In GNU/Linux, there are two ways to run commands with elevated privileges:

  • use the su command
  • use the sudo command

su means "switch user". Using su, we can switch to the root user and execute commands. But this approach has some disadvantages:

  • We need to share root's password with others.
  • Because root is the superuser, we cannot grant controlled access.
  • We cannot review what users are doing.

sudo solves these problems in its own way.

  1. First, we don't need to share the root user's password with anyone. Regular users can execute commands with elevated privileges using their own passwords.
  2. We can control sudo users' access, which means we can restrict users to executing only certain commands.
  3. In addition, all sudo activity is logged, so we can review at any time what was done. On Debian-based GNU/Linux, all activity is recorded in the file /var/log/auth.log.

These points are covered later in this tutorial.
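As an added example (not part of the original article), here is a small POSIX shell script that reviews the sudo entries Debian writes to /var/log/auth.log: it separates allowed, denied and failed-password invocations and lists the successful root shells. The log lines are constructed samples in the format sudo uses, and the function names are my own.

```shell
# Constructed sample of the sudo entries found in /var/log/auth.log: two normal
# invocations, a pam session line, a denied command, a password failure, a root shell.
SAMPLE_AUTH_LOG='Jan 10 12:00:01 box sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/usr/bin/cat /etc/passwd
Jan 10 12:00:05 box sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=devesh ; COMMAND=/usr/bin/whoami
Jan 10 12:00:09 box sudo: pam_unix(sudo:session): session opened for user root by linuxtechi(uid=0)
Jan 10 12:01:10 box sudo: linuxtechi : command not allowed ; TTY=pts/1 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/usr/bin/vim /etc/shadow
Jan 10 12:02:00 box sudo: linuxtechi : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/bin/bash
Jan 10 12:03:00 box sudo: linuxtechi : TTY=pts/0 ; PWD=/home/linuxtechi ; USER=root ; COMMAND=/bin/bash'

# Turn each sudo invocation into "user|target_user|status|command". pam lines carry
# no COMMAND= field and are skipped. status is one of: ok, denied, badpass.
sudo_records() {
    printf '%s\n' "$1" | awk '
        / sudo: / && /COMMAND=/ {
            line = $0
            sub(/^.* sudo: /, "", line)               # drop the syslog prefix
            split(line, part, " : ")
            user = part[1]                            # the invoking user comes first
            status = "ok"
            if (line ~ /command not allowed/)       status = "denied"
            else if (line ~ /incorrect password/)   status = "badpass"
            target = line; sub(/^.*USER=/, "", target); sub(/ ;.*$/, "", target)
            cmd = line;    sub(/^.*COMMAND=/, "", cmd)
            print user "|" target "|" status "|" cmd
        }'
}

# Count invocations with a given status, e.g. how many commands the policy refused.
sudo_count_status() {
    sudo_records "$1" | awk -F'|' -v want="$2" '$3 == want { n++ } END { print n + 0 }'
}

# Successful root shells ("sudo bash" and friends) deserve a closer look: from that
# point on the audit trail stops, because what is typed inside the shell is not logged.
sudo_root_shells() {
    sudo_records "$1" | awk -F'|' '$3 == "ok" && $2 == "root" && $4 ~ /\/(ba|da|z)?sh( |$)/ { print $1 ": " $4 }'
}

# Stand-alone run over the sample; on a real host pass "$(cat /var/log/auth.log)" instead.
sudo_report() {
    printf 'allowed: %s\n'       "$(sudo_count_status "$1" ok)"
    printf 'denied: %s\n'        "$(sudo_count_status "$1" denied)"
    printf 'bad passwords: %s\n' "$(sudo_count_status "$1" badpass)"
    printf 'root shells:\n%s\n'  "$(sudo_root_shells "$1")"
}
sudo_report "$SAMPLE_AUTH_LOG"
```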

Hands-on with sudo

Now that we have a general understanding of sudo, let's get our hands dirty. For the demonstration I use Ubuntu; however, the steps should be the same on other distributions.

Granting sudo privileges

Let's add a regular user as a sudo user. In my case the username is linuxtechi.

1) Edit the /etc/sudoers file as follows:

$ sudo visudo

2) Add the following line to give the user linuxtechi sudo privileges:

linuxtechi ALL=(ALL) ALL

In the above line:

  • linuxtechi is the username
  • The first ALL allows sudo access from any terminal or machine (host)
  • The second (ALL) means that sudo may execute the command as any user
  • The third ALL means that all commands can be executed as root

Executing commands with elevated privileges

To execute a command with elevated privileges, simply prefix the command with sudo:

$ sudo cat /etc/passwd

When you execute this command, it asks for linuxtechi's password instead of the root user's password.

Executing commands as another user

In addition, we can use sudo to execute commands as another user. For example, in the following command, the user linuxtechi executes the whoami command as the user devesh:

$ sudo -u devesh whoami
[sudo] password for linuxtechi:
devesh

Behaviour of built-in commands

One limitation of sudo is that it cannot run the shell's built-in commands. For example, history is a built-in command. If you try to execute it with sudo, you will get the following command not found error:

$ sudo history
[sudo] password for linuxtechi:
sudo: history: command not found

Accessing the root shell

To overcome the above problem, we can open a root shell and execute any command there, including the shell's built-in commands.

To access the root shell, execute the following command:

$ sudo bash

After executing this command you will see that the prompt changes to a pound sign (#).

Tips

In this section we discuss some useful tips that will help increase productivity. Most of these commands can be used for everyday tasks.

Executing a previous command as the sudo user

Suppose you want to execute a previous command with elevated privileges; then the following trick is useful:

$ sudo !4

The above command executes the 4th command in the history with elevated privileges.

Using the sudo command inside Vim

Often, when we edit a system configuration file, we only realise when saving that root access is needed, and that could cause us to lose our changes to the file. There is no need to panic: we can use the following command in Vim to handle this situation:

:w !sudo tee %

In the above command:

  • A colon (:) indicates that we are in Vim's command-line (last-line) mode
  • An exclamation mark (!) indicates that we are running a shell command
  • sudo and tee are both shell commands
  • The percent sign (%) indicates all lines starting from the current line

Executing multiple commands with sudo

So far we have executed only a single command with sudo, but we can use it to execute multiple commands. Just separate the commands with semicolons (;) as follows:

$ sudo -- bash -c 'pwd; hostname; whoami'

In the above command:

  • The double hyphen (--) marks the end of sudo's own command-line switches
  • bash is the shell used to execute the commands
  • The -c option is followed by the commands to execute

Running sudo commands without a password

When the sudo command is executed for the first time it prompts for a password, which by default is cached for 15 minutes. However, we can skip this step and disable password authentication with the NOPASSWD keyword, like this:

linuxtechi ALL=(ALL) NOPASSWD: ALL

Restricting users to certain commands

To provide controlled access, we can restrict sudo users to executing only certain commands. For example, the line below allows only the echo and ls commands to be executed (in sudoers, the commands in the list are separated by commas).

linuxtechi ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls
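As an added example (not part of the original article), here is a POSIX shell lint for single sudoers lines like the ones above: it splits a rule into its command list and flags grants that undo the restriction (ALL, an interactive shell, or a wildcard). The function names are my own, and the rules it runs over are the article's plus one constructed example.

```shell
# Split a sudoers user specification into its command list, one per line.
# Assumes a single line of the form "user HOSTS=(RUNAS) [TAG:] cmd, cmd" with no aliases.
sudoers_rule_commands() {
    printf '%s\n' "$1" \
        | sed -e 's/^[^=]*=[[:space:]]*\(([^)]*)[[:space:]]*\)\{0,1\}//' \
              -e 's/^\([A-Z]*:[[:space:]]*\)*//' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Report grants that defeat the purpose of restricting a user to a few commands:
# ALL, an interactive shell, or a wildcard. Prints one finding per line, nothing when clean.
sudoers_rule_findings() {
    rule=$1
    case $rule in *NOPASSWD:*) note=" (no password required)";; *) note="";; esac
    sudoers_rule_commands "$rule" | while IFS= read -r cmd; do
        case $cmd in
            ALL)                                          echo "any command (ALL)$note";;
            */sh|*/bash|*/dash|*/zsh|*/sh\ *|*/bash\ *)   echo "interactive shell: $cmd$note";;
            *\**)                                         echo "wildcard: $cmd$note";;
        esac
    done
}

# True when the rule produced no findings.
sudoers_rule_ok() {
    [ -z "$(sudoers_rule_findings "$1")" ]
}

# Stand-alone demonstration over the rules used in this article plus a constructed one.
for r in 'linuxtechi ALL=(ALL) ALL' \
         'linuxtechi ALL=(ALL) NOPASSWD: ALL' \
         'linuxtechi ALL=(ALL) NOPASSWD: /bin/echo, /bin/ls' \
         'ops ALL=(root) /usr/bin/systemctl restart *, /bin/bash'; do
    printf '%s\n' "$r"
    sudoers_rule_findings "$r" | sed 's/^/    /'
done
```

Without the comma, sudoers reads `/bin/echo /bin/ls` as the single command /bin/echo with the argument /bin/ls, and sudoers_rule_commands shows just one entry, which is a quick way to catch that mistake before running visudo.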

A deeper look at sudo

Let's dive a little deeper into the sudo command.

$ ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 145040 Jun 13  2017 /usr/bin/sudo

If you look closely at the file permissions, you will see that the setuid bit (the s in rws) is set on sudo. When any user runs this binary, it runs with the permissions of the user who owns the file, which in this case is the root user.

To demonstrate this, we can use the  id command as follows:

$ id
uid=1002(linuxtechi) gid=1002(linuxtechi) groups=1002(linuxtechi)

When we run the id command without sudo, the id of the user linuxtechi is displayed.

$ sudo id
uid=0(root) gid=0(root) groups=0(root)

However, when we run the id command with sudo, the root user's id is displayed.

Conclusion

As this article shows, sudo provides more controlled access for ordinary users. Using these techniques, multiple users can interact with GNU/Linux in a secure manner.



Author: Pradeep Kumar  Translator: szcf-weiya  Proofreader: wxy

This article was translated by LCTT and first published by Linux China.
