su command, sudo command and restricting root remote login

su command

The su command is used to switch users. The format is: su - username. The commonly used options are as follows:

  • -l, --login: log in and switch to the target user's environment;
  • -c, --command=COMMAND: execute a command as the target user, then exit the switched user environment.
[lichao@test-02 ~]$ ls /root
ls: 无法打开目录/root: 权限不够
[lichao@test-02 ~]$ su - root
密码:
上一次登录:五 12月 29 02:37:30 CST 2017从 192.168.101.1pts/0 上
[root@test-02 ~]# ls /root
anaconda-ks.cfg
[root@test-02 ~]# 登出
[lichao@test-02 ~]$ su - root -c ls /root
密码:
anaconda-ks.cfg
[lichao@test-02 ~]$ 

Switching from an ordinary user to root requires the root password; switching from root to an ordinary user does not.

sudo command

sudo authorizes ordinary users to act with the privileges of other users; most of the time this means granting an ordinary user the privileges of root. To use this command you need to edit the configuration file /etc/sudoers. If you edit this file directly and make a mistake, the system will not report an error, so we use the visudo command to edit it: if there is a problem with the edit, the system will prompt an error.

##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
lichao  ALL=(ALL)       /usr/bin/ls, /usr/bin/cat, /usr/bin/more

With this entry, lichao can run ls, cat, and more with root's permissions. Usage is as follows:

[lichao@test-02 ~]$ ls /root
ls: 无法打开目录/root: 权限不够
[lichao@test-02 ~]$ sudo ls /root
1.txt  anaconda-ks.cfg
[lichao@test-02 ~]$ cat /root/1.txt
cat: /root/1.txt: 权限不够
[lichao@test-02 ~]$ sudo cat /root/1.txt
aaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccdddddddddddddddddddeeeeeeeeeeeeeeeeeeefffffffffffffffffffffggggggggggggg
hhhhhhhhhhhhhhhhhhiiiiiiiiiiiiiiiijjjjjjjjjjjjjjjjjjjjjjjkkkkkkkkkkkkkkkkkkkkkllllllllllllllllll
[lichao@test-02 ~]$ less /root/1.txt
/root/1.txt: 权限不够
[lichao@test-02 ~]$ sudo less /root/1.txt
对不起,用户 lichao 无权以 root 的身份在 test-02 上执行 /bin/less /root/1.txt。
[lichao@test-02 ~]$ sudo more /root/1.txt
aaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccdddddddddddddddddddeeeeeeeeeeeeeeeeeeefffffffffffffffffffffggggggggggggg
hhhhhhhhhhhhhhhhhhiiiiiiiiiiiiiiiijjjjjjjjjjjjjjjjjjjjjjjkkkkkkkkkkkkkkkkkkkkkllllllllllllllllll
[lichao@test-02 ~]$ 

Restrict remote login to root

Edit the /etc/ssh/sshd_config file, remove the comment symbol from the line #PermitRootLogin yes, change the yes that follows to no, and restart the service; this restricts remote login as root.

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

[root@test-02 ~]# systemctl restart sshd.service

Restart the service, and that's it.

What if remote login as root is restricted, but some ordinary users still need root privileges? In that case, run visudo and authorize su for the users who need it, and that's it.

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
AD      ALL=(ALL)       NOPASSWD: /usr/bin/su
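As an added check (not part of the original post), the POSIX shell script below reads constructed sshd_config and sudoers text and reports the effective PermitRootLogin value and which sudoers users may run su. It accounts for a detail that matters when applying the edit above: sshd uses the first PermitRootLogin it finds, so a later "PermitRootLogin no" does not override an earlier "yes". The NOPASSWD su entry is flagged separately, since it grants a full root shell without a password prompt.

```shell
#!/bin/sh
# Constructed sample sshd_config: the article's setting, followed by a
# conflicting later line that sshd ignores (first obtained value wins)
# and a Match block whose directives are conditional, not global.
SAMPLE_SSHD_CONFIG='# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password'

# Constructed sample sudoers, mirroring the entries shown in the article.
SAMPLE_SUDOERS='root    ALL=(ALL)       ALL
lichao  ALL=(ALL)       /usr/bin/ls, /usr/bin/cat, /usr/bin/more
AD      ALL=(ALL)       NOPASSWD: /usr/bin/su'

# Print the effective global PermitRootLogin from config text on stdin:
# the first uncommented occurrence before any Match block, or "unset"
# when the directive never appears (sshd then applies its built-in default).
effective_permit_root_login() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  '
}

# List sudoers users allowed to run su, tagged by whether a password is
# required; a NOPASSWD su grant is a passwordless root shell.
su_grants() {
  awk '
    /^[[:space:]]*#/ || NF < 3 { next }
    /\/su[[:space:],]/ || /\/su$/ {
      tag = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
      print $1 ":" tag
    }
  '
}

# Run both checks over the constructed samples and print a short report.
check_sample() {
  v=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_permit_root_login)
  g=$(printf '%s\n' "$SAMPLE_SUDOERS" | su_grants)
  printf 'PermitRootLogin=%s\nsu grants: %s\n' "$v" "$g"
}

check_sample
```

To audit a live host, pipe the real files instead of the samples: sshd_config through effective_permit_root_login and /etc/sudoers through su_grants.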
