Linux sudo tutorial

sudo is a very useful tool on the Linux platform. It allows system administrators to assign some reasonable "rights" to ordinary users, letting them perform tasks that otherwise only the superuser or other privileged users could do, such as running commands like mount, halt and su, or editing system configuration files like /etc/mtab and /etc/samba/smb.conf. This not only reduces the number of root logins and the time spent on administration, it also improves system security.

sudo lets a user perform certain tasks on certain hosts as some other user. Keep in mind that it executes a command under another identity; it does not switch you to another user!

But if you want a user to be able to run commands with sudo, this must be defined in the sudo configuration file. Only users defined in /etc/sudoers can execute the corresponding commands, and those commands must also be defined in the sudo configuration file /etc/sudoers. By default, only the root user can use sudo to execute commands.
  
1. Features of sudo

  The role of sudo means it must be especially careful about security, otherwise it would let unauthorized users grab root privileges. At the same time it takes ease of use into account, so that system administrators can use it efficiently and conveniently. The aim of sudo's designers was to give users as few permissions as possible while still letting them do their jobs. Therefore, sudo has the following characteristics:

  1. sudo can restrict specified users to running certain commands on specified hosts.
  2. sudo can provide logs, faithfully recording what each user has done with sudo, and can send those logs to a central host or log server.
  3. sudo provides a configuration file for system administrators, allowing them to centrally manage user permissions and the hosts they apply to. Its default location is /etc/sudoers.
  4. sudo uses a timestamp file to implement a "ticket check"-like system. When the user runs sudo and enters a password, the user gets a "ticket" with a default lifetime of 5 minutes (the default can be changed at compile time). After the timeout, the user must re-enter the password.

2. The sudo command

  The sudo program itself is a binary file with the SUID bit set. We can check its permissions:

    $ls -l /usr/bin/sudo
    ---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo

  Its owner is root, so every user who runs the program does so as root. A program with SUID set gives the user the owner's EUID at runtime, which is why programs with SUID set must be written carefully. But setting SUID on a command file and running a command with sudo are different concepts that serve different purposes.

  The configuration of sudo is recorded in the /etc/sudoers file, which we will describe in detail below. The configuration file specifies which users can execute which commands. To use sudo, the user must provide their own username and password. Note: what sudo asks for is not the password of the target user, but the password of the user executing sudo. If a user who is not in sudoers executes a command via sudo, sudo reports the event to the administrator. Users can run sudo -v to check whether they are in sudoers; if they are, it also renews the time on their "ticket"; if not, it prompts them, but does not notify the administrator.

  The sudo command format is as follows:

    sudo -K | -L | -V | -h | -k | -l | -v
    sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}

  Let's take a look at some other commonly used sudo options:




3. Configuring sudo

    Only users who have been defined in /etc/sudoers can use the sudo command, so if you want certain users to be able to execute certain commands with sudo, just add the corresponding sudo entries in /etc/sudoers.

  Configuring sudo means editing the /etc/sudoers file, which can only be modified by the superuser and should be edited with visudo.
    visudo is used for two reasons: it prevents two users from modifying the file at the same time, and it performs limited syntax checking. So even if you are the only superuser, you had better use visudo so that the syntax gets checked.

    Under normal circumstances, to edit a configuration file we would simply use vim, but since vim cannot check the syntax of the entries we add or remove, we do not recommend editing this file with vim directly. Use the visudo command instead. By default visudo edits /etc/sudoers, and it checks the file for syntax errors before saving. So if you want to modify /etc/sudoers, it is better to use visudo, and nothing will go wrong.

    visudo -f filename: visudo can also be used to edit other configuration files; just add -f and specify the file.

  visudo will not save configuration files with syntax errors, it will prompt you about the problem and ask what to do, like:  

>>> sudoers file: syntax error, line 22 <<

  At this point we have three options: type "e" to re-edit, "x" to exit without saving, or "Q" to exit and save. If Q is really chosen, sudo will not run again until the error is corrected.

  Now, let's take a look at the configuration file.

    sudo entry format:
    who which_host=(runas) command
    who: the user account.
    which_host: the host(s) on which this entry applies. ALL means all hosts.
    runas: the user to execute as. If omitted, the command is executed as root.
    command: the commands this user can execute with sudo (they should be given as absolute paths). ALL means all commands.


    Let's start with a simple example:
    Let user foobar execute, via sudo, every command that root can execute.
    Open the configuration file with visudo as root, and you can see the following lines:

# Runas alias specification
# User privilege specification
  root ALL=(ALL)ALL

  We can see at a glance that root has all permissions, so we just follow the existing root entry and add a line below it (preferably using a tab as the separator):

foobar ALL=(ALL) ALL

  After saving and exiting, switch to the foobar user and execute commands as that user:

[foobar@localhost ~]$ ls /root
ls: /root: Insufficient permissions
[foobar@localhost ~]$ sudo ls /root
Password:
anaconda-ks.cfg Desktop install.log install.log.syslog

  Okay, let's limit foobar's rights so that he cannot do whatever he wants. For example, if we only want him to run ls and ifconfig as root, change that line to:

foobar localhost=/sbin/ifconfig,/bin/ls

  and then execute the commands:

  [foobar@localhost ~]$ sudo head -5 /etc/shadow
Password:

  Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
[foobar@localhost ~]$ sudo /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B...

  Now let's see what exactly those three ALLs mean. The first ALL refers to hosts in the network; we later changed it to a hostname, which means foobar can execute the following commands on that host. The ALL in the parentheses refers to the target user, i.e. the identity the command is executed as. The last ALL of course refers to the command names. For example, if we want the foobar user to execute the kill command as jimmy or rene on the host named linux, we write the configuration like this:

foobar linux=(jimmy,rene)/bin/kill

  But there is still a question: does foobar execute it as jimmy or as rene? This is where sudo -u comes in. foobar can run sudo -u jimmy kill PID or sudo -u rene kill PID, but that is rather cumbersome. In fact, we can set rene or jimmy as the default target user so that -u does not have to be added every time. Add a line above the entry:

Defaults:foobar runas_default=rene

  If there is a colon after Defaults, the setting is the default for the named users; if there is none, it is the default for all users, just like this line in the configuration file:

Defaults env_reset

    In the process above, the password has to be entered every time a command is executed. The reason is that if a user steps away without logging out, anyone could then execute any command on this host, change the root password, delete important data and so on, which is extremely insecure for the system. Therefore, before each command is executed, you must enter the current user's own password. The password is valid for 5 minutes (no password is needed to execute commands within those 5 minutes), and it must be re-entered after 5 minutes.

  Another problem is that many times, we are already logged in, and it is cumbersome to enter the password every time we use sudo. Can we stop entering passwords? Of course, we can modify the configuration file like this:

foobar localhost=NOPASSWD: /bin/cat, /bin/ls

  and run sudo again:


[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg Desktop install.log install.log.syslog


  Of course, you could also say "some commands cannot be run by user foobar" by using the ! operator, but that is not a good idea. Using the ! operator to exclude some commands from ALL is generally ineffective: a user can copy that command somewhere else and run it under a different name.
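  Putting the pieces above together, the fragment below is an added example and not from the article: one sudoers fragment with both forms of Defaults, the restricted foobar rules, the runas list and the NOPASSWD rule. The hosts localhost and linux and the users are the article's; timestamp_timeout and logfile are standard sudoers options the article does not mention, and /var/log/sudo.log is an assumed path.

```sudoers
# Added example (not from the article): a sudoers fragment combining the rules above.

# Defaults without a colon apply to every user.
Defaults        env_reset
# sudoers option for the "ticket" lifetime in minutes (the compiled-in default is also 5)
Defaults        timestamp_timeout=5
# sudo logs through syslog by default; this additionally keeps a local log file (assumed path)
Defaults        logfile=/var/log/sudo.log

# Defaults with a colon apply only to the named user: foobar's (jimmy,rene) rule
# below runs as rene unless -u names someone else.
Defaults:foobar runas_default=rene

# who     which_host=(runas)  command
root      ALL=(ALL)           ALL
# only these two commands, as root, and only on this host
foobar    localhost=/sbin/ifconfig, /bin/ls
# kill as jimmy or rene on the host named linux
foobar    linux=(jimmy,rene)  /bin/kill
# no password for read-only commands; keep NOPASSWD off anything that writes
foobar    localhost=NOPASSWD: /bin/cat, /bin/ls
# Deliberately absent: "ALL, !/bin/su" style exclusions, which the text above
# explains can be bypassed by copying the binary under another name.
```

  Install such a fragment only after visudo -c has accepted it; since sudo uses the last matching entry, the NOPASSWD rule for /bin/ls overrides the earlier password-requiring rule for the same command.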

    Defining aliases for sudo entries

    Sometimes several users need to execute the same commands, and adding sudo entries for them one by one is troublesome. In that case we can create aliases for some users or some commands and add sudo entries using the aliases, which is much more convenient.

    When defining an alias, the alias name must consist only of uppercase English letters. You can define an alias for each field of a sudo entry.

    Define a user alias:
    Format: User_Alias aliasname=member,...
          Members can be user names, group names (prefixed with %), and other user aliases (nested).

    Define a host alias:
    Format: Host_Alias aliasname=member,...
          Members can be hostnames, IP addresses, network addresses, and other host aliases (nested).

    Define an execution identity (runas) alias:
    Format: Runas_Alias aliasname=member,...
          Members can be user names, group names (prefixed with %), and other Runas aliases (nested).

    Define a command alias:
    Format: Cmnd_Alias aliasname=member,...
          Members can be command paths (absolute paths), directories (all commands in that directory), and other previously defined command aliases.
       

   Suppose three users, hadoop, xsl and test, should be able to execute the useradd and passwd commands (with passwd allowed for any account except root). How is this done?
   Add the following entries in /etc/sudoers:
   User_Alias USERALIAS=hadoop,xsl,test
   Cmnd_Alias CMDALIAS=/usr/sbin/useradd,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
   USERALIAS ALL=(root) CMDALIAS
   The negated entry is placed last on purpose: when several entries in a list match, sudo uses the last match, so if !/usr/bin/passwd root came before /usr/bin/passwd [A-Za-z]*, the wildcard would also match "passwd root" and the exclusion would be silently ignored.
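   The points made above (absolute command paths, the ineffective ! exclusion from ALL, NOPASSWD, and a negated entry that is not last in its list) are easy to miss in a growing sudoers file. The script below is an added example, not part of the original article: a small awk-based audit that flags those patterns. The finding labels (ALL_CMDS, NEG_WITH_ALL, NEG_NOT_LAST, NOPASSWD, RELATIVE_CMD) are my own, the sample file it scans is constructed inline, and it complements rather than replaces the syntax check visudo -c.

```shell
#!/bin/sh
# Added example, not from the article: audit a sudoers file for the weak
# patterns discussed in the text. The finding labels are invented for this script.

# A constructed sample sudoers file (not any real system's /etc/sudoers).
SAMPLE_SUDOERS="${TMPDIR:-/tmp}/sudoers.sample.$$"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample
Defaults env_reset
Defaults:foobar runas_default=rene
User_Alias USERALIAS=hadoop,xsl,test
# negation before the wildcard: the wildcard matches last, so root is NOT excluded
Cmnd_Alias CMDALIAS=/usr/sbin/useradd,!/usr/bin/passwd root,/usr/bin/passwd [A-Za-z]*
# the same rule with the negation last, as sudoers(5) recommends
Cmnd_Alias PASSWD_OK=/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
root    ALL=(ALL) ALL
foobar  localhost=/sbin/ifconfig,/bin/ls
foobar  localhost=NOPASSWD: /bin/cat, /bin/ls
bob     ALL=(ALL) ALL, !/bin/su
alice   ALL=(root) NOPASSWD: ALL
carol   ALL=(root) ls
USERALIAS ALL=(root) CMDALIAS
EOF

# audit_sudoers FILE: print one finding per line ("LABEL who[: detail]").
audit_sudoers() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/ { next }                                      # comments and blank lines
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }  # no command list on these lines
    {
        is_alias = ($1 == "Cmnd_Alias")
        if (is_alias) { who = $2; sub(/=.*/, "", who); who = "Cmnd_Alias " who } else { who = $1 }
        eq = index($0, "=")
        if (eq == 0) next
        cmds = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)                  # drop the (runas) part
        n = split(cmds, part, ",")
        has_all = 0; has_neg = 0; neg_seen = 0; neg_then_pos = 0
        for (i = 1; i <= n; i++) {
            c = trim(part[i])
            sub(/^([A-Z]+:[ \t]*)+/, "", c)                      # strip tags such as NOPASSWD:
            neg = 0
            if (substr(c, 1, 1) == "!") { neg = 1; c = trim(substr(c, 2)) }
            cmd = c; sub(/[ \t].*$/, "", cmd)                    # command path without its arguments
            if (cmd == "ALL") {
                has_all = 1; if (neg_seen) neg_then_pos = 1
            } else if (neg) {
                has_neg = 1; neg_seen = 1
            } else {
                if (neg_seen) neg_then_pos = 1                   # a later positive entry wins
                if (cmd != "" && cmd != "sudoedit" && cmd !~ /^\// && cmd !~ /^[A-Z][A-Z0-9_]*$/)
                    printf "RELATIVE_CMD %s: %s\n", who, cmd
            }
        }
        if (!is_alias && who != "root" && has_all) printf "ALL_CMDS %s\n", who
        if (has_all && has_neg)                    printf "NEG_WITH_ALL %s\n", who
        if (neg_then_pos)                          printf "NEG_NOT_LAST %s\n", who
        if (cmds ~ /NOPASSWD:/)                    printf "NOPASSWD %s\n", who
    }' "$1"
}

audit_sudoers "$SAMPLE_SUDOERS"
```

   Run against the sample it reports seven findings: the mis-ordered CMDALIAS, the NOPASSWD rules for foobar and alice, the ALL grants for bob and alice (bob's !/bin/su is also flagged as useless next to ALL), and carol's relative command name ls; the correctly ordered PASSWD_OK alias produces nothing.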






  
