Linux basic skills series: the sudo command

1.Introduction to sudo command

The name sudo is an abbreviation of the English phrase "super user do", which in Chinese is rendered as "things that only the super user can do".

The purpose of sudo is to authorize ordinary users to run administrator commands: an ordinary user can be allowed to run some or all root commands, such as halt, reboot, shutdown, init, and so on.

This not only reduces the time spent logged in and administering as root, but also improves security. sudo is a substitute for a root shell and works on a per-command basis.

The biggest difference between sudo and su commands is:

Changing identity with the su command means telling others the administrator's account password, which always feels uneasy. This is where the sudo command comes in handy.

Using the sudo service can authorize a specified user to execute certain specified commands, delegating as little authority as possible while meeting work requirements to ensure the security of the server.

Configuring sudo must be done by editing the /etc/sudoers file, and only superusers can modify it.

Main features of sudo:

sudo can restrict a user to running only certain commands on a certain host.

sudo provides rich logging, recording in detail what each user has done; the logs can be forwarded to a central host or log server.

sudo uses timestamp files to implement a kind of "ticket" system: when a user invokes sudo and enters their password, they get a ticket with a lifetime of 5 minutes (this value can be set in /etc/sudoers).

The sudo configuration file is /etc/sudoers and its file mode must be 0440. It lets system administrators centrally manage user permissions and host usage.

2. Syntax format and common options

We use sudo --help to view the syntax format and common options:

[root@doc ~]# sudo --help

For many people sudo is a very complicated command, not because the command itself is hard, but because it depends on a configuration file.

3. Detailed explanation of sudo configuration file

3.1 sudo configuration file

The default sudo configuration file is: /etc/sudoers

Generally the dedicated editing tool visudo is used. The advantage of this tool is that it performs error checking.

If you add a rule that does not follow the syntax, visudo prints an error message when you save and exit. After configuring, you can switch to the ordinary user you authorized and run sudo -l to check which commands are allowed or forbidden.

Each line in the /etc/sudoers file is a rule. A leading # marks a comment that is not executed. If a rule is very long it can be written across several lines, using \ as the line-continuation character.

The rules of /etc/sudoers can be divided into two categories:

one type is authorization rules;

the other is alias definitions.

Alias definitions are optional, but authorization rules are required.

3.2 Configuration file comments

Let's take a look at the configuration file. This one is from CentOS 7.9.

[root@mufeng ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## This file allows particular users to run all sorts of commands as root without needing root's password
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## Many examples of related commands are provided at the bottom of the file to choose from;
## each of them can be made available to particular users or groups
## This file must be edited with the 'visudo' command.
## This file must be edited with the "visudo" command

## Host Aliases
# Host aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
## For a group of servers you may prefer to use host names (possibly with wildcards
## for whole domains) or IP addresses instead; a host alias can be configured for that

# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2
## User Aliases
# User aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
## These are not very common, because a group can be used instead of an alias for a set of users
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...
## Define an alias for a series of related commands (a single one is fine too); granting sudo
## rights to the alias allows every command it contains to be run through sudo. Examples follow


## Networking
# Aliases for networking commands
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, \
 /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, \
 /sbin/mii-tool

## Installation and management of software
# Aliases for software installation and management commands
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Aliases for service commands
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Alias for updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
# Aliases for disk commands
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Aliases for permission-delegation commands
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Aliases for process commands
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Driver command alias
Cmnd_Alias DRIVERS = /sbin/modprobe
# Environment-variable related settings
# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Here come the rule definitions: which users may run which commands on which hosts (the sudoers file can be shared across multiple systems)
## Syntax:
## Syntax
##      user    MACHINE=COMMANDS
##      user    host-logged-into=(identity to switch to)    commands allowed
##
## The COMMANDS section may have other options added to it.
## The command part can carry some other options
##
## Allow root to run any commands anywhere
## Allow root to run any command from any path
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allow members of the sys group to use all commands configured in NETWORKING and the other aliases

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
## Allow members of the wheel group to run all commands
## Same thing without a password
## Allow members of the wheel group to run all commands without entering their password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
## Allow members of the users group to run mount and umount on the cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
## Allow members of the users group to run shutdown as root

visudo -c checks the syntax of the sudoers file.

Alias types (Alias_Type) include the following:

Host_Alias defines a host alias;

User_Alias defines a user alias; its members can be users or user groups (a group must be prefixed with %);

Runas_Alias defines a runas alias, which specifies the "destination user", that is, the user that sudo is allowed to switch to;

Cmnd_Alias defines a command alias (this is the keyword used in the listing above).

If an alias has several members, separate them with half-width (ASCII) commas; host members must be host names or IP addresses (such as those shown by w), and user names must actually exist in /etc/passwd.

3.3 sudo authorization rules

Authorization rules are the execution rules that assign permissions. The alias definitions described earlier exist mainly so that an authorization rule can reference an alias conveniently. If the system has only a few users and the permissions to be delegated are fairly limited, you need not define aliases at all and can authorize the system users directly; aliases are therefore not mandatory in authorization rules.

The authorization rules of sudo are described in detail in man sudoers. Let's go through them together:

Format: authorized_user host=command

These three elements are all required. You can additionally specify a user to switch to before running the command; that user is written in parentheses. If the command should run without prompting for a password, add the NOPASSWD: tag.

Case 1:

[root@mufenggrow ~]# grep mufeng /etc/sudoers
mufeng  ALL=/usr/bin/chown,/usr/bin/chmod
[root@mufenggrow ~]#

If we add this line to /etc/sudoers, it means that on any host (ALL), mufeng can switch to the root user to run the /usr/bin/chown and /usr/bin/chmod commands. This can be verified with sudo -l:

[mufeng@mufenggrow ~]$ sudo -l
[sudo] mufeng 的密码:
匹配 %2$s 上 %1$s 的默认条目:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 mufeng 可以在 mufenggrow 上运行以下命令:
    (root) /usr/bin/chown, /usr/bin/chmod
[mufeng@mufenggrow ~]$

Case 2:

mufeng ALL=(root)/usr/bin/chown,/usr/bin/chmod

Indicates that the mufeng user can switch to root to run chown, and can switch to any user to run chmod.

Case 3:

mufeng ALL=(root) NOPASSWD: /usr/bin/chown,/usr/bin/chmod

This means that mufeng can switch to root to run chown without entering a password, and can switch to any user to run chmod, but a password is required when running chmod.

Case 4:

If mufeng is not a user but a user group, a % prefix is required:

%mufeng ALL=(root)/usr/bin/chown,/usr/bin/*

This denotes the users in the group mufeng, and the trailing * means every command under /usr/bin.
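To see how the rule elements from sections 3.2 and 3.3 combine, here is an added Python evaluator (written for this page; it is neither sudo's own code nor from the original post) for the rule forms used above: Cmnd_Alias, %group, ALL, a (runas) spec, NOPASSWD:/PASSWD: tags, * wildcards and backslash line continuation. It follows the man sudoers grammar the section cites, in which a Runas_Spec and a NOPASSWD tag stay in force for the commands that follow them in the same list until overridden; the sudoers text, users, groups and host names are constructed for the example, and sudo -l on the real host remains the authoritative check.

```python
import re
# Constructed sample mirroring the rule shapes on this page (not a real /etc/sudoers).
SAMPLE_SUDOERS = r"""
Cmnd_Alias SERVICES = /sbin/service, \
                      /sbin/chkconfig
mufeng  ALL=(root) NOPASSWD: /usr/bin/chown, /usr/bin/chmod
%wheel  ALL=(ALL) SERVICES
%users  localhost=/sbin/shutdown -h now
"""

def parse_cmnd_list(spec, aliases):
    """Per man sudoers a Runas_Spec and a NOPASSWD/PASSWD tag stay in force for the
    commands that follow them in the same list until overridden; runas defaults to root."""
    runas, nopasswd, out = "root", False, []
    for item in (i.strip() for i in spec.split(",")):
        m = re.fullmatch(r"\(([^)]+)\)\s*(.*)", item)          # optional (runas) prefix
        if m:
            runas, item = m.group(1), m.group(2)
        for tag, value in (("NOPASSWD:", True), ("PASSWD:", False)):
            if item.startswith(tag):
                nopasswd, item = value, item[len(tag):].strip()
        for cmd in aliases.get(item, [item]):                   # expand a Cmnd_Alias
            out.append((runas, nopasswd, cmd))
    return out

def parse_sudoers(text):
    """Return (cmnd_aliases, rules); a rule is (who, host, [(runas, nopasswd, cmd), ...]).
    Only the Cmnd_Alias subset is handled; Defaults and other alias kinds are skipped."""
    aliases, rules = {}, []
    for line in text.replace("\\\n", " ").splitlines():        # join '\'-continued lines
        line = line.split("#", 1)[0].strip()                    # '#' starts a comment
        if line.startswith("Cmnd_Alias"):
            name, members = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
        elif line and (m := re.fullmatch(r"(\S+)\s+([^=\s]+)\s*=\s*(.*)", line)):
            rules.append((m[1], m[2], parse_cmnd_list(m[3], aliases)))
    return aliases, rules

def allowed(text, user, groups, host, cmd):
    """Mimic sudo's lookup (the last matching entry wins): (runas, nopasswd) or None."""
    aliases, rules = parse_sudoers(text)
    result = None
    for who, rule_host, specs in rules:
        if who != user and not (who.startswith("%") and who[1:] in groups):
            continue                                            # user or %group must match
        if rule_host in ("ALL", host):
            for runas, nopasswd, pattern in specs:
                # '*' never crosses '/'; a rule without arguments allows any arguments
                target = cmd if " " in pattern else cmd.split()[0]
                if pattern == "ALL" or re.fullmatch(re.escape(pattern).replace(r"\*", "[^/]*"), target):
                    result = (runas, nopasswd)
    return result
```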

4. Practical reference cases for common sudo parameters

Create test user:

[root@mufenggrow ~]# useradd mufeng
[root@mufenggrow ~]# echo 12345678 |passwd --stdin mufeng
更改用户 mufeng 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@mufenggrow ~]# su - mufeng
[mufeng@mufenggrow ~]$ whoami
mufeng

4.1 Check which commands the current user has authorized by the sudo service

Use the -l parameter for this (lowercase L).

Let's look at the case:

[mufeng@mufenggrow ~]$ sudo -l
[sudo] mufeng 的密码:
匹配 %2$s 上 %1$s 的默认条目:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 mufeng 可以在 mufenggrow 上运行以下命令:
    (root) /usr/bin/chown, /usr/bin/chmod

You can set this directly with visudo. Note: run visudo on its own to open the configuration file; do not put vim in front of it. The configuration method is the same as for /etc/sudoers.

4.2 Ending the password validity period

The first time sudo runs a command it asks for the password; running a command a second time within the validity period does not. The -k parameter ends the validity period, so the next sudo command asks for the password again.

Reference example:

[root@mufenggrow ~]# su - mufeng
上一次登录:一 1月 30 19:47:47 CST 2023pts/0 上
[mufeng@mufenggrow ~]$ sudo useradd test1
[sudo] mufeng 的密码:
# The first run asks for the password; the second run below does not
[mufeng@mufenggrow ~]$ sudo useradd test2
# End the password validity period
[mufeng@mufenggrow ~]$ sudo -k
[mufeng@mufenggrow ~]$ sudo useradd test3
[sudo] mufeng 的密码:
[mufeng@mufenggrow ~]$

4.3 Restricting user permissions

Restrict mufeng's permissions so that mufeng can only run the chmod command:

[root@mufenggrow ~]# visudo

The first ALL refers to the hosts on the network. The ALL inside the parentheses refers to the target user, that is, the identity used to run the command. The last ALL is the command name.

So here mufenggrow is the host name, which fills the host field.

Origin blog.csdn.net/m0_60259116/article/details/135170503