su and sudo: privilege elevation for ordinary users, and tracking elevated operations

Disclaimer: This is an original article by the blogger, licensed under CC 4.0 BY-SA. If you reproduce it, please attach the original source link and this statement.
This link: https://blog.csdn.net/ck784101777/article/details/102547152

1. Switching users: su

su = Substitute User

su - [account name]

su - [account name] -c 'command'

The "-" starts a login shell, so the target user's own environment (HOME, PATH, shell profile) is loaded instead of the caller's; without it you keep the caller's environment, which is a common source of "works as root, fails as jjh" surprises.

1. Switch user

[root@proxy ~]# useradd jjh
[root@proxy ~]# su - jjh          // root switching to another user is not asked for a password
[jjh@proxy ~]$ whoami
jjh
[jjh@proxy ~]$ su -               // with no account name, su switches to root
Password:                         // enter root's password
[root@proxy ~]# whoami            // confirm the result
root

2. Switch user and run a command

[root@proxy ~]# su - jjh -c "touch /tmp/test.txt"    // root creates a file as the ordinary user jjh
[root@proxy ~]# ll /tmp/test.txt
[root@proxy ~]# su - jjh
[jjh@proxy ~]$ su - -c "systemctl restart sshd"      // an ordinary user restarting a service as root must give root's password
Password:
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-19 08:59:40 CST; 1 months 4 days ago

Note the security trade-off: every user who needs to do this must know the root password itself, and the log (below) only records that a switch happened, not which command was run.

3. Check who used su to switch accounts

The log shows which users switched accounts with su, and to whom. On CentOS/RHEL the PAM session records land in /var/log/secure; a line "session opened for user X by Y(uid=N)" means Y became X. In the excerpt below root switched to jjh; a line opened for user root by an ordinary user is the one to look for when asking who obtained root.

[root@web1 ~]# cat /var/log/secure

...........

Oct 14 14:24:14 web1 su: pam_unix(su-l:session): session opened for user jjh by root(uid=0)
Oct 14 14:24:17 web1 su: pam_unix(su-l:session): session closed for user jjh

 

2. Privilege elevation: sudo

sudo = superuser do. It runs a single command with another user's (by default root's) privileges, authenticating with the caller's own password rather than root's, and records each command.

sudo command     # run a command through sudo

sudo -l          # list the commands the current user is allowed to run through sudo

The sudo configuration file can be modified in two ways:

visudo

vim /etc/sudoers

visudo is the safer of the two: it locks the file against concurrent edits and checks the syntax before saving. A syntax error saved through vim disables sudo for everyone, including the administrator who made the mistake, until the file is repaired from a root shell. A candidate file can also be checked without installing it, with visudo -c -f <file>.

Authorization format:

Around line 92 of /etc/sudoers (type :set nu in vim to show line numbers) there is already a rule for root:

root    ALL=(ALL)       ALL

Format: user   host=(run-as user)   command

The first field is the user (or %group) the rule applies to, the host field is the machine or host alias it is valid on, the run-as field in parentheses is whose identity the command runs under, and the last field is the command list. The run-as ALL includes root, and ALL=(ALL) is normally enough. Commands must be written as absolute paths: what actually runs for useradd is /usr/sbin/useradd, so that is what goes in the rule.

1. Allow jjh to manage system services

1) Modify the /etc/sudoers configuration

/etc/sudoers can be edited directly with vim, or changed with the visudo command.

Grant the user permission to run the relevant program, so that system services can be managed through the systemctl tool.

[root@proxy ~]# useradd jjh
[root@proxy ~]# vim /etc/sudoers          // the file is read-only; after editing, force-save with :wq!
.. ..
jjh ALL=(ALL) /usr/bin/systemctl
// jjh may run systemctl as any user (ALL includes root)

Be aware that an unrestricted systemctl is close to granting root: the user can start a unit file of their own choosing, and systemctl's long output is shown through a pager from which a shell can be spawned as root. If the role only needs one service, restrict the arguments, for example /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd.

2) Switch to the jjh user and verify the sudo permission

[root@proxy ~]# su - jjh
[jjh@proxy ~]$ sudo -l                         // view permissions
… …
[sudo] password for jjh:                       // enter jjh's own password, not root's
(ALL) /usr/bin/systemctl

[jjh@proxy ~]$ systemctl start httpd           // without sudo, starting the service fails
Authentication is required
.. ..
[jjh@proxy ~]$ sudo systemctl restart httpd    // through sudo, the service restarts successfully

2. Allow an ordinary user to add/delete/modify user accounts other than root through sudo

1) Modify the /etc/sudoers configuration

To grant a user permission to run the user-management commands, a wildcard can match commands that share a prefix, such as useradd, userdel and usermod. A "!" negates a rule and forbids running that command. Since the operator must not be able to threaten the root account, running these commands against root is disabled:

[root@proxy ~]# useradd useradm          // add the user
[root@proxy ~]# which useradd            // find the program the command actually runs
/usr/sbin/useradd
[root@proxy ~]# vim /etc/sudoers
.. ..
useradm ALL=(ALL)  /usr/bin/passwd,!/usr/bin/passwd root,/usr/sbin/user*,!/usr/sbin/user* root

2) Switch to the ordinary user and verify the sudo permission

Ordinary users can now be added/deleted/modified through sudo:

[root@proxy ~]# su - useradm
[useradm@proxy ~]$ sudo -l                    // "User useradm may run the following commands on this host:"
.. ..
(ALL) /usr/bin/passwd, !/usr/bin/passwd root, /usr/sbin/user*, !/usr/sbin/user* root
[useradm@proxy ~]$ sudo useradd newuser01     // a user can be added
[useradm@proxy ~]$ sudo passwd newuser01      // an ordinary user's password can be changed
Changing password for user newuser01.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

But root's password cannot be changed (remove the negation and try again: root's password can then be changed):

[useradm@proxy ~]$ sudo passwd root
Sorry, user useradm is not allowed to execute '/usr/bin/passwd root' as root on localhost.

This rule is weaker than it looks, though. A command listed in sudoers without arguments matches any argument list, including an empty one, so "sudo passwd" with no user name is still allowed; passwd then acts on the calling identity, which under sudo is root, and changes root's password. The sudoers(5) manual gives the pattern /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root for exactly this case, and warns that "subtracting" commands with "!" is generally not an effective restriction. The user* entries have the same problem: useradd -o -u 0 creates a second uid-0 account without ever naming root.
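The script below is an added example, not code from the original article. It ties together the two points made above: it writes the user-management rule in the form the sudoers(5) manual recommends, checks the candidate file with visudo -c -f before anything touches /etc/sudoers (the check that a direct vim edit skips), and installs it as a drop-in with the mode sudo requires. The user name useradm is the article's; the Cmnd_Alias name USERMGMT, the wrapper path /usr/local/sbin/user-admin (assumed to be a root-owned script that validates its arguments and refuses root and uid 0, not shown here), the drop-in directory argument and the function names are assumptions.

```shell
#!/bin/bash
# Added example: generate a sudoers drop-in for the user-admin role, validate it
# with visudo -c, and install it only if the check passes. Names and paths
# below are assumptions, not taken from the article.
set -u

# Rule text. Differences from the article's rule:
#  - passwd takes exactly one alphabetic argument ([A-Za-z]*), the form given in
#    sudoers(5); "sudo passwd" with no argument would otherwise run as root and
#    change root's own password.
#  - the raw useradd/usermod/userdel binaries are not listed, because flags such
#    as "useradd -o -u 0" cannot be excluded reliably with "!" patterns; they go
#    behind an assumed root-owned wrapper script that validates its arguments.
#  - the run-as user is root, not ALL, and sudo's own log goes to a file.
build_useradm_rules() {
cat <<'EOF'
# managed by install_sudoers_fragment; edit the generator, not this file
Defaults logfile="/var/log/sudo"
Cmnd_Alias USERMGMT = /usr/local/sbin/user-admin
useradm ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, USERMGMT
EOF
}

# visudo -c -f parses a candidate file without touching /etc/sudoers. A syntax
# error saved directly into /etc/sudoers would disable sudo for everyone.
check_sudoers_fragment() {
  visudo -c -f "$1" >/dev/null
}

# Install the fragment with mode 0440 (sudo rejects sudoers files with other
# modes). sudo also ignores files under /etc/sudoers.d whose name contains a
# dot or ends in "~", so such names are refused here rather than silently
# producing a rule that never applies. Requires "#includedir /etc/sudoers.d"
# in /etc/sudoers, which CentOS/RHEL 7 ships by default.
install_sudoers_fragment() {
  local name=$1 src=$2 dest=${3:-/etc/sudoers.d}
  case $name in
    *.*|*~) echo "bad fragment name: $name" >&2; return 1 ;;
  esac
  check_sudoers_fragment "$src" || { echo "refusing to install $src" >&2; return 1; }
  mkdir -p "$dest"
  install -m 0440 "$src" "$dest/$name"
}

# Usage as root:
#   build_useradm_rules > /tmp/useradm && install_sudoers_fragment useradm /tmp/useradm
```

The third argument to install_sudoers_fragment exists so the function can be exercised against a scratch directory before it is ever pointed at /etc/sudoers.d; with no visudo on the machine the install step refuses rather than skipping the check.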

3. Allow members of the wheel group to run all privileged commands

This case demonstrates the convenience of sudo and the danger of setting it up carelessly; use it with caution in a production environment.

[root@proxy ~]# vim /etc/sudoers      // line 98
.. ..
%wheel ALL=(ALL) ALL
[root@proxy ~]# usermod -a -G wheel jjh
[root@proxy ~]# su - jjh
[jjh@proxy ~]$ sudo -l
.. ..
User jjh may run the following commands on this host:
(ALL) ALL

Every member of wheel is now root-equivalent with only their own password, so membership of that group (grep '^wheel' /etc/group) is what has to be reviewed, not the sudoers file.

4. Enable sudo logging to track sudo operations

1) Modify the /etc/sudoers configuration, adding the log setting

[root@proxy ~]# visudo
Defaults logfile="/var/log/sudo"
.. ..

sudo already reports every accepted and rejected command through syslog (facility authpriv, which on CentOS/RHEL ends up in /var/log/secure); the logfile setting writes an additional sudo-only copy to the given file, which is easier to review and to forward.

2) Run sudo operations as an authorized user

[root@proxy ~]# su - jjh
[jjh@proxy ~]$ sudo -l                           // view the authorized sudo operations
[softadm@proxy ~]$ sudo systemctl status httpd   // run an authorized sudo operation

3) Confirm that logging is in effect

[root@proxy ~]# tail /var/log/sudo
.. ..
May 16 22:14:49 : root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=list
Feb 22 22:35:43 : softadm : TTY=pts/11 ; PWD=/home/softadm ; USER=root ;
    COMMAND=/bin/systemctl status httpd

Each entry records the invoking user, the terminal, the working directory, the run-as user and the exact command (COMMAND=list is sudo -l itself); long entries are wrapped onto an indented continuation line. Because the file is written by root, anyone who has obtained root through sudo can edit it, so forward the syslog copy to a remote log server if the record must survive a compromise.
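As an added example that is not part of the original article, the script below turns the two audit sources discussed on this page, the su session records in /var/log/secure (section 3 of the first part) and the sudo log file written by Defaults logfile, into a "who became whom, and ran what" report. The log lines embedded in it are constructed samples modelled on the entries shown above, not captured data; the function names are assumptions.

```shell
#!/bin/bash
# Added example: extract "caller -> target" from su session records and
# "user => run-as : command" from a sudo logfile. Sample log lines below are
# constructed for the example, not captured from a real host.
set -u

# Constructed /var/log/secure excerpt: root dropping to jjh, then jjh using su
# to become root, plus an unrelated sshd line that must be ignored.
sample_secure_log() {
cat <<'EOF'
Oct 14 14:24:14 web1 su: pam_unix(su-l:session): session opened for user jjh by root(uid=0)
Oct 14 14:24:17 web1 su: pam_unix(su-l:session): session closed for user jjh
Oct 14 14:25:02 web1 su: pam_unix(su-l:session): session opened for user root by jjh(uid=1000)
Oct 14 14:25:03 web1 sshd[2201]: Accepted publickey for jjh from 10.0.0.5 port 51022 ssh2
EOF
}

# Constructed sudo logfile excerpt. sudo wraps long entries at loglinelen
# (80 by default) and indents continuation lines with four spaces; a refused
# command is logged with the reason between the user and the TTY field.
sample_sudo_log() {
cat <<'EOF'
May 16 22:14:49 : root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=list
Feb 22 22:35:43 : softadm : TTY=pts/11 ; PWD=/home/softadm ; USER=root ;
    COMMAND=/bin/systemctl status httpd
Feb 22 22:36:10 : useradm : command not allowed ; TTY=pts/12 ; PWD=/home/useradm ;
    USER=root ; COMMAND=/usr/bin/passwd root
EOF
}

# Print "caller -> target" for every su session opened in a secure-style log
# read from stdin. "session closed" and non-su lines are dropped.
su_sessions() {
  sed -n 's/.*pam_unix(su[-a-z]*:session): session opened for user \([^ ]*\) by \([^(]*\)(uid=[0-9]*)$/\2 -> \1/p'
}

# Print "user => run-as : command [denied]" for every entry in a sudo logfile
# read from stdin, re-joining the continuation lines first.
sudo_commands() {
  awk '
    /^    / { entry = entry " " substr($0, 5); next }   # continuation line
    { if (entry != "") emit(entry); entry = $0 }
    END { if (entry != "") emit(entry) }
    function emit(e,    f, n, user, runas, cmd, denied, i) {
      n = split(e, f, " : ")          # date : user : rest
      user = f[2]
      denied = (f[3] ~ /^(command not allowed|user NOT in sudoers|[0-9]+ incorrect password attempts)/) ? " [denied]" : ""
      runas = "?"
      if (match(e, /USER=[^ ;]*/)) runas = substr(e, RSTART + 5, RLENGTH - 5)
      i = index(e, "COMMAND=")
      cmd = (i > 0) ? substr(e, i + 8) : "?"
      printf "%s => %s : %s%s\n", user, runas, cmd, denied
    }'
}

echo "== su sessions (caller -> target) =="
sample_secure_log | su_sessions
echo "== who became root through su =="
sample_secure_log | su_sessions | grep ' -> root$' || true
echo "== sudo commands (user => run-as : command) =="
sample_sudo_log | sudo_commands
```

On a real host replace the sample functions with cat /var/log/secure and cat /var/log/sudo; the parsers read from stdin so they can equally be fed by journalctl or a log shipper. The denied marker is what turns the sudo log into a detection source: a user repeatedly tripping "command not allowed" is probing the limits of their rule.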
