table of Contents
This article from the "Linux in respect of such a school," Liu finishing excerpt Trent teacher, write their own blog easy access to the latter part
of the book is great, concise language, easy to understand, highly recommended, you can point connection to learn ~
sudo
Scenarios and common sense
Despite using the su command, the average user can completely switch to root administrator to complete the corresponding work, but it will be exposed root administrator's password, thereby increasing the probability of the system password hacker obtained, which is obviously not the most secure Program.
Next will describe how to use the sudo command to execute permissions given to a specific command to a specific user, both to ensure that ordinary users to perform specific work, but also to avoid leaks root administrator password.
We have to do is to configure sudo reasonable service, in order to take into account the convenience and safety of users of the system.
Sudo configuration principle is very simple service => in ensuring the completion of the corresponding ordinary users working premise, giving additional rights as little as possible.
sudo command is used to provide additional ordinary users permissions to complete the original root administrator to complete the task
format:sudo [参数] 命令名称
Optional parameters command sudo
| parameter | effect |
|---|---|
| -h | List help information |
| -l | Command lists the current user can perform |
| -u user name or UID value | To execute the command specified user identity |
| -k | Effective time to empty password, password authentication is required again next time when performing sudo |
| -b | Executes the specified command in the background |
| -p | Change the password prompt inquiry |
sudo functions
In conclusion, sudo command has the following functions:
- Restrict user executes the specified command
- Record each command executed by the user
- Configuration file (/ etc / sudoers) provides centralized user management, authority and host parameters
- Over 5 minutes (the default value) without authenticating the user authentication password again let
Of course, if you are concerned directly modify the configuration file problem occurs, you can use the sudo command provides the visudo command to configure user permissions.
Of course, if you are concerned directly modify the configuration file problem occurs, you can use the sudo command provides the visudo command to configure user permissions. (Only root administrators can use the visudo command to edit the configuration file sudo services.)
visudo: >>> /etc/sudoers: syntax error near line 111 <<<
What now?
Options are:
(e)dit sudoers file again
(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)When you configure the profile to use the sudo command visudo command, the same method used in the method and Vim editor of its operation, so after their completion remember to save and exit line mode.
Sudo command in the configuration file, the information specified on the (approximately) will be completed in accordance with the format line 99 the following:
Who can use allow the use of host = list (to whose identity) executable commands
[root@linuxprobe ~]# visudo
96 ##
97 ## Allow root to run any commands anywhere
98 root ALL=(ALL) ALL
99 linuxprobe ALL=(ALL) ALLAfter completed remember to first save and then exit, and then switch to a normal user specified, then you can view all executable commands with sudo -l command
(The following command to verify that the ordinary user's password, rather than a root administrator password, please do not confuse the reader):
[root@linuxprobe ~]# su - linuxprobe
Last login: Thu Sep 3 15:12:57 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ sudo -l
[sudo] password for linuxprobe:此处输入linuxprobe用户的密码
Matching Defaults entries for linuxprobe on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User linuxprobe may run the following commands on this host:
(ALL) ALLNext is the time to witness the miracle! As an ordinary user, it is certainly not see the file information root administrator's home directory (/ root) is, however, only need to think of the command preceded by sudo command on it:
[linuxprobe@linuxprobe ~]$ ls /root
ls: cannot open directory /root: Permission denied
[linuxprobe@linuxprobe ~]$ sudo ls /root
anaconda-ks.cfg Documents initial-setup-ks.cfg Pictures Templates
Desktop Downloads Music Public VideosImmediate effect!
But given the highest executive power production environment does not allow ordinary users to have a whole system of all commands (this is not in line with the previously mentioned rights conferred principle that the authority given as little as possible), therefore some parameters can not ALL appropriate.
It can only be given to ordinary users specific orders to meet the needs of the work, which has also been necessary permissions constraints.
If you need to allow a user to use as root administrator of the specified order, must remember to give the absolute path of the command, otherwise the system will not identify them.
We can first use the whereis command to find the path to save the corresponding command, and then line 99 of the profile user rights to modify the parameters corresponding to the path:
[linuxprobe@linuxprobe ~]$ exit
logout
[root@linuxprobe ~]# whereis cat
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz /usr/share/man/man1p/cat.1p.gz
[root@linuxprobe ~]# visudo
96 ##
97 ## Allow root to run any commands anywhere
98 root ALL=(ALL) ALL
99 linuxprobe ALL=(ALL) /usr/bin/catAfter editing is still a good first save and then exit. Again switched to the specified average user, and then try to properly view the contents of a file, then the system prompts do not have permission. The next time you use the sudo command can successfully view the contents of the file:
[root@linuxprobe ~]# su - linuxprobe
Last login: Thu Sep 3 15:51:01 CST 2017 on pts/1
[linuxprobe@linuxprobe ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow
root:$6$GV3UVtX4ZGg6ygA6$J9pBuPGUSgZslj83jyoI7ThJla9ZAULku3BcncAYF00Uwk6Sqc4E36MnD1hLtlG9QadCpQCNVJs/5awHd0/pi1:16626:0:99999:7:::
bin:*:16141:0:99999:7:::
daemon:*:16141:0:99999:7:::
adm:*:16141:0:99999:7:::
lp:*:16141:0:99999:7:::
sync:*:16141:0:99999:7:::
shutdown:*:16141:0:99999:7:::
halt:*:16141:0:99999:7:::
mail:*:16141:0:99999:7:::
operator:*:16141:0:99999:7:::
games:*:16141:0:99999:7:::
ftp:*:16141:0:99999:7:::
nobody:*:16141:0:99999:7:::
………………省略部分文件内容………………I do not know if you ever noticed that after each run sudo command will be asked to verify the password. Although the password is the password for the user currently logged on, but each time the sudo command must enter a password actually quite troublesome, then you can add NOPASSWD parameters, no longer need password authentication allows the user to execute sudo command :
[linuxprobe@linuxprobe ~]$ exit
logout
[root@linuxprobe ~]# whereis poweroff
poweroff: /usr/sbin/poweroff /usr/share/man/man8/poweroff.8.gz
[root@linuxprobe ~]# visudo
96 ##
97 ## Allow root to run any commands anywhere
98 root ALL=(ALL) ALL
99 linuxprobe ALL=NOPASSWD: /usr/sbin/poweroff