Linux sudo command usage explained: rights management

Giving a user administrator privileges makes misuse easy and can cause unnecessary damage. Besides, having root do all the management alone is tiring; administrators are people too, and need time off to go on dates, watch films, fool around or just stare into space, don't they? So a good practice once a Linux service has been built is to authorize ordinary users to help with the day-to-day administration.

The most popular tool for this today is sudo, which almost every Linux distribution installs by default. Note that all the permissions introduced so far, such as ordinary permissions, ACL permissions, special permissions and file-system attributes, apply by default to files and directories, whereas the object sudo operates on is a system command: a command that originally only root could run is handed to an ordinary user, who then executes it with superuser privileges.

sudo is simple to use: the root administrator runs the visudo command to edit the authorization configuration file /etc/sudoers. The command is as follows:
[root@localhost ~]# visudo
... output omitted ...
root    ALL=(ALL)       ALL

%wheel  ALL=(ALL)       ALL

# These two lines are the templates the system provides for us; we can write our own entries by following them
... output omitted ...

Let us explain the format of this file.
root ALL=(ALL) ALL
# user name    managed host address=(usable identity)    authorized command (absolute path)
#%wheel ALL=(ALL) ALL
# %group name  managed host address=(usable identity)    authorized command (absolute path)

The specific meaning of the four parameters is as follows:
User name / group name: the user or group to whom root grants the command. Note that a group name must be prefixed with "%".
Managed host address: the IP address of the host being managed, on which the user may use the specified command. Writing ALL means the user may manage any host; writing a fixed IP means the user may manage the specified server. Writing the local machine's IP address here does not mean that only users on this machine may use the specified command; it means the specified user may manage the current server from any IP address.
Usable identity: the identity the user switches to when running the command; (ALL) means the user may switch to any identity. This field may be omitted.
Authorized command: the command root grants to the ordinary user. The default ALL stands for any command, which is of course not what we want; if you need to authorize a specific command, simply write the command name. Remember, however, that it must be written as an absolute path.

[Example 1]
To authorize the user lamp to restart the server, root adds the following line:
[root@localhost ~]# visudo
lamp ALL=/sbin/shutdown -r now

A group is specified with a percent sign, for example %admgroup, and several authorized commands are separated by commas. The user lamp can view the list of commands authorized to them with sudo -l.
[root@localhost ~]# su - lamp
# switch to the user lamp
[lamp@localhost ~]$ sudo -l
[sudo] password for lamp:
# lamp enters their own password
User lamp may run the following commands on this host:
    (root) /sbin/shutdown -r now
# the user lamp can see that they have permission to run shutdown -r now

The password sudo prompts lamp for is the user's own password; the server is verifying that the person operating really is lamp. When lamp needs to run the command, they simply use:
[lamp@localhost ~]$ sudo /sbin/shutdown -r now

The user lamp can then restart the server. Note that the command must be written with its absolute path, or /sbin must be added to the ordinary user's PATH; otherwise it cannot be executed.

[Example 2]
Authorize a user to manage the web server. First, analyze the minimum authorization a user needs in order to manage Apache:
The user can use the Apache management script.
The user can modify the Apache configuration file.
The user can update the web content.

Assume the Apache management script is /etc/rc.d/init.d/httpd. To satisfy the first condition, grant authorization with the visudo command:
[root@localhost ~]# visudo
lamp 192.168.0.156=/etc/rc.d/init.d/httpd reload, \
        /etc/rc.d/init.d/httpd configtest

The authorized user lamp can connect to the Apache server at 192.168.0.156 and use the management script to reread the Apache configuration file so that changed settings take effect (reload) and to check the Apache configuration file for syntax errors (configtest), but is not allowed to run commands such as stop or restart. (The "\" means the line is not finished and the content of the following line belongs to the same line.)

To satisfy the second condition, grant authorization with visudo in the same way:
[root@localhost ~]# visudo
lamp 192.168.0.156=/bin/vi /etc/httpd/conf/httpd.conf
The authorized user lamp can now use vi to edit the Apache configuration file as root.

Two points deserve special attention when setting up sudo; many people make these two kinds of mistakes with sudo:
First, the authorized command is not narrowed down to its options and arguments (an entry such as lamp ALL=/bin/vi would let lamp edit any file as root, whereas the entry above limits vi to httpd.conf);
Second, believing that an authorized command can only be run by the authorized administrator.

The third condition is relatively simple. Assuming the web storage directory is /var/www/html, you only need to give the user lamp write permission on this directory, or simply change the directory's owner to lamp. If desired, you can also allow the user lamp to update the web files through FTP or another file-sharing service.
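To make the four fields and their matching rules concrete, here is a small checker added for this page (not sudo's own code): it parses entries in the format explained above, including the backslash continuation from Example 2, and answers whether a user may run a given command line; its exact-argument rule shows why the first mistake above (not narrowing a command to its options and arguments) matters. It models only what this page describes (no aliases, wildcards, negation or Defaults), and the sample entries are constructed from the page's template lines and examples.

```python
import shlex

# Added illustration of this page's four-field sudoers format, not sudo's real matcher:
# models user/%group, host, optional (runas), comma-separated commands and "\" continuation only.
def parse_sudoers(text):
    """Return a list of (who, host, runas, [command specs]) from sudoers-style text."""
    rules = []
    joined = text.replace("\\\n", " ")          # join backslash-continued lines first
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        who, rest = line.split(None, 1)
        host, spec = rest.split("=", 1)          # assumes no "=" inside command arguments
        spec, runas = spec.strip(), "root"       # "(identity)" omitted: sudo defaults to root
        if spec.startswith("("):
            runas, spec = (s.strip() for s in spec[1:].split(")", 1))
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append((who, host.strip(), runas, cmds))
    return rules

def _cmd_matches(spec, requested):
    """A spec with arguments matches only that exact command line; a bare path allows any arguments."""
    spec_parts, req_parts = shlex.split(spec), shlex.split(requested)
    if spec_parts == ["ALL"]:
        return True
    if len(spec_parts) == 1:
        return req_parts[:1] == spec_parts
    return req_parts == spec_parts

def may_run(rules, user, groups, host, command, runas="root"):
    """Would `user` (member of `groups`) on `host` be allowed to run `command` as `runas`?"""
    for who, rhost, rrunas, cmds in rules:
        who_ok = who == user or (who.startswith("%") and who[1:] in groups)
        if (who_ok and rhost in ("ALL", host) and rrunas in ("ALL", runas)
                and any(_cmd_matches(c, command) for c in cmds)):
            return True
    return False

# Constructed sample combining the page's template lines with Example 1 and Example 2.
SAMPLE = """\
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
lamp    ALL=/sbin/shutdown -r now
lamp    192.168.0.156=/etc/rc.d/init.d/httpd reload, \\
        /etc/rc.d/init.d/httpd configtest
lamp    192.168.0.156=/bin/vi /etc/httpd/conf/httpd.conf
"""
RULES = parse_sudoers(SAMPLE)
```

Because "/sbin/shutdown -r now" is spelled out with its arguments, "shutdown -h now" is refused, and "/bin/vi" restricted to httpd.conf does not open any other file; a bare "/bin/vi" entry would.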

This brings the chapter to a close; we have introduced all the common permissions of Linux systems. Finally, please keep in mind the basic principle of system security: give users the minimum permissions they need. Spider-Man said, "With great power comes great responsibility"; a Linux administrator says, "the greater the power, the greater the probability of error"!

Origin blog.csdn.net/zyy1659949090/article/details/88176578