2025-02-24 Update From: SLTechnology News&Howtos, Shulou (Shulou.com) 06/01 Report
This article shows how to use sudo to delegate permissions on a Linux system. The content is concise and easy to follow; I hope you get something out of the detailed introduction below.
Introduction to sudo permission delegation
su switches identity: su -l username -c 'command'. It asks for the password of the target account, so delegating root work with su means handing out the root password; sudo avoids that.
sudo
Provided by the sudo package; the configuration syntax is documented in man 5 sudoers.
sudo can authorize a specified user to run specified commands on specified hosts. If an unauthorized user attempts to use sudo, they are told to contact the administrator and the attempt is logged.
sudo keeps a log that records each command a user runs through it.
sudo gives the system administrator a configuration file in which users' permissions and hosts are managed centrally.
sudo uses a timestamp file to implement something like a "ticket check": after a successful password entry the user holds a "ticket" that is valid for 5 minutes by default (the timestamp_timeout option), and the password is not asked again within that window.
Edit the configuration file with the visudo command, which locks the file and checks the syntax before installing the change:
visudo -c checks the syntax of /etc/sudoers and every file it includes
visudo -f /etc/sudoers.d/test edits (or creates) a drop-in file with the same locking and syntax check
sudo files
Configuration files: /etc/sudoers, /etc/sudoers.d/
Timestamp files: /var/db/sudo (newer sudo releases on Linux keep them under /run/sudo/ts)
Log file: /var/log/secure on the Red Hat family; Debian and Ubuntu log to /var/log/auth.log
The configuration file supports glob wildcards:
? matches any single character
* matches any string of characters, including none. In command arguments it also matches spaces and /, so a rule such as /bin/cat /var/log/* also permits /bin/cat /var/log/../../etc/shadow; be careful with wildcards in arguments.
[wxc] matches one of the listed characters
[!wxc] matches any character other than the listed ones
\x escape: a literal x (use it for ?, *, [ or \)
[[:alpha:]] a character class, e.g. /bin/ls [[:alpha:]]* permits ls with an argument list that begins with a letter
There are two types of entry in the configuration file:
1. Alias definitions: optional
2. Authorization rules: required
Sudoers
Authorization rule format:
user host=(runas) command
Example:
root ALL=(ALL) ALL
Format description:
user: who may run the command
host: on which hosts the rule applies
(runas): as which user the command may be run (root if omitted)
command: which commands may be run
Aliases
User and runas specifications:
username
#uid
%group_name
%#gid
User_Alias | Runas_Alias
Host specifications:
IP address or hostname
network/netmask
Host_Alias
Command specifications:
command name: a full path, optionally followed by the exact arguments or a wildcard pattern for them (no arguments in the rule means any arguments are allowed; "" means no arguments are allowed)
directory: a full path ending in /, which permits every command in that directory
sudoedit
Cmnd_Alias
Recently I wrote a short Bash program to copy MP3 files from a USB thumb drive on one network host to another. The files are copied to a specific directory on the server I run for a volunteer organization, where they can be downloaded and played.
The program also does a few other things, such as renaming the files before they are copied so that they sort by date automatically on the web page. It also verifies that the transfer completed correctly and then deletes all files from the USB drive. This handy little program has several options, such as -h to show help, -t for test mode, and a few others.
Although my program works well, it must be run as root to perform its main functions. Unfortunately, only a few people in the organization are interested in managing our audio and computer systems, so I had to find semi-technical people and train them to log in to the computer that performs the transfer and run this little program.
It's not that I can't run the program myself, but for a variety of reasons, including travel and illness, I'm not always there. Even when I am present, as a "lazy sysadmin" I like to have others do my work for me. So I write scripts to automate these tasks and use sudo to allow a few users to run them. Many Linux commands require the user to be root; this protects the system from accidental damage, such as my own stupidity, and from vandalism by malicious users.
Do what you do well.
The sudo program is a convenient tool that allows me, as a system administrator with root access, to delegate responsibility for some or all administrative tasks to other users of the computer. It lets me delegate without disclosing the root password, so the host stays well protected.
For example, let's assume that I give the regular user "ruser" access to my Bash program "myprog", which must run as root to perform some of its functions. First, the user logs in as ruser with their own password, and then runs myprog with the following command.
sudo myprog
The sudo program checks the /etc/sudoers file and verifies that ruser is allowed to run myprog. If so, sudo asks the user for their own password, not the root password. Once ruser enters it, the program runs. In addition, sudo records the access to myprog with the date and time, the complete command, and the user who ran it. This data is logged in /var/log/secure.
I find it helpful to have this log of every sudo command for training. I can see who did what and whether they typed the command correctly.
I did this to authorize myself and one other user to run a program; however, sudo can do much more. It allows the sysadmin to delegate the management of network functions or specific services to a person or a group of trusted users, while keeping the root password protected.
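The log entries described above are what let you see who did what. As an added example, not part of the original article, the following Python parser reads constructed sample lines written in sudo's syslog format (the host name guest1, the user names and the timestamps are made up for illustration), separates successful runs from denials, and flags any delegate who obtained a root shell through sudo:

```python
"""Parse the sudo entries that land in /var/log/secure (Red Hat) or /var/log/auth.log (Debian)
and summarize who ran what. Added example, not from the article; the log lines below are
constructed in sudo's real log format, not captured from a system."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jun  1 09:12:01 guest1 sudo:   ruser : TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/usr/local/bin/myprog -t
Jun  1 09:12:40 guest1 sudo:   ruser : TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/usr/local/bin/myprog
Jun  1 09:15:22 guest1 sudo:   ruser : command not allowed ; TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/bin/chown ruser /etc/shadow
Jun  1 09:16:03 guest1 sudo:   guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun  1 09:17:30 guest1 sudo:   ruser : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/ruser ; USER=root ; COMMAND=/usr/local/bin/myprog
Jun  1 09:20:11 guest1 sudo:   dboth : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
"""

# A denied or failed attempt carries a reason ("command not allowed", "user NOT in sudoers",
# "3 incorrect password attempts") between the user name and the TTY field; a success does not.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) :"
    r"(?: (?P<reason>(?!TTY=)[^;]+?) ;)?"
    r" TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

SHELLS = {"bash", "sh", "zsh", "dash", "su"}


def parse_sudo_log(text):
    """Return one dict per sudo line; 'ok' is True when the command was actually run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                                 # other syslog lines are ignored
            e = m.groupdict()
            e["ok"] = e["reason"] is None
            events.append(e)
    return events


def summarize(events):
    """Per-user success/failure counts and every successful root shell: a delegate who can
    start a shell as root has full root, whatever the rule was meant to limit them to."""
    ok, failed, root_shells = Counter(), Counter(), []
    for e in events:
        (ok if e["ok"] else failed)[e["user"]] += 1
        if e["ok"] and e["runas"] == "root" and e["cmd"].split()[0].rsplit("/", 1)[-1] in SHELLS:
            root_shells.append((e["user"], e["cmd"]))
    return {"ok": dict(ok), "failed": dict(failed), "root_shells": root_shells}


if __name__ == "__main__":
    for e in parse_sudo_log(SAMPLE_LOG):
        print(f"{e['ts']} {e['user']:6} {'OK  ' if e['ok'] else 'DENY'} {e['cmd']}  {e['reason'] or ''}")
    print(summarize(parse_sudo_log(SAMPLE_LOG)))
```

On a real host, feed it the output of grep sudo: /var/log/secure (or /var/log/auth.log); the repeated "command not allowed" and "incorrect password attempts" entries are the ones worth alerting on, and the root_shells list tells you which delegations have effectively become full root.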
Configure the sudoers file
As a system administrator, I can use the /etc/sudoers file to give users or groups of users access to a single command, a defined group of commands, or all commands. This flexibility is the key to the power and simplicity of delegating with sudo.
At first I found the sudoers file confusing, so I copied the entire sudoers file from the host where I use it and took it apart. I hope that by the time you have worked through this analysis it will be much less obscure. By the way, I found that the default configuration files in Red Hat-based distributions tend to have many comments and examples to provide guidance, which makes things easier and reduces the need for online searching.
Do not modify the sudoers file with an ordinary editor. Use the visudo command, which locks the file, checks the syntax and only installs the change once it parses, so a typo cannot leave sudo unusable. visudo uses vi by default, but it honors the EDITOR environment variable (and the editor option in Defaults) if you prefer another editor.
Let's analyze this file, starting with the aliases.
Host alias
The host alias section is used to create groups of hosts to which commands or command aliases can be granted. The basic idea is to maintain this single file for all hosts in the organization and copy it to /etc on each host. Some hosts, such as servers, can then be grouped so that certain users get specific commands on them, such as the ability to start and stop services like httpd, DNS and networking, the ability to mount file systems, and so on.
You can use IP addresses instead of hostnames in a host alias.
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias AUDIO = dboth, ruser

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults    !visiblepw

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

################################################################################
# Added by David Both to provide limited access to myprog                      #
################################################################################
AUDIO   guest1=/usr/local/bin/myprog

The default sudoers file, with the author's additions: the AUDIO user alias and the final rule.
User alias
The user alias configuration allows root to sort users into alias groups so that the whole group can be given access to specific root functions. This is the section where I added one line, User_Alias AUDIO = dboth, ruser, which defines the alias AUDIO and assigns two users to it.
As the comments in the sudoers file say, you can simply use groups from /etc/group instead of aliases. If you already have a group that meets your needs, such as "audio", use the group name preceded by a % sign, %audio, when assigning commands to it later in the sudoers file.
Command alias
Next in the sudoers file comes the command alias section. These aliases are lists of related commands, such as the networking commands or the commands required to install updates or new RPM packages. They let the sysadmin grant access to a whole group of commands with one rule.
A number of aliases are already set up in this section, ready to delegate access to specific kinds of commands.
Environment defaults
The next section sets some defaults, including which environment variables survive the switch to root. The most interesting item is the !visiblepw line, which makes sudo refuse to run if it cannot disable echo on the terminal, so the password is never displayed as it is typed. This is a security precaution that should not be overridden.
Command section
The command section is the main part of the sudoers file. By adding enough entries here, everything you need can be done without any aliases; aliases just make the job much easier.
This section uses the aliases you have defined to tell sudo who can do what on which host. The examples are self-explanatory once you understand the syntax, so let's look at the syntax of the entries in this section.
ruser ALL=(ALL) ALL
This means that ruser can run any program on any host as any user.
This is a generic entry for our user ruser. The first ALL on the line indicates that the rule applies to all hosts. The second ALL allows ruser to run commands as any other user; by default the command runs as root, but ruser can name another user on the sudo command line with the -u option. The last ALL means that ruser can run any command without restriction. This effectively makes ruser root.
Notice that root has an entry too, shown below. It gives the root user full access to all commands on all hosts.
root ALL=(ALL) ALL
This means that root can run any program on any host as any user.
To test this, I commented out that line and, as root, tried to run chown without sudo. It worked, which surprised me. Then I tried sudo chown and got the message "root is not in the sudoers file. This incident will be reported." This means root can run everything as root directly, but not through the sudo command. That would keep root from using sudo to run commands as other users, but root has plenty of other ways around that restriction.
The following line is the one I added to control access to myprog. It specifies that the users listed in the AUDIO alias, defined near the top of the sudoers file, may run only the single program /usr/local/bin/myprog, and only on the host guest1.
AUDIO guest1=/usr/local/bin/myprog
Allows the users in the AUDIO alias to run myprog on the host guest1.
Note that this line names only the host and the program. It has no (runas) part, so the program can be run only as root, not as any other user.
Skipping the password
You can also use the NOPASSWD: tag to let the users in the AUDIO alias run myprog without entering their password:
AUDIO guest1=NOPASSWD: /usr/local/bin/myprog
Allows the users in the AUDIO alias to run myprog on the host guest1 without a password.
I didn't do this for my program, because I think it is helpful for users with sudo access to stop and think about what they are doing. I simply used my little program as an example.
wheel
The wheel entry in the command section of the sudoers file, shown below, allows all users in the wheel group to run all commands on any host. The wheel group is defined in /etc/group, and users must be added to it for the rule to apply to them. The % sign before the group name tells sudo to look the name up in /etc/group rather than among the user aliases.
%wheel ALL=(ALL) ALL
Allows all members of the wheel group, as listed in /etc/group, to run all commands on any host.
This is a good way to delegate full root access to several users without giving out the root password: simply add them to the wheel group and they have full root access, and sudo's log entries provide a way to monitor their activity. Some distributions, such as Ubuntu, add the first user created at install time to the sudo group, their equivalent of wheel, which lets that user run any privileged command through sudo.
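To see how the rule syntax from the introduction and the entries in this sudoers file combine into a decision, here is an added Python example. It is not sudo's own code and not part of the original article: a toy evaluator run over a constructed rule set modelled on the AUDIO alias and the rules above. The host names guest1, mail1 and web1, the uid 1001, and the /bin/cat /var/log/* and /bin/ls [[:alpha:]]* rules are assumptions made for illustration. It goes beyond the article in one respect, by showing how wildcard rules can match more than the administrator intended:

```python
"""Toy evaluator for sudoers authorization rules (an added example, not sudo's code).
Handles   user host=(runas) [NOPASSWD:] cmd [args], ...   plus User_/Host_/Cmnd_Alias,
%group and #uid specs, and the wildcards described in the article. It reproduces two real
sudo behaviours that matter when writing rules: a command spec with no arguments permits
ANY arguments, and '*' in an argument pattern also matches spaces and '/' (sudo matches
arguments with fnmatch(3) without FNM_PATHNAME). Omitted: netmask hosts, Runas_Alias."""
import re

POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9", "upper": "A-Z", "lower": "a-z"}


def glob_to_regex(pat):
    """Translate ? * [wxc] [!wxc] \\x and [[:class:]] into an anchored regex."""
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if c == "\\" and i + 1 < len(pat):          # \x: the next character taken literally
            out.append(re.escape(pat[i + 1])); i += 2
        elif c == "?":
            out.append("."); i += 1
        elif c == "*":
            out.append(".*"); i += 1               # matches anything, including ' ' and '/'
        elif c == "[":
            j, body = i + 1, []
            neg = j < len(pat) and pat[j] == "!"
            j += 1 if neg else 0
            while j < len(pat) and pat[j] != "]":
                if pat.startswith("[:", j):        # POSIX class such as [:alpha:]
                    end = pat.index(":]", j)
                    body.append(POSIX_CLASSES[pat[j + 2:end]]); j = end + 2
                else:                              # keep '-' unescaped so a-z ranges work
                    body.append("-" if pat[j] == "-" else re.escape(pat[j])); j += 1
            out.append("[" + ("^" if neg else "") + "".join(body) + "]"); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return "^" + "".join(out) + "$"


ALIAS_RE = re.compile(r"(?:User|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\((.*?)\)\s*)?(NOPASSWD:)?\s*(.+)")


def parse_sudoers(text):
    """Return (aliases, rules); a rule is (user_spec, host_spec, runas_list, nopasswd, cmnd_specs)."""
    aliases, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or re.match(r"#(\D|$)", line):  # comments and #includedir, but not #uid
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        user, host, runas, tag, cmnds = RULE_RE.match(line).groups()
        runas = [r.strip() for r in runas.split(",")] if runas else ["root"]   # default runas
        rules.append((user, host, runas, tag is not None, [c.strip() for c in cmnds.split(",")]))
    return aliases, rules


def expand(spec, aliases):
    """Expand alias names (recursively) in a comma-separated spec; other items pass through."""
    items = []
    for item in (s.strip() for s in spec.split(",")):
        items += expand(", ".join(aliases[item]), aliases) if item in aliases else [item]
    return items


def user_matches(spec, user, uid, groups, aliases):
    return any(s == "ALL" or s == user or (s[:1] == "%" and s[1:] in groups)
               or (s[:1] == "#" and s[1:] == str(uid)) for s in expand(spec, aliases))


def command_matches(spec, cmd, args, aliases):
    for s in expand(spec, aliases):
        if s == "ALL":
            return True
        path, _, pat_args = s.partition(" ")
        if not re.match(glob_to_regex(path), cmd):
            continue
        if pat_args == '""':                        # "" in the spec forbids any arguments
            ok = args == ""
        else:                                       # no args in spec => ANY arguments allowed
            ok = not pat_args or re.match(glob_to_regex(pat_args), args) is not None
        if ok:
            return True
    return False


def check(sudoers, user, host, cmd, args="", runas="root", uid=1000, groups=()):
    """Return (allowed, password_required). As in sudo, the last matching rule wins."""
    aliases, rules = parse_sudoers(sudoers)
    decision = (False, True)
    for u_spec, h_spec, runas_list, nopasswd, cmnds in rules:
        if (user_matches(u_spec, user, uid, groups, aliases)
                and (h_spec == "ALL" or host in expand(h_spec, aliases))
                and ("ALL" in runas_list or runas in runas_list)
                and any(command_matches(c, cmd, args, aliases) for c in cmnds)):
            decision = (True, not nopasswd)
    return decision


SAMPLE_SUDOERS = """\
# constructed sample built around the aliases used in this article
User_Alias AUDIO = dboth, ruser
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
AUDIO   guest1=/usr/local/bin/myprog
#1001   ALL=STORAGE
ruser   ALL=NOPASSWD: /bin/cat /var/log/*
ruser   ALL=/bin/ls [[:alpha:]]*
"""


def demo():
    """Decisions worth checking before trusting a rule set like the one above."""
    S = SAMPLE_SUDOERS
    return {
        "myprog_on_guest1": check(S, "ruser", "guest1", "/usr/local/bin/myprog", "-t"),
        "myprog_elsewhere": check(S, "ruser", "mail1", "/usr/local/bin/myprog"),
        "wheel_member": check(S, "dboth", "mail1", "/sbin/fdisk", "-l", groups=("wheel",)),
        "uid_rule": check(S, "carol", "web1", "/bin/umount", "/mnt/usb", uid=1001),
        "ls_dash_l": check(S, "ruser", "web1", "/bin/ls", "-l"),
        "star_spans_space": check(S, "ruser", "web1", "/bin/ls", "x /etc/shadow"),
        "dotdot_traversal": check(S, "ruser", "web1", "/bin/cat", "/var/log/../../etc/shadow"),
    }
```

The last two results are the ones to remember: the /var/log/* rule permits reading /etc/shadow through a ../ path, and the [[:alpha:]]* rule from the introduction lets a second argument ride along because * crosses spaces. On a real system, sudo -l -U username (and visudo -c after every edit) is the way to confirm what a rule actually grants.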