
Guide to a detailed explanation of the application of the sudo command

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Anyone who works with Linux will have come across the sudo command, and Ubuntu users meet it immediately: whenever they need to run a privileged command after logging in, they have to prefix it with sudo. So what kind of tool is sudo? Its name literally means "only the superuser can do it" (super user do). One could instead use su ("switch user"), but su requires handing out the root password, which is easy to leak and makes the system insecure. Because the root account has excessive authority, logging in directly as root is rare in real production; administrators log in as ordinary users instead. If those users had to su to root for daily maintenance, the root password would have to be shared. sudo improves security by authorizing a user to run certain commands as a certain user on a certain host, which reduces the number of people who know the root password.

Advantages of sudo:

① Authorizes specified users to run specified administrative commands on specified hosts.

② Audit security: administrative commands can be delegated to ordinary users, restricted to certain hosts, and every operation is recorded in the log for later audit.

③ "Ticket checking": time-limited authentication. The first time a user runs sudo, they are asked for their password to verify their identity. On success the user receives a "token" with a fixed lifetime (the default is 5 minutes).
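The audit advantage in ② only pays off if someone reads the log. The following POSIX shell script is an added example, not code from the original article: it runs over a handful of constructed syslog lines in the format sudo writes by default (the host name rsyncmaster and the user samlee are from the article; the user bob and every timestamp are invented) and pulls out refused commands and failed password attempts, which are the records a defender wants to review after delegating commands.

```shell
#!/bin/sh
# Added example (not from the original article): pick out refused commands and
# failed password attempts from sudo's default syslog records. The log lines
# below are constructed to match sudo's syslog format; the host rsyncmaster
# and the user samlee come from the article, bob is invented.
SAMPLE_SUDO_LOG='Jun  1 10:15:02 rsyncmaster sudo:   samlee : TTY=pts/0 ; PWD=/home/samlee ; USER=root ; COMMAND=/usr/sbin/useradd samleetest
Jun  1 10:16:30 rsyncmaster sudo:   samlee : command not allowed ; TTY=pts/0 ; PWD=/home/samlee ; USER=root ; COMMAND=/usr/bin/passwd root
Jun  1 10:17:05 rsyncmaster sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  1 10:18:40 rsyncmaster sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  1 10:18:55 rsyncmaster sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Jun  1 10:19:12 rsyncmaster sudo:    admin : TTY=pts/2 ; PWD=/home/admin ; USER=root ; COMMAND=/sbin/ifconfig'

# Read syslog lines on stdin; print "user command" for each refused request.
sudo_denied_commands() {
    grep 'sudo:' | grep 'command not allowed' |
        sed 's/^.*sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/'
}

# Read syslog lines on stdin; print "count user", most denials first.
sudo_denials_per_user() {
    sudo_denied_commands |
        awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Read syslog lines on stdin; print "user attempts" for failed authentication.
sudo_failed_auth() {
    grep 'sudo:' | grep 'incorrect password attempts' |
        sed 's/^.*sudo: *\([^ ]*\) : \([0-9][0-9]*\) incorrect password attempts.*$/\1 \2/'
}

# Stand-alone run: summarise the constructed sample.
echo "Denied commands:"
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_denied_commands
echo "Denials per user:"
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_denials_per_user
echo "Failed password attempts:"
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_failed_auth
```

On a real host, feed the functions with the sudo entries from /var/log/secure or /var/log/auth.log (or the file named by a Defaults logfile setting) instead of the sample variable; a user who repeatedly hits "command not allowed" is either misconfigured or probing the limits of the policy, and both deserve a look.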

Common parameters of sudo:

-V  displays the version number
-h  displays the version number and instructions on how to use the command
-l  lists the permissions of the user who runs sudo
-v  re-validates the token: sudo asks for the password on first use or when more than N minutes have passed since the last use (N defaults to 5); -v extends the token, and asks for the password again if the N minutes have already expired
-k  forces the password to be asked for the next time sudo is executed, whether or not N minutes have passed
-b  runs the requested command in the background

The process of using sudo:

The sudo authorization file is /etc/sudoers; only the administrator (root) can edit it.

1. How to implement sudo authorization

① Open the file with vim:

Syntax coloring works, but syntax errors are not detected, so this method is not recommended.

② visudo: the dedicated editing tool for sudoers

It detects and reports syntax errors when the configuration is saved, so it is the recommended way to edit /etc/sudoers.

Help documentation: man visudo; man sudoers

③ Define the sudo authorization in /etc/sudoers

Syntax: who which_host=(whom) command

That is: which user can execute which commands, on which hosts, as which user?

Aliases in the sudo configuration file:

Alias: an alias name is always written in uppercase letters

Host_Alias: defines a host alias; separate multiple hosts with commas

User_Alias: defines a user alias; members may be user names or group names (%groupname)

Cmnd_Alias: defines a command alias; a command can also be excluded by prefixing it with !, e.g. !/usr/bin/passwd root

Runas_Alias: defines which users a command may be run as

NOPASSWD: the user may run the command without entering a password

PASSWD: the user must enter a password when running the command

sudo case study:

Authorize user samlee to add users and change passwords, but not to change the root password (prevent the user from changing the root password):

[root@rsyncmaster ~]# visudo
samlee ALL=(root) /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root

Log in as samlee and test:

[samlee@rsyncmaster ~]$ sudo useradd samleetest    # No problem creating users
[sudo] password for samlee:
[samlee@rsyncmaster ~]$ sudo passwd root    # cannot change the root password
Sorry, user samlee is not allowed to execute '/usr/bin/passwd root' as root on rsyncmaster.samlee.com.
[samlee@rsyncmaster ~]$ tail /etc/passwd | grep samleetest    # View the added user
samleetest:x:503:503::/home/samleetest:/bin/bash

2. Defining and using sudo aliases

[root@rsyncmaster ~]# visudo
User_Alias  USERADMIN = samlee, %admin
Host_Alias  HOST = 172.16.0.0/16, 127.0.0.1
Runas_Alias ADMIN = root
Cmnd_Alias  COMMAND = /sbin/ifconfig, /bin/ping
USERADMIN HOST = (ADMIN) COMMAND
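The rule syntax, the alias types and the two cases above (the samlee rule and the alias-based grant) come together in the following POSIX shell script. It is an added example, not code from the article: it writes the article's aliases and values into a sudoers fragment, adds two Defaults lines of its own (timestamp_timeout for the token lifetime, logfile for a dedicated audit log), then checks the result. The real syntax check is visudo -c -f; the undefined_aliases function is a small stand-in written here for hosts where visudo is not installed, and the alias names USERMGMT and NETCHECK are this example's own. The fragment goes to a temporary file rather than the live /etc/sudoers, so it can be run by an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original article): generate the article's alias-
# based policy for samlee as a sudoers fragment, then check it. visudo -c -f is
# the real syntax check; undefined_aliases is a small stand-in check written
# here for when visudo is not installed. The file path is a temporary file,
# not the live /etc/sudoers, so this runs as an unprivileged user.

# Write the policy (aliases, values and samlee rule from the article; the
# Defaults lines and the alias names USERMGMT/NETCHECK are this example's).
write_samlee_policy() {
    cat > "$1" <<'EOF'
# "Ticket" lifetime in minutes and a dedicated audit log
Defaults timestamp_timeout=5
Defaults logfile=/var/log/sudo.log

User_Alias  USERADMIN = samlee, %admin
Host_Alias  HOST      = 172.16.0.0/16, 127.0.0.1
Runas_Alias ADMIN     = root
Cmnd_Alias  USERMGMT  = /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root
Cmnd_Alias  NETCHECK  = /sbin/ifconfig, /bin/ping

USERADMIN HOST = (ADMIN) USERMGMT, NETCHECK
EOF
}

# Syntax check with visudo: exit status 0 = parsed OK, 1 = error,
# 2 = visudo not available (so the caller can tell "unchecked" from "bad").
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1"
}

# Print every upper-case alias name referenced in a grant line but never
# defined; empty output means all references resolve. Comments, Defaults
# lines, blank lines and the built-in ALL are skipped.
undefined_aliases() {
    awk '
        /^(User|Host|Runas|Cmnd)_Alias/ { defined[$2] = 1; next }
        /^[[:space:]]*#/                { next }
        /^[[:space:]]*Defaults/         { next }
        NF == 0                         { next }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/[(),]/, "", tok)
                if (tok ~ /^[A-Z][A-Z_]*$/ && tok != "ALL" && !(tok in defined))
                    print tok
            }
        }' "$1" | sort -u
}

# Stand-alone run against a temporary file.
f="${TMPDIR:-/tmp}/sudoers-samlee.$$"
write_samlee_policy "$f"
missing=$(undefined_aliases "$f")
[ -z "$missing" ] && echo "all aliases defined" || echo "undefined aliases: $missing"
if check_sudoers_fragment "$f"; then
    echo "visudo: parsed OK"
else
    echo "visudo check returned $? (2 = visudo not installed)"
fi
rm -f "$f"
```

To deploy such a fragment for real, install it under /etc/sudoers.d/ with mode 0440 and run visudo -c afterwards, exactly as the article recommends using visudo over a plain editor. Note that the sudoers(5) manual describes the ! exclusion as an unreliable control on its own, so keep the !/usr/bin/passwd root entry as defence in depth and make the allow list as narrow as the job requires; the logfile setting gives the audit trail from advantage ② a dedicated file to review.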

Test: log in as samlee and run the authorized commands:

20c:29ff:fed3:e453/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:61839 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60930 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6300546 (6.0 MiB)  TX bytes:11935948 (11.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

# use admin group user test:
[admin@rsyncmaster ~]$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:D3:E4:53
          inet addr:172.16.100.7  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fed3:e453/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6324018 (6.0 MiB)  TX bytes:11965210 (11.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)
