2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
sudo is a Linux system administration command: a tool that lets system administrators allow ordinary users to execute some or all root commands, such as halt, reboot, su, and so on. This not only reduces the login and administration time for root users, but also improves security. sudo is not a substitute for the shell; it works on a per-command basis.
The sudo configuration file, /etc/sudoers, has the following format:
    root ALL=(ALL) ALL    # the root user can execute any command
    users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom    # users can mount and unmount /mnt/cdrom as the administrator on any host
sudoers supports grouping similar objects with aliases; alias (group) names must be in all uppercase letters:
    Host_Alias     on which hosts
    User_Alias     which users
    Runas_Alias    as which identity
    Cmnd_Alias     which commands
For a user authorized through sudo:
    $ sudo -l         view the permissions granted to you in sudoers
    $ sudo COMMAND    run the command
Syntax
    sudo [-bhHpV] [-s] [-u] [command] or sudo [-klv]
Parameters:
-b executes the command in the background.
-h displays help.
-H sets the HOME environment variable to the HOME of the new identity.
-k ends the validity period of the password, that is, you will need to enter the password the next time you execute sudo.
-l lists the commands that the user can and cannot execute at present.
-p changes the prompt used when asking for the password.
-s executes the specified shell.
-u takes the specified user as the new identity. If this parameter is not given, root is the default new identity.
-v extends the validity of the password by 5 minutes.
-V displays version information.
-S reads the password from standard input instead of the terminal.
Examples:
1. Allow the user Tom to add the user Jerry by running the useradd command as the administrator on all hosts
As the root user:
    # which useradd
    /usr/sbin/useradd
    # passwd Tom
    passwd: Tom
    # visudo
    Tom ALL=(root) /usr/sbin/useradd
Open a new terminal and log in as the user Tom:
    $ sudo -l    # shows the commands you can run as another user
    [sudo] password for Tom:
    User Tom may run the following commands on this host:
        (root) /usr/sbin/useradd
    $ sudo /usr/sbin/useradd Jerry
    $ tail /etc/passwd
    Tom:x:501:501::/home/Tom:/bin/bash
    Jerry:x:502:502::/home/Jerry:/bin/bash
Back in the previous terminal, which belongs to the root user:
    # tail /var/log/secure    # view the log file, which only root can read
    Mar 28 10:34:11 sange sudo: Tom : TTY=pts/2 ; PWD=/home/Tom ; USER=root ; COMMAND=list
    Mar 28 10:34:15 sange sudo: Tom : TTY=pts/2 ; PWD=/home/Tom ; USER=root ; COMMAND=/usr/sbin/useradd Jerry
    Mar 28 10:34:15 sange useradd[11625]: new group: name=Jerry, GID=502
    Mar 28 10:34:15 sange useradd[11625]: new user: name=Jerry, UID=502, GID=502, home=/home/Jerry, shell=/bin/bash
2. Add a useradmins user group so that both Tom and Jerry can use the management commands
    # groupadd useradmins
    # usermod -a -G useradmins Tom
    # usermod -a -G useradmins Jerry
    # passwd Jerry
    passwd: Jerry
Open another terminal and log in as the user Jerry:
    $ sudo -l
    [sudo] password for Jerry: Jerry    # at this point Jerry does not have permission
    Sorry, user Jerry may not run sudo on sange.
    $ sudo /usr/sbin/useradd user1
    [sudo] password for Jerry: Jerry
    Jerry is not in the sudoers file. This incident will be reported.
Now go to the root terminal:
    # tail /var/log/secure
    Mar 28 10:51:18 sange sudo: Jerry : command not allowed ; TTY=pts/4 ; PWD=/home/Jerry ; USER=root ; COMMAND=list
    Mar 28 10:51:47 sange sudo: Jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/Jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1
    You have new mail in /var/spool/mail/root
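The refusals recorded in /var/log/secure above are the entries worth surfacing when reviewing sudo use. The following is an added example, not part of the original article: a shell function that parses sudo's syslog lines and filters the denied attempts. The lines in SAMPLE_LOG are constructed in the format shown above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample (assumption): sudo syslog lines modelled on the output above.
SAMPLE_LOG='Mar 28 10:34:15 sange sudo:      Tom : TTY=pts/2 ; PWD=/home/Tom ; USER=root ; COMMAND=/usr/sbin/useradd Jerry
Mar 28 10:34:15 sange useradd[11625]: new user: name=Jerry, UID=502, GID=502, home=/home/Jerry, shell=/bin/bash
Mar 28 10:51:18 sange sudo:    Jerry : command not allowed ; TTY=pts/4 ; PWD=/home/Jerry ; USER=root ; COMMAND=list
Mar 28 10:51:47 sange sudo:    Jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/Jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1'

# sudo_events: read an auth log on stdin, print one tab-separated record per
# sudo entry: status, invoking user, run-as user, command.
sudo_events() {
    awk '
    {
        i = index($0, " sudo: ")
        if (i == 0) next                       # not a sudo entry (e.g. useradd)
        rest = substr($0, i + 7)
        sub(/^ +/, "", rest)                   # sudo pads the user name
        c = index(rest, " : ")
        k = index(rest, "COMMAND=")
        if (c == 0 || k == 0) next
        user = substr(rest, 1, c - 1)
        meta = substr(rest, c + 3, k - c - 3)  # fields between user and COMMAND=
        cmd = substr(rest, k + 8)              # rest of line, may contain spaces
        # A permitted run starts with TTY=...; a refusal starts with the reason.
        first = meta
        sub(/ ;.*/, "", first)
        status = (first ~ /^[A-Z]+=/) ? "allowed" : "denied: " first
        runas = "?"
        if (match(meta, /USER=[^ ;]+/)) runas = substr(meta, RSTART + 5, RLENGTH - 5)
        printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
    }'
}

# sudo_denied: keep only the refusals, the entries worth alerting on.
sudo_denied() {
    sudo_events | awk -F '\t' '$1 ~ /^denied/'
}

printf '%s\n' "$SAMPLE_LOG" | sudo_denied
```

On a real host, feed it the log as root: `sudo_denied < /var/log/secure`.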
Authorizing each user individually is too much trouble when we want several users to have the same permissions at the same time, so grant the permission to the group instead:
    # visudo
    Tom ALL=(root) /usr/sbin/useradd  ->  %useradmins ALL=(root) /usr/sbin/useradd
In the Jerry terminal:
    $ sudo -l
    [sudo] password for Jerry:
    User Jerry may run the following commands on this host:
        (root) /usr/sbin/useradd
In the Tom terminal:
    $ sudo -l
    [sudo] password for Tom:
    Sorry, user Tom may not run sudo on sange.    # I'm not sure why, just open another terminal.
Open a new terminal and log in as the user Tom:
    $ sudo -l
    [sudo] password for Tom:
    User Tom may run the following commands on this host:
        (root) /usr/sbin/useradd
3. Use command aliases
As the root user:
    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    %useradmins ALL=(root) USERADMIN
In the Tom terminal that was just opened:
    $ sudo -l
    User Tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In the Jerry terminal:
    $ sudo -l
    [sudo] password for Jerry:
    User Jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    $ sudo /usr/sbin/userdel user3
4. User alias
In the root terminal:
    # useradd Admin
    # passwd Admin
    passwd: Admin
    # visudo
    Cmnd_Alias USERADMINCMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    User_Alias USERADMINS = Tom, Jerry, Admin
    USERADMINS ALL=(root) USERADMINCMNDS
In the Tom terminal:
    $ sudo -l
    User Tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In the Jerry terminal:
    $ sudo -l
    [sudo] password for Jerry: Jerry
    User Jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In the Admin terminal:
    $ sudo -l
    [sudo] password for Admin: Admin
    User Jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
5. Host alias
In the root terminal:
    # visudo
    Host_Alias USERHOSTS = 192.168.0.0/24    # can be used on this network segment
6. Label
Adding passwd to the end of the command list
In the root terminal:
    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd
After this change, the users defined in sudoers can change anyone's password, even the administrator's, which is too dangerous. So we need to add a restriction after it:
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
This way, other users cannot change root's password.
In the Tom terminal:
    $ sudo /usr/bin/passwd Jerry
    Changing password for user Jerry.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [Tom@sange ~]$ sudo /usr/bin/passwd root
    Sorry, user Tom is not allowed to execute '/usr/bin/passwd root' as root on sange.com.
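As an added example (not from the original article), this shell function checks a sudoers fragment for the problem described above: a /usr/bin/passwd grant, with no argument list or with a wildcard, that still reaches root. It assumes each rule sits on one line and names the command literally; the function name, the verdict strings and the sample aliases RISKY and WRONGORDER are hypothetical.

```shell
#!/bin/sh
# Constructed sample (assumption): the risky and the restricted alias from the
# text above, plus the restricted one with its entries in the wrong order.
SAMPLE_SUDOERS='Cmnd_Alias RISKY = /usr/sbin/useradd, /usr/bin/passwd
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
Cmnd_Alias WRONGORDER = !/usr/bin/passwd root, /usr/bin/passwd [a-zA-Z0-9]*'

# audit_passwd: read sudoers text on stdin; for every line that grants
# /usr/bin/passwd broadly, print "<verdict><TAB><alias or user spec>".
audit_passwd() {
    awk '
    /^[ \t]*#/ { next }                          # comment line
    index($0, "/usr/bin/passwd") {
        name = $0; sub(/[ \t]*=.*/, "", name)    # text left of "="
        sub(/^Cmnd_Alias[ \t]+/, "", name)
        spec = $0; sub(/^[^=]*=[ \t]*/, "", spec)
        sub(/^\([^)]*\)[ \t]*/, "", spec)        # drop a "(root)" run-as part
        n = split(spec, item, /[ \t]*,[ \t]*/)
        allow = 0; deny = 0
        for (j = 1; j <= n; j++) {
            if (item[j] ~ /^![ \t]*\/usr\/bin\/passwd[ \t]+root[ \t]*$/)
                deny = j
            else if (item[j] ~ /^\/usr\/bin\/passwd([ \t]*$|[ \t].*(\*|\?|\[))/)
                allow = j                        # no arguments, or a wildcard
        }
        if (!allow) next
        # sudoers uses the last matching entry, so the deny only takes
        # effect when it comes after the allow.
        v = (deny > allow) ? "ROOT_DENIED" : "ROOT_NOT_DENIED"
        printf "%s\t%s\n", v, name
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_passwd
```

After editing the real file, `visudo -c` confirms that it still parses.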