What is the advanced application of sudo in Linux server rights management?

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article shows what the advanced application of sudo in Linux server rights management looks like. The content is concise and easy to understand, and I hope you can take something away from the detailed introduction below.

Sudo Advanced Application of Rights Management in Linux Server

The Linux permission modification and default permissions discussed earlier are both applied to users in order to control their permissions on directories or files. From a security point of view, however, it is also necessary to control which commands a user may execute, that is, which users can run which commands and which commands they cannot run. That is what sudo is for.

sudo rights are granted by editing the configuration file /etc/sudoers:

[root@Centos ~]# ls -l /etc/sudoers
-r--r----- 1 root root 5870 Aug 19 16:53 /etc/sudoers

As you can see, the default mode of /etc/sudoers is 440 (which is a relatively secure setting for the system). Of course, the superuser can still modify the contents of the file regardless of that mode; otherwise it could never be changed.

One: points to note when modifying /etc/sudoers directly

1. It is best to append with echo >> when making changes; cat or sed can also do it, but they are rarely used for this.

2. Be sure to check the syntax with visudo -c after the modification.

3. Make sure the mode of /etc/sudoers stays at the default 440 (to prevent misuse of permissions).

4. Verify promptly that the modified configuration is correct.

5. Be sure to know the root password, since ordinary users can switch to root through the sudo su - command.
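The checklist above, written out as a small script. This is an added example and not code from the original article: it appends a rule to a staged copy of the sudoers file, syntax-checks the copy with visudo -c -f, and only installs a copy that passes, with mode 440. It assumes visudo and install are on PATH and that it is run as root when the target is the real /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's checklist
# for editing /etc/sudoers without the interactive editor, as two functions.
# A rule is appended to a staged copy, the copy is syntax-checked with
# visudo -c -f, and only a copy that passes is installed with mode 440.
# Assumptions: visudo and install are on PATH; run as root for the real file
# so that the installed file stays owned by root.

# sudoers_mode_is_440 FILE -> succeeds only when FILE shows -r--r----- (440)
sudoers_mode_is_440() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--r-----" ]
}

# sudoers_append_rule FILE RULE -> append RULE to FILE if the result parses
# Example: sudoers_append_rule /etc/sudoers 'yuw001 ALL=(root) /bin/hostname'
sudoers_append_rule() {
    target=$1
    rule=$2
    tmp=$(mktemp) || return 1
    cp "$target" "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$rule" >> "$tmp"        # the "echo >>" step of the checklist
    # Syntax-check the staged copy (-f) before it can ever be live. A missing
    # visudo also fails this test, so nothing is installed unchecked.
    if ! visudo -c -f "$tmp" >/dev/null; then
        echo "rejected: rule did not pass visudo -c" >&2
        rm -f "$tmp"
        return 1
    fi
    # Replace the target with the 440 mode the checklist requires, then verify.
    if install -m 440 "$tmp" "$target"; then
        rm -f "$tmp"
        sudoers_mode_is_440 "$target"       # step 3 and 4: confirm the mode
    else
        rm -f "$tmp"
        return 1
    fi
}
```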

II: the sudo configuration file /etc/sudoers

[root@Centos ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

When making changes, copy the format of the system's own entries as closely as possible, so that you do not end up with configuration errors that are hard to correct.

After you have modified a user's authorization, switch to that user and run sudo -l to see which permissions the user has:

[yuw001@Centos ~]$ sudo -l
[sudo] password for yuw001:
Matching Defaults entries for yuw001 on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudo.log

User yuw001 may run the following commands on this host:
    (root) /bin/ping, /bin/hostname, /usr/bin/free, /sbin/route,
    /bin/netstat

Remember to put sudo in front of the command when running it:

[yuw001@Centos ~]$ hostname linux
hostname: you must be root to change the hostname
[yuw001@Centos ~]$ /bin/hostname linux
hostname: you must be root to change the hostname
[yuw001@Centos ~]$ sudo hostname linux
[root@linux ~]#

After logging in again, the prompt shows that the hostname was changed successfully.

Each line of the configuration file is one rule; comments start with #, and a rule can be continued onto the next line with '\'.

III: classification of the rules in the configuration file

1. Alias types

Alias types fall into the following categories.

A. Host_Alias (host alias)

Generally speaking, host aliases are not set in a production environment; they are not commonly used.

In root ALL=(ALL) ALL, the first ALL is the position where a host alias is applied.

B. User_Alias (user alias)

If it refers to a user group, prefix it with %.

In root ALL=(ALL) ALL, root is the position where a user alias is applied.

User_Alias ADMINS = jsmith, mikem

C. Runas_Alias (run-as alias)

This alias specifies the "user identity", that is, the user that sudo is allowed to switch to.

In root ALL=(ALL) ALL, the second (ALL) is the position where a run-as alias is applied.

Runas_Alias OP = root

D. Cmnd_Alias (command alias)

This defines an alias that can hold a batch of commands (a collection of related commands).

In root ALL=(ALL) ALL, the third ALL is the position where a command alias is applied.

Cmnd_Alias DRIVERS = /sbin/modprobe

Description

The users named in a user alias must really exist on the system. Watch the spaces when writing; the alias name has a special meaning and must be written in capitals.

The commands listed under a command alias must use absolute paths; long lines can be wrapped with '\'.

2. Authorization rules

Authorization rules are the rules that are actually enforced; every ALL in an authorization rule must be capitalized.

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
yumw ALL=(ALL) /usr/sbin/useradd,/usr/sbin/userdel

# user group sa allow to run commands anywhere
yuw ALL=/usr/sbin*,/sbin*
sa ALL= /usrqinxxxxxxxxx

A leading ! forbids execution of that command:

[sa@linux ~]$ sudo -l
User sa may run the following commands on this host:
    (root) /usr/bin*, (root) /sbin*, (root) !/sbin/fdisk
[sa@linux ~]$ sudo fdisk
Sorry, user sa is not allowed to execute '/sbin/fdisk' as root on linux.

If the configuration is changed to:

# user group sa allow to run commands anywhere
yuw ALL=/usr/sbin*,/sbin*
sa ALL=!/sbin/fdisk, /usr/sbin*,/sbin*

[sa@linux ~]$ sudo -l
User sa may run the following commands on this host:
    (root) /usr/bin*, (root) /sbin*, (root) !/sbin/fdisk
[root@linux ~]# su - sa
[sa@linux ~]$ sudo fdisk
[sudo] password for sa:

Usage:
 fdisk [options]      change partition table
 fdisk [options] -l   list partition table(s)
 fdisk -s             give partition size(s) in blocks

Options:
 -b   sector size (512, 1024, 2048 or 4096)
 -c   switch off DOS-compatible mode
 -h   print help
 -u   give sizes in sectors instead of cylinders
 -v   print version
 -C   specify the number of cylinders
 -H   specify the number of heads
 -S   specify the number of sectors per track

The test therefore shows that the entries of sa ALL=!/sbin/fdisk, /usr/sbin*,/sbin* are matched from back to front (the last matching entry wins): with the exclusion placed first, /sbin* matches fdisk later in the list, so the subsequent sudo fdisk no longer reports insufficient permissions.
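To make the back-to-front matching concrete, here is a small shell model of how a sudoers command list is evaluated, run over the two orderings the article tests for user sa. It is an added example and not code from the original article; it assumes only the command path is matched (no arguments or run-as part), that wildcards behave like shell globs, and that the last matching entry wins, which is what the article observed.

```shell
#!/bin/sh
# Added example, not code from the original article: a shell model of how
# sudo matches a command against a sudoers command list, showing why the "!"
# exclusion in the article's sa rule only holds when it is the last match.
# Assumptions: only the command path is matched (no arguments, no Runas part),
# wildcards behave like shell globs, and the last matching entry wins.

# sudo_decision CMD SPEC -> prints "allow" or "deny"
#   CMD  : absolute path of the command being run, e.g. /sbin/fdisk
#   SPEC : comma-separated command list, e.g. '/usr/bin*,/sbin*,!/sbin/fdisk'
sudo_decision() {
    cmd=$1
    spec=$2
    verdict=deny                  # nothing matched yet: not permitted
    old_ifs=$IFS
    set -f                        # no pathname expansion while splitting
    IFS=,
    set -- $spec                  # one positional parameter per entry
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        # strip the spaces the article writes after commas
        while [ "${entry# }" != "$entry" ]; do entry=${entry# }; done
        while [ "${entry% }" != "$entry" ]; do entry=${entry% }; done
        [ -n "$entry" ] || continue
        case $entry in
            !*) negated=1; pattern=${entry#!} ;;
            *)  negated=0; pattern=$entry ;;
        esac
        # An unquoted variable in a case label is glob-matched, which is how
        # /sbin* comes to match /sbin/fdisk. A later entry overrides an earlier one.
        case $cmd in
            $pattern)
                if [ "$negated" -eq 1 ]; then verdict=deny; else verdict=allow; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# The two orderings the article tests for user sa.
exclusion_last='/usr/bin*,/sbin*,!/sbin/fdisk'     # exclusion is final: denied
exclusion_first='!/sbin/fdisk, /usr/sbin*,/sbin*'  # /sbin* re-allows fdisk
sudo_decision /sbin/fdisk "$exclusion_last"
sudo_decision /sbin/fdisk "$exclusion_first"
```

When auditing a sudoers file, any ! entry that is followed by a wildcard covering the same path is therefore ineffective and should be moved to the end of the list.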

That is what the advanced application of sudo in Linux server rights management looks like. If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.
