2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to configure sudoers. The editor found it practical and shares it here for reference; read on with the editor.
sudo is a commonly used tool on Linux that lets ordinary users run commands with superuser privileges: the system administrator can allow ordinary users to execute some or all root commands, such as halt, reboot and su. This reduces the time spent logged in and administering as root, and improves security. sudo is not a replacement for the shell; it applies to each command individually. Its main characteristics are:
§ sudo can restrict a user to running certain commands only on a given host.
§ sudo keeps a detailed log of what each user does, and can send the logs to a central host or log server.
§ sudo uses a timestamp file to implement a "ticket" system: when a user invokes sudo and enters their password, they receive a ticket with a lifetime of 5 minutes (the value can be changed at compile time).
§ sudo's configuration file is the sudoers file, which lets system administrators centrally manage user permissions and hosts. By default it is /etc/sudoers, and its mode must be 0411.
Using sudo
Permissions: any user listed in /etc/sudoers
Usage: sudo -V
sudo -h
sudo -l
sudo -v
sudo -k
sudo -s
sudo -H
sudo [-b] [-p prompt] [-u username/#uid] -s
Usage: sudo command
Description: executes a command as the system administrator; a command run through sudo behaves as if root had run it.
Parameters:
-V displays the version number
-h displays the version number and usage instructions
-l lists the permissions of the invoking user (the user running sudo)
-v sudo asks for the password the first time it runs, or when N minutes (N defaults to 5) have passed since the last authentication; -v re-validates the ticket, and asks for the password again if N minutes have passed
-k forces sudo to ask for the password the next time it runs, whether or not N minutes have passed
-b runs the command in the background
-p prompt changes the password prompt; %u is replaced with the user's account name and %h with the host name
-u username/#uid without this parameter the command runs as root; with it, the command runs as username (#uid is the numeric user id of the user)
-s runs the shell named by the SHELL environment variable, or the shell set for the user in /etc/passwd
-H sets the HOME environment variable to the home directory of the user being switched to (root if -u is not given)
command the command to run as the system administrator (or as another user with -u)
Example:
sudo -l lists current permissions
sudo -V lists sudo's version information
Instruction name: sudoers (this command cannot be found under fc5, but its usage can be found with man.)
Used to display users who can use sudo
Configuration of sudoers
sudoers is the main configuration file for sudo. On Linux it usually lives under /etc; on Solaris, where sudo is not installed by default, it usually ends up in the etc directory of the installation prefix after compiling. Wherever the file is, sudo provides a command for editing it: visudo. Using visudo is strongly recommended, because it checks that the configuration is syntactically correct and, if it is not, tells you which part is wrong when you save and exit.
Back to the point, here is how to configure sudoers.
First, the default sudoers file:
#
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
#
1. The simplest configuration: give the ordinary user support all of root's permissions
After running visudo, you can see there is only one entry by default:
root ALL=(ALL) ALL
Add another entry below it:
support ALL=(ALL) ALL
Now the ordinary user support can run any command with root permissions.
After logging in as support, run:
sudo su -
Enter the support user's password, and you are switched to the root user.
2. Let the ordinary user support run only certain root commands, and only on certain servers.
First configure some aliases, so that the permission entries below stay short and you do not have to write a large number of lines. There are four kinds of alias:
Host_Alias
Cmnd_Alias
User_Alias
Runas_Alias
1) Host_Alias: a list of hosts
Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
2) Cmnd_Alias: a list of commands that may be executed; a command prefixed with ! may not be executed.
Commands must be given by absolute path, so that a same-named command in another directory cannot be run in their place, which would be a security risk. Use the absolute path here too.
Cmnd_Alias COMMAND_FLAG = command1, command2, command3, !command4
3) User_Alias: a list of users who are granted sudo permission
User_Alias USER_FLAG = user1, user2, user3
4) Runas_Alias: a list of identities the user may run commands as (for example root or oracle)
Runas_Alias RUNAS_FLAG = operator1, operator2, operator3
5) Configure permissions
The format of a permission entry is:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG
If no password should be required, use this format:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
Example configuration:
#
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
Host_Alias EPG = 192.168.1.1, 192.168.1.2
# User alias specification
# Cmnd alias specification
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
support EPG=(ALL) NOPASSWD: ADMPW
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
#
/etc/sudoers is the configuration file for sudo, and its mode must be 440. When I changed the permissions of the sudoers file with sudo chmod 777 /etc/sudoers, sudo stopped working. If you then try to change the permissions back with sudo chmod 440 /etc/sudoers, or use sudo at all, the result is the prompt: sudo: /etc/sudoers is mode 0777, should be 0440. So I had shut myself out of sudo. It is no longer possible to switch to root through sudo su or sudo -i. You can still switch to root with su root, which lets you fix the permissions of the /etc/sudoers file, and the problem is solved.
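A lint for the kind of configuration shown above, added here as an example and not taken from the article: it flags Cmnd_Alias members that are not absolute paths, lists blanket NOPASSWD: ALL grants, and checks that the file mode is 0440 so the lockout just described is caught before it happens. The sample fragment and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): lint a sudoers file for relative
# command paths in a Cmnd_Alias (a same-named binary elsewhere could match),
# blanket "NOPASSWD: ALL" grants, and a mode other than 0440.
# Uses only sh, awk, grep and ls, so it runs without sudo installed.

# Write a constructed sample fragment (modelled on the EPG/SQUID example
# above, with one deliberately bad alias) to a temp file; print its path.
make_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Host_Alias EPG = 192.168.1.1, 192.168.1.2
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
Cmnd_Alias BAD = squid_refresh, \
    /usr/bin/passwd [A-Za-z]*
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
%wheel ALL=(ALL) NOPASSWD: ALL
EOF
    chmod 440 "$f" && printf '%s\n' "$f"
}

# Print each Cmnd_Alias member that is not an absolute path, one per line.
# Lines ending in "\" are joined first so multi-line aliases are checked too.
relative_cmnd_entries() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line !~ /^[ \t]*Cmnd_Alias/) next
            sub(/^[^=]*=/, "", line)
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++) {
                cmd = parts[i]
                gsub(/^[ \t!]+|[ \t]+$/, "", cmd)
                if (cmd != "" && cmd !~ /^\//) print cmd
            }
        }' "$1"
}

# Print every uncommented grant that allows ALL commands without a password.
nopasswd_all_grants() {
    grep -E '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$1" || true
}

# Succeed only if the mode is exactly 0440 (-r--r-----), the mode sudo
# insists on; ls output is parsed because stat flags differ by platform.
sudoers_mode_ok() {
    case $(ls -ld "$1" | cut -c1-10) in
        -r--r-----*) return 0 ;;
        *) return 1 ;;
    esac
}
```

On a real host, run visudo -c -f FILE alongside this so that sudo itself parses the file as well.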
Later, I found an analysis of the sudoers file on the Internet, and it was posted here.
Command to edit the configuration file: visudo
Default configuration file location: /etc/sudoers
[root@localhost ~]# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
[root@localhost ~]#
You can edit the sudoers configuration file with visudo, or edit the sudoers file directly; either way, it is best to look at the sample.sudoers file first, which contains a fairly detailed example to refer to.
# Part 1: user definitions, dividing users into three groups: FULLTIMERS, PARTTIMERS and WEBMASTERS.
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
# Part 2: classify the identities that commands may run as.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Part 3: classify the hosts. These groupings are arbitrary and exist only for easier management.
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
SGI = grolsch, dandelion, black:\
ALPHA = widget, thalamus, foobar:\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Part 4: define the commands and their paths. Commands must use the absolute path, so that a same-named command in another directory cannot be run in their place, which would be a security risk.
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
/usr/local/bin/tcsh, /usr/bin/rsh,\
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
# Different policies for different users: by default all syslog output goes through the auth facility; the FULLTIMERS group does not get the lecture (the message shown on first use); the user millert need not enter a password when using sudo; and on SERVERS the log file is /var/log/sudo.log, with the year included in every log line.
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
# root and members of the wheel group have all rights. To grant a group of users, prefix the group name with %.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# FULLTIMERS can run any command on any host without entering their own password
FULLTIMERS ALL = NOPASSWD: ALL
# PARTTIMERS can run any command on any host, but must first enter their password.
PARTTIMERS ALL = ALL
# jack can run any command on the hosts in CSNETS (the subnets 128.138.243.0, 128.138.242.0 and 128.138.204.0); note that the first two are matched without a subnet mask and the last one with its mask.
jack CSNETS = ALL
# lisa can run any command on any host in the CUNETS subnet (128.138.0.0).
lisa CUNETS = ALL
# user operator can run DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT and any command in /usr/oper/bin.
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
/usr/oper/bin/
# joe can run su operator
joe ALL = /usr/bin/su operator
# pete can change passwords for users other than root.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob can run any command on SPARC and SGI machines as root or operator (the OP Runas_Alias).
bob SPARC = (OP) ALL : SGI = (OP) ALL
# jim can run any command on hosts in the biglab netgroup. In sudoers, a + prefix denotes a netgroup.
jim +biglab = ALL
# users in the secretaries netgroup help manage printers and can run the adduser and rmuser commands.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands as the oracle or sybase database user without a password.
fred ALL = (DB) NOPASSWD: ALL
# john can su to any user except root on ALPHA machines.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run any command on any machine except those in the SERVERS host group.
jen ALL, !SERVERS = ALL
# jill can run all commands in /usr/bin/ on SERVERS, except su and the shells.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in /usr/local/op_commands/ on the CSNETS hosts as user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt can run the kill command on his personal workstation.
matt valkyrie = KILL
# users in the WEBMASTERS group can run any command as user www, or su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# any user can mount or umount a CD-ROM on the CDROM hosts without entering a password.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM