Shulou(Shulou.com)06/01 Report--

This article will explain in detail the skills of using the Sudo command in linux. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

To put it simply, sudo is a privilege management mechanism, and administrators can authorize some ordinary users to perform some operations performed by root without knowing the password of root. Strictly speaking, sudo allows an authorized user to run a command in the role of superuser or other user.

1. Working mode understanding

A brief description of its use workflow and profile configuration!

[1] understand the workflow of sudo commands

Sudo reads and parses the / etc/sudoers file to find the user who invoked the command and its permissions.

The user who called the command is then prompted for a password, or you can skip password validation with the NOPASSWD flag.

After that, sudo creates a child process and calls setuid () to switch to the target user.

At best, it executes the shell or command given by the parameter in the above child process.

[2] understand the sudo command authorization configuration USER/GROUP HOST= (USER [: GROUP]) [NOPASSWD:] COMMANDSUSER/GROUP: indicates the user or group that needs to be authorized; if it is a group, it needs to start with% HOST: indicates which host is allowed to log in to run the sudo command; ALL means to allow access from any terminal or machine (USER [: GROUP]): indicates a user or group that can be switched using sudo, and the group may not be specified ALL indicates that all users of the system can be switched to NOPASSWD: if specified, the user or group does not have to enter the password COMMANDS: means to run the specified command when using sudo ALL means allow all commands # allow sudo group to execute all commands% sudo ALL= (ALL:ALL) ALL# allow users to execute all commands And there is no need to enter the password escape ALL= (ALL) NOPASSWD: ALL# only allows the user to execute echo, the ls command escape ALL= (ALL) NOPASSWD: / bin/echo / bin/ls# the user running this machine executes the shutdown command escape localhost=/sbin/shutdown-h now# allows users in the users user group to use the mount, unmount, chrom command% users ALL=/sbin/mount / mnt/cdrom like root users / sbin/umount / mnt/cdrom [3] configure Defaults option # specify the number of times the user attempts to enter a password Default is 3Defaults passwd_tries=5# setting password timeout, default is 5 minutes Defaults passwd_timeout=2 default sudo asks users for their own passwords, adding targetpw or rootpw configuration allows sudo to ask root passwords Defaults targetpw# specifies custom log file Defaults logfile= "/ var/log/sudo.log" # hostname and four-digit year to be recorded in the custom log file You can add log_host and log_year parameters Defaults log_host, log_year Logfile= "/ var/log/sudo.log" # maintains the current user's environment variable Defaults env_keep + = "LANG LC_ADDRESS LC_CTYPE COLORS DISPLAY HOSTNAME EDITOR" Defaults env_keep + = "ftp_proxy http_proxy https_proxy no_proxy" # places a secure PATH environment variable Defaults secure_path= "/ usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 2. Summary of using skills

Mainly introduces the use of sudo-related commands and problem handling skills!

[1] how to change the visudo editor from nano to vim?

When I use the visudo command, it always opens it with a nano editor, which is awkward and uncomfortable for users who are used to using vi or vim. Therefore, how to better change the visudo editor from nano to vim becomes very important.

The best solution is to call the command and permanently change the terminal's editor into a vim editor once and for all. We just need to execute the following command, enter the editor serial number we need and press enter. The next time the visudo command is executed, the file will be opened using the vim editor.

# because / etc/sudoers ordinary users cannot open and use $sudo update-alternatives-- config editorThere are 4 choices for the alternative editor (providing / usr/bin/editor) .Selection Path Priority Status---* 0 / bin/nano 40 auto mode1 / bin/ed-100 manual mode2 / bin/nano 40 manual mode3 / usr/bin/vim.basic 30 manual mode4 / usr/bin/vim.tiny 10 manual modePress enter to keep the current choice [*] Or type selection number: 3

The second solution is to modify the default editor of the current terminal through the environment variable.

# in a .zshrc or .profile file, $export EDITOR=vim;# wants to execute the default editor for visudo $sudo EDITOR=vim visudo# or modify / etc/sudoers file Defaults editor=/usr/bin/vim [2] Vim how to force a read-only file to be saved?

When using vim, when opening a file that only the root user has permission to operate as a normal user, when saving after editing, it is found that the file does not have permission to modify. Finally finished editing the file, but can not save, can only give up, and then quit, and then open with root permissions, re-editing, is in pain! Is there a good way to solve this problem? Ahem, there must be.

# Vim command mode can be forced to save # w: means to save a file #!: means to execute an external command # tee: means to redirect data to a given file and screen #%: when executing an external command,% will be expanded to the current file name: W! sudo tee% the above perfectly solves the problem that read-only files cannot be saved, but after all, the command is still a bit long. To avoid typing a long list of commands at a time, map it to a simple command and add it to .vimrc. Like this, simply run: wicked! Then, the second half of the command > / dev/null function is to explicitly discard the contents of standard output. "Allow saving of files as sudo when I forgot to start vim using sudo.cmap Allow saving of files as sudo when I forgot to start vim using sudo.cmap! W! sudo tee > / dev/null% [3] how to edit files more safely

Sudoedit is a built-in command that allows users to edit files safely. According to the sudo man page, sudoedit is equivalent to using the-e command line option to execute sudo.

So what does this command do? it first creates a temporary copy of the file you want to edit. The command then searches the SUDO_EDITOR,VISUAL and EDITOR environment variables (in this order) to determine which editor should be invoked to open the temporary copy you just created. After the user completes the modification, the changes are copied back to the original file.

# Sudo command man page-e,-- editEdit one or more files instead of running a command. In lieu of a path name,the string "sudoedit" is used when consulting the security policy. If the useris authorized by the policy, the followingsteps are taken:1. Temporary copies are made of the files to be edited withthe owner set to the invoking user.2. The editor specified by the policy is run to edit thetemporary files. The sudoers policy uses theSUDO_EDITOR, VISUAL and EDITOR environment variables (inthat order). If none of SUDO_EDITOR, VISUAL or EDITORare set, the first program listed in the editorsudoers (5) option is used.3. If they have been modified, the temporary files arecopied back to their original location and the temporaryversions are removed.If the specified file does not exist, it will be created. Note that unlike mostcommands run by sudo, the editor is run with the invoking user is environmentunmodified. If, for some reason, sudo is unable to update a file with its editedversion, the user will receive a warning and the edited copy will remain in atemporary file. [4] how to make sudo conversation time as it pleases?

The sudo command is a permission delegated command, which is very common in a production environment, and the sudo command session time is 15 minutes by default. To set the value of the sudo password timeout, you need to use the passwd_timeout parameter.

You can set it to any time you want in minutes, and it will wait until it times out. If you want to pop up the password prompt for each sudo command executed, you can also set the time to 0 or permanently disable the password prompt by setting the value-1.

# set timeout time

# means that the sudo password prompt will expire 20 minutes after the user uses it

Defaults env_reset,timestamp_timeout=20 [5] how to grant server permissions more securely?

How do we manage the server, developers or other people need to log on to the server for environment debugging or problem recurrence and so on. At this point, we need to give the corresponding user login access. But if we edit the / etc/sudoers file directly, then I need to clean it up manually after the other party has finished using it. If we forget, the developer or others will always be able to log on to the server, with a certain degree of security problems.

Unfortunately, for temporary authorization, there is no configuration in the / etc/sudoers file, and you can authorize a user or user group for a specified range of time. When the user reaches the specified point in time, the user will be refused to log in again. In response to this situation, we can perfectly solve the above problems through the mechanism of crontab scheduled tasks and / etc/sudoers.d directory.

We regularly wipe out the authorization profiles of users or user groups in the / etc/sudoers.d/ directory through the scheduled execution directory of scheduled tasks. For example, if we need to wipe out today's temporarily authorized users or users on a regular daily basis, we can create a rm-rf command under the / etc/cron.daily directory to delete the / etc/sudoers.d/ directory, which will be deleted automatically at a fixed time. For authorized users, we use to create a separate configuration file under the / etc/sudoers.d/ directory instead of directly modifying the / etc/sudoers file.

# Crontab has multiple timing mechanisms # the following represents daily, hourly, monthly, Execute $ls-dl / etc/cron.* regularly every week | grep-v cron.d$drwxr-xr-x 2 root root 4096 May 15 06:18 / etc/cron.dailydrwxr-xr-x 2 root root 4096 Feb 14 2019 / etc/cron.hourlydrwxr-xr-x 2 root root 4096 Feb 14 2019 / etc/cron.monthlydrwxr-xr-x 2 root root 4096 Jun 18 09:57 / etc/cron.weekly# create a separate authorization profile $ls-lh / etc/sudoers.d/- RMurray r-1 root root 666 Oct 6 2017 lisi-r--r- 1 root root 958 Jan 18 2018 zhangsan# View the contents of the authorization profile $cat / etc/sudoers.d/zhangsanALL ALL = (root) NOPASSWD: zhangsan [6] how to solve the problem that the sudo command cannot find environment variables?

When we use the sudo command, we often encounter that when we switch users, we find that the previously set environment variables are missing. This is because we will switch users after we execute the sudo command, and if we retain the environment variable, there will be some security problems, and the system will reset the environment variable to the safe environment variable by default. All previously set variables are invalidated, and only a few environment variables specified in the configuration file can be saved.

We can look at the sudo configuration file / etc/sudoers to find out why it works. After we execute the following command, we can see the following input (which may not be the same as mine). Env_reset indicates that the environment variable is reset by default, so the variable we customize will expire after the sudo command is executed, and the variable value will not be obtained correctly. While env_keep means that some environment variables are not reset, the variables that need to be retained are written in double quotation marks, and the variables that need to be retained can be appended by themselves. Finally, there is the secure_path variable, whose function is that the included path will be used as a PATH variable for the sudo environment. If some commands cannot be found in the sudo environment, you can add the paths to those commands to the configuration item.

$sudo sed'/ ^ # / dscape / ^ $/ d' / etc/sudoersDefaults env_resetDefaults env_keep = "COLORS IDSPLAY HOSTNAME HISTSIZE LS_COLORS" Defaults env_keep + = "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS" Defaults secure_path= "/ usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

Once we know the reason, we can deal with the above situation in an unnecessary way to solve the problem that the sudo command cannot find the environment variable.

The first solution is to use the-E parameter when using it. With the-E option added, the user can retain the existing environment variables of the current user during sudo execution without being reset by sudo. In addition, if the user does not have permission for the specified environment variable, an error will be reported. It should be noted that in the internal test machine, it is used when the security requirements are not high.

$sudo sudo-E

The second solution is to modify the sudo configuration file. You can specify the environment variables and paths that need to be retained in the sudo environment by modifying the env_keep and secure_path configuration items in the / etc/sudoers file. Of course, we can also remove the variable! env_reset of the configuration file so that there will be no restrictions.

$sudo vim / etc/sudoersDefaults! env_reset about "what are the skills of using Sudo commands in linux?" this article ends here. I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.