
Use of su and sudo commands and log tracking

2025-02-25 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

su is the abbreviation of "switch user", which means to switch users.

The difference between su on its own and su with the "-" parameter:

su without any parameters switches to root by default, but it does not change to root's home directory: although you have become the root user, you have not switched to root's login environment (shell, environment variables), so root's environment variables are not available. su with the "-" parameter switches to the login environment of user root and obtains root's environment variables and execution permissions (the user variables are switched as well).

su places no restrictions on permissions once you have switched to the ultimate permission, root (su switches to the root user by default). sudo can delegate some of the ultimate permissions, and the user does not need to know the root password. The execution process is that the current user switches to root, executes the command as root, and returns directly to the current user after execution. Authorization is done through the sudo configuration file "/etc/sudoers".

sudo can restrict users to running certain commands only on a given host.

sudo provides rich logs that record in detail what each user does, and the logs can be transferred to a central host or log server.

sudo uses timestamp files to implement a system similar to "ticket checking". When the user calls sudo and enters their password, the user gets a ticket with a lifetime of 5 minutes (this value can be specified at compile time).

The configuration file for sudo is the sudoers file, which allows the system administrator to centrally manage users' permissions and the hosts they may use. Its location is /etc/sudoers, and its attribute must be 0411.

The sudo command is used to execute commands as another identity. The default identity is root.

sudo differs from su in that sudo only grants permissions to users when needed, reducing the possibility that users will damage the system through a mistaken command, and sudo can also be used to execute commands as other users. In addition, sudo can record the commands executed by users, as well as failed attempts to acquire privileges.

Configuration file for sudo:

The configuration file of sudo is "/etc/sudoers". It is strongly recommended not to edit this file directly but to edit it through visudo, because visudo checks the syntax when the file is saved and reports any problems, which avoids errors.

There are four aliases recorded in the configuration file:

Host_Alias

Cmnd_Alias

User_Alias

Runas_Alias

2. How to use sudo:

First, let's analyze some fields.

This sentence means:

User lifeng can run the command /usr/sbin/useradd as user root on the server mail.

Add this line: lifeng ALL=/usr/sbin/useradd
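The rule above, rewritten with all four alias types and syntax-checked before it goes anywhere near /etc/sudoers. This is an added example, not part of the original article; the alias names, the function names and the VISUDO_BIN override are assumptions made for the illustration.

```shell
#!/bin/sh
# write_fragment FILE: write a constructed sudoers fragment that uses all four
# alias types to say "lifeng may run useradd as root on the host mail".
write_fragment() {
cat > "$1" <<'EOF'
# Constructed example; the alias names are illustrative.
User_Alias   ACCOUNT_ADMINS = lifeng
Host_Alias   MAILSERVERS    = mail
Runas_Alias  AS_ROOT        = root
Cmnd_Alias   ADDUSER        = /usr/sbin/useradd

# who           where       = (as whom)  what
ACCOUNT_ADMINS  MAILSERVERS = (AS_ROOT)  ADDUSER
EOF
}

# check_fragment FILE: syntax-check FILE with visudo without installing it.
# Returns 0 if valid, 1 if visudo rejects it, 2 if visudo is not available.
# VISUDO_BIN is a hypothetical override for this example (default: visudo).
check_fragment() {
  bin=${VISUDO_BIN:-visudo}
  command -v "$bin" >/dev/null 2>&1 || return 2
  "$bin" -c -f "$1" >/dev/null 2>&1 || return 1
  return 0
}

frag=$(mktemp)
write_fragment "$frag"
rc=0
check_fragment "$frag" || rc=$?
case $rc in
  0) echo "syntax OK" ;;
  1) echo "visudo rejected the fragment" ;;
  2) echo "visudo not found; fragment not checked" ;;
esac
rm -f "$frag"
```
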

4. Syntax:

sudo [-VhlLvkKsHPSb] | [-p prompt] [-c class|-] [-a auth_type] [-u username|#uid] command

5. Parameters:

-V

Show version number

-h

Show the version number and the usage instructions of the command.

-l

Show the permissions of yourself (the user who executes sudo)

-v

sudo asks for the password the first time it is executed, or if it has not been executed within N minutes (N defaults to five). This parameter re-confirms the timestamp; if more than N minutes have passed, the password is asked for as well.

-k

Forces sudo to ask for the password the next time it is executed (whether or not more than N minutes have passed)

-b

Execute the instruction in the background

-p prompt

Changes the prompt used when asking for the password, where %u is replaced with the user's account name and %h with the host name.

-u username/#uid

Without this parameter, the instruction is executed as root. With this parameter, the instruction is executed as username (#uid is the user number of that username)

-s

Execute the shell specified by SHELL in the environment variables, or the shell specified in /etc/passwd

-H

Set HOME (home directory) in the environment variables to the home directory of the user whose identity is assumed (if the -u parameter is not given, that is the system administrator root)

command

The instruction to be executed as the system administrator (or as someone else when -u is given)

sudo -i switches the user identity to root

Log tracking:

1. Create a sudo.log file

touch /var/log/sudo.log

2. Add a line at the end of the /etc/rsyslog.conf configuration file

local2.debug	/var/log/sudo.log # the blank between the two fields cannot be typed with the space bar; you must use the tab key.

3. At the end of the /etc/sudoers configuration file, add the following

Defaults logfile=/var/log/sudo.log

Defaults loglinelen=0

Defaults !syslog

4. Restart the syslog service

[root@localhost .ssh]# service rsyslog restart

or /etc/init.d/rsyslog restart

5. Check the process

[root@localhost .ssh]# ps -aux | grep rsyslog

6. Test

The test account uses the sudo command, and the root user checks whether there is a record.

[root@localhost .ssh]# tail -f /var/log/sudo.log
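Once /var/log/sudo.log is filling up, the entries worth reviewing first are the ones sudo refused. The following is an added example, not part of the original article: it parses the one-line-per-entry layout produced by loglinelen=0 ("date : user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...") and counts refusals per user. The sample entries and function names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed sample entries in the sudo logfile format (loglinelen=0: one line each).
sample_sudo_log() {
cat <<'EOF'
Feb 25 10:01:02 : lifeng : TTY=pts/0 ; PWD=/home/lifeng ; USER=root ; COMMAND=/usr/sbin/useradd -m test1
Feb 25 10:03:40 : lifeng : command not allowed ; TTY=pts/0 ; PWD=/home/lifeng ; USER=root ; COMMAND=/usr/bin/passwd root
Feb 25 10:05:11 : guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb 25 10:07:55 : guest : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/su -
EOF
}

# parse_sudo_log FILE: print "status<TAB>user<TAB>runas<TAB>command" per entry.
# status is "ok" for an executed command, otherwise the refusal reason in the log.
parse_sudo_log() {
  awk '
  {
    n = split($0, part, " : ")            # timestamp : user : details
    if (n < 3) next                       # not a sudo logfile entry
    user = part[2]; rest = part[3]
    for (i = 4; i <= n; i++) rest = rest " : " part[i]   # keep " : " inside commands
    status = "ok"
    if (rest !~ /^TTY=/) {                # a reason precedes TTY= on refusals
      cut = index(rest, " ; ")
      if (cut == 0) next
      status = substr(rest, 1, cut - 1)
    }
    runas = "?"; cmd = "?"
    if (match(rest, /USER=[^ ]+/)) runas = substr(rest, RSTART + 5, RLENGTH - 5)
    c = index(rest, "COMMAND=")
    if (c > 0) cmd = substr(rest, c + 8)
    printf "%s\t%s\t%s\t%s\n", status, user, runas, cmd
  }' "$1"
}

# refused_per_user FILE: print "count user" for entries that were not executed.
refused_per_user() {
  parse_sudo_log "$1" | awk -F '\t' '$1 != "ok" { n[$2]++ } END { for (u in n) print n[u], u }' | sort -k2
}

log=$(mktemp)
sample_sudo_log > "$log"
parse_sudo_log "$log"
refused_per_user "$log"
rm -f "$log"
```
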
