Shulou(Shulou.com)06/01 Report--

This article mainly introduces what are the skills for using Sudo commands in linux, which can be used for reference by interested friends. I hope you can learn a lot after reading this article.

Sudo stands for "superuser do", which allows authenticated users to run commands as other users. Other users can be regular users or super users. However, most of the time we use it to elevate the power to run commands instead of using root users directly. The sudo command is used in conjunction with the security policy, which can be configured through the file / etc/sudoers. Its security policy is highly extensible and supports plug-in extension. By default, / etc/sudoers cannot be edited directly by anyone, because it has permissions of440. Although you can also give it write permission before editing, it is recommended that you use the visudo command to edit the file.

1. Working mode understanding

A brief description of its use workflow and profile configuration!

[1] understand the workflow of sudo commands

Sudo reads and parses the / etc/sudoers file to find the user who invoked the command and its permissions.

The user who called the command is then prompted for a password, or you can skip password validation with the NOPASSWD flag.

After that, sudo creates a child process and calls setuid () to switch to the target user.

At best, it executes the shell or command given by the parameter in the above child process.

[2] understand sudo command authorization configuration

USER/GROUP HOST= (USER [: GROUP]) [NOPASSWD:] COMMANDS

USER/GROUP: indicates the user or group that needs to be authorized; if it is a group, it needs to start with%

HOST: indicates which hosts are allowed to log in to run sudo commands; ALL means to allow access from any terminal or machine

(USER [: GROUP]): indicates the users or groups that can be switched using sudo, and the group may not be specified; ALL represents all users who can switch to the system

NOPASSWD: if specified, the user or group does not have to enter a password when using sudo

COMMANDS: means to run the specified command; ALL means to allow all commands to be executed

# allow sudo group to execute all commands% sudo ALL= (ALL:ALL) ALL # allow users to execute all commands And there is no need to enter the password escape ALL= (ALL) NOPASSWD: ALL # only allows the user to execute echo, the ls command escape ALL= (ALL) NOPASSWD: / bin/echo / bin/ls # users running the machine execute the shutdown command escape localhost=/sbin/shutdown-h now # allows users in the users user group to use the mount, unmount, chrom commands% users ALL=/sbin/mount / mnt/cdrom, / sbin/umount / mnt/cdrom like root users

[3] configure Defaults option

# specify the number of times a user attempts to enter a password. Default is 3 Defaults passwd_tries=5 # set password timeout, default is 5 minutes Defaults passwd_timeout=2 default sudo asks users for their own password, add targetpw or rootpw configuration allows sudo to ask root password Defaults targetpw # specify custom log file Defaults logfile= "/ var/log/sudo.log" # to record hostname and four-digit year in custom log file You can add log_host and log_year parameters Defaults log_host, log_year Logfile= "/ var/log/sudo.log" # maintains the current user's environment variable Defaults env_keep + = "LANG LC_ADDRESS LC_CTYPE COLORS DISPLAY HOSTNAME EDITOR" Defaults env_keep + = "ftp_proxy http_proxy https_proxy no_proxy" # places a secure PATH environment variable Defaults secure_path= "/ usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" 2. Summary of using skills

Mainly introduces the use of sudo-related commands and problem handling skills!

[1] how to change the visudo editor from nano to vim?

When I use the visudo command, it always opens it with a nano editor, which is awkward and uncomfortable for users who are used to using vi or vim. Therefore, how to better change the visudo editor from nano to vim becomes very important.

The best solution is to call the command and permanently change the terminal's editor into a vim editor once and for all. We just need to execute the following command, enter the editor serial number we need and press enter. The next time the visudo command is executed, the file will be opened using the vim editor.

# because / etc/sudoers ordinary users cannot open and use $sudo update-alternatives-- config editor There are 4 choices for the alternative editor (providing / usr/bin/editor). Selection Path Priority Status-* 0 / bin/nano 40 auto mode 1 / bin/ed-100 Manual mode 2 / bin/nano 40 manual mode 3 / usr/bin/vim.basic 30 manual mode 4 / usr/bin/vim.tiny 10 manual mode Press enter to keep the current choice [*] Or type selection number: 3

The second solution is to modify the default editor of the current terminal through the environment variable.

# in .zshrc or .profile file $export EDITOR=vim; # you want to execute $sudo EDITOR=vim visudo # for visudo or modify the default editor Defaults editor=/usr/bin/vim for / etc/sudoers file

[2] how does Vim force read-only files to be saved?

When using vim, when opening a file that only the root user has permission to operate as a normal user, when saving after editing, it is found that the file does not have permission to modify. Finally finished editing the file, but can not save, can only give up, and then quit, and then open with root permissions, re-editing, is in pain! Is there a good way to solve this problem? Ahem, there must be.

# Vim command mode can be forced to save # w: means to save the file #!: means to execute an external command # tee: to redirect data to a given file and screen #%: when executing an external command,% will be expanded to the current file name: W! sudo tee%

The above method perfectly solves the problem that read-only files cannot be saved, but after all, the command is still a bit long, to avoid typing a long list of commands at a time, you can map it to a simple command and add it to .vimrc. Like this, simply run: wicked! Then, the second half of the command > / dev/null function is to explicitly discard the content of standard output.

"Allow saving of files as sudo when I forgot to start vim using sudo. Cmap walled! W! sudo tee > / dev/null%

[3] how to edit files more securely?

Sudoedit is a built-in command that allows users to edit files safely. According to the sudo man page, sudoedit is equivalent to using the-e command line option to execute sudo.

So what does this command do? it first creates a temporary copy of the file you want to edit. The command then searches the SUDO_EDITOR,VISUAL and EDITOR environment variables (in this order) to determine which editor should be invoked to open the temporary copy you just created. After the user completes the modification, the changes are copied back to the original file.

# Sudo command manual page-e,-- edit Edit one or more files instead of running a command. In lieu of a path name, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the policy, the followingsteps are taken: 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. 2. The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers (5) option is used. 3. If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed. If the specified file does not exist, it will be created. Note that unlike most commands run by sudo, the editor is run with the invoking user is environment unmodified. If, for some reason, sudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file.

[4] how to make the sudo conversation time as it pleases?

The sudo command is a permission delegated command, which is very common in a production environment, and the sudo command session time is 15 minutes by default. To set the value of the sudo password timeout, you need to use the passwd_timeout parameter.

You can set it to any time you want in minutes, and it will wait until it times out. If you want to pop up the password prompt for each sudo command executed, you can also set the time to 0 or permanently disable the password prompt by setting the value-1.

# setting timeout time # means that the sudo password prompt will expire Defaults env_reset,timestamp_timeout=20 20 minutes after the user uses it

[5] how to grant server permissions more securely?

How do we manage the server, developers or other people need to log on to the server for environment debugging or problem recurrence and so on. At this point, we need to give the corresponding user login access. But if we edit the / etc/sudoers file directly, then I need to clean it up manually after the other party has finished using it. If we forget, the developer or others will always be able to log on to the server, with a certain degree of security problems.

Unfortunately, for temporary authorization, there is no configuration in the / etc/sudoers file, and you can authorize a user or user group for a specified range of time. When the user reaches the specified point in time, the user will be refused to log in again. In response to this situation, we can perfectly solve the above problems through the mechanism of crontab scheduled tasks and / etc/sudoers.d directory.

We regularly wipe out the authorization profiles of users or user groups in the / etc/sudoers.d/ directory through the scheduled execution directory of scheduled tasks. For example, if we need to wipe out today's temporarily authorized users or users on a regular daily basis, we can create a rm-rf command under the / etc/cron.daily directory to delete the / etc/sudoers.d/ directory, which will be deleted automatically at a fixed time. For authorized users, we use to create a separate configuration file under the / etc/sudoers.d/ directory instead of directly modifying the / etc/sudoers file.

# Crontab has multiple timing mechanisms # the following represents daily, hourly, monthly, Execute $ls-dl / etc/cron.* regularly every week | grep-v cron.d$ drwxr-xr-x 2 root root 4096 May 15 06:18 / etc/cron.daily drwxr-xr-x 2 root root 4096 Feb 14 2019 / etc/cron.hourly drwxr-xr-x 2 root root 4096 Feb 14 2019 / etc/cron.monthly drwxr-xr-x 2 root root 4096 Jun 18 09:57 / etc/cron.weekly # create a separate authorization profile $ls-lh / Etc/sudoers.d/-RMurray r-1 root root 666 Oct 6 2017 lisi-Rmuri r-1 root root 958 Jan 18 2018 zhangsan # View the contents of the authorization profile $cat / etc/sudoers.d/zhangsan ALL ALL = (root) NOPASSWD: zhangsan

[6] how to solve the problem that the sudo command cannot find the environment variable?

When we use the sudo command, we often encounter that when we switch users, we find that the previously set environment variables are missing. This is because we will switch users after we execute the sudo command, and if we retain the environment variable, there will be some security problems, and the system will reset the environment variable to the safe environment variable by default. All previously set variables are invalidated, and only a few environment variables specified in the configuration file can be saved.

We can look at the sudo configuration file / etc/sudoers to find out why it works. After we execute the following command, we can see the following input (which may not be the same as mine). Env_reset indicates that the environment variable is reset by default, so the variable we customize will expire after the sudo command is executed, and the variable value will not be obtained correctly. While env_keep means that some environment variables are not reset, the variables that need to be retained are written in double quotation marks, and the variables that need to be retained can be appended by themselves. Finally, there is the secure_path variable, whose function is that the included path will be used as a PATH variable for the sudo environment. If some commands cannot be found in the sudo environment, you can add the paths to those commands to the configuration item.

$sudo sed'/ ^ # / dscape / ^ $/ d' / etc/sudoers Defaults env_reset Defaults env_keep = "COLORS IDSPLAY HOSTNAME HISTSIZE LS_COLORS" Defaults env_keep + = "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS" Defaults secure_path= "/ usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

Once we know the reason, we can deal with the above situation in an unnecessary way to solve the problem that the sudo command cannot find the environment variable.

The first solution is to use the-E parameter when using it. With the-E option added, the user can retain the existing environment variables of the current user during sudo execution without being reset by sudo. In addition, if the user does not have permission for the specified environment variable, an error will be reported. It should be noted that in the internal test machine, it is used when the security requirements are not high.

$sudo sudo-E

The second solution is to modify the sudo configuration file. You can specify the environment variables and paths that need to be retained in the sudo environment by modifying the env_keep and secure_path configuration items in the / etc/sudoers file. Of course, we can also remove the variable! env_reset of the configuration file so that there will be no restrictions.

$sudo vim / etc/sudoers Defaults! env_reset thank you for reading this article carefully. I hope the article "what are the skills for using Sudo commands in linux" shared by the editor will be helpful to you. At the same time, I hope you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.