
How to analyze the configuration of sudo and its configuration file /etc/sudoers under Linux

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article focuses on how to analyze the configuration of sudo and its configuration file /etc/sudoers under Linux. It is written clearly and is well suited to beginners. I hope you get something out of it!

1. sudo introduction

sudo is a commonly used tool under Linux that lets ordinary users use superuser privileges: system administrators can let ordinary users execute some or all root commands, such as halt, reboot, su, and so on. This not only reduces the login and management time of the root user, but also improves security. sudo is not a substitute for the shell; it works on a per-command basis.

Its main characteristics are as follows:

sudo can restrict a user to running only certain commands on a given host.

sudo provides a rich log that records in detail what each user does. It can send logs to a central host or log server.

sudo uses a timestamp file to implement a kind of "ticket check" system. When the user calls sudo and enters their password, the user gets a ticket with a lifetime of 5 minutes (this value can be changed at compile time).

The configuration file for sudo is the sudoers file, which lets system administrators centrally manage users' permissions and the hosts they apply to. Its location is /etc/sudoers by default, and the attribute must be 0411.

2. Configuration file /etc/sudoers

The main configuration file is sudoers, which on Linux is usually in the /etc directory. On Solaris, sudo is not installed by default; after compilation it is usually installed in the etc directory under the installation directory. Wherever the sudoers file is, sudo provides a command for editing it: visudo. It is highly recommended to use this command to modify sudoers, because it verifies that the file configuration is correct, and if it is not, it tells you which section of the configuration is wrong when you save and exit.

To get back to the point, here's how to configure sudoers. First, the default configuration of sudoers:

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now

1. The simplest configuration: let the ordinary user support have all the permissions of root

After executing visudo, you can see that there is only one configuration by default:

    root ALL=(ALL) ALL

Then you can add another configuration below:

    support ALL=(ALL) ALL

In this way, the ordinary user support will be able to execute all commands with root permissions.

After logging in as the support user, execute:

    sudo su -

Then enter the password of the support user, and you can switch to the root user.

2. Let the ordinary user support execute only certain commands that root can execute, and only on certain servers

First, configure some aliases, so that the permission entries below are easier to write and do not need a large number of separate lines. There are four main types of alias:

    Host_Alias
    Cmnd_Alias
    User_Alias
    Runas_Alias

1) configure Host_Alias: this is the list of hosts

Host_Alias HOST_FLAG = hostname1, hostname2, hostname3

2) configure Cmnd_Alias: this is the list of commands allowed to be executed

Cmnd_Alias COMMAND_FLAG = command1, command2, command3

3) configure User_Alias: this is the list of users with sudo permission

User_Alias USER_FLAG = user1, user2, user3

4) configure Runas_Alias: this is the list of identities the user executes commands as (for example, root or oracle)

Runas_Alias RUNAS_FLAG = operator1, operator2, operator3

5) configure permissions

The format for configuring permissions is as follows:

    USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG

If password authentication is not required, configure it in this format:

    USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
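An added example (not part of the original article): a small Python audit that parses entries in the format above, expands the aliases, and reports rules that grant NOPASSWD on a command with no argument restriction or grant ALL to a non-root user. The sample input is constructed; the OPS alias and its members are hypothetical, and only simple single-line entries are handled.

```python
import re

# Constructed sample: EPG/SQUID/support follow the article's example;
# the OPS alias and its members are hypothetical.
SAMPLE = """\
Host_Alias EPG = 192.168.1.1, 192.168.1.2
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, /sbin/service, /bin/rm
User_Alias OPS = alice, bob
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
OPS ALL=(root) /sbin/reboot
"""

ALIAS_RE = re.compile(r"^(?:Host|Cmnd|User|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
# USER HOST=(RUNAS) [NOPASSWD:] COMMANDS, the format shown above
SPEC_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def expand(names, aliases):
    # Replace alias names with their members (one level only).
    return [m for name in names for m in aliases.get(name, [name])]

def audit(text):
    """Parse simple one-line entries; return (rules, findings)."""
    aliases, rules, findings = {}, [], []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        alias = ALIAS_RE.match(line)
        if alias:
            aliases[alias.group(1)] = split_list(alias.group(2))
            continue
        spec = SPEC_RE.match(line)
        if not spec:
            continue
        user, host, runas, nopasswd, cmds = spec.groups()
        rule = {"users": expand([user], aliases),
                "hosts": expand([host], aliases),
                "runas": expand(split_list(runas or "root"), aliases),
                "nopasswd": bool(nopasswd),
                "commands": expand(split_list(cmds), aliases)}
        rules.append(rule)
        for cmd in rule["commands"]:
            if cmd == "ALL" and user != "root":
                findings.append((user, cmd, "unrestricted commands"))
            elif rule["nopasswd"] and " " not in cmd:
                findings.append((user, cmd, "NOPASSWD, any arguments"))
    return rules, findings
```

In sudoers, a command listed without arguments may be run with any arguments, which is why such NOPASSWD entries are reported; call audit(SAMPLE) to get the parsed rules and the findings.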

Example configuration:

    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #

    # Host alias specification
    Host_Alias EPG = 192.168.1.1, 192.168.1.2

    # User alias specification

    # Cmnd alias specification
    Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, /sbin/service, /bin/rm

    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL
    support EPG=(ALL) NOPASSWD: SQUID

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now

Thanks for reading. You should now have a certain understanding of how to analyze the configuration of sudo and its configuration file /etc/sudoers under Linux. Go ahead and practice it.
