Shulou(Shulou.com)06/01 Report--

In the linux system, some ordinary users need to use root accounts to perform some operations, but we can't give the root password to ordinary users, so we have sudo.

Sudo can temporarily switch to a specified account to operate.

How to use it:

Sudo [- u user account] commands to be executed. When switching to root, you can execute sudo commands directly.

Sudo-l: lists all commands that can be executed

Conditions of use:

You must execute visudo as root and add users who need to execute sudo commands

When you execute visudo, you actually modify the / etc/sudoers file

Why use visudo instead of vim / etc/sudoers directly? This is the factor visudo can check the syntax after the modification is completed.

Use visudo-c for syntax checking. When there is a syntax error in the sudoers file, all sudo commands cannot be used

Modify the configuration:

[root@web1 ~] # visudo

Root ALL= (ALL) ALL Host_Alias FILESERVERS = fs1,fs2

User role aliases that can be switched-- > Runas_Alias OP = root

Command alias-- > Cmnd_Alias SERVICES = / sbin/service,/sbin/chkconfig

When do I use an alias?

A: when there are generally multiple system users at work and need to classify and manage users at different levels

Actual instance of alias:

Job requirements:

Developer: User_Alias KAIFA_ADMINS = kaifa01,kaifa02

Command permission: KAFACMD

Identity permission: KAIFA_ADMINS

Operation staff: User_Alias OLD_ADMINS = oldboy,oldgirl,%sa

Command permission: USERCMD,NETMAGCMD,CTRLCMD,DISKCMD

Identity permission: OP1

Network engineer: User_Alias OLD_NETADMINS = leo,maya

Command permission: NETMAGCMD

Identity permission: OP2

# user grouping-> people in the same position are put in a group

User_Alias OLD_ADMINS = oldboy,oldgirl,%sa

User_Alias OLD_NETADMINS = leo,maya

User_Alias KAIFA_ADMINS = kaifa01,kaifa02

# similar command grouping

Cmnd_Alias USERCMD = / usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd [A-Za-z] *, / bin/chown,/bin/chmod

Cmnd_Alias DISKCMD = / sbin/fdisk,/sbin/parted

Cmnd_Alias NETMAGCMD = / sbin/ifconfig,/etc/init.d/network

Cmnd_Alias CTRLCMD = / usr/sbin/reboot,/usr/sbin/halt

Cmnd_Alias KAFACMD = / bin/grep,/usr/bin/tail,/bin/cat

# roles

Runas_Alias OP1 = root,oldboy

Runas_Alias OP2 = root,oldgirl

# Licensing

KAIFA_ADMINS ALL= (OP1) KAFACMD

OLD_ADMINS ALL= (OP1) USERCMD,DISKCMD,NETMAGCMD,CTRLCMD

OLD_NETADMINS ALL= (OP2) NETMAGCMD

Sudo audit:

Record only the commands that the user executes when using sudo

You only need to add the following to the / etc/sudoers file to achieve sudo audit

Echo "Defaults logfile=/var/log/sudo.log" > > / etc/sudoers

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.