#su [OPTION] USERNAME switch users
[OPTION]
-Change the current working environment PWD
Null default switch to root user
By default, SU only switches paht and users to username and does not change pwd. Use-and landing in username is essentially the same.
#sudo [OPTION] COMMAND
A user executes a command from a host with the permission of another user without switching users.
[OPTION]
-L lists all sudo class commands that the current user can use.
-K Clear the authentication, the next use needs to enter the password. By default, the password is not prompted for 5 minutes after the first password is entered.
/etc/sudoers
sudo configuration file with permissions of 440.
With the exception of the additional configuration entries, each line defines a sudo entry with the following structure:
WhoWhichhost=[flag:] (RUNAS) COMMAND
Alias:
Similar to groups, aliases can only use uppercase letters. Defined before use.
Use! indicates inverse.
1. User Alias User_alias
User_alias name=username|%group| Otheruserlist
USERNAME the user on the current system.
%group user group, with% boot.
Otheruserlsit the list of other aliases.
2. Host Alias Host_alias
Host_alias host=host| ipadd| ip/netmask|+group| Otherhostlist
Host hostname
Ipadd IP Address
Ip/netmask IP address/subnet mask
+group host group, with + boot.
Otherhostlist List of other aliases
3. Which user to run Runas_alias
Runas_alias runas=username| #UID |%group|+netgroup| Ohterrunaslist
USERNAME User Name
#UID UID, with # boot.
%group group name, with% boot.
Otherrunaslist List of other aliases
4. Command Cmnd_alias
Cmnd_alias cmnd=command| commdir| Othercmndlist
command commands, use absolute paths.
Commdir directory, containing all commands in this directory
Othercmndlist List of other aliases
FLAG (TAG):
NOPASSWD user does not need to enter a password
PASSWD Need a password
The associated operation log can be viewed in/var/log/secure. This log file has a permission of 600 and only allows root view.
For example:
1.hadoop user uses ROOT to execute Useradd
#vimsudo
Hadoop all= (Root)/usr/sbin/useradd,/usr/sbin/usermod
hadoop$ Sudo/usr/sbin/useradd Tom
[sudo] passowrd for Hadoop:
hadoop$
2. Remove the user authentication for Hadoop and change the configuration file to Useradd without the need for a password, usermod need a password.
#sudo-K
#vimsudo
Hadoop all=nopasswd: (Root)/usr/sbin/useradd,passwd:/usr/sbin/usermod
3. Create an alias group and prevent the root password from being modified:
#visudo
User_alias Useradmin=hadoop,%hadoop,%useradmin
Cmnd_alias useradmincmd=/usr/sbin/useradd,/usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/passwd[a-za-z]*,!/usr/ BIN/PASSWD Root
The [a-za-z]*] here is similar to the file name wildcard, not a regular expression.
Useradmin All=nopasswd:useradmincmd
#visudo [OPTION] to edit a dedicated command for the sudo configuration file, you can check for configuration file errors.
[OPTION]
-F file specifies additional sudoers files
#man sudoers View specific definitions for/etc/sudoers.
This article is from "Small Private blog" blog, please be sure to keep this source http://ggvylf.blog.51cto.com/784661/1618399
The Linux su sudo command is detailed