A detailed explanation of sudo usage and sudoers configuration in Linux

Sudo is a common tool that allows ordinary users to use Superuser privileges under Linux, allowing the system administrator to allow ordinary users to perform some or all of the root commands, such as HALT,REBOOT,SU, and so on. This will not only reduce the root user login and management time, but also improve security. sudo is not a substitute for the shell, it is oriented to each command. There are several main features of it:

1.sudo can restrict the user from running certain commands on a single host.

2.sudo provides a rich log of what each user has done in detail. It can upload logs to a central host or log server.

3.sudo uses a timestamp file to perform a similar "check-in" system. When the user invokes sudo and enters its password, the user obtains a 5-minute lifetime ticket (this value can be changed at compile time).

The 4.sudo configuration file is the Sudoers file, which allows administrators to centralize the administration of user permissions and the host used by the system administrator. The location of the default is/etc/sudoers, and the attribute must be 0411.

The use of sudo

Permission: A user who appears in the/etc/sudoers

Use mode: sudo-v

Sudo-h

Sudo-l

Sudo-v

Sudo-k

Sudo-s

Sudo-h

sudo [-b] [-P prompt] [-u username/#uid]-S

Usage: sudo command

Description: Executes the instruction as the System Manager, that is, the command executed through sudo is like root in person.

Parameters:

-V Display version number

-H shows how the version number and instructions are used

-L Displays the permissions of its own (executing sudo's users)

-V because Sudo does not execute in the first execution or in n minutes (n preset five) asks the password, this parameter is a redo confirmation, if more than n minutes, will also ask the password

-K will force the user to ask the password the next time sudo is executed (no more than N minutes)

-B The instructions to be executed are placed in the background execution

-P Prompt can change the prompt for the password, where%u will be substituted to the user's account name,%H will display the host name

This paper url:http://www.bianceng.cn/os/linux/201410/45603.htm

-U username/#uid without this parameter, the representative is to execute the instruction as root, and with this parameter, you can execute the instruction as username (#uid the user number of the username)

-S executes the shell specified by the shell in the environment variable, or the shell specified in the/etc/passwd

-h Specifies the home directory in the environment variable as the user's home directory to change identity (e.g., no-u parameter is System Manager root)

command to be executed as a system administrator (or change with-u to someone else)

Example:

SUDO-L Lists the current permissions

SUDO-V List sudo version information

Directive Name: sudoers (This command cannot be found under FC5, but it can be traced using man.) ）

Used to show users who can use sudo

Configuration of Sudoers

Sudoers is the main configuration of sudo, Linux is usually under the/etc directory, if it is Solaris, default does not install sudo, compiled after installation is usually in the installation directory of the ETC directory, but no matter where the sudoers file, sudo provides a command to edit the file: Visudo to modify the file. It is highly recommended to use this command to modify sudoers, because it will help you verify that the file configuration is correct, if not correct, you will be prompted when the save exit which configuration error.

To get to the bottom of this, here's how to configure Sudoers

First write the default configuration for sudoers:

#############################################################

# sudoers file.

#

# This file must is edited with the ' Visudo ' command as root.

#

# and the Sudoers man page is for the details on how to write a sudoers file.

#

# Host alias Specification

# User alias Specification

# CMND alias Specification

# Defaults Specification

# User Privilege Specification

Root all= (All)

# Uncomment to allow people in group wheel to run all commands

#%wheel all= (All)

# Same thing without a password

#%wheel all= (All) Nopasswd:all

# Samples

#%users All=/sbin/mount/cdrom,/sbin/umount/cdrom

#%users Localhost=/sbin/shutdown-h Now

##################################################################

1. The simplest configuration, let ordinary user support have root all rights

After performing the Visudo, you can see that there is only one configuration by default:

Root all= (All)

Then you can add a second configuration below:

Support All= (All)

In this way, normal user support can perform all commands for root permissions

After logging in as a support user, execute:

sudo su-

Then enter the support user's own password, you can switch to the root user

2. Let ordinary users support only on a few servers, the execution of some of the commands root can be executed

First you need to configure some alias, so that when you configure permissions below, it will be easier not to write large sections of the configuration. The alias is mainly divided into 4 kinds

Host_alias

Cmnd_alias

User_alias

Runas_alias

1) configuration Host_alias: Is the list of hosts

Host_alias Host_flag = hostname1, hostname2, Hostname3

2 Configure Cmnd_alias: The list of commands that are allowed to execute, Plus! Indicates that the command cannot be executed.

command must use absolute path, avoid other directories with the same name command is executed, causing security risks, so use the time is also using absolute path!

Cmnd_alias Command_flag = Command1, Command2, Command3,!command4

3) Configure User_alias: Is the list of users with sudo permissions

User_alias User_flag = user1, User2, User3

4 Configure Runas_alias: Is the list of what the user performs (for example, root, or Oracle)

Runas_alias Runas_flag = Operator1, Operator2, Operator3

5) Configure permissions

The configuration permissions are formatted as follows:

User_flag host_flag= (Runas_flag) Command_flag

If you do not need password validation, then configure it in this format

User_flag host_flag= (Runas_flag) Nopasswd:command_flag

Configuration Example:

############################################################################

# sudoers file.

#

# This file must is edited with the ' Visudo ' command as root.

#

# and the Sudoers man page is for the details on how to write a sudoers file.

#

# Host alias Specification

Host_alias EPG = 192.168.1.1, 192.168.1.2

# User alias Specification

# CMND alias Specification

Cmnd_alias SQUID =/opt/vtbin/squid_refresh,!/sbin/service,/BIN/RM

Cmnd_alias ADMPW =/usr/bin/passwd [a-za-z]*,!/usr/bin/passwd,!/usr/bin/passwd root

# Defaults Specification

# User Privilege Specification

Root all= (All)

Support Epg= (All) nopasswd:squid

Support Epg= (All) NOPASSWD:ADMPW

# Uncomment to allow people in group wheel to run all commands

#%wheel all= (All)

# Same thing without a password

#%wheel all= (All) Nopasswd:all

# Samples

#%users All=/sbin/mount/cdrom,/sbin/umount/cdrom

#%users Localhost=/sbin/shutdown-h Now

###############################################################

This article is from "Richard's notes-accumulate micro Cheng" blog, please be sure to keep this source http://zxf261.blog.51cto.com/701797/748756