A detailed guide to the application of the sudo command

Source: Internet
Author: User

Anyone who has used Linux has probably come across the sudo command, especially newcomers to Ubuntu, where any privileged command has to be prefixed with sudo before it will run. So what exactly is sudo? It is the command that governs everything: its name literally means "super user do!". You can also use su ("switch user"), but using su makes it easy for the system's root password to leak, which makes the system insecure. Because the root user's permissions are so broad, production systems rarely allow logging in directly as root; people log in as a normal user instead. When that normal user needs to perform routine maintenance, the traditional route is to su to root. To improve security, you can instead use sudo to authorize a user to run certain commands as a certain user on a certain host, which reduces the number of people who know the root password and improves system security.



The advantages of sudo:
① It authorizes a specified user to run specified administrative commands on a specified host.
② Auditing: selected administrative commands can be delegated to selected ordinary users, optionally restricted to certain hosts, and every operation is recorded in the log for later audit.

③ "Ticket system": authentication is time-limited. The first time a user runs sudo, a password is required to verify the user's identity; after success the user holds a "token" with a fixed lifetime (5 minutes by default).


sudo common parameters:

-V  display the version number
-h  display the version number and a description of how to use the command
-l  display the privileges of the current user (the user who ran sudo)
-v  sudo asks for a password the first time it is run, or when it has not been run for N minutes (N defaults to five); this option performs the confirmation again, and if more than N minutes have passed it also asks for the password
-k  force sudo to ask for the password the next time it is run (whether or not N minutes have passed)
-b  run the given command in the background

The process of using sudo:

sudo's authorization file is /etc/sudoers; only administrators can edit it.
1. Ways to edit the sudo authorization
① Open the file with vim:
Syntax highlighting works, but syntax errors are not detected, so this is not recommended.
② visudo: the dedicated sudoers editing tool
It checks for syntax errors and reports them when you finish editing; we recommend using this tool to edit /etc/sudoers.
Help documents: man visudo; man sudoers

③ Define the sudo authorization in /etc/sudoers
Syntax: who which_host=(whom) command
Who can execute which commands, on which hosts, as which user?


Using aliases in the sudo configuration file:

Alias (alias names are all defined in uppercase letters)
Host_Alias: defines a host alias; members are separated by commas
User_Alias: defines a user alias; members can be user names or group names (%groupname)
Cmnd_Alias: defines a command alias; commands that must not be executed can be listed with !, for example !/usr/bin/passwd root
Runas_Alias: defines which users the commands are run as
NOPASSWD: the user runs the command without entering a password
PASSWD: the user must enter a password to run the command


sudo example cases:

1. Authorize the user samlee to add users and change passwords, but not to change the root password (prevent the user from modifying the root password):

    # visudo
    samlee ALL=(root) /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root

Log in as samlee to test:

    $ sudo useradd samleetest                 # creating a user works
    [sudo] password for samlee:
    $ sudo passwd root                        # the root password cannot be changed
    Sorry, user samlee is not allowed to execute '/usr/bin/passwd root' as root on rsyncmaster.samlee.com.
    $ tail /etc/passwd | grep samleetest      # check the user that was added
    samleetest:x:503:503::/home/samleetest:/bin/bash

2. sudo alias definition and alias invocation

    # visudo
    User_Alias  USERADMIN = samlee, %admin
    Host_Alias  HOST = 172.16.0.0/16, 127.0.0.1
    Runas_Alias ADMIN = root
    Cmnd_Alias  COMMAND = /sbin/ifconfig, /bin/ping
    USERADMIN   HOST=(ADMIN) COMMAND

Log in as samlee and test the authorized commands:

    # create the test user and test group
    # groupadd admin
    # useradd -g admin admin
    # passwd admin

    # test as the samlee user:
    $ sudo ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:D3:E4:53
              inet addr:172.16.100.7  Bcast:172.16.255.255  Mask:255.255.0.0
              inet6 addr: fe80::20c:29ff:fed3:e453/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:61839 errors:0 dropped:0 overruns:0 frame:0
              TX packets:60930 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6300546 (6.0 MiB)  TX bytes:11935948 (11.3 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

    # test as a user in the admin group:
    $ sudo ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:D3:E4:53
              inet addr:172.16.100.7  Bcast:172.16.255.255  Mask:255.255.0.0
              inet6 addr: fe80::20c:29ff:fed3:e453/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:62130 errors:0 dropped:0 overruns:0 frame:0
              TX packets:61216 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6324018 (6.0 MiB)  TX bytes:11965210 (11.4 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)
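An added example (not from the original article) for reviewing rules like the two cases above: a simplified parser that expands the aliases into the concrete users, hosts and commands, and flags any `!cmd args` exclusion whose binary is also granted with no argument restriction, since a command listed without arguments is allowed with any arguments and the exclusion is then the only control. It handles one alias or rule per line only; the names PAGE_RULES, TIGHTER, parse and audit are hypothetical, and TIGHTER uses the argument pattern from the sudoers(5) manual's examples.

```python
import re

ALIAS_RE = re.compile(r"^(?:User|Host|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*\(([^)]*)\)\s*(.+)$")

# Constructed sample: the two rules from this page.
PAGE_RULES = """\
User_Alias  USERADMIN = samlee, %admin
Host_Alias  HOST = 172.16.0.0/16, 127.0.0.1
Runas_Alias ADMIN = root
Cmnd_Alias  COMMAND = /sbin/ifconfig, /bin/ping
USERADMIN HOST=(ADMIN) COMMAND
samlee ALL=(root) /usr/sbin/useradd, /usr/bin/passwd, !/usr/bin/passwd root
"""
# Constructed variant: same grant, arguments constrained as in sudoers(5) examples.
TIGHTER = "samlee ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root\n"

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def expand(items, aliases):
    """Replace alias names by their members (nested aliases included)."""
    out = []
    for item in items:
        out.extend(expand(aliases[item], aliases) if item in aliases else [item])
    return out

def parse(text):
    """Return (who, hosts, runas, commands) per rule, with aliases expanded."""
    aliases, rules = {}, []
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    for line in lines:                      # pass 1: collect alias definitions
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
    for line in lines:                      # pass 2: expand the user rules
        m = None if ALIAS_RE.match(line) else SPEC_RE.match(line)
        if m:
            rules.append(tuple(expand(split_list(f), aliases) for f in m.groups()))
    return rules

def audit(text):
    """Flag '!cmd args' exclusions whose binary is also granted unrestricted."""
    findings = []
    for who, _hosts, _runas, cmds in parse(text):
        allowed = {c for c in cmds if not c.startswith("!")}
        for neg in (c for c in cmds if c.startswith("!")):
            binary = neg[1:].split()[0]
            if binary in allowed:           # bare path: any arguments match
                findings.append((who, binary, neg))
    return findings
```

Running `audit(PAGE_RULES)` reports the passwd grant from case 1, while `audit(TIGHTER)` returns an empty list because the allowed entry carries an argument pattern.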


This article is from the "Opensamlee" blog, make sure to keep this source http://gzsamlee.blog.51cto.com/9976612/1766795
