Applying su and sudo on Linux systems

Source: Internet
Author: User

In daily operation, to avoid mistakes and to manage the system more securely, you usually work as an ordinary user rather than as root. When you need to run an administrator command, you switch to the root user to execute it.

There are two ways for a normal user to switch to the root user: su and sudo.

1. su -

(su stands for "switch user")

Format: su -l USERNAME (-l stands for login)

The l in -l can be omitted, so this command is often written as su - USERNAME

If you do not specify USERNAME, the default is root, so the command to switch to root is su - root, or simply su -

Example 1: The normal user user1 knows the root account's login password and needs to view the file /etc/shadow without logging off.

For example, when user1 tries to view /etc/shadow, access is denied. After switching to root with su -, the file can be viewed normally.

You can then return to the original user with the exit or logout command, or with the shortcut Ctrl+D.

2. su - versus su

A user can also switch with su USERNAME directly. It differs from su - USERNAME as follows:

su - USERNAME switches to the new user and to the new user's working environment

su USERNAME switches the user but keeps the original user's working directory and other environment variables

For example, compare the results of the two commands:

3. sudo

Switching users with su requires knowing the target user's login password; even to switch to root, you need the root user's login password. As the administrator holding root, how can you authorize other ordinary users to run root commands without them knowing the root password? This is where sudo comes in.

sudo is a privilege management mechanism that relies on /etc/sudoers, which defines which users are authorized to run administrative commands as an administrator.

Format: sudo -u USERNAME COMMAND

When a normal user uses sudo to run a command as root, the -u USERNAME after sudo can be omitted; that is, sudo COMMAND runs the command as the root user.

By default, only the root user can execute the sudo command. To authorize other ordinary users to use sudo, the root user must edit sudo's configuration file /etc/sudoers with the visudo command.

For example, if the normal user account user4 uses sudo to run tail /etc/shadow as root, sudo reports that user4 is not defined in the sudoers file and cannot run this command.

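sudo command

Syntax: sudo [-bhHpV][-s ][-u <user>][command] or sudo [-klv]

Parameters:

-b  Run the command in the background.
-h  Show help.
-H  Set the HOME environment variable to the HOME of the new identity.
-k  End the password validity period, so that the next sudo run requires the password again.
-l  List the commands the current user can and cannot run.
-p  Change the password prompt.
-s  Run the specified shell.
-u <user>  Use the specified user as the new identity. Without this parameter, root is used as the new identity by default.
-v  Extend the password validity period by 5 minutes.
-V  Show version information.
-S  Read the password from standard input instead of the terminal.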


4. sudoers

The configuration file for sudo is /etc/sudoers.

The sudoers file allows the specified users to run various commands as root without needing to know the root user's login password. This file must be edited with the visudo command. (visudo performs basic sanity checks and checks for parse errors, which gives a quick validity check as well as a syntax check.)

Looking at the sudoers file, there is a line that allows the root user, logged in from any host, to use sudo to switch to any user's identity and execute all commands.

The sudoers file also has two lines that define how groups may use the sudo command.

Example 2: Configure the normal user user4 so that it can use sudo to change, as root, the login password of every other user, but cannot change the root user's login password.

Before being authorized, user4 uses sudo to change user1's password as root; sudo reports that user4 is not defined in the sudoers file and cannot run the command, and that this event will be reported.

Run the visudo command to edit the sudoers file and add one line: the user account is user4, it may log in from any host, and it may execute three commands. (Running the passwd command as root without a user name changes the root user's password; handling that case is the function of the first command.) With this line, user4 can change the login password of every user except the root user.

After that, user4 can successfully change user1's password with sudo as root (without needing to know the root password, entering only its own password), but cannot change the root password.

Example 3: Configure the group Administrators so that all of its members can use sudo to execute all commands as root without having to verify their own account password.

Edit the sudoers file with the visudo command and add the following line, which completes the configuration.

After that, the member user1 can use sudo to execute all commands as root without verifying their own account password.
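The sudoers lines that Examples 2 and 3 describe are not reproduced on this page. The fragment below is an added example, not the original author's lines: it follows the passwd pattern shown in the sudoers manual, and the lowercase names user4 and administrators and the path /usr/bin/passwd are assumptions.

```sudoers
# Added example (assumed names and paths); edit with visudo only.

# Example 2: user4 may change any user's password as root, except root's.
# sudo matches the arguments as one string:
#   - "/usr/bin/passwd [A-Za-z]*" requires an argument that starts with a
#     letter, so a bare "sudo passwd" (which would change root's own
#     password) is not permitted;
#   - "!/usr/bin/passwd *root*" removes every command line that mentions
#     root. The deny pattern is kept broad because the trailing "*" in the
#     allow pattern also matches any further words after the user name.
#     Side effect: account names that merely contain "root" are denied too.
user4   ALL=(root)  /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*

# Example 3: every member of the group administrators may run any command
# as root without being asked for their own password. NOPASSWD removes the
# re-authentication step, so any session opened as a group member is
# equivalent to a root session; keep the group membership small.
%administrators ALL=(root)  NOPASSWD: ALL
```

After saving, visudo -c checks the file for syntax errors, and sudo -l -U user4 (run as root) lists what user4 is allowed to run.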

Attached: the explanations of su and sudo from their man pages:

su - run a shell with substitute user and group IDs

Runs a shell as a substitute user. (That is, after su, the user identity of the current shell has changed.)

sudo - execute a command as another user

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

Executes a command as a different user. As specified in the security policy, sudo allows authorized users to execute commands as the superuser or as other users. (That is, sudo only executes the command temporarily as a different user and does not switch identities.)

su -c

Of course, su can also run a command temporarily as another user without switching user identities.

With the -c option, you can run a command temporarily as root, for example:

/bin/su -

You can also configure the sudoers file to authorize other ordinary users to switch to another user and then execute commands without having to add sudo every time. For example, simply define the normal user user4 in the sudoers file.

After that, user4 only needs to run sudo su - once to switch to the root identity.

Note: the test environment is VMware Workstation 9 with CentOS 6.4.

Reprinted from: http://zebralinux.blog.51cto.com/8627088/1369301
