Sudo originated in the early 1980s and was first developed at the State University of New York at Buffalo; the University of Colorado later took over its development. Website: http://www.gratisoft.us/sudo/
Sudo is a tool that lets the system administrator allow ordinary users to execute some or all root commands, such as halt, reboot, and su. This reduces both the time root spends logged in and the administration effort, and it also improves security. Sudo is not a replacement for a shell: it applies to each command individually. It has the following features:
§ Sudo can restrict users to running only certain commands on a given host.
§ Sudo keeps detailed logs of what each user has done, and these logs can be sent to a central host or log server.
§ Sudo uses a timestamp file to implement a "ticket"-like system: when a user invokes sudo and enters their password, they receive a ticket that is valid for 5 minutes (this value can be changed at compile time).
§ Sudo's configuration file is the sudoers file, which lets the system administrator centrally manage user permissions and the hosts they apply to. It is stored at /etc/sudoers by default, and its permissions must be 0411.
1. Installation
Check whether sudo is installed:
[root@localhost ~]# rpm -q sudo
sudo-1.6.8p12-4.1
If it is not installed, download the source package and install it.
For most systems, configuring sudo is relatively simple:
0) $> cd /; cp sudo-1.6.8p12.tar.gz /
1) $> tar vxzf sudo-1.6.8p12.tar.gz
2) If you are upgrading from an older version, read the UPGRADE file carefully before upgrading.
3) If you have already run 'configure' for another host before compiling, you must run make distclean to clear the 'config.cache' file; otherwise 'configure' will not run again. You can also simply 'rm config.cache'.
4) Read the OS-dependent notes to check whether your system is supported.
5) $> cd sudo-1.6.8p12
6) Read the configure documentation and check the 'available configure options' section carefully to see whether special options are needed. There are many options; the main configuration parameters are:
--with-pam: support PAM. When this option is used, a valid /etc/pam.d/sudo file is required.
--cache-file=FILE: save the cached test results to FILE.
--help: print help.
--no-create: do not create the output files.
--quiet, --silent: do not print 'checking...' messages.
--exec-prefix=EPREFIX: set the directory that contains the sudo and visudo commands.
--bindir=DIR: install the sudo command into DIR (default EPREFIX/bin).
--sbindir=DIR: install the visudo command into DIR (default EPREFIX/sbin).
--sysconfdir=DIR: install the sudoers configuration file into DIR. The default is /etc.
--mandir=DIR: install the man pages into DIR. The default is /man.
--with-CC=PATH: path of the C compiler to use.
--with-skey: support S/Key OTP (one-time passwords).
--with-opie: support NRL OPIE OTP (one-time passwords).
--disable-shadow: turn off support for the shadow password system. By default sudo is compiled with shadow password support.
--with-sudoers-mode=MODE: file mode of the sudoers configuration file. The default is 0440.
--with-sudoers-uid=UID: owner ID of the sudoers configuration file. The default is 0.
--with-sudoers-gid=GID: group ID of the sudoers configuration file. The default is 0.
--without-passwd: do not require a password for user authentication.
--with-logging=TYPE: the log type, which can be 'syslog', 'file', or both.
--with-logpath=PATH: log file path and name. The default is /var/log/sudo.log.
--with-umask=MASK: umask used when running commands as root. The default umask is 0022.
--with-passwd-tries=TRIES: number of password attempts allowed before sudo logs the failure. The default is 3.
--with-timeout=MINUTES: time before sudo asks for the password again. The default is 5 minutes.
--with-password-timeout=MINUTES: how long the password remains valid, in minutes. The default is 5; 0 means the password is always valid.
--without-lecture: do not print the lecture the first time sudo is run.
--disable-root-sudo: the root user cannot run sudo.
--enable-log-host: record the host name in the log file.
--disable-path-info: do not show the sudo path when an error occurs.
For example: ./configure --with-timeout=10 --without-lecture --disable-root-sudo --disable-path-info --sysconfdir=/home/config/ --bindir=/bin --sbindir=/sbin
7) make
8) make install
2. Configuration
The command for editing the configuration file is visudo.
Default configuration file location: /etc/sudoers
[root@localhost ~]# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root    ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
[root@localhost ~]#
You can edit the sudoers configuration file with visudo, or modify the file directly; either way, it is best to read the sample.sudoers file that ships with sudo first, since it contains a very detailed example for reference.
# Part 1: user definitions. Users are divided into three groups: FULLTIMERS, PARTTIMERS, and WEBMASTERS.
User_Alias      FULLTIMERS = millert, mikef, dowdy
User_Alias      PARTTIMERS = bostley, jwfox, crawl
User_Alias      WEBMASTERS = will, wendy, wim
# Part 2: run-as categories.
Runas_Alias     OP = root, operator
Runas_Alias     DB = oracle, sybase
# Part 3: host groups. These are grouped arbitrarily, for easier management.
Host_Alias      SPARC = bigtime, eclipse, moet, anchor :\
                SGI = grolsch, dandelion, black :\
                ALPHA = widget, thalamus, foobar :\
                HPPA = boa, nag, python
Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias      SERVERS = master, mail, www, ns
Host_Alias      CDROM = orion, perseus, hercules
# Part 4: command definitions and their paths. Commands must be given as absolute paths, so that a same-named command in another directory cannot be run in their place, which would be a security risk. Always use the absolute path!
Cmnd_Alias      DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                        /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias      KILL = /usr/bin/kill
Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias      HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias      REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                         /usr/local/bin/tcsh, /usr/bin/rsh,\
                         /usr/local/bin/zsh
Cmnd_Alias      SU = /usr/bin/su
# Different defaults apply to different users. Here all syslog output goes to the auth facility; the FULLTIMERS group is not shown the lecture (the message printed on first use); millert need not enter a password when using sudo; and on the SERVERS hosts the log file is /var/log/sudo.log and every log line includes the year.
Defaults        syslog=auth
Defaults:FULLTIMERS     !lecture
Defaults:millert        !authenticate
Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
# root and members of the wheel group may do anything. To grant rights to a group, prefix the group name with %.
root            ALL = (ALL) ALL
%wheel          ALL = (ALL) ALL
# FULLTIMERS can run any command on any host without entering their own password.
FULLTIMERS      ALL = NOPASSWD: ALL
# PARTTIMERS can run any command on any host, but must first authenticate with their password.
PARTTIMERS      ALL = ALL
# jack can run any command on the CSNETS hosts (the 128.138.243.0, 128.138.242.0 and 128.138.204.0/24 subnets); note that the first two are written without a netmask, while the third must match its mask.
jack            CSNETS = ALL
# lisa can run any command on any host in the CUNETS (128.138.0.0) subnet.
lisa            CUNETS = ALL
# The user operator can run DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, and any command in /usr/logs/bin/.
operator        ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
                /usr/logs/bin/
# joe can run su to become operator.
joe             ALL = /usr/bin/su operator
# pete can change the password of any user except root.
pete            HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob can run commands as root or operator (the OP run-as group) on both the SPARC and SGI machines.
bob             SPARC = (OP) ALL : SGI = (OP) ALL
# jim can run any command on the hosts in the biglab netgroup; "+" is the prefix for a netgroup.
jim             +biglab = ALL
# Users in the secretaries netgroup can help manage printers and run the adduser and rmuser commands.
+secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred can run commands directly as the oracle or sybase database users.
fred            ALL = (DB) NOPASSWD: ALL
# john can run su on the ALPHA machines to become any user except root.
john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen can run any command on all machines except those in the SERVERS host group.
jen             ALL, !SERVERS = ALL
# jill can run all commands in /usr/bin/ on the SERVERS hosts, except su and the shells.
jill            SERVERS = /usr/bin/, !SU, !SHELLS
# steve can run any command in /usr/local/op_commands/ on the CSNETS hosts as the ordinary user operator.
steve           CSNETS = (operator) /usr/local/op_commands/
# matt can run the kill command on his personal workstation valkyrie.
matt            valkyrie = KILL
# Users in the WEBMASTERS group can run any command as the user www, or su to www, on the host www.
WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www
# Any user can mount or unmount the CD-ROM on the CDROM hosts without entering a password.
ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
                /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
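To make the matching rules in the file above concrete, here is a small matcher, added as an example (it is neither sudo's own code nor part of the original article), that evaluates the jen, jill, lisa and pete entries the way sudoers does: the items of a list are checked left to right and the last matching item wins, a leading ! negates, a path ending in / matches files directly in that directory, an entry that carries arguments is matched as a glob, and a host item containing / is a network in CIDR or dotted-netmask form. It assumes the host is given as a (hostname, ip) pair, and it ignores Runas lists, netgroups and escaped commas.

```python
import fnmatch
import ipaddress
HOST_ALIAS = {"HPPA": ["boa", "nag", "python"],  # copied from the sample sudoers above
              "CUNETS": ["128.138.0.0/255.255.0.0"],
              "SERVERS": ["master", "mail", "www", "ns"]}
CMND_ALIAS = {"SU": ["/usr/bin/su"],
              "SHELLS": ["/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh",
                         "/usr/local/bin/tcsh", "/usr/bin/rsh", "/usr/local/bin/zsh"]}
RULES = [("lisa", "CUNETS", "ALL"),  # (user, host list, command list); Runas ignored
         ("pete", "HPPA", "/usr/bin/passwd [A-z]*, !/usr/bin/passwd root"),
         ("jen", "ALL, !SERVERS", "ALL"),
         ("jill", "SERVERS", "/usr/bin/, !SU, !SHELLS")]

def host_matches(item, host):
    name, ip = host  # host is the (hostname, ip) pair of the machine sudo runs on
    if item in HOST_ALIAS:
        return any(host_matches(i, host) for i in HOST_ALIAS[item])
    if "/" in item:  # network in CIDR or dotted-netmask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)
    return item.lower() == name.lower()

def cmnd_matches(item, cmd):
    """cmd is a full command line, e.g. '/usr/bin/passwd alice'."""
    if item in CMND_ALIAS:
        return any(cmnd_matches(i, cmd) for i in CMND_ALIAS[item])
    path = cmd.split(" ", 1)[0]
    if item.endswith("/"):  # directory entry: files directly inside it, no subdirectories
        return path.rsplit("/", 1)[0] + "/" == item
    if " " in item:  # entry with arguments: glob-match the whole command line
        return fnmatch.fnmatchcase(cmd, item)
    return path == item  # bare path: any arguments are allowed

def last_match(spec, value, matches):
    """Scan a comma-separated list left to right; the last matching item decides."""
    decision = None
    for item in (s.strip() for s in spec.split(",")):
        name = item.lstrip("!")
        if name == "ALL" or matches(name, value):
            decision = not item.startswith("!")
    return decision  # None when no item matched

def allowed(user, host, cmd):
    """True if the last rule that applies to user on host permits cmd."""
    verdict = False
    for rule_user, hosts, cmds in RULES:
        if rule_user == user and last_match(hosts, host, host_matches):
            decision = last_match(cmds, cmd, cmnd_matches)
            verdict = verdict if decision is None else decision
    return verdict
```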
3. Usage
Command name: sudo
Permitted users: the users listed in /etc/sudoers
Usage: sudo -V
       sudo -h
       sudo -l
       sudo -v
       sudo -k
       sudo -s
       sudo -H
       sudo [-b] [-p prompt] [-u username/#uid] -s
Usage: sudo command
Description: executes commands as the system administrator; in other words, a command run through sudo behaves as if the root user had run it.
Parameters:
-V: display the version number.
-h: display the version number and usage instructions.
-l: display the permissions of the current user (the user running sudo).
-v: because sudo asks for the password on its first run or after n minutes (n is set to 5), this option renews the ticket; if more than n minutes have passed, the password is asked for again.
-k: force the next sudo run to ask for the password (whether or not n minutes have passed).
-b: run the command in the background.
-p prompt: change the password prompt; %u is replaced by the user's account name and %h by the host name.
-u username/#uid: without this option the command runs as root; with it, the command runs as username (#uid gives that user's numeric uid).
-s: run the shell given by the SHELL environment variable, or the shell listed in /etc/passwd.
-H: set the HOME environment variable to the home directory of the user being switched to (the system administrator root if -u is not given).
command: the command to run as the system administrator (or as another user, with -u).
Examples:
sudo -l   list the current user's permissions
sudo -V   show sudo version information
Command name: sudoers (under FC5 there is no such command, but its usage can be checked with man.)
Used to show which users may use sudo.
http://www.douban.com/group/topic/5530850/