Differences between linux su and sudo commands: linuxsusudo commands
I. Use the su command to temporarily switch user identities1. Conditions and power of su
The su command is a tool for switching users. How can this problem be solved? For example, if we log on as a normal user beinan, but want to add a user task and execute useradd, The beinan user does not have this permission, and this permission is exactly owned by the root user. There are two solutions. One is to log out of the beinan user and log in again as the root user, but this method is not the best. The other is that we do not need to log out of the beinan user, you can use su to switch to the root directory to add users. After the task is completed, exit root. We can see that, of course, using su switching is a better way;
Su allows users to switch between users. If the super-Permission User root switches to a common or virtual user without a password, what is power? That's it! The password verification is required for normal users to switch to other users;
2. su usage:
Su [OPTION parameter] [user]
-,-L, -- log on to login and change to the switched user environment;
-C, -- commmand = COMMAND: execute a COMMAND and then exit the switched user environment;
For more details, see man su;
3. Examples of su:
1) su does not add any parameters
The default value is to switch to the root user, but it is not transferred to the root user's home directory. That is to say, although it is switched to the root user, the root logon environment is not changed. The default logon environment of the user is, you can find it in/etc/passwd, including the Home Directory and SHELL definition;
[Beinan @ localhost ~]? $ Su root
Password:
[Root @ localhost beinan] # pwd
/Home/beinan
2) su plus parameters-
Indicates that the system switches to the root user by default and changes to the root user's environment;
[Beinan @ localhost ~] $ Pwd
/Home/beinan
[Beinan @ localhost ~] $ Su-
Password:
[Root @ localhost ~] # Pwd
/Root
3) su parameter-User Name
[Beinan @ localhost ~] $ Su-root note: this is the same as su;
Password:
[Root @ localhost ~] # Pwd
/Root
[Beinan @ localhost ~] $ Su-linuxsir Note: switching to linuxsir user
Password: enter the Password here;
[Linuxsir @ localhost ~] $ Pwd Note: view the current user location;
/Home/linuxsir
[Linuxsir @ localhost ~] $ Id Note: Check the UID and GID information of the user, mainly to see whether the switch is over;
Uid = 505 (linuxsir) gid = 502 (linuxsir) groups = 0 (root), 500 (beinan), 502 (linuxsir)
[Linuxsir @ localhost ~] $ Exit note: exit
Logout
[Beinan @ localhost ~] $
[Beinan @ localhost Desktop] $ su--c ls Note: This is a combination of su parameters, which indicates to switch to the root user, change to the root environment, and then list the files in the root directory, then exit the root user;
Password: Enter the root Password here;
Anaconda-ks.cfg install. log. syslog mydate1 mytask. sh Videos Note: List Files in the root directory;
Desktop jdk mydate2 Pictures workspace
Documents jdk-6u13-linux-i586.bin mydate3 Public Workspaces
Downloads Linux mydate4 software
Install. log Music MyEclipse 2015 Templates
[Beinan @ localhost Desktop] $ note: the root user is automatically exited;
[Beinan @ localhost Desktop] $ pwd
/Home/beinan/Desktop
[Beinan @ localhost Desktop] $ id Note: Check whether the switchover is successful;
Uid = 506 (beinan) gid = 506 (beinan) groups = 506 (beinan) context = unconfined_u: unconfined_r: unconfined_t: s0-s0: c0.c1023
[Beinan @ localhost Desktop] $
4. Advantages and Disadvantages of su;
Su is indeed convenient for management. By switching to root, all system management tools can be completed, as long as the root password is handed over to any common user, he can switch to the root to complete all the system management work. However, after su switches to the root, there are also insecure factors. For example, the system has 10 users who are also involved in the management. If these 10 users are involved in the use of super permissions, if the administrator wants other users to switch to the super-Permission root through su, the root permission password must be told to these 10 users; if these 10 users have the root permission and can do anything through the root permission, the system security will be caused by the threat Association to a certain extent; think about Windows, it is a nightmare; "There is no insecure system, and there are only insecure people." We cannot guarantee that these 10 users can manage the system according to the normal operation process, any major mistake made to system operations may result in system crash or data loss. Therefore, the su tool is not the best choice in system management involving many people, su is only applicable to systems where one or two people participate in management. After all, su cannot be used by common users. It is absolutely true that the root password of a Super User should be in the hands of a few users! Therefore, the existence of centralized governance still makes sense;
II. The su authorized by sudo is also restricted.1. Applicable Conditions for sudo
Due to su's unrestricted permissions after switching to the super-Permission User root, su cannot act as a system managed by multiple administrators. If su is used to switch to a Super User to manage the system, it is not clear which operations are performed by the Administrator. Especially when many people are involved in server management, it is best to assign specific permissions to the technical expertise and management scope of each administrator, and specify the tools used to complete the work related to it, so we need to use sudo.
Through sudo, We can delegate certain super permissions to specific users without requiring common users to know the root password. Therefore, sudo is safer than su with unrestricted permissions, therefore, sudo can also be referred to as restricted su. In addition, sudo requires authorization, so it is also called the authorization permission su;
2. sudo Command Execution Process 1) authorize the user
The current user switches to the root user (or another user specified to switch to), and then runs the command as root (or another user specified to switch to). After the command is executed, it is directly returned to the current user; the premise is that the sudo configuration file/etc/sudoers should be used for authorization;
For example, if we want to use the beinan ordinary user to pass the content of the more/etc/shadow file, the following may occur;
[Beinan @ localhost ~] $ More/etc/shadow
/Etc/shadow: Permission denied note: the Permission is insufficient.
[Beinan @ localhost ~] $
In this case, we can use sudo more/etc/shadow to read the file content. We need to authorize beinan in/etc/soduers; so we can first su to the root user to change/etc/sudoers through mongodo; (for example, we use the beinan user to log on to the system)
[Beinan @ localhost ~] $ Su
Password: Note: Enter the root Password here.
[Root @ localhost beinan] # mongodo Note: Run mongodo to modify/etc/sudoers.
Beinan ALL =/bin/more, exit and save;
Note: The vi editor is also used for mongodo. beinan ALL =/bin/more indicates that beinan can switch to root and execute more to view the file. Return it to beinan and run the exit command;
[Root @ localhost beinan] # exit
Exit
[Beinan @ localhost ~] $
2) The beinan user executes the root permission to view which commands beinan can execute through sudo.
[Beinan @ localhost ~]? $ Sudo-l
Password: Note: enter the Password of the beinan user here.
User beinan may run the following commands on this host:
(Root)/bin/more note: here we clearly describe that on this host, beinan users can run more with root permissions; more with root permissions, you can view the content of any text file;
Finally, let's see if the beinan user can see the content of the/etc/shadow file;
[Beinan @ localhost ~] $ Sudo more/etc/shadow
Root: $1 $ mKOQVMQ8 $ kg3pR0NI4XBgX8KTk4OJI/: 16541: 0: 99999: 7 :::
Bin: *: 15980: 0: 99999: 7 :::
Daemon: *: 15980: 0: 99999: 7 :::
Adm: *: 15980: 0: 99999: 7 :::
Lp: *: 15980: 0: 99999: 7 :::
Sync: *: 15980: 0: 99999: 7 :::
Shutdown: *: 15980: 0: 99999: 7 :::
Halt: *: 15980: 0: 99999: 7 :::
Mail: *: 15980: 0: 99999: 7 :::
Beinan can not only view the content of the/etc/shadow file, but also the content of other files that can only be viewed under root permissions, such;
[Beinan @ localhost ~] $ Sudo more/etc/gshadow
[Sudo] password for beinan:
Root :::
Bin: bin, daemon
Daemon: bin, daemon
Sys: bin, adm
Adm: adm, daemon
Tty :::
Disk :::
Lp: daemon
Mem :::
Kmem :::
Wheel :::
Mail: mail, postfix
Uucp :::
For the beinan user to view and read all the system files, I just want to view the/etc/shadow content for him; you can add the following line;
Beinan ALL =/bin/more/etc/shadow
Digress: some brothers will say that I can see all the content I want to see by switching su to the root user. Haha, right. But aren't we talking about sudo's usage now? If there are multiple users on the host who do not know the password of the root user but want to view some files they do not see, the administrator needs to authorize them. This is the benefit of sudo;
3) The user group is written in/etc/sudoers.
If the user group appears in/etc/sudoers, add the "%" sign before it. For example, % beinan cannot contain spaces. % beinan ALL =/usr/sbin/*,/sbin /*
If we add the above line in/etc/sudoers, it indicates all the members in the beinan user group, under all possible host names, all commands under the/usr/sbin and/sbin directories can be switched to the root user;
4) cancel the execution of a program
To cancel the execution of a program, you must add it before the command action! In this example, the wildcard * usage is also displayed;
Beinan ALL =/usr/sbin/*,/sbin /*,! /Usr/sbin/fdisk Note: add this rule to/etc/sudoers. However, you must have the beinan user group and beinan is in this group;
This rule indicates that the beinan user runs all programs under/usr/sbin and/sbin on all hosts with all possible host names, except for the fdisk program;
[Beinan @ localhost ~] $ Sudo-l
Password: Note: enter the Password of the beinan user;
User beinan may run the following commands on this host:
(Root)/usr/sbin/* (root )! /Sbin/fdisk
[Beinan @ localhost ~] $ Sudo/sbin/fdisk-l
Sorry, user beinan is not allowed to execute '/sbin/fdisk-L' as root on localhost.
Note: you cannot switch to the root user to run the fdisk program;
If you have sudo permission but do not have su permission: sudo su;
References http://www.jb51.net/LINUXjishu/12713.html