Differences between linuxsu and sudo commands

Differences between linuxsu and sudo commands 1. use the su command to temporarily switch user identities 1. the su command is a tool for switching users. how can this problem be solved? For example, if we log on as a normal user beinan, but want to add user tasks, execute useradd, beinan... differences between linux su and sudo commands 1. use the su command to temporarily switch user identities 1. su's applicability and power the su command is a tool for switching users. how can this problem be solved? For example, if we log on as a normal user beinan, but want to add a user task and execute useradd, the beinan user does not have this permission, and this permission is exactly owned by the root user. There are two solutions. one is to log out of the beinan user and log in again as the root user, but this method is not the best. The other is that we do not need to log out of the beinan user, you can use su to switch to the root directory to add users. after the task is completed, exit root. We can see that, of course, su switching is a good way; su can be used to switch between users. if the super-permission user root does not need a password to switch to a common or virtual user, what is power? That's it! A common user needs password verification to switch to any other user. 2. su usage: su [OPTION parameter] [user]-,-l, -- login logs on and changes to the switched user environment.-c, -- commmand = COMMAND executes a COMMAND and then exits the switched user environment. For more details, see man su; 3. example of su: su is switched to the root user by default without adding any parameters, but not to the root user's home directory, that is to say, although it is switched to the root user, it does not change the root login environment. the user's default logon environment can be found in/etc/passwd, including the home directory, SHELL definition, etc.; [beinan @ localhost ~]? $ SuPassword: [root @ localhost beinan] # pwd/home/beinan su add the parameter-, indicating that the system switches to the root user by default and changes to the root user environment; [beinan @ localhost ~]? $ Pwd/home/beinan [beinan @ localhost ~]? $ Su-Password: [root @ localhost ~] # Pwd/root su parameter-user name [beinan @ localhost ~]? $ Su-root note: This function is the same as su-. Password: [root @ localhost ~] # Pwd/root [beinan @ localhost ~]? $ Su-linuxsir note: This is the Password for switching to linuxsir. note: enter the Password here. [linuxsir @ localhost ~]? $ Pwd note: view the current user location;/home/linuxsir [linuxsir @ localhost ~]? $ Id note: Check the UID and GID information of the user, mainly to see whether the switch is over; uid = 505 (linuxsir) gid = 502 (linuxsir) groups = 0 (root ), 500 (beinan), 502 (linuxsir) [linuxsir @ localhost ~]? $ [Beinan @ localhost ~]? $ Su--c ls note: This is a combination of su parameters. it indicates that the system switches to the root user and changes to the root environment. then, it lists the files in the root directory and exits the root user. Password: note: Enter the root password here; anaconda-ks.cfg Desktop install. log install. log. syslog testgroup testgroupbeinan testgrouproot [beinan @ localhost ~]? $ Pwd note: view the current user's location;/home/beinan [beinan @ localhost ~]? $ Id note: view the current user information; uid = 500 (beinan) gid = 500 (beinan) groups = 500 (beinan) 4. Advantages and disadvantages of su; su does facilitate management, by switching to root, all system management tools can be completed. if the root password is handed over to any common user, he can switch to root to complete all system management work; however, when su is switched to root, there are also insecure factors. for example, the system has 10 users and all users are involved in management. If these 10 users are involved in the use of super permissions, if the administrator wants other users to switch to the super-permission root through su, the root permission password must be told to these 10 users; if these 10 users have the root permission and can do anything through the root permission, the system security will be caused by the threat association to a certain extent; think about Windows, it is a nightmare; "There is no insecure system, and there are only insecure people." We cannot guarantee that these 10 users can manage the system according to the normal operation process, any major mistake made to system operations may result in system crash or data loss. Therefore, the su tool is not the best choice in system management involving many people, su is only applicable to systems where one or two people participate in management. after all, su cannot be used by common users. it is absolutely true that the root password of a super user should be in the hands of a few users! Therefore, the existence of centralized governance still makes sense. the su authorized by sudo is also restricted. sudo is applicable because su has no restrictions on the permissions after switching to the super-permission user root, so su cannot act as a system managed by multiple administrators. If su is used to switch to a super user to manage the system, it is not clear which operations are performed by the administrator. Especially when many people are involved in server management, it is best to assign specific permissions to the technical expertise and management scope of each administrator, and specify the tools used to complete the work related to it, so we need to use sudo. Through sudo, we can delegate certain super permissions to specific users without requiring common users to know the root password. Therefore, sudo is safer than su with unrestricted permissions, therefore, sudo can also be referred to as restricted su. In addition, sudo requires authorization, so it is also called the authorization permission su; the sudo command execution process is that the current user switches to the root (or another specified user), and then runs the command as root (or another specified user). after the command is executed, directly return to the current user. The premise is that the sudo configuration file/etc/sudoers must be used for authorization; for example, if we want to use the beinan ordinary user to pass the content of the more/etc/shadow file, the following may occur; [beinan @ localhost ~]? $ More/etc/shadow: if the permission is insufficient, we can use sudo more/etc/shadow to read the file content; we need to authorize beinan in/etc/soduers, so we can first su to the root user and change/etc/sudoers through mongodo; (for example, we log on to the system as a beinan user.) [beinan @ localhost ~]? $ Su Password: Note: Enter the root Password here to run visodu; [root @ localhost beinan] # mongodo note: run mongodo to change/etc/sudoers by adding the following line and exit save; exit and save. vi will be used here, and the vi editor will also be used for mongodo; as for vi usage, I will not talk about it much; beinan ALL =/bin/more indicates that beinan can switch to root and execute more to view the file. return it to beinan and run the exit command; [root @ localhost beinan] # exit [beinan @ localhost ~]? $ View what commands can beinan execute through sudo? [Beinan @ localhost ~]? $ Sudo-l Password: Note: Here, enter the beinan User's Password User beinan may run the following commands on this host: Note: the instructions here are clear on this host, beinan users can run more with the root permission; more with the root permission can view the content of any text file; (root)/bin/more at the end, let's see if the beinan user can see the content of the/etc/shadow file; [beinan @ localhost ~]? $ Sudo more/etc/shadow beinan not only shows the content of the/etc/shadow file, but also the content of other files that can be viewed only with root permissions, such; [beinan @ localhost ~]? $ Sudo more/etc/gshadow for beinan users to view and read all system files, I just want to view the/etc/shadow content for them; you can add the following line; beinan ALL =/bin/more/etc/shadow topic: some brothers will say that I can see ALL the content I want to see through su switching to the root user. haha, right. But aren't we talking about sudo's usage now? If there are multiple users on the host who do not know the password of the root user but want to view some files they do not see, the administrator needs to authorize them. this is the benefit of sudo; example 5: The exercise user group is written in/etc/sudoers. if the user group appears in/etc/sudoers, add the "%" sign before the user group, for example, % beinan. no space is in the middle; % beinan ALL =/usr/sbin/*,/sbin/* if we add the above line in/etc/sudoers, it indicates ALL members in the beinan user group, all possible host names can be switched to all commands in the/usr/sbin and/sbin directories of the root user. example 6: exercise to cancel the execution of a program: to cancel the execution of a program, you must add it before the command action! In this example, the wildcard * usage is also displayed. beinan ALL =/usr/sbin/*,/sbin /*,! /Usr/sbin/fdisk note: Add this rule to/etc/sudoers. However, you must have the beinan user group and beinan is in this group; this rule indicates that the beinan user runs all programs under/usr/sbin and/sbin on all hosts with all possible host names, except for the fdisk program. [beinan @ localhost ~]? $ Sudo-l Password: Note: Enter the beinan User Password here; User beinan may run the following commands on this host :( root)/usr/sbin/* (root) /sbin/* (root )! /Sbin/fdisk [beinan @ localhost ~]? $ Sudo/sbin/fdisk-lSorry, user beinan is not allowed to execute '/sbin/fdisk-L' as root on localhost. note: you cannot switch to the root user to run the fdisk program. if you have the sudo permission but do not have the su permission: sudo su;