Differences between Su and sudo for Linux permissions

We all know that very many files are only rooted to change, then in our usual development process is recommended to use the general account to login for development. Remember the ssh I mentioned earlier. We will also allow root login to be set to No. Switch to root when necessary to operate, so there is no risk.

So how do we switch identities?

1.su

Su is the simplest identity switch name, with Su we can do whatever the user's switch, is generally su-username, and then input password OK, but the root with Su switch to other identity when the time is not required to input password. At first I was using SU to switch, then the eldest brother saw that my way of switching is not good. You can try other ways to switch. I think this switch is very convenient ah, it is not good where it. Look at the other way of identity switch back to know.

In general, we switch identities to root, and then do something that is only root capable, such as changing the configuration file. For example, download the installation software. These are only the things that Root has authority to do. Switching to root can be purely su, or Su-and su-root, with the following two being the same meaning.

Simply using Su to switch to root, the way to read the variables is to non-login the shell, in such a way that very many variables will not change. Especially path. So the very many commands that Root uses can only be run with absolute paths. The only way to do this is to switch to the root identity.

In the case of Su-in this way, it is the login shell, which is logged in as root before running another operation.

Let's say we just need to switch to root to do a single operation, just add a-C to the SU after the number of parameters. After running this operation. We will switch back to our own identity. Very convenient.

So if there are very many people to manage this host, it is not very many people have to know the root of the password, and maybe some people simply do a root operation can be, this time, Su Way is not very good, rootpassword less people know the better, The less people know, the more secure they will be, and then another way is needed.

2.sudo

Compared to the SU switch identity needs the user's password, is often the need rootpassword,sudo only needs own password, can run the command as other user's identity. The command is often run as root. And not all of them can use sudo:

Here I want to see/etc/shadow the first three lines of this file, but found not to see, the hint of the error is that I am currently the user is not sudoers this file, so sudo is dependent on/etc/sudoers this configuration file.

sudo runs with such a process:

1). When the user runs sudo, the system finds in the/etc/sudoers file whether the user has permission to run sudo;

2). If the user has permission to run sudo. Then let the user enter the user's own password, note that the input here is the user's own password.

3). Assume that the password is correct. Start the command after sudo, root runs sudo is not required to input password, switch to the identity of the same time as the runner. There is no need to enter password.

Here's a look at/etc/sudoers this configuration file:

Why just start with Root can run sudo, switch to root identity through Visudo view/etc/sudoers This configuration file, assuming that Vim/etc/sudoers is able to view, but can not change, because sudoers this file is syntax, Can only be changed by Visudo. The first red box that line of code, what does this line of code mean? The first column of root does not have to say, is the user account, the second column of all means the source hostname of the login, the third column equals to the right of the parentheses in the all is to represent the ability to switch identities. The fourth column all is a command that can be run .

1). sudoers syntax for individual users:

Assuming I want my current user to be able to run all of root, I'll just add one line Learnpython all= (All). So suppose there are very many people who need to run sudo. That's not to write very many lines Ah, this is not very troublesome, so it is necessary to use the user group.

2). Use user groups to process Visudo:

Look at the second red box that line of code. %wheel represents the wheel user group. Let's say we're going to have to join the wheel user group or our own defined group of users who need to run the root operation. Then add a line of code. Then you do not have a user to join in a user, so it is not very convenient AH.

3). Restrict the user sudo permissions:

But often we don't need users to have that much authority. Just let them have the right to their area of responsibility. For example some people to manage password, we just let him be able to carry out password management, and do not let him have different authority, so need authority control.

Suppose I let my current user manage password. That is Learnpython this user can use passwd this command to help root change user password. Just add this line Learnpython all= (Root)/usr/bin/passwd, then learnpython This user will be able to use the passwd command:

But assuming that just run the sudo passwd command, the change is the root of the password, of course, we do not want ordinary users to have the ability to change the Rootpassword, then in the Visudo, you need to limit the number of commands. If you change to this:

[Email protected] ~]# Visudolearnpython    all= (Root)    !/usr/bin/passwd,/usr/bin/passwd [a-za-z]*,!/usr/bin/ passwd Root

4). Set Visudo by Alias

View Sudoers this file. You'll see User_alias. Host_alias and Cmnd_alias These things, they are all aliases, User_alias represents the list of users with sudo permissions, which is the first column of the parameters. Host_alias represents a list of hosts. is the second column of the parameters. Cmnd_alias a list of the commands that are agreed to run, that is, the fourth column of the parameters. There's a runas_alias. My initial sudoers is not, this indicates the user is logged in as to what identity. That is, the third column of the parameters.

So if you have a few password administrators, you can add code such as the following:

[Email protected] ~]# Visudouser_alias pwmng = Manager1, Manager2, Manager3cmnd_alias pwcmd =!/usr/bin/passwd,/usr/bin/ passwd [a-za-z]*,!/usr/bin/passwd rootpwmng    all= (root)    Pwcmd

5). Sudo paired with Su

Look from above. We all just switch to another user and then run the command, then we cut back to our own users. Suppose we want to switch to root directly like Su. And do what you want to do. At this time, change the order to/BIN/SU-. For example, the following:

[Email protected] ~]# Visudouser_alias ADMINS = user1, User2, User3admins    all= (Root)    /bin/su-

Of course this is a need to be cautious, because such users user1. User2,user3 and so on directly switch to root, after the switch they are the eldest.

Have found, when we use sudo continuously, in a certain time without re-entering our password, this is actually set by the system itself, in five minutes to run sudo only need to enter the password to be able to.

3. Summary

Knowing Su and sudo is not a good thing to find sudo. Su mode switching is required to enter the password of the target user. sudo only needs to enter its own password, so Sudo is able to protect the target user's password from outflow. When helping Root to manage the system, SU is directly to the user root all right. and Sudo can better division of labor, only to configure the/etc/sudoers, so that sudo can protect the system more secure, and the Division of labor clear, methodical.

Differences between Su and sudo for Linux permissions