Differences between su and sudo in Linux permissions

Source: Internet
Author: User

Many files can only be modified by root, so for day-to-day development we recommend logging in with an ordinary account. Recall the SSH discussion earlier: we also set PermitRootLogin to no, and switch to root only when necessary, to limit the risk. So how do we switch identities?

1. su

su (substitute user) is the simplest way to switch identities. With su you can switch to any user: normally su - username, then enter that user's password. The root user is the exception: root does not need a password when switching to another identity with su. At first I used su for switching; later the boss saw this and said switching that way was not good, and that I should try other methods. I found it very convenient, so where is the problem? Let's look at the second method of switching identities.

Usually we switch to root to do something only root can do, such as editing a configuration file or downloading and installing software. Switching to root can be a bare su, or su - (equivalently su - root); the latter two are the same thing.

A bare su switches to root but keeps the current shell environment (a non-login shell): most variables are not changed, in particular PATH, so root-only commands living in /sbin or /usr/sbin often have to be run by absolute path, and you also inherit the original user's HOME and shell settings. In other words, a bare su only changes the identity. su - (with the dash) starts a login shell instead: it behaves as if root had logged in, loading root's profile and environment, and you carry on from there.

If we only need root for a single operation, add the -c parameter: su -c 'command'. The command runs as root and afterwards we are automatically back in our own identity, which is very convenient.

But if many people administer this host, does every one of them need to know the root password, some of them perhaps for a single root operation? At that point su is no longer a good fit: the fewer people who know the root password, the more secure the system. This is where the second method comes in.

2. sudo

In contrast to su, where switching identities requires the target user's password (usually root's), sudo only asks for the user's own password to execute a command as another user, most often root. And not everyone can use sudo:

Here I wanted to view the first three lines of the /etc/shadow file but could not; the error says the current user is not in the sudoers file. So sudo depends on the /etc/sudoers configuration file (sudo -l shows what the current user is allowed to run). The execution of sudo follows this process:

1) when the user runs sudo, the system checks in /etc/sudoers whether that user is permitted to run the requested command;

2) if so, the user is asked for a password. Note that this is the user's own password, not root's;

3) if the password is correct, the command after sudo is executed. No password is needed when root runs sudo, or when the target user is the same as the invoking user.

Let's take a look at the configuration file/etc/sudoers:

Why, at first, could only root run sudo? Switch to root and view the /etc/sudoers configuration file with visudo. With vim /etc/sudoers you can read it, but you should not modify it that way: the file is read-only, it has a strict syntax, and a syntax error can lock every administrator out of sudo, so it must only be edited through visudo, which locks the file and checks the syntax before saving. The line in the first red box, root ALL=(ALL) ALL, means the following: the first column, root, is the user account; the second column, ALL, is the host the rule applies to (ALL matches any host name); the ALL in parentheses in the third column is the identity that may be switched to; and the final ALL is the list of commands that may be run.

1). sudoers syntax for a single user:

If I want my current user to be able to do everything root can, I only need to add one line: learnpython ALL=(ALL) ALL. But if many people need to run sudo, writing one line per person is tedious, so we use user groups.

2). use a user group in sudoers:

Look at the line in the second red box: %wheel ALL=(ALL) ALL. The % prefix means wheel is a user group. If we add all the users who need to perform root operations to the wheel group (or to a custom group of our own) and add one such line, we no longer have to add users one at a time. Isn't that easier?

3). restrict sudo permissions:

Often, however, a user should only have the permissions needed for the task they are responsible for. Someone who manages passwords, for example, should only be allowed to manage passwords and nothing else, which calls for finer-grained control. If I want my current user to manage passwords, that is, to let learnpython run the passwd command on root's behalf to change users' passwords, I just add the line learnpython ALL=(root) /usr/bin/passwd, and then learnpython can use the passwd command:

However, if learnpython simply runs sudo passwd with no argument, passwd changes the password of the user it runs as, which is root. We certainly do not want normal users to be able to change the root password, so the command arguments must be restricted as follows:

[root@localhost ~]# visudo
learnpython    ALL=(root)    !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

Read the entries in order: passwd with any arguments is denied (a command listed without arguments matches any argument list), passwd with an argument starting with a letter is allowed, and passwd root is denied again; when several entries match, the last one wins. One caveat, which the sudoers manual points out for this very example: the arguments are matched as a single concatenated string, so the * wildcard can match several words. On GNU systems passwd accepts options after the user name, so sudo passwd root --expire still matches the allowed pattern and slips past the !/usr/bin/passwd root entry.
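To make the matching rules concrete, here is an added example that is not part of the original article: a small POSIX shell emulation of how sudoers evaluates the passwd entry above (arguments joined into one string, each Cmnd argument pattern applied as a shell glob, last matching entry wins). The rule list and the argument strings are hypothetical and nothing is read from /etc/sudoers.

```sh
#!/bin/sh
# Added example, not from the original article: emulate how sudoers matches
# the passwd rule above, to show why the rule is narrower than it looks.
# sudoers matches a Cmnd's argument pattern as a shell glob against ALL of
# the user's arguments joined into one string; a Cmnd with no arguments in
# sudoers matches any argument list; when several entries match, the last
# one wins. Rules here are hypothetical, nothing is read from /etc/sudoers.

# match_args PATTERN ARGS -> exit 0 if ARGS matches PATTERN under those rules
match_args() {
    pat=$1
    given=$2
    [ -z "$pat" ] && return 0              # no arguments in sudoers: matches anything
    case $given in                          # unquoted $pat acts as a glob pattern
        $pat) return 0 ;;
    esac
    return 1
}

# verdict_for RULES ARGS: RULES is one "allow|deny <pattern>" entry per line,
# in sudoers order; prints the verdict sudoers would reach (last match wins).
verdict_for() {
    rules=$1
    args=$2
    verdict=deny                            # no matching entry at all: denied
    while read -r action pattern; do
        [ -z "$action" ] && continue
        if match_args "$pattern" "$args"; then
            verdict=$action
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$verdict"
}

# The article's entry, as ordered (verdict, argument pattern) pairs:
#   !/usr/bin/passwd   /usr/bin/passwd [A-Za-z]*   !/usr/bin/passwd root
PASSWD_RULES='deny
allow [A-Za-z]*
deny root'

# passwd_check "ARGS" -> allow/deny for: sudo passwd ARGS
passwd_check() {
    verdict_for "$PASSWD_RULES" "$1"
}

for a in "" alice root "root --expire" "-d root"; do
    printf 'sudo passwd %-16s -> %s\n' "'$a'" "$(passwd_check "$a")"
done
```

The last two cases are the interesting ones: an option placed first (-d root) is blocked because it does not start with a letter, but root --expire is allowed, since the glob swallows the trailing words and the deny entry only matches the exact string root. If that matters, grant a wrapper script that accepts exactly one user name and refuses root, rather than passwd itself.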

4). use aliases in sudoers

When viewing the sudoers file you will see User_Alias, Host_Alias and Cmnd_Alias; these are all aliases. User_Alias names a list of users (the first column of a rule), Host_Alias a list of hosts (the second column), and Cmnd_Alias a list of commands that may be run (the fourth column). There is also Runas_Alias, which my initial sudoers did not contain: it names a list of identities the command may be run as (the third column, in parentheses).

So if you have several password administrators, you can add the following:

[root@localhost ~]# visudo
User_Alias PWMNG = manager1, manager2, manager3
Cmnd_Alias PWCMD = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
PWMNG    ALL=(root)    PWCMD

5). sudo with su

So far we only run a command as another user and return to our own identity afterwards. If we want to switch directly to root as su does, and then do whatever we want, change the command to /bin/su -, as shown below:

[root@localhost ~]# visudo
User_Alias ADMINS = user1, user2, user3
ADMINS    ALL=(root)    /bin/su -

Of course, this needs careful thought: user1, user2, user3 and so on switch directly to root, and after the switch they are the boss. Granting /bin/su - (or a shell such as /bin/bash, or ALL) is equivalent to handing out full root; the only difference from su is that the root password itself stays secret. If the goal is simply a root login shell, sudo -i does the same as su - and needs a rule that allows root's shell.
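Because such grants are easy to lose sight of once they hide behind groups and aliases (sections 2) to 5) above), here is an added example, not part of the original article: a small POSIX shell audit that lists every user specification in a sudoers file that amounts to "become root", meaning a command list of ALL or one containing su or a shell, even when it is reached through a Cmnd_Alias. It runs on a constructed sample file rather than the real /etc/sudoers, and it does not follow @include/#include directives or /etc/sudoers.d.

```sh
#!/bin/sh
# Added example, not from the original article: a small audit of a sudoers
# file that lists every user specification amounting to "become root": a
# command list of ALL, or one containing su or a shell, including when that
# is hidden behind a Cmnd_Alias. It reads a constructed sample file, not
# /etc/sudoers, and does not follow @include/#include or /etc/sudoers.d.

# audit_sudoers FILE -> prints "<user-or-alias>: <offending command>" per rule
audit_sudoers() {
    awk '
    # rootish(list, depth): 1 if any comma-separated entry is ALL, su or a
    # shell; Cmnd_Alias names are expanded recursively (depth-limited).
    function rootish(list, depth,    n, parts, i, c) {
        if (depth > 5) return 0
        n = split(list, parts, /,/)
        for (i = 1; i <= n; i++) {
            c = parts[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            sub(/^([A-Z]+:[ \t]*)+/, "", c)      # strip NOPASSWD: etc. tags
            if (c in alias) {
                if (rootish(alias[c], depth + 1)) return 1
                continue
            }
            if (c == "ALL" || (c " ") ~ /^\/(usr\/)?bin\/(su|sh|bash) /) {
                why = c
                return 1
            }
        }
        return 0
    }
    # pass 1 (first copy of the file): collect Cmnd_Alias definitions
    NR == FNR {
        if ($0 ~ /^[ \t]*Cmnd_Alias[ \t]/) {
            line = $0
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            name = substr(line, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            alias[name] = substr(line, eq + 1)
        }
        next
    }
    # pass 2 (second copy): examine user specifications only
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias|Cmnd_Alias)/ { next }
    /=/ {
        spec = $0
        sub(/^[^=]*=/, "", spec)                  # keep the part after "HOST ="
        sub(/^[ \t]*\([^)]*\)/, "", spec)         # drop the "(runas)" list
        if (rootish(spec, 0)) print $1 ": " why
    }' "$1" "$1"
}

# make_sample_sudoers -> writes a constructed sudoers file and prints its path
make_sample_sudoers() {
    f=${TMPDIR:-/tmp}/sample_sudoers.$$
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults    timestamp_timeout=5
User_Alias  ADMINS = user1, user2, user3
User_Alias  PWMNG = manager1, manager2, manager3
Cmnd_Alias  PWCMD = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
learnpython ALL=(root)      /usr/bin/passwd
PWMNG       ALL=(root)      PWCMD
ADMINS      ALL=(root)      /bin/su -
deploy      ALL=(root)      NOPASSWD: /usr/bin/systemctl restart app, SHELLS
backup      ALL=(root)      NOPASSWD: /usr/bin/rsync
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_sudoers)
audit_sudoers "$sample"
rm -f "$sample"
```

On the sample it reports root and %wheel (ALL), ADMINS (/bin/su -) and deploy (the SHELLS alias expands to /bin/sh), while the passwd-only rules for learnpython and PWMNG are left alone. This is a review aid, not a parser: the authoritative syntax check for a sudoers file you are about to install is visudo -c -f FILE.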

You may have noticed that when we run sudo repeatedly we are not asked for our password again for a while. This is a sudo default: after one successful password entry, sudo runs without prompting for five minutes (the timestamp_timeout option in sudoers; some distributions raise it). Setting Defaults timestamp_timeout=0 requires the password every time, and sudo -k discards the cached credential immediately.

3. Summary

Having understood su and sudo, you can see that sudo has many advantages. With su you must enter the target user's password, whereas sudo only needs your own, so the target user's password (usually root's) never has to be shared. For system administration, su hands the user all of root's rights at once, while sudo lets the work be divided: with /etc/sudoers configured carefully, each person gets exactly the commands they need, which protects the system while keeping responsibilities clear and orderly.
