Differences between the Linux su and sudo commands

Source: Internet
Author: User

I. Using the su command to temporarily switch user identity

1. Where su applies, and the power it grants

su is the tool for switching users. How should we understand that? For example, we log in as the ordinary user beinan but need to add a user by running useradd. beinan does not have that permission; it belongs to root. There are two solutions. One is to log out of beinan and log back in as root, which is not the best approach. The other is to stay logged in as beinan, use su to switch to root, add the user, and exit root once the task is done. Clearly, switching with su is the better way;

su can switch between any users. If the superuser root switches to an ordinary or system (virtual) user, no password is needed. That is its power! An ordinary user, on the other hand, must authenticate with the target user's password to switch to any other user;

2. su usage:

su [options] [user]

-, -l, --login    log in as the target user and switch to that user's environment;

-c, --command=command    run a single command as the target user, then return to the original user;

For more details, see man su;

3. su examples:

1) su without any arguments

By default su switches to root, but it does not change to root's home directory: although the identity is now root, the login environment is not root's. A user's default login environment (home directory, shell and so on) is defined in /etc/passwd;

[beinan@localhost ~]$ su root

Password:

[root@localhost beinan]# pwd

/home/beinan

2) su with the - argument

This switches to root by default and also changes to root's environment;

[beinan@localhost ~]$ pwd

/home/beinan

[beinan@localhost ~]$ su -

Password:

[root@localhost ~]# pwd

/root

3) su - username

[beinan@localhost ~]$ su - root        Note: this is the same as su -;

Password:

[root@localhost ~]# pwd

/root

[beinan@localhost ~]$ su - linuxsir    Note: switch to the user linuxsir

Password:                              Note: enter linuxsir's password here;

[linuxsir@localhost ~]$ pwd            Note: see which directory the user is currently in;

/home/linuxsir

[linuxsir@localhost ~]$ id             Note: check the uid and gid, mainly to confirm the switch succeeded;

uid=505(linuxsir) gid=502(linuxsir) groups=0(root),(beinan),502(linuxsir)

[linuxsir@localhost ~]$ exit           Note: exit
logout
[beinan@localhost ~]$

[beinan@localhost desktop]$ su - -c ls    Note: this combines su's options: switch to root with root's environment, list the files in root's home directory, then leave root;
Password:                                 Note: enter the root password here;

anaconda-ks.cfg  install.log.syslog  mydate1  mytask.sh  Videos    Note: the files in root's home directory;
Desktop    JDK    mydate2    Pictures    workspace
Documents    jdk-6u13-linux-i586.bin    mydate3    Public    Workspaces
Downloads    Linux    mydate4    Software
install.log    Music    MyEclipse    Templates
[beinan@localhost desktop]$               Note: root is exited automatically;
[beinan@localhost desktop]$ pwd
/home/beinan/desktop
[beinan@localhost desktop]$ id            Note: check whether the switch back succeeded;
uid=506(beinan) gid=506(beinan) groups=506(beinan) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[beinan@localhost desktop]$

4. su's advantages and disadvantages;

su is certainly convenient for administration: by switching to root you can use every system management tool. As long as an ordinary user knows the root password, that user can switch to root and do any administrative work. But switching to root with su also brings an insecure factor. Suppose the system has 10 users who all take part in administration. If all 10 need superuser privileges, an administrator who wants them to switch to root via su must tell the root password to all 10, and with root privileges they can do anything; to some extent this endangers the security of the system. Think of Windows: it is a nightmare. "There are no insecure systems, only insecure people." We cannot guarantee that all 10 users will follow normal procedures when administering the system; a serious mistake by any one of them may crash the system or lose data. So su is not the best choice for administration shared among many people; su only suits a system managed by one or two people, because su cannot give an ordinary user limited rights. The root password should stay in the hands of a few users. This is absolutely true! So centralized control has its merits;

II. sudo: authorized use of su, that is, a restricted su

1. Where sudo applies

Because su places no restriction on permissions once it has switched to the superuser root, su is not suited to a system administered by several people. If several administrators all use su to switch to the superuser, it is not clear which administrator did what. Especially on servers where many people take part in administration, it is best to delegate authority according to each administrator's technical strengths and area of responsibility, and to agree on which tools each of them uses for their work. That is where sudo comes in.

Through sudo we can hand out certain superuser privileges in a targeted way, without ordinary users needing to know the root password. Compared with the unrestricted permissions of su, sudo is therefore relatively safe; it can be called a restricted su. And because sudo requires explicit authorization, it is also called an authorized su;

2. How sudo executes a command

1) Authorizing the user

The current user switches to root (or to another specified user), runs the command as root (or as that user), and returns directly to the current user when the command finishes. Who may do this, and with which commands, is provided by sudo's configuration file /etc/sudoers.

For example, if the ordinary user beinan tries to read /etc/shadow with more, the following happens;

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Permission denied      Note: insufficient permission
[beinan@localhost ~]$

Now we want to read the file with sudo more /etc/shadow. For that we must authorize beinan in /etc/sudoers, so we first su to root and edit /etc/sudoers with visudo (assuming we are logged in as beinan)

[beinan@localhost ~]$ su

Password:                           Note: enter the root password here

[root@localhost beinan]# visudo     Note: run visudo to edit /etc/sudoers

Add the line beinan ALL=/bin/more, then save and exit;

Note: visudo uses the vi editor; beinan ALL=/bin/more means that beinan may switch to root to run more to view files, then return to beinan. Leave root with the exit command;

[root@localhost beinan]# exit

exit

[beinan@localhost ~]$

2) beinan runs commands with root privileges. First, see which commands beinan may run through sudo

[beinan@localhost ~]$ sudo -l

Password:                           Note: enter beinan's own password here

User beinan may run the following commands on this host:

(root) /bin/more      Note: this states clearly that on this host beinan may run more as root, and more run as root can view the contents of any text file;

Finally, let's check whether beinan can now see the contents of /etc/shadow;

[beinan@localhost ~]$ sudo more /etc/shadow

root:$1$mkoqvmq8$kg3pr0ni4xbgx8ktk4oji/:16541:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
shutdown:*:15980:0:99999:7:::
halt:*:15980:0:99999:7:::
mail:*:15980:0:99999:7:::

beinan can read not only /etc/shadow but also other files that only root may read, for example;

[beinan@localhost ~]$ sudo more /etc/gshadow

[sudo] password for beinan:
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon
tty:::
disk:::
lp:::daemon
mem:::
kmem:::
wheel:::
mail:::mail,postfix
uucp:::

If I do not want beinan to be able to read every system file, but only to let him view /etc/shadow, I can add the following line instead;

beinan ALL=/bin/more /etc/shadow

Digression: some brothers will say, by switching to root with su I can see whatever I want. Yes, haha. But aren't we talking about sudo now? If there are several users on the host who do not know the root password but need to read certain files they otherwise cannot see, the administrator must authorize them; that is the advantage of sudo;

3) User groups in /etc/sudoers

When a user group appears in /etc/sudoers, its name is prefixed with a percent sign, such as %beinan, with no space in between: %beinan ALL=/usr/sbin/*,/sbin/*

If we add the line above to /etc/sudoers, it means that every member of the beinan group may switch to root on any host and run all commands under /usr/sbin and /sbin;

4) Excluding certain programs

To exclude a class of programs, put a ! before the command; wildcards can be used here too;

beinan ALL=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk    Note: add this rule to /etc/sudoers; this requires that the user group beinan exists and that beinan belongs to it;

This rule states that on every host name that may exist, beinan may run all programs under /usr/sbin and /sbin, except fdisk;

[beinan@localhost ~]$ sudo -l

Password:                           Note: enter beinan's password here;

User beinan may run the following commands on this host:

(root) /usr/sbin/*, (root) /sbin/*, (root) !/sbin/fdisk

[beinan@localhost ~]$ sudo /sbin/fdisk -l

Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

Note: beinan cannot switch to root to run fdisk;
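The rules discussed in sections 2.1, 2.3 and 2.4 above differ in small ways that matter a lot: a bare command such as /bin/more lets the user pass any arguments (so any file is readable as root), /bin/more /etc/shadow pins the arguments, %group applies the rule to every member, * is a wildcard, and a ! entry excludes a program from an earlier wildcard. The script below is an added example written for this page, not sudo's own code and not a replacement for visudo; it implements a deliberately simplified version of those semantics (the host part is assumed to be ALL, there is no Runas or Defaults handling, and the wildcard is allowed to match /, which real sudo does not do in the path name portion). The policy text, the user alice, the group admins and the function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified sudoers rule matcher (added example; not sudo's own code).
# Supported rule shape:  <user|%group> ALL=<cmnd>[,<cmnd>...]
#   - a cmnd may contain '*' wildcards (here '*' also matches '/', which
#     real sudo does not do in the path name portion of a command);
#   - a leading '!' on a cmnd denies it;
#   - a cmnd with arguments (e.g. "/bin/more /etc/shadow") matches only
#     that exact argument list; a bare cmnd matches any arguments.
# As in sudo, the last matching entry decides ("last match wins").

# Constructed policy for this example, one rule per line
RULES='beinan ALL=/bin/more /etc/shadow
%admins ALL=/usr/sbin/*,/sbin/*,!/sbin/fdisk'

# is_member GROUP "GROUP1 GROUP2 ..." -> exit 0 if GROUP is in the list
is_member() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# cmnd_matches PATTERN "COMMAND [ARGS]" -> exit 0 on match
cmnd_matches() {
    pat=$1
    full=$2
    case $pat in
        *' '*)  # pattern carries arguments: the whole command line must match
            case $full in $pat) return 0 ;; esac ;;
        *)      # bare pattern: only the program path is compared
            case ${full%% *} in $pat) return 0 ;; esac ;;
    esac
    return 1
}

# sudo_decide USER "GROUPS" "COMMAND [ARGS]" -> prints allow or deny
sudo_decide() {
    user=$1
    grps=$2
    cmd=$3
    verdict=deny
    old_ifs=$IFS
    IFS='
'
    set -f                      # keep the shell from globbing '*' in $RULES
    for rule in $RULES; do
        subject=${rule%% *}     # beinan or %admins
        cmnds=${rule#* }        # ALL=/usr/sbin/*,...
        cmnds=${cmnds#*=}       # drop the host part (assumed to be ALL)
        case $subject in
            %*) is_member "${subject#%}" "$grps" || continue ;;
            *)  [ "$subject" = "$user" ] || continue ;;
        esac
        # walk the command list in order so later entries override earlier ones
        while [ -n "$cmnds" ]; do
            entry=${cmnds%%,*}
            case $cmnds in
                *,*) cmnds=${cmnds#*,} ;;
                *)   cmnds= ;;
            esac
            entry=${entry# }    # tolerate "a, b" spacing
            negate=0
            case $entry in
                '!'*) negate=1; entry=${entry#?} ;;
            esac
            if cmnd_matches "$entry" "$cmd"; then
                if [ "$negate" -eq 1 ]; then verdict=deny; else verdict=allow; fi
            fi
        done
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$verdict"
}

# Stand-alone demonstration of the cases discussed in the text
printf 'beinan  more /etc/shadow : %s\n' "$(sudo_decide beinan beinan '/bin/more /etc/shadow')"
printf 'beinan  more /etc/gshadow: %s\n' "$(sudo_decide beinan beinan '/bin/more /etc/gshadow')"
printf 'alice   fdisk -l         : %s\n' "$(sudo_decide alice 'alice admins' '/sbin/fdisk -l')"
printf 'alice   useradd bob      : %s\n' "$(sudo_decide alice 'alice admins' '/usr/sbin/useradd bob')"
```

Reading the output side by side with the page's rules shows why the pinned-argument form is the safer grant: beinan gets exactly /etc/shadow and nothing else, while the group rule still hands every admins member all of /usr/sbin and /sbin except the excluded fdisk. When writing real rules, keep using visudo so that a syntax error never locks everyone out of sudo.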

If a user has sudo permission but not the root password needed for su: sudo su;

Reference: http://www.jb51.net/LINUXjishu/12713.html
