Linux Switch user identities, Su, sudo,/etc/sudoers

Linux system, sometimes the ordinary user some things can not be done, unless it is the root user can do. Then you need to useThe SU command temporarily switches to root to work.

su:substitute[' s?bst?tju?t] instead of user
The syntax for SU is:
SU [option parameter] [user]
-,-L,--login log in andChange to the user environment of the switch;
-C,--commmand=commandExecutes a command and then exits the user environment that was switched to;

When you switch users with the SU command, you can use theThe exit command or shortcut key [Ctrl+d] returns to the original logged-on user.

Example:
Su does not add any parameters, the default is to switch to the root user, but did not go to the root user home directory, that is, although the switch to the root user, but did not change the root login environment, the user default login environment, can be found in the/etc/passwd, including home directory, Shell definition, etc.;
Su plus parameter-, which means to switch to the root user by default, and change to the root user's environment;


With Su is able to switch user identity, if every ordinary user can switch to root identity, if a user accidentally leaked the root password, it is not very insecure system? No mistake, in order to improve this problem, yielded the sudo command. Usesudo executes a root command that can be executed, but requires a password that is not the root password but the user's own password. By default only the root user can use the sudo command, and the normal user wants to use sudo, which requires root pre-set, i.e., usingVisudocommand to edit the relevant configuration file/etc/sudoers. If this command is not Visudo, use the "Yum install-y sudo" installation.

The default root can be sudo because there is a line in the file "root all= (All) All"

the applicable conditions for sudo are:
Because SU does not have the restriction of permissions after switching to Superuser root, SU does not act as a system managed by multiple administrators. If you use SU to switch to the Superuser to manage the system, it is not clear what work is done by which administrator. In particular, for the management of the server with many people involved in the management, it is best for each administrator's technical expertise and scope of management, and a targeted delegation of authority, and agreed on what tools they use to complete their work, then we need to use sudo.
With Sudo, we can putSome super permissions are targeted, and do not require ordinary users to know the root password, so sudo relative to the unrestricted permission of Su, is still relatively safe, soSudo can also be referred to as a restricted Su, and sudo is required to be licensed, so it is also known as a licensed Su;
sudo the process of executing the command : the current user switches to root (or other specified switch to the user), and then executes the command as root (or another specified switch to the user), and then returns to the current user immediately after execution, and these are the prerequisites for the sudo profile /etc/sudoers to authorize;

Starting with the sudo configuration file/etc/sudoers
sudo configuration file is/etc/sudoers, we can use his special editing tool Visodu, the advantage of this tool is that when adding a rule is not very accurate, save the exit will prompt US error message, after configuration, you can switch to your authorized users, through the sudo-l To see which commands can be executed or forbidden;
/etc/sudoers file each line in a rule, preceded by a # can be regarded as a description of the content, do not execute; If the rules are long, a row, you can use the \ number to continue the line, so that a rule can also have more than one row;
The rules of/etc/sudoers can be divided into two categories , one is alias definition, the other is authorization rule; alias definition is not necessary, but authorization rules are necessary;

sudo authorization rule (sudoers configuration):
Authorized User Host = Command action
These three elements are indispensable, but before the action can also be specified to switch to a specific user, where the user to specify the switch to use (), if you do not need a password to run the command directly, you should add nopasswd: parameters, but these can be omitted;

Default configuration for Sudoers:

HTML code

2. #############################################################
4. # sudoers file.
6. #
8. # This file must is edited with the ' Visudo ' command as root.
10. #
12. # See the Sudoers Mans page for the details about how to write a sudoers file.
14. #
16. # Host alias Specification
18. # User alias Specification
20. # CMND alias Specification
22. # Defaults Specification
24. # User Privilege Specification
26. Root all= (all) all
28. # Uncomment to allow people in group wheel to run all commands
30. #%wheel all= (All) all
32. # same thing without a password
34. #%wheel all= (All) Nopasswd:all
36. # Samples
38. #%users All=/sbin/mount/cdrom,/sbin/umount/cdrom
40. #%users localhost=/sbin/shutdown-h now
42. ##################################################################

1. The simplest configuration, so that ordinary user support has all the root permissions
After executing Visudo, you can see that there is only one configuration by default:
Root all= (All) all
Then you'll add one more configuration to the bottom:
Support All= (All) all
In this way, normal user support can perform all commands that root privileges
After logging in as a support user, execute:
sudo su-
Then enter the support user's own password, you can switch to the root user
2. Allow normal user support to perform certain commands that root can perform on only a few servers
First you need to configure some alias, so that in the following configuration permissions, it will be convenient, do not write large sections of the configuration. Alias is divided into 4 main types
Host_alias
Cmnd_alias
User_alias
Runas_alias
1) configuration Host_alias: Is the list of hosts
Host_alias Host_flag = hostname1, hostname2, Hostname3
2) configuration Cmnd_alias: Is the list of commands that are allowed to execute,Command before adding! Indicates that this command cannot be executed.
command must use absolute path, to avoid other directories with the same name command is executed, resulting in security risks, so the use of the time is also used absolute path!
Cmnd_alias Command_flag = Command1, Command2, Command3,!command4
3) Configure User_alias: Is the list of users with sudo permissions
User_alias User_flag = user1, User2, User3
4) Configure Runas_alias: Is the list of what the user is doing (for example, root, or Oracle)
Runas_alias Runas_flag = Operator1, Operator2, Operator3
5) Configure permissions
The format for configuring permissions is as follows:
User_flag host_flag= (Runas_flag) Command_flag
If password Authentication is not required, configure it in this format
User_flag host_flag= (Runas_flag) Nopasswd:command_flag
Example configuration:

HTML code

2. ############################################################################
4. # sudoers file.
6. #
8. # This file must is edited with the ' Visudo ' command as root.
10. #
12. # See the Sudoers Mans page for the details about how to write a sudoers file.
14. #
16. # Host alias Specification
18. Host_alias EPG = 192.168.1.1, 192.168.1.2
20. # User alias Specification
22. # CMND alias Specification
24. Cmnd_alias SQUID =/opt/vtbin/squid_refresh,!/sbin/service,/bin/rm
28. Cmnd_alias ADMPW =/usr/bin/passwd [a-za-z]*,!/usr/bin/passwd,!/usr/bin/passwd root
30. # Defaults Specification
32. # User Privilege Specification
34. Root all= (all) all
36. Support epg= (all) Nopasswd:squid
38. Support epg= (all) NOPASSWD:ADMPW
40. # Uncomment to allow people in group wheel to run all commands
42. #%wheel all= (All) all
44. # same thing without a password
46. #%wheel all= (All) Nopasswd:all
48. # Samples
50. #%users All=/sbin/mount/cdrom,/sbin/umount/cdrom
52. #%users localhost=/sbin/shutdown-h now
54. ###############################################################

Reference: Su sudo sudoers

http://desert3.iteye.com/blog/1663995

Linux Switch user identities, Su, sudo,/etc/sudoers