Configuring sudo to temporarily obtain root permissions

Source: Internet
Author: User
Reposted from: http://www.linuxidc.com/Linux/2012-09/69525.htm

An ordinary user on a Linux system sometimes needs root permission to perform some operation. Using su - root requires knowing the root password, which is unsafe, and that is why sudo exists: root can make certain settings in /etc/sudoers that allow an ordinary user to perform actions only root can do, without switching to root. This file can only be modified by root, and it is recommended to modify it with the visudo command rather than editing /etc/sudoers directly with vim.

There are two reasons:

◦ One is that it prevents two users from modifying the file at the same time;

◦ The other is that it also performs a limited syntax check.

If the file contains errors when you finish editing, visudo reports them and prompts you: press e to edit again, x to exit without saving, or Q to save and exit anyway. If you choose Q, sudo will no longer work properly.

The experiment below covers three things: giving a specified user sudo permission to run particular commands, running a command as another user with sudo -u, and granting a set of users the same permission through a user alias.

The process is as follows:

[root@mail ~]# visudo

# chen is an ordinary user; ALL means he may log in from any host; (root) means he may act as root; what follows is the list of commands he may run, preferably written with full paths
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
## Allows members of the 'sys' group to run networking, software,


[root@mail ~]# exit
logout
[chen@mail Desktop]$ sudo -l   # list the sudo commands you may run
[sudo] password for chen:   # enter your own password
Matching Defaults entries for chen on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User chen may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd   # the sudo commands chen may run
[chen@mail Desktop]$ sudo useradd user3   # test
[chen@mail Desktop]$ sudo passwd user3
Changing password for user user3.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[chen@mail Desktop]$ id user3   # user3 was added successfully
uid=503(user3) gid=503(user3) groups=503(user3)
[chen@mail Desktop]$ visudo   # ordinary users are not allowed to edit the file
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
[chen@mail Desktop]$ su - root
Password:
[root@mail ~]# visudo
[root@mail ~]# cat /etc/sudoers | grep user1   # the following line was added in this edit
user1   ALL=(user2)     /bin/ls
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user1:
Matching Defaults entries for user1 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
    (user2) /bin/ls
[user1@mail ~]$ ls /home/user2   # user1 looking directly into user2's home directory is naturally not allowed
ls: cannot open directory /home/user2: Permission denied
[user1@mail ~]$ sudo -u user2 ls /home/user2   # but viewing it through sudo as user2 works
a

# user1 cannot add a user as user2 here, because user2 itself does not have the useradd privilege.
# In fact, even if user2 is given sudo permission to add users it still does not work, because user2 would itself have to go through sudo to add a user;
# running useradd directly as user2 certainly fails. See the demonstration below.
[user1@mail ~]$ sudo -u user2 useradd user4   # cannot add at this point
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$ exit
logout
[root@mail ~]# visudo
# This line was added, giving user2 sudo permission to add users. Will sudo -u user2 useradd user4 work now? It will not.
user2   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
[root@mail ~]# su - user2
[user2@mail ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user2:
Matching Defaults entries for user2 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user2 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd
[user2@mail ~]$ su - user1
Password:
[user1@mail ~]$ sudo -u user2 useradd user4   # here is the answer: no
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$
# To summarize: sudo -u username command runs the command as that user, and only a command the target user can already run directly, without sudo, can be run this way.
# Also, when sudo is given without -u, it runs the command as root by default.

[user1@mail ~]$ exit
logout
[user2@mail ~]$ exit
logout
[root@mail ~]# visudo
# The changes are as follows: lines 91 and 92 were deleted,
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
user1   ALL=(user2)     /bin/ls                              # deleted
user2   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd    # deleted

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
ADMIN   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd    # newly added

# User_Alias ADMINS = jsmith, mikem
User_Alias ADMIN = user1, user2                              # newly added
# Here ADMIN is effectively an alias for user1 and user2; the alias is given permission to add users, so user1 and user2 both have that permission.
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd   # user1 now has useradd permission
[user1@mail ~]$ su - user2
Password:
[user2@mail ~]$ sudo -l
[sudo] password for user2:
Matching Defaults entries for user2 on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user2 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd   # so does user2
[user2@mail ~]$
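To make the two conclusions above concrete (sudo -u only consults the invoking user's own rules, and a User_Alias grants every member the same rule), here is an added example that is not part of the original article: a deliberately simplified Python model of sudoers rule matching over a constructed fragment containing the article's lines. It assumes ALL hosts everywhere and ignores Cmnd_Alias, Runas_Alias, NOPASSWD tags and negation, so it is a teaching model of the matching logic, not a replacement for visudo -c.

```python
import re

# Constructed sudoers fragment that replays the article's two experiments:
# the per-user lines (later deleted) and the ADMIN alias that replaced them.
SUDOERS = """
root   ALL=(ALL)   ALL
chen   ALL=(root)  /usr/sbin/useradd,/usr/bin/passwd
user1  ALL=(user2) /bin/ls
user2  ALL=(root)  /usr/sbin/useradd,/usr/bin/passwd
User_Alias ADMIN = user1, user2
ADMIN  ALL=(root)  /usr/sbin/useradd,/usr/bin/passwd
"""

# who  host=(runas)  cmd1,cmd2   (host matching is ignored in this model)
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.+)$")


def parse(text):
    """Return ({alias: set(users)}, [(who, host, runas, [cmds])])."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = RULE.match(line)
        if m:
            who, host, runas, cmds = m.groups()
            rules.append((who, host, runas, [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def may_run(sudoers, user, cmd, runas="root"):
    """Does `user` hold a rule allowing `cmd` as `runas`?  Like sudo, only the
    invoking user's rules are consulted: whatever `runas` may itself do via
    sudo never chains in, and without -u the target defaults to root."""
    aliases, rules = sudoers
    for who, _host, r, cmds in rules:
        if who != "ALL" and user not in aliases.get(who, {who}):
            continue                              # rule is not about this user
        if r not in ("ALL", runas):
            continue                              # rule does not cover this target
        if "ALL" in cmds or cmd in cmds:
            return True
    return False
```

With this model, may_run(parse(SUDOERS), "user1", "/usr/sbin/useradd", runas="user2") is False even though user2 has its own useradd rule, exactly as the "Sorry, user user1 is not allowed" message showed, while may_run(parse(SUDOERS), "user1", "/usr/sbin/useradd") is True through the ADMIN alias.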
