The flow of sudo to execute a command
Switches the current user to the Superuser, or to the specified user,
The command is then executed as Superuser or as the user it specifies to switch to, and is returned directly to the current user when the execution completes.
The specific work process is as follows:
When the user executes sudo, the system proactively looks for the/etc/sudoers file to determine if the user has permission to execute sudo
--> confirm that the user has the ability to execute sudo, let the user enter the user's own password confirmation
--> If the password entry succeeds, start the sudo follow up command
Second, do not need to enter the password situation
1.root do not need to enter the password when sudo (eudoers file has the configuration root all= (all) all such a rule)
2. Want to switch identity and the identity of the performer, do not need to enter a password
The 3./etc/sudoers file is set to allow users to use all commands without entering the user's password
For example, setting allows users in the wheel user group to use all commands without entering the user's password
(%wheel all= (All) nopasswd:all)
Iii. Interpretation of/etc/sudoers documents
[Root@test ~]# Cat/etc/sudoers
# # Sudoers allows particular users to run various commands as
# # The root user, without needing the root password.
# #该文件允许特定用户像root用户一样使用各种各样的命令, without the password of the root user
##
# # Examples are provided at the bottom of the ' file for collections
# # of related commands, which can then is delegated out to particular
# # users or groups.
# # provides examples of related commands at the bottom of the file to choose from, and these examples can be selected by a specific user or
# # # # # The user group uses
# # This file must is edited with the ' Visudo ' command.
# # This file must be edited using the ' Visudo ' command
# # Host Aliases
#主机别名
# # Groups of machines. You could prefer to use hostnames (Perhap using
# # wildcards for entire domains) or IP addresses instead.
# # for a group of servers, you might prefer to use host names (possibly full domain wildcard characters)
# # or IP address instead, you can configure the host alias
# Host_alias fileservers = FS1, FS2
# Host_alias mailservers = SMTP, SMTP2
# # User Aliases
#用户别名
# # These aren ' t often necessary, as your can use regular groups
# # (ie, from files, LDAP, NIS, etc.) in the File-just use%groupname
# # rather than Useralias
# # This is not very common, because you can use groups to replace the alias of a group of users
# User_alias ADMINS = jsmith, Mikem
# # Command Aliases
# # These are groups of related commands ...
# # Specifies an alias for a series of interrelated commands, which, of course, can be one, by giving the alias sudo permission,
# # You can invoke all the commands that the alias contains by sudo, here are some examples
# # Networking
#网络操作相关命令别名
Cmnd_alias networking =/sbin/route,/sbin/ifconfig,/bin/ping,/sbin/dhclient,
/usr/bin/net,/sbin/iptables,/usr/bin/rfcomm,/usr/bin/wvdial,/sbin/iwconfig,
/sbin/mii-tool
# # Installation and management of software
#软件安装管理相关命令别名
Cmnd_alias SOFTWARE =/bin/rpm,/usr/bin/up2date,/usr/bin/yum
# # Services
#服务相关命令别名
Cmnd_alias SERVICES =/sbin/service,/sbin/chkconfig
# # Updating the Locate database
#本地数据库升级命令别名
Cmnd_alias LOCATE =/usr/sbin/updatedb
# # Storage
#磁盘操作相关命令别名
Cmnd_alias STORAGE =/sbin/fdisk,/sbin/sfdisk,/sbin/parted,/sbin/partprobe,/bin/mount,/bin/umount
# # Delegating Permissions
#代理权限相关命令别名
Cmnd_alias delegating =/usr/sbin/visudo,/bin/chown,/bin/chmod,/BIN/CHGRP
# # Processes
#进程相关命令别名
Cmnd_alias processes =/bin/nice,/bin/kill,/usr/bin/kill,/usr/bin/killall
# # Drivers
#驱动命令别名
Cmnd_alias DRIVERS =/sbin/modprobe
#环境变量的相关配置
# Defaults Specification
#
# Disable ssh hostname sudo <cmd>, because it'll show the password in clear.
# You have to run "ssh-t hostname sudo <cmd>".
#
Defaults Requiretty
Defaults Env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME histsize inputrc kdedir \
Ls_colors MAIL PS1 PS2 qtdir USERNAME \
LANG lc_address lc_ctype lc_collate lc_identification \
Lc_measurement lc_messages lc_monetary lc_name lc_numeric \
Lc_paper lc_telephone lc_time lc_all LANGUAGE linguas \
_xkb_charset xauthority "
# # Next comes the main Part:which users can run what software on
# # which machines (the sudoers file can be shared between multiple
# # Systems).
# # Below is the rule configuration: What commands users can perform on which server (sudoers files can be shared on multiple systems)
# # Syntax:
# #语法
# # User Machine=commands
# # User Login host = (can transform identity) command to execute
##
# # The COMMANDS have other options added to it.
The # # Command section can be accompanied by some other options
##
# # Allow ROOT to run any commands anywhere
# # allows root users to execute arbitrary commands under arbitrary paths
Root all= (All)
# # allows members of the ' sys ' group to run networking, software,
# # Service Management apps and more.
#%sys all = Networking, SOFTWARE, SERVICES, STORAGE, delegating, Processes, LOCATE, DRIVERS
# # allow users in the SYS group to use commands configured in all aliases such as networking
# # allows people in group wheel to run all commands
#%wheel all= (All)
# # allows users in the wheel user group to execute all commands
# # Same thing without a password
# # allows users in the wheel user group to use all commands without entering the user's password
#%wheel all= (All) Nopasswd:all
# # Allows members of the users group to mount and unmount the
# # CDROM as Root
# # Allow users in the Users group to use Mount, unmount, chrom commands like root users
#%users All=/sbin/mount/mnt/cdrom,/sbin/umount/mnt/cdrom
# # Allows members of the users group to shutdown this system
#%users Localhost=/sbin/shutdown-h Now
# # Allow users in the Users group to use the shutdown command like root users
Iv. Demonstration of actual cases
Example 1: Let the normal user Fieldyang have the/etc/init.d/nagios script restart permission, you can add the following settings in/etc/sudoers:
[Root@test ~]# Visudo
Fieldyang All=nopasswd:/etc/init.d/nagios Restart
Example 2: Let ordinary users fieldyang with all superuser privileges without entering a password
[Root@test ~]# Visudo
Fieldyang all= (All) Nopasswd:all
[fieldyang@test ~] #sudo Su-
[Fieldyang@test ~] #pwd
/root
Example 3: For MySQL database settings, let test users in the test group have/ETC/INIT.D/MYSQLD permissions
######################## MySQL ################
1.
[Root@test ~]# Groupadd Test
[Root@test ~]# useradd-g test-m-d/home/test-s/bin/bash test
[Root@test ~]# passwd test
2.
[Root@test ~]# Visudo
# test all= (All) nopasswd:/etc/init.d/mysqld
Test all= (All)/etc/init.d/mysqld
3. Start/stop MySQL
3.1) Start MySQL
Login Test
[Root@test ~]# su Test
[Test@test ~]$ sudo/etc/init.d/mysqld start
3.2) Stop MySQL
Login Test
[Root@test ~]# su Test
[Test@test ~]$ Sudo/etc/init.d/mysqld Stop
Example 4: For Tomcat settings, the test user in the test group has the right to Tomcat operations
######################## Tomcat ################
1.
[Root@test ~]# Groupadd Test
[Root@test ~]# useradd-g test-m-d/home/test-s/bin/bash test
[Root@test ~]# passwd test
2.
[Root@test ~]# Visudo
# test all= (All)/usr/local/tomcat/bin/shutdown.sh,/usr/local/tomcat/bin/startup.sh
Test all= (All) nopasswd:/usr/local/tomcat/bin/shutdown.sh,/usr/local/tomcat/bin/startup.sh
3.
[Root@test ~]# vim/usr/local/tomcat/bin/catalina.sh
### JDK
Export JAVA_HOME=/USR/LOCAL/JDK
Export Jre_home= $JAVA _home/jre
4. Start/stop Tomcat
4.1) Start Tomcat
Login Test
[Root@test ~]# su Test
[Test@test ~]$ sudo/usr/local/tomcat/bin/startup.sh
[Test@test ~]$ Ss-ntlup | grep java
[Test@test ~]$ curl-i http://localhost:8080
4.2) Stop Tomcat
Login Test
[Root@test ~]# su Test
[Test@test ~]$ sudo/usr/local/tomcat/bin/shutdown.sh