This post illustrates the basic usage of, and the differences between, the su and sudo commands on CentOS.
Background
1. Logging in directly as root is usually not recommended on Linux: it is too dangerous. But a regular user will sooner or later run into a permission limit, and su and sudo are the answer to that;
2. su is usually used to switch temporarily to another user's identity in order to run some commands; the switch can be a full switch or a partial (non-full) switch;
3. sudo is usually used to run certain commands as another user and then return to the original login identity; it stands for "super do"!
Essentials of the su command
su switching modes:
(1) su -l root, a full switch: the new identity's private configuration files (environment variables, PATH, and so on) are re-read;
(2) su root, a non-full switch: they are not re-read;
Normally, once you have switched to the new identity you stay in it until you leave it with the exit command;
Several points:
You can use su -c COMMAND root to switch to root, run COMMAND, and automatically drop the root identity again. This is a bit like sudo; see man su for details;
A normal user switching to any user must enter that user's password; only root can switch to a normal user without a password;
su -, su -l and su --login all denote a full switch and read the private configuration files!
sudo command essentials
The features of sudo are roughly:
(1) Authorizing specified users to run specified commands on specified hosts: "who, where, does what"
(2) Detailed logging of the commands users run through sudo
(3) sudo has time-limited authentication: the first time a user runs sudo, a password is required; that credential is then cached for a period, 5 minutes by default, during which no password is asked for again (the "ticket system")
sudo command:
An authorized user runs the commands they are authorized for through the sudo command:
su - with no username defaults to switching to root (the administrator) and requires the root password
sudo [OPTIONS] COMMAND
sudo su - needs no administrator password, haha; it is interesting to think that one through.
-l: list the sudo commands the current user may run;
-k: clear the previously cached "ticket";
-u USERNAME COMMAND: run COMMAND as the specified user;
sudo configuration file: /etc/sudoers
As mentioned above, sudo defines which users, on which hosts, may run which commands. These definitions are saved in the configuration file /etc/sudoers; it is recommended to edit it with the dedicated editor, i.e. the visudo command, which does syntax checking among other things.
sudo configuration file syntax
The syntax of the sudoers configuration file is simple.
For example, to let the ordinary user centos run the fdisk command as root on any host, a single rule line is enough.
But if you need to authorize many users, or different groups of users, does adding them one by one to the list not become too cumbersome? Even more so when one user may run many commands through sudo. In fact, you can authorize with aliases, used as follows:
For example: allow the user centos and the user group apache to run the system-administration commands fdisk and useradd, as well as network-management commands such as wget and ifconfig, as root on any host. How do you define that?
Several points:
The name of an alias must be an uppercase string, without exception
Aliases can be nested in one another, for example User_Alias A = apache, B, where B is another User_Alias
Plan your aliases sensibly, and nest them sensibly!
As mentioned above, sudo has a "ticket system". Whether an authorized command has to check the ticket depends on the tag placed on that command in the rule.
In the rule shown, centos can use sudo to run the fdisk command as root on any host (a ticket must be shown; it is valid for 5 minutes by default), and run wget without presenting a ticket at all
5. Please note: for the authorized commands CMD1, CMD2 and so on that may be run through sudo, it is recommended to use absolute paths!
6. After modifying the configuration file with visudo, the change takes effect immediately
Practice:
1. Authorize the centos user to run the fdisk command for disk management, and mkfs or mke2fs for file-system management;
Before authorization:
Modify the sudo configuration file:
# visudo
centos    ALL=(root)    /sbin/fdisk, /sbin/mkfs.ext4
After authorization:
2. Authorize the gentoo user to run the logical-volume-management commands;
The commands related to logical volumes are:
Display: pvs, vgs, lvs
Scan: pvscan, vgscan, lvscan
Create: pvcreate, vgcreate, lvcreate
Edit the sudo configuration file:
# visudo
Cmnd_Alias VGCMDS = /sbin/pvs, /sbin/vgs, /sbin/lvs, /sbin/pvscan, /sbin/vgscan, /sbin/lvscan, /sbin/pvcreate, /sbin/vgcreate, /sbin/lvcreate
centos    ALL=(root)    VGCMDS
Some of the problems encountered here:
When defining the Cmnd_Alias, I tried the /sbin/{vgs,lvs} notation and found it is not recognized; it failed!
During verification it kept failing; in the end I found the cached credential had not been cleared: sudo -k
Investigation found that vgs, lvcreate and the other VG-related commands are in fact soft links to /sbin/lvm, but without /sbin/lvm being authorized, these VG commands can still be run
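As an added example (not from the original post), this script ties together the sudoers syntax, aliases and ticket tags described above and the symlink problem noted in the last point: it writes the page's example policy in sudoers syntax, then reports every authorized command path that is really a symlink to another binary, so you know which executable a rule actually grants. The paths /usr/sbin/useradd and /usr/bin/wget, the alias names, and the directory tree the test builds are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a sudoers-style policy and
# audits the command paths in it: an entry such as /sbin/vgs authorizes whatever
# that path resolves to (/sbin/lvm on the author's system), so symlinks are
# reported. Alias names must be uppercase; the command paths are assumptions.

# Write the example policy into the file named by $1 (sudoers syntax).
write_policy() {
    cat > "$1" <<'EOF'
User_Alias  ADMINS  = centos, %apache
Cmnd_Alias  SYSCMDS = /sbin/fdisk, /usr/sbin/useradd
Cmnd_Alias  NETCMDS = /usr/bin/wget, /sbin/ifconfig
Cmnd_Alias  VGCMDS  = /sbin/pvs, /sbin/vgs, /sbin/lvs

# who     where = (as whom) what   (fdisk needs a ticket, wget does not)
centos    ALL   = (root)    /sbin/fdisk, NOPASSWD: /usr/bin/wget
ADMINS    ALL   = (root)    SYSCMDS, NETCMDS
centos    ALL   = (root)    VGCMDS
EOF
}

# Print "PATH -> REALPATH" for each command path in the policy $1 whose target
# under the filesystem root $2 differs from the path written in the rule.
audit_symlinks() {
    root=$(readlink -f "$2")
    root=${root%/}                      # "" when auditing the real root
    grep -v '^[[:space:]]*#' "$1" |     # drop comment lines
    tr ',' '\n' |                       # one list item per line
    grep -o '/[^[:space:]]*' |          # keep only absolute paths
    sort -u |
    while read -r cmd; do
        [ -e "$root$cmd" ] || continue  # path absent on this host: skip
        real=$(readlink -f "$root$cmd")
        [ "$real" = "$root$cmd" ] || echo "$cmd -> ${real#$root}"
    done
}

# Stand-alone run: audit the example policy against this host's filesystem.
f=$(mktemp) && write_policy "$f" && audit_symlinks "$f" /
rm -f "$f"
```

On a system where /sbin/vgs is a symlink to lvm, the stand-alone run prints "/sbin/vgs -> /sbin/lvm".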
This article is from the "Blue Warehouse" blog; be sure to keep this source: http://bluebox.blog.51cto.com/8852456/1712126