Assigning special Linux user permissions with sudo

Source: Internet
Author: User
Article Title: Assigning special Linux user permissions with sudo

A large system usually has more than one Linux administrator, so special Linux user permissions have to be distributed among them. If every one of those people logs on to the system as root, administration becomes both insecure and unreliable: a shared root account gives no way to tell who did what, and every mistake is made with full privileges. Assigning specific special permissions to ordinary users solves this problem.

We cannot simply let them become root with su, because then each of them would have to know the root password; that is neither safe nor a real division of labour. The usual first approach is to use ordinary permission settings: put the users with a particular role into one working group and set the group permissions on the files that role needs. For example, suppose the user wwwadm has to manage website data. The httpd process of the Apache Web Server usually runs as the user www, so you can put wwwadm in the same working group as www and make Apache's default web root, /usr/local/httpd/htdocs, readable, writable and executable (searchable) for that group. Every member of the group can then manage the web pages.
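As an added example (not part of the original article), here is the working-group setup from the paragraph above as a small POSIX shell script. Besides making the directory group-owned and group-writable, it sets the setgid bit on it, so that files created there by any group member also belong to the group; plain group-writable permissions do not guarantee that, and a page created by wwwadm would otherwise belong to wwwadm's primary group. The directory and names are the article's (/usr/local/httpd/htdocs, www, wwwadm); creating the group and adding the user need root and are shown only as comments, while the demonstration at the bottom runs unprivileged against a temporary directory with the caller's own primary group standing in for www.

```shell
#!/bin/sh
# Added example: group-based delegation of a web root.
# Real deployment (as root), assumed commands for the article's scenario:
#   groupadd www              # create the working group if it does not exist
#   usermod -aG www wwwadm    # make wwwadm a member (takes effect at next login)
#   make_shared_dir /usr/local/httpd/htdocs www

# make_shared_dir DIR GROUP: give DIR to GROUP and let members create and edit files in it.
make_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp -R "$group" "$dir" || return 1
    # 2775 = setgid + u=rwx,g=rwx,o=rx. The setgid bit makes new files inside
    # inherit the directory's group instead of the creator's primary group,
    # so a page wwwadm creates is still owned by group www and readable by httpd.
    chmod 2775 "$dir" || return 1
}

# shared_dir_ok DIR: prints "ok" when DIR is group-writable with setgid set, else "bad".
# Reads ls -ld rather than stat(1) because stat's options differ between systems.
shared_dir_ok() {
    [ -d "$1" ] || { echo bad; return 1; }
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???rws*) echo ok ;;
        *)        echo bad ;;
    esac
}

# Unprivileged demonstration against a temporary directory (constructed; the
# caller's own primary group stands in for www).
demo_dir=$(mktemp -d)
make_shared_dir "$demo_dir/htdocs" "$(id -gn)"
echo "$demo_dir/htdocs: $(shared_dir_ok "$demo_dir/htdocs")"
touch "$demo_dir/htdocs/index.html"
ls -l "$demo_dir/htdocs/index.html"    # the group column shows the inherited group
rm -rf "$demo_dir"
```

Group membership added with usermod only applies to new logins, so wwwadm has to log in again (or run newgrp www) before the permissions take effect.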

This is not the best solution in every case, though. Suppose the administrator wants to give an ordinary user permission to shut the machine down. The group approach does not help, because shutdown is not a matter of file permissions. What you really want is to let this one user run the shutdown command as root, and nothing else. Standard Unix permissions cannot express that, but a tool can: sudo. sudo grants privileges to individual users by consulting a policy file that maps user names to the commands they may run and as whom; to use a granted privilege, a qualified user simply types sudo followed by the command and, when prompted, enters a password (the user's own password, not the root password). For example, sudo can allow an ordinary user to format a disk without giving that user any other root privilege.

1. The sudo tool is configured through the file /etc/sudoers, which lists every user allowed to use sudo and defines what each of them may do. A typical /etc/sudoers entry looks like this:

liming ALL = (ALL) ALL

This entry lets the user liming run any command, on any host, as any user (including root). Whenever liming needs to run a command as the superuser, he simply prefixes it with sudo. For example, to add a user account as root, liming would type:

$ sudo /usr/sbin/useradd sam

Note: give the command's absolute path. /usr/sbin is normally not in an ordinary user's search PATH, so either type the full path or add the directory to PATH (PATH=$PATH:/usr/sbin; export PATH). Command locations also differ between systems; use "whereis command-name" (or "which command-name") to find the path.

The first time liming uses sudo, the following output is displayed:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:

If liming enters his password correctly, the useradd command is executed as root.

Note: the configuration file /etc/sudoers must be edited with the visudo command, which locks the file against concurrent edits and checks its syntax before saving. A syntax error in /etc/sudoers can lock every administrator out of sudo, so never edit the file with a plain editor.

To grant a permission, add a line with the user name, host name and permitted command list to /etc/sudoers in this standard format; the change takes effect as soon as the file is saved. Let's look at another example.

2. Example: the administrator wants to let the user gem run the reboot and shutdown commands on the host sun. Add the following to /etc/sudoers:

gem sun = /usr/sbin/reboot, /usr/sbin/shutdown

Note: commands must be given by absolute path, so that a same-named program in some other directory (for example one the user placed in his own PATH) cannot be run in its place. The host field (sun) must match the machine's own host name, otherwise the entry does not apply on it; use ALL to match any host.

Save and exit. Now, to reboot the machine, gem only has to type the following at the prompt:

$ sudo /usr/sbin/reboot

After gem enters his own password correctly, the server restarts.

To grant the same permissions to a whole group of users, prefix the group name with % (no space in between), for example:

%cuug ALL = (ALL) ALL

3. Aliases can simplify the configuration file. An alias is similar to a group: there are user aliases, host aliases and command aliases. Several users can first be collected under one alias, and that alias is then used when specifying what they may run; the entry applies to every user in the alias. Host aliases and command aliases work the same way. Aliases must be defined before they are used, with User_Alias, Host_Alias and Cmnd_Alias lines in /etc/sudoers: the alias name (upper-case letters, digits and underscores, case-sensitive) followed by = and a comma-separated list of members. For example:

Host_Alias SERVER = no1
User_Alias ADMINS = liming, gem
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, /usr/sbin/reboot

ADMINS SERVER = SHUTDOWN

The last line lets liming and gem run halt, shutdown and reboot as root on the host no1; the alias names must be written exactly as defined.

4. Here is one more example:

ADMINS ALL = (ALL) NOPASSWD: ALL

This allows the ADMINS users to run anything, as any user, on any host, without entering a password. "NOPASSWD:" means that no password is asked for the commands listed after it. Such an entry makes these users root in everything but name, and it removes even the small protection the password prompt gives against someone using an unattended terminal; reserve NOPASSWD for specific, low-risk commands rather than ALL.
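As an added example (not from the original article), the following POSIX shell script collects the /etc/sudoers entries from sections 1 to 4 into one constructed sample file and adds the two checks an administrator should run on such a file before installing it: a syntax check with visudo -cf (only if visudo is installed; it never touches the real /etc/sudoers) and an audit that lists the entries granting root-equivalent access (a command list of ALL) or passwordless access (NOPASSWD:). The user, group and host names are the article's; the sample file, its comments and the audit functions are this example's own.

```shell
#!/bin/sh
# Added example: the article's sudoers entries in one file, plus the checks
# an administrator should run before installing such a file.

# Constructed sample, written to a temporary file so the real /etc/sudoers is untouched.
SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
# Aliases must be defined before the lines that use them (section 3).
Host_Alias SERVER = no1
User_Alias ADMINS = liming, gem
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, /usr/sbin/reboot

# Section 1: liming may run any command as any user, i.e. full root.
liming ALL = (ALL) ALL

# Section 2: gem may only reboot or shut down host "sun"; absolute paths only.
gem sun = /usr/sbin/reboot, /usr/sbin/shutdown

# Every member of group cuug gets full root.
%cuug ALL = (ALL) ALL

# Section 3: liming and gem may halt, shut down or reboot the host no1.
ADMINS SERVER = SHUTDOWN

# Section 4: full root with no password prompt at all.
ADMINS ALL = (ALL) NOPASSWD: ALL
EOF

# check_syntax FILE: run visudo's parser on FILE if visudo exists. visudo -c
# also checks owner and mode, so the copy is set to 0440 first; an ownership
# warning on a temp file not owned by root can be ignored here.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        chmod 0440 "$1"
        visudo -cf "$1"
    else
        echo "visudo not installed; syntax check skipped" >&2
    fi
}

# root_equivalent_grants FILE: print every rule whose command list contains ALL.
# Comments, blank lines, Defaults and alias definitions are skipped; the part
# before "=" (user, host) and an optional "(runas)" spec are stripped so that
# only the command list is examined. An alias named e.g. ALLOW is not matched.
root_equivalent_grants() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)
            sub(/^\([^)]*\)[ \t]*/, "", cmds)
            if (cmds ~ /(^|,[ \t]*)(NOPASSWD:[ \t]*)?ALL([ \t]*,|$)/) print
        }' "$1"
}

# nopasswd_grants FILE: print every rule that waives the password prompt.
nopasswd_grants() {
    grep -E '^[^#]*NOPASSWD:' "$1"
}

check_syntax "$SUDOERS_SAMPLE"
echo "== root-equivalent entries =="
root_equivalent_grants "$SUDOERS_SAMPLE"
echo "== passwordless entries =="
nopasswd_grants "$SUDOERS_SAMPLE"
```

On this sample the audit reports the liming, %cuug and ADMINS NOPASSWD lines as root-equivalent and the last of them as passwordless, while gem's reboot/shutdown rule and the alias-based SHUTDOWN rule pass; that is the distinction the page draws between delegating one command and handing out root.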

5. The sudo command also accepts options for auxiliary functions, for example:

$ sudo -l

The following information is displayed:

User liming may run the following commands on this host:
    (root) /usr/sbin/reboot

This shows that liming may run /usr/sbin/reboot as root (the output here is for an entry that grants only reboot; with the entry from section 1 it would show (ALL) ALL). The -l option lets a user see which commands he is allowed to run through sudo on this host.

6. Typing sudo with no arguments at the command prompt prints its usage and lists all options. The main ones are:

-V displays the version number.
-h displays the usage (help) message.
-v (validate) asks for the password and refreshes sudo's timestamp. sudo asks for the password on the first use and again once N minutes have passed since the last use (N is 5 by default); -v extends that period without running a command.
-k (kill) invalidates the timestamp, so the next sudo invocation asks for the password whether or not N minutes have passed.
-b runs the command in the background.
-p prompt changes the password prompt; in prompt, %u is replaced by the invoking user's account name and %h by the host name.
-u username (or -u #uid) runs the command as the given user (or as the user with that numeric uid) instead of root; without -u, commands run as root.
-s runs the shell named by the SHELL environment variable, or else the user's login shell from /etc/passwd.
-H sets the HOME environment variable to the home directory of the target user (root, if -u is not given).
command is the command to run as the superuser (or as the user given with -u).

Distributing special permissions this way lets us manage a system with finer control, and more safely, than by sharing the root account.
