Grant root account permissions to other users in Unix

Source: Internet
Author: User

In practice, Unix system engineers may need to delegate to normal users some commands that would otherwise be run only by root. Take the passwd command: by default, only the root administrator can change the password of a user account. However, system engineers prefer that users change their own passwords. That way the password is known only to the user, which may be more secure. If a user forgets the password, the system engineer uses the permissions of the root account to reset it. In Windows, this function can be implemented easily. In Unix systems, it is not so easy. This article discusses the topic.

 1. Effective UID and real UID.

When the system administrator runs the passwd command in a shell, the shell first creates another shell process. The newly created process then loads the passwd executable image, overwriting its own image, and the passwd process starts to run. The passwd process inherits most of its attributes from the parent shell process. Two of these attributes matter for this topic. The first is the real UID of the process. This property is tied to the user, not to the program file: it is the UID of the user who runs the process. Normally, this value is stored in the user's record in /etc/passwd. The second is the effective UID of the process. For passwd, this represents the owner of the program file, and it is the identity that decides what the process may do. Generally, the effective UID of a process is the same as its real UID. But when a non-root user runs the passwd command, the two differ.

 2. Special features of the passwd file.

Before explaining how to grant root account permissions to other users, I would like to introduce the difference between the passwd command file and other files. The system administrator can run the commands shown in the figure to view the differences between the passwd program file and other program files (such as vi).



Comparing the attributes of the two files, you will find that one permission bit of the passwd file is shown as the special character s. This is the set bit of the owner identity, the set-user-ID bit (SUID). It can be used to change the permission mode of a general user. When a non-root user executes passwd to change the password of his account, the real UID is the user's own UID, that is, the UID of the user who runs the program. The effective UID is not: it is the root user, that is, the owner of the program file. Generally, the access and execution permissions of a process or command are determined not by the real UID but by the effective UID. Therefore, if the SUID bit s were not set, other users could not use this command. With it set, other users can also use the passwd command to change their own passwords. The SUID bit thus changes the permission mode of normal users: a process that only the root account could run is opened to other users.
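The SUID bit and the real/effective UID relationship described above can be checked with a short script. This is an added example, not code from the original article: it reads a file's mode bits, models the rule that a set-UID file gives the process its owner's UID as effective UID, and compares two constructed files. The function names and the /usr/bin paths are assumptions.

```python
import os
import stat
import tempfile


def describe(path):
    """Return the mode string, owner UID and set-UID flag of a program file."""
    st = os.stat(path)
    return {
        "mode": stat.filemode(st.st_mode),      # e.g. '-rwsr-xr-x'
        "owner_uid": st.st_uid,
        "suid": bool(st.st_mode & stat.S_ISUID),
    }


def effective_uid_after_exec(path, real_uid):
    """Model of the rule in the text: with the SUID bit set, the process runs
    with the file owner's UID as effective UID; otherwise effective == real.
    Simplification (assumption): ignores nosuid mounts and similar exceptions."""
    info = describe(path)
    return info["owner_uid"] if info["suid"] else real_uid


def find_suid(directory):
    """List set-UID regular files directly inside a directory (audit helper)."""
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            if entry.stat(follow_symlinks=False).st_mode & stat.S_ISUID:
                hits.append(entry.path)
    return sorted(hits)


def demo():
    """Build two constructed files, one with the SUID bit, and compare them."""
    with tempfile.TemporaryDirectory() as d:
        plain, suid = os.path.join(d, "plain_tool"), os.path.join(d, "suid_tool")
        for p, mode in ((plain, 0o755), (suid, 0o4755)):
            open(p, "w").close()
            os.chmod(p, mode)
        return describe(plain), describe(suid), [os.path.basename(p) for p in find_suid(d)]


if __name__ == "__main__":
    print("real UID:", os.getuid(), "effective UID:", os.geteuid())
    for row in demo():
        print(row)
    for path in ("/usr/bin/passwd", "/usr/bin/vi"):  # assumed paths, vary by system
        if os.path.exists(path):
            print(path, describe(path))
```

Running `find_suid` over directories such as the system's binary directories gives an inventory of programs that run with their owner's identity, which is the set worth reviewing when auditing delegated root permissions.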
