sudo is a Linux system administration command. It lets the system administrator allow ordinary users to run some or all commands as root, such as halt, reboot, su and so on. This not only reduces the time spent logging in and working as root, it also improves security. sudo is not a replacement for the shell: it is applied to each individual command.
sudo is configured in /etc/sudoers. Each entry has the form "who  where=(as whom)  what", for example:

    root    ALL=(ALL) ALL                                         # root may run any command as any user on any host
    %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom   # members of the users group may mount and unmount the CD-ROM as root on any host

(A leading % marks a Unix group rather than a user; when the "(as whom)" part is omitted the command runs as root.)
sudoers supports grouping objects of the same kind with aliases. Alias names must be written in upper case (upper-case letters, digits and underscores, starting with a letter):
    Host_Alias    on which hosts
    User_Alias    which users
    Runas_Alias   as which identities the command may be run
    Cmnd_Alias    which commands
On the side of the authorized user:
    $ sudo -l          shows the permissions sudoers grants you
    $ sudo command     runs command with those permissions
Syntax
    sudo [-bhHpV] [-s] [-u <user>] [command]   or   sudo [-klv]
Options
    -b         run the command in the background.
    -h         display help.
    -H         set the HOME environment variable to the home directory of the target user.
    -k         invalidate the cached credentials (the timestamp), so the next sudo asks for the password again.
    -l         list the commands the current user may and may not run, without running anything.
    -p         change the prompt used to ask for the password.
    -s         run a shell (the one in $SHELL, or the target user's login shell).
    -u <user>  run the command as the given user; without this option the target user is root.
    -v         refresh the cached credentials (extends the timestamp, 5 minutes by default) without running a command.
    -V         display version information.
    -S         read the password from standard input instead of the terminal.
Examples:
1. Let tom run useradd as root on all hosts, so that he can add the user jerry
As root:
    # which useradd
    /usr/sbin/useradd
    # passwd tom          (set a password for tom)
    # visudo
    tom ALL=(root) /usr/sbin/useradd
Open a new terminal and log in as tom:
    $ sudo -l             # shows which commands you may run as other users
    [sudo] password for tom:
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd
    $ sudo /usr/sbin/useradd jerry
    $ tail /etc/passwd
    tom:x:501:501::/home/tom:/bin/bash
    jerry:x:502:502::/home/jerry:/bin/bash
Back in the root terminal:
    # tail /var/log/secure     # check the log; only root can read this file
    Mar 10:34:11 sange sudo: tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=list
    Mar 10:34:15 sange sudo: tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd jerry
    Mar 10:34:15 sange useradd[11625]: new group: name=jerry, GID=502
    Mar 10:34:15 sange useradd[11625]: new user: name=jerry, UID=502, GID=502, home=/home/jerry, shell=/bin/bash
Every sudo invocation is recorded with the invoking user, TTY, working directory, target user and command; the COMMAND=list record is the sudo -l call.
2. Add a group useradmins so that tom and jerry can both use the administrative commands
    # groupadd useradmins
    # usermod -a -G useradmins tom
    # usermod -a -G useradmins jerry
    # passwd jerry        (set a password for jerry)
Open another terminal and log in as jerry:
    $ sudo -l
    [sudo] password for jerry:         # jerry has no permissions yet
    Sorry, user jerry may not run sudo on sange.
    $ sudo /usr/sbin/useradd user1
    [sudo] password for jerry:
    jerry is not in the sudoers file.  This incident will be reported.
Back in the root terminal:
    # tail /var/log/secure
    Mar 10:51:18 sange sudo: jerry : command not allowed ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=list
    Mar 10:51:47 sange sudo: jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1
    You have new mail in /var/spool/mail/root
The "incident will be reported" mail is what has just arrived in root's mailbox: by default sudo mails root when a user who is not in sudoers tries to use it.
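The records above are the ones to watch when sudo rights are delegated: who was refused, why, and who actually ran which administrative command. As an added example, not part of the original post, here is a small shell triage over sudo records in the /var/log/secure format shown above. The sample lines are constructed from the messages in the post (it never shows the day of the month, so none is given), and the function names are this example's own:

```shell
#!/bin/sh
# Added example (not from the original post): triage of sudo records in the
# /var/log/secure format. SAMPLE_LOG is constructed from the messages shown in
# the post; the function names are this example's own choices.
SAMPLE_LOG='Mar 10:34:11 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=list
Mar 10:34:15 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd jerry
Mar 10:51:18 sange sudo: jerry : command not allowed ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=list
Mar 10:51:47 sange sudo: jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1'

# Denied attempts, one per line as "user<TAB>reason<TAB>command". sudo writes
# the reason between the user name and "TTY=": "command not allowed" means the
# user has sudoers entries but none matches this command, "user NOT in sudoers"
# means there is no entry at all. "N incorrect password attempts" uses the same
# layout and is caught as well.
sudo_denials() {
    awk '/ sudo: / && (/ : command not allowed ;/ || / : user NOT in sudoers ;/ || / : [0-9]+ incorrect password attempts ;/) {
        user = $0;   sub(/.* sudo: +/, "", user);            sub(/ : .*/, "", user)
        reason = $0; sub(/.* sudo: +[^ ]+ : /, "", reason);  sub(/ ;.*/, "", reason)
        cmd = $0;    sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\t%s\n", user, reason, cmd
    }'
}

# Denied attempts per user, as "user count", for an alerting threshold.
sudo_denials_per_user() {
    sudo_denials | cut -f1 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Successful runs of real commands, as "user<TAB>command". A successful record
# has "TTY=" directly after the user name (no reason field); "sudo -l" is
# logged as COMMAND=list and is skipped. This is the list to review when
# account-management rights are delegated: who created or changed what.
sudo_commands_run() {
    awk '/ sudo: / && / : TTY=/ && !/COMMAND=list$/ {
        user = $0; sub(/.* sudo: +/, "", user); sub(/ : .*/, "", user)
        cmd = $0;  sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\n", user, cmd
    }'
}

# Usage on the constructed sample (on a real host, as root: sudo_denials < /var/log/secure):
#   printf '%s\n' "$SAMPLE_LOG" | sudo_denials
#   printf '%s\n' "$SAMPLE_LOG" | sudo_denials_per_user
#   printf '%s\n' "$SAMPLE_LOG" | sudo_commands_run
```

On the sample this reports two denials for jerry ("command not allowed" for the sudo -l, "user NOT in sudoers" for the useradd) and one successful delegated command, tom's /usr/sbin/useradd jerry. On a real system feed it /var/log/secure (or the journal output of sudo) rather than the sample.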
Granting each user individually is tedious when several users should have the same permissions, so grant them to the group instead:
    # visudo
    replace
    tom ALL=(root) /usr/sbin/useradd
    with
    %useradmins ALL=(root) /usr/sbin/useradd
In jerry's terminal:
    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd
In tom's terminal:
    $ sudo -l
    [sudo] password for tom:
    Sorry, user tom may not run sudo on sange.
The reason is that a process's group list is fixed at login: tom's terminal was opened before usermod added him to useradmins, so that shell still has his old supplementary groups, the %useradmins rule does not match it, and the per-user rule for tom has just been removed. Logging in again picks up the new group.
Open a new terminal and log in as tom:
    $ sudo -l
    [sudo] password for tom:
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd
3. Using a command alias
As root:
    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    %useradmins ALL=(root) USERADMIN
In the tom terminal opened just now:
    $ sudo -l
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In jerry's terminal:
    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    $ sudo /usr/sbin/userdel user3
Keep in mind that this set of commands is root in all but name: with useradd a member can run useradd -o -u 0 to create a second UID 0 account, and with usermod can add any account to any group (usermod -a -G wheel ...). Treat everyone who receives USERADMIN as an administrator.
4. User alias
In the root terminal:
    # useradd admin
    # passwd admin        (set a password for admin)
    # visudo
    Cmnd_Alias USERADMINCMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    User_Alias USERADMINS = tom, jerry, admin
    USERADMINS ALL=(root) USERADMINCMNDS
In tom's terminal:
    $ sudo -l
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In jerry's terminal:
    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
In admin's terminal:
    $ sudo -l
    [sudo] password for admin:
    User admin may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
5. Host alias
In the root terminal:
    # visudo
    Host_Alias USERHOSTS = 192.168.0.0/24     # every host in this subnet
A Host_Alias only matters when the same sudoers file is distributed to several machines: each host compares the entry against its own host name and IP addresses, so on a single machine ALL and an alias naming that machine behave the same.
6. Wildcards and negation
How to add passwd to the end of the command list
In the root terminal:
    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd
After this change the users covered by the sudoers rule can change anyone's password, including the administrator's, which is far too dangerous. So restrict the argument:
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root
Now no other user can change root's password: when several entries match, the last one wins, so the ! entry overrides the wildcard for "passwd root". The pattern also requires at least one character, so a bare "sudo passwd" (which, running as root, would change root's password) does not match either.
One caveat from the sudoers manual: command-line arguments are matched as a single space-joined string, and * matches spaces as well, so a wildcard can permit more words than intended ("passwd jerry root" matches the wildcard entry and is not the string the ! entry names). Subtracting commands with ! is therefore a weak control; where the arguments matter, validate them in a wrapper script and grant that script instead.
In tom's terminal:
    $ sudo /usr/bin/passwd jerry
    Changing password for user jerry.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [tom@sange ~]$ sudo /usr/bin/passwd root
    Sorry, user tom is not allowed to execute '/usr/bin/passwd root' as root on sange.com.
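The rules built up by hand in visudo in sections 3 to 6 can be shipped as one drop-in file. The script below is an added example, not from the original post: it renders that policy for /etc/sudoers.d/, syntax-checks it with visudo -c before installing, and emulates the argument matching of the two passwd entries so the wildcard caveat can be seen without touching a real system. The drop-in file name useradmins, the function names and the install procedure are this example's choices, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the policy from
# sections 3-6 as a drop-in for /etc/sudoers.d/, checks it with visudo -c
# before installing, and emulates how sudoers matches the passwd entries.
# The drop-in name "useradmins" and the function names are this example's own.

# The policy: alias names are upper case, the argument pattern permits
# "passwd <name>", and the later "!" entry takes "passwd root" away again.
render_useradmins_policy() {
    cat <<'EOF'
# Account administration delegated to USERADMINS (managed file)
Host_Alias  USERHOSTS      = 192.168.0.0/24
User_Alias  USERADMINS     = tom, jerry, admin
Cmnd_Alias  USERADMINCMNDS = /usr/sbin/useradd, /usr/sbin/usermod, \
                             /usr/sbin/userdel, /usr/sbin/groupadd, \
                             /usr/sbin/groupdel, \
                             /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root
USERADMINS  USERHOSTS = (root) USERADMINCMNDS
EOF
}

# Syntax-check a rendered file with "visudo -c -f" without touching
# /etc/sudoers. Returns visudo's status; returns 2 when visudo is missing so
# a caller cannot mistake "could not check" for "checked OK".
check_policy() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# Install as root: write to a temp file, check it, then put it in place with
# the owner and mode sudo insists on (root:root, 0440). Needs an
# "#includedir /etc/sudoers.d" line in /etc/sudoers, which most
# distributions ship by default.
install_useradmins_policy() {
    dest="${1:-/etc/sudoers.d/useradmins}"
    [ "$(id -u)" -eq 0 ] || { echo "install needs root" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_useradmins_policy >"$tmp"
    chmod 0440 "$tmp"
    if ! check_policy "$tmp"; then
        echo "refusing to install: visudo rejected $tmp or is unavailable" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0440 -o root -g root "$tmp" "$dest" && rm -f "$tmp"
}

# Emulate the two passwd entries above for one argument string the way
# sudoers evaluates them: the arguments are matched as ONE space-joined
# string, "*" also matches spaces, and the LAST matching entry wins.
# Prints "allow" or "deny".
match_passwd_args() {
    args="$1"
    verdict=deny                              # nothing matched: not permitted
    case "$args" in
        [A-Za-z0-9]*) verdict=allow ;;        # /usr/bin/passwd [A-Za-z0-9]*
    esac
    case "$args" in
        root) verdict=deny ;;                 # !/usr/bin/passwd root, listed later
    esac
    printf '%s\n' "$verdict"
}

# Usage: sh this_script.sh render            (print the policy)
#        sh this_script.sh install [dest]    (as root: check and install it)
case "${1:-}" in
    render)  render_useradmins_policy ;;
    install) install_useradmins_policy "${2:-}" ;;
esac
```

The emulation gives allow for jerry, deny for root, deny for an empty argument and deny for "-d root" (a leading "-" is outside the character class), but allow for "jerry root": sudoers accepts that string because it matches the wildcard entry and is not the exact string the ! entry names. What passwd then does with two names is up to passwd, which is exactly why the manual recommends argument validation in a wrapper script over wildcards plus !.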
This article is from the "three elder brother" blog; please keep this source: http://523958392.blog.51cto.com/9871195/1628145
Initial use of sudo