Initial use of sudo

Source: Internet
Author: User

sudo is a Linux system administration command: it lets the system administrator allow ordinary users to run some or all of the commands normally reserved for root, such as halt, reboot, su and so on. This not only reduces the time spent logged in as root for administration, but also improves security. sudo does not replace the shell; it is applied to each individual command.

The sudo configuration file is /etc/sudoers, whose entries have the following form:

    root    ALL=(ALL) ALL                                        # the root user may run any command as any user on any host
    %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom  # members of the users group may mount and unmount the CD-ROM as the administrator

sudoers supports grouping objects of the same kind with aliases; alias names must be written in capital letters:

    Host_Alias   which hosts

    User_Alias   which users

    Runas_Alias  which identities (target users) the command is run as

    Cmnd_Alias   which commands may be used


Using sudo as an authorized user:

    $ sudo -l          view the permissions that sudoers grants you

    $ sudo command     run a command with sudo


Syntax

    sudo [-bhHpV] [-s] [-u <user>] [command]   or   sudo [-klv]

Parameters

-b   run the command in the background.

-h   display help.

-H   set the HOME environment variable to that of the new identity.

-k   expire the cached password, so that the next sudo asks for the password again.

-l   list the commands the current user may and may not run.

-p   change the prompt used to ask for the password.

-s   run the specified shell.

-u <user>   run with the specified user as the new identity; without this parameter the new identity defaults to root.

-v   extend the password timeout by another 5 minutes.

-V   display version information.

-S   read the password from standard input instead of the terminal.


Cases:

1. Let user tom run the useradd command as the administrator on all hosts, and use it to add user jerry.

As the root user:

    # which useradd
    /usr/sbin/useradd
    # passwd tom              # set a password for tom
    # visudo
    tom ALL=(root) /usr/sbin/useradd

Open another terminal and log in as tom:

    $ sudo -l                 # as a non-root user, this lists the commands you may run as another user
    [sudo] password for tom:
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd
    $ sudo /usr/sbin/useradd jerry
    $ tail /etc/passwd
    tom:x:501:501::/home/tom:/bin/bash
    jerry:x:502:502::/home/jerry:/bin/bash

Back in the first terminal, as root:

    # tail /var/log/secure    # check the log file; only root may read it
    Mar 10:34:11 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=list
    Mar 10:34:15 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd jerry
    Mar 10:34:15 sange useradd[11625]: new group: name=jerry, GID=502
    Mar 10:34:15 sange useradd[11625]: new user: name=jerry, UID=502, GID=502, home=/home/jerry, shell=/bin/bash

2. Add a useradmins group, so that tom and jerry can use the administrative commands.

    # groupadd useradmins
    # usermod -a -G useradmins tom
    # usermod -a -G useradmins jerry
    # passwd jerry            # set a password for jerry

Open another terminal and log in as jerry:

    $ sudo -l
    [sudo] password for jerry:          # jerry has no permissions yet
    Sorry, user jerry may not run sudo on sange.
    $ sudo /usr/sbin/useradd user1
    [sudo] password for jerry:
    jerry is not in the sudoers file.  This incident will be reported.

Back in the root terminal:

    # tail /var/log/secure
    Mar 10:51:18 sange sudo: jerry : command not allowed ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=list
    Mar 10:51:47 sange sudo: jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1
    You have new mail in /var/spool/mail/root
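As an added example that is not from the post, the following parser reads sudo entries of the shape shown above from /var/log/secure and separates allowed invocations from the denied ones ("command not allowed", "user NOT in sudoers") that an administrator would want to review; the log lines are constructed here in sudo's default syslog format, with the post's host name and users.

```python
import re

# Constructed sample in the shape of this post's /var/log/secure output
# (day-of-month added to give the real syslog timestamp format).
SAMPLE_LOG = """\
Mar  9 10:34:11 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=list
Mar  9 10:34:15 sange sudo:   tom : TTY=pts/2 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd jerry
Mar  9 10:34:15 sange useradd[11625]: new user: name=jerry, UID=502, GID=502, home=/home/jerry, shell=/bin/bash
Mar  9 10:51:18 sange sudo: jerry : command not allowed ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=list
Mar  9 10:51:47 sange sudo: jerry : user NOT in sudoers ; TTY=pts/4 ; PWD=/home/jerry ; USER=root ; COMMAND=/usr/sbin/useradd user1
You have new mail in /var/spool/mail/root
"""

# A sudo log line: timestamp, host, "sudo:", user, an optional denial reason,
# then the TTY/PWD/USER/COMMAND fields separated by " ; ".
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_sudo_log(text):
    """Return one dict per sudo line; other lines (useradd, mail notice) are skipped.
    'reason' is None when sudo allowed the command and the denial text otherwise."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def denied(events):
    """The events worth alerting on: sudo refused to run the command."""
    return [e for e in events if e["reason"] is not None]


def summarize(text):
    """Per-user counts of allowed and denied sudo invocations."""
    counts = {}
    for e in parse_sudo_log(text):
        c = counts.setdefault(e["user"], {"allowed": 0, "denied": 0})
        c["denied" if e["reason"] else "allowed"] += 1
    return counts


if __name__ == "__main__":
    for e in denied(parse_sudo_log(SAMPLE_LOG)):
        print(f"{e['ts']} {e['user']} -> {e['reason']}: {e['cmd']}")
    print(summarize(SAMPLE_LOG))
```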

If granting permissions to each user individually is too cumbersome, and we want several users to have the same permissions at once, use a group entry:

    # visudo
    tom         ALL=(root) /usr/sbin/useradd
    %useradmins ALL=(root) /usr/sbin/useradd

In jerry's terminal:

    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd

In tom's terminal:

    $ sudo -l
    [sudo] password for tom:
    Sorry, user tom may not run sudo on sange.

Not sure why this happens; just open another terminal. (Supplementary group membership is determined at login, so tom's existing session does not yet belong to useradmins; a fresh login picks up the new group.)

Open another terminal and log in as tom:

    $ sudo -l
    [sudo] password for tom:
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd

3. Using command aliases

As the root user:

    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    %useradmins ALL=(root) USERADMIN

In the tom terminal that was just opened:

    $ sudo -l
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel

In jerry's terminal:

    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    $ sudo /usr/sbin/userdel user3

4. User aliases

In the root terminal:

    # useradd admin
    # passwd admin            # set a password for admin
    # visudo
    Cmnd_Alias USERADMINCMNDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel
    User_Alias USERADMINS = tom, jerry, admin
    USERADMINS ALL=(root) USERADMINCMNDS

In tom's terminal:

    $ sudo -l
    User tom may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel

In jerry's terminal:

    $ sudo -l
    [sudo] password for jerry:
    User jerry may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel

In admin's terminal:

    $ sudo -l
    [sudo] password for admin:
    User admin may run the following commands on this host:
        (root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel

5. Host aliases

In the root terminal:

    # visudo
    Host_Alias USERHOSTS = 192.168.0.0/24    # every host in this network segment may be used

6. Note

How to add passwd to the end of the command list.

In the root terminal:

    # visudo
    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd

After this change, the users defined in sudoers can change anyone's password, even the administrator's, which is too dangerous. So I add a restriction to the entry:

    Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root

Now no other user can change the root password.

In tom's terminal:

    $ sudo /usr/bin/passwd jerry
    Changing password for user jerry.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [tom@sange ~]$ sudo /usr/bin/passwd root
    Sorry, user tom is not allowed to execute '/usr/bin/passwd root' as root on sange.com.
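As an added example that is not from the post (and not sudo's own code), the following toy evaluator applies the sudoers matching rules used in cases 2, 3, 4 and 6 (Cmnd_Alias and User_Alias expansion, %group entries, wildcard arguments, "!" negation, last match wins) to a constructed sudoers text that combines those cases, so the passwd restriction above can be checked offline; host matching is ignored, and the group membership is a constructed stand-in for /etc/group.

```python
import fnmatch
import re

# Constructed sudoers text combining this post's cases: the %useradmins entry (case 2),
# Cmnd_Alias/User_Alias (cases 3 and 4) and the passwd exception (case 6).
SUDOERS = r"""
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, \
    /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
User_Alias USERADMINS = tom, jerry, admin
root ALL=(ALL) ALL
%useradmins ALL=(root) /usr/sbin/useradd
USERADMINS ALL=(root) USERADMIN
"""
GROUPS = {"useradmins": {"tom", "jerry"}}  # constructed membership for %group entries

def parse(text):  # -> (cmd_aliases, user_aliases, rules); each rule is (who, runas, [cmd, ...])
    cmd_aliases, user_aliases, rules = {}, {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join "\"-continued lines
        line = line.split("#", 1)[0].strip()
        if line.startswith(("Cmnd_Alias", "User_Alias")):
            kind, rest = line.split(None, 1)
            name, body = (s.strip() for s in rest.split("=", 1))
            (cmd_aliases if kind == "Cmnd_Alias" else user_aliases)[name] = [s.strip() for s in body.split(",")]
        elif line:  # "who host=(runas) cmd, cmd, ..."; the host part is parsed but not matched here
            m = re.match(r"(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.+)$", line)
            rules.append((m.group(1), m.group(3), [s.strip() for s in m.group(4).split(",")]))
    return cmd_aliases, user_aliases, rules

def expand(items, aliases):  # replace alias names by their members, recursively, keeping order
    return [x for i in items for x in (expand(aliases[i], aliases) if i in aliases else [i])]

def command_allowed(specs, command):
    """Entries are checked in order and the last match wins; a leading '!' denies. A bare
    path matches any arguments; a path with arguments is matched as one string with shell
    wildcards (the sudoers manual warns that '*' also spans spaces), which is why the
    '[a-zA-Z0-9]*' entry matches 'root' too and needs the later explicit '!' entry."""
    verdict = False
    for spec in specs:
        negated, pat = spec.startswith("!"), spec.lstrip("!")
        if pat in ("ALL", command) or (" " not in pat and command.startswith(pat + " ")) \
                or fnmatch.fnmatchcase(command, pat):
            verdict = not negated
    return verdict

def may_run(sudoers, user, runas, command):  # may `user` run `command` as `runas`?
    cmd_aliases, user_aliases, rules = parse(sudoers)
    applicable = []
    for who, ru, cmds in rules:
        ok = user in GROUPS.get(who[1:], ()) if who.startswith("%") else user in expand([who], user_aliases)
        if ok and ru in ("ALL", runas):
            applicable += expand(cmds, cmd_aliases)
    return command_allowed(applicable, command)
```

For example, may_run(SUDOERS, "tom", "root", "/usr/bin/passwd root") is False while the same call with "/usr/bin/passwd jerry" is True, matching the two sudo runs shown above.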


This article is from the "Third Brother" blog; please keep this source when reposting: http://523958392.blog.51cto.com/9871195/1628145
