I. Introduction to sudo:
1. Concept:
Sudo is a common tool on Linux that lets ordinary users run commands with superuser privileges. It allows the system administrator to delegate some or all root commands, such as halt, reboot and su, to particular users. This reduces the time spent logged in and administering as root, and it also improves security. Sudo is not a substitute for a shell: it is applied to each command individually.
It has the following features:
1. sudo allows a user to run only certain commands, and only on certain hosts.
2. sudo writes detailed logs recording what each user has done, and the logs can be sent to a central host or log server.
3. sudo uses a timestamp file to implement a "ticket" system: when a user invokes sudo and enters the password, the user receives a ticket valid for 5 minutes (this value can be changed at compile time).
4. The sudo configuration file is /etc/sudoers and its mode must be 0440. It lets the system administrator manage user permissions and hosts centrally.
2. Editing the configuration file: visudo
Note: do not edit the sudo configuration file /etc/sudoers directly with vi (vi /etc/sudoers). The sudoers file has its own syntax, and editing and saving it with vi performs no syntax check, so a mistake can leave sudo unusable. Use the visudo command instead: visudo also calls vi for editing, but it checks the syntax when saving and prints a prompt if there is an error.
3. Syntax and parameters
sudo [ -Vhl LvkKsHPSb ] | [ -p prompt ] [ -c class | - ] [ -a auth_type ] [ -u username | #uid ] command
Parameters:
-V                 display the version number
-h                 display the version number and usage instructions
-l                 list the permissions of the current user (the user running sudo)
-v                 on the first run, or when sudo has not been used for N minutes (N defaults to 5), the password is asked for; this parameter re-validates the ticket, and once N minutes have passed the password is asked for again
-k                 expire the ticket, so that the next sudo invocation asks for the password (whether or not N minutes have passed)
-b                 execute the command in the background
-p prompt          change the password prompt; %u is replaced by the user's account name and %h by the host name
-u username|#uid   without this parameter the command runs as root; with it the command runs as username (#uid is the numeric user id of that user)
-s                 run the shell named by the SHELL environment variable, or the shell specified in /etc/passwd
-H                 set the HOME environment variable to the home directory of the user being switched to (root, if -u is not given)
command            the command to execute as the system administrator (or as the user given by -u)
II. Practical exercises
1. Define a user (tom) with the special permission to add users.
① Create tom and set a password for it
[root@localhost ~]# useradd tom
[root@localhost ~]# echo "tom" | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
② Modify the configuration file and grant tom the special permission useradd
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
tom     ALL=(root)      /usr/sbin/useradd
# Grant the permission. The full path /usr/sbin/useradd must be given for an ordinary user; use the which command to find a command's path.
## Allows members of the 'sys' group to run networking, software,
③ Switch to user tom to verify the special permission
[root@localhost ~]# su - tom      # switch user
[tom@localhost ~]$ sudo -l        # view this user's special permissions

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tom:          # the user's own password is verified, to make sure the user is the one operating
Matching Defaults entries for tom on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tom may run the following commands on this host:
    (root) /usr/sbin/useradd      # may run the useradd command as root
Tom runs useradd:
[tom@localhost ~]$ sudo /usr/sbin/useradd test1      # add user test1
[tom@localhost ~]$ tail -1 /etc/passwd
test1:x:501:501::/home/test1:/bin/bash                # added successfully
④ View the log /var/log/secure
Note: you must switch back to root to have permission to read the log.
[root@localhost ~]# tail /var/log/secure
Apr 5 13:55:58 localhost su: pam_unix(su-l:session): session opened for user tom by root(uid=0)
Apr 5 13:56:11 localhost su: pam_unix(su-l:session): session closed for user tom
Apr 5 13:56:17 localhost passwd: pam_unix(passwd:chauthtok): password changed for tom
Apr 5 13:56:17 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
Apr 5 13:56:23 localhost su: pam_unix(su-l:session): session opened for user tom by root(uid=0)
Apr 5 13:56:43 localhost sudo: tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=list      # tom ran the list command (sudo -l) as the administrator
Apr 5 14:00:50 localhost sudo: tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd test1      # tom ran useradd as the administrator to add user test1
Apr 5 14:00:50 localhost useradd[2128]: new group: name=test1, GID=501
Apr 5 14:00:50 localhost useradd[2128]: new user: name=test1, UID=501, GID=501, home=/home/test1, shell=/bin/bash
Apr 5 14:07:15 localhost su: pam_unix(su-l:session): session closed for user tom
This command log can later be used to check whether the host has been intruded, or to review which user logged in and used special permissions to run the wrong commands. For that reason the file should be monitored in real time.
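As an added example (not from the original post), the following Python parses sudo entries in the /var/log/secure format shown above and flags two things a reviewer wants to see: requests sudo rejected, and commands run outside the set tom is meant to have. The sample lines are constructed; the last two are invented to exercise the checks, and the allowed set is assumed to be the useradd/usermod/userdel commands used in this article.

```python
import re

# Constructed sample lines in the /var/log/secure format shown above
# (the last two entries are made up to exercise the checks).
SAMPLE_LOG = """\
Apr  5 13:56:43 localhost sudo:  tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=list
Apr  5 14:00:50 localhost sudo:  tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd test1
Apr  5 14:00:50 localhost useradd[2128]: new user: name=test1, UID=501, GID=501, home=/home/test1, shell=/bin/bash
Apr  5 14:03:12 localhost sudo:  tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/reboot
Apr  5 14:03:30 localhost sudo:  tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/groupadd admins
"""

# One sudo event per line. A reason such as "command not allowed" precedes
# the TTY field only when sudo rejected the request.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed policy: the commands tom is supposed to have (the article's
# useradd/usermod/userdel set); "list" is how this sudo logs "sudo -l".
ALLOWED = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel", "list"}


def parse_sudo_events(text):
    """Return one dict per sudo line; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["program"] = ev["cmd"].split()[0]
            events.append(ev)
    return events


def review(text, allowed=ALLOWED):
    """Flag rejected requests and commands outside the expected set."""
    findings = []
    for ev in parse_sudo_events(text):
        if ev["reason"]:
            findings.append(("denied", ev["user"], ev["cmd"]))
        elif ev["program"] not in allowed:
            findings.append(("unexpected", ev["user"], ev["cmd"]))
    return findings
```

Feeding the script `tail -f /var/log/secure` output line by line gives the real-time monitoring the paragraph asks for.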
⑤ Example of the -k parameter
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo -k                        # end the password validity period
[tom@localhost ~]$ sudo /usr/sbin/useradd test2
[sudo] password for tom:                          # once the validity period has ended, running a special command asks for the password again
[tom@localhost ~]$ tail -1 /etc/passwd
test2:x:502:502::/home/test2:/bin/bash            # test2 added successfully
2. Alias application
The sudoers file supports grouping similar objects with aliases: alias names must be written in uppercase letters, and the members of an alias are separated by commas.
Host_Alias: host alias
User_Alias: user alias
Runas_Alias: alias for the identities (users) a command may be run as
Cmnd_Alias: command alias
① Define aliases in the configuration file
[root@localhost ~]# visudo
Host_Alias USERHOSTS = 172.16.0.0/16, 127.0.0.0/8, 192.168.0.0/24
# Define the host alias: the machines on which the special commands may be run
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel
# Define the command alias
root ALL=(ALL) ALL
tom ALL=(root) USERADMIN
# Here tom may run every command in the alias USERADMIN
tom USERHOSTS=(root) USERADMIN
# Run the commands in USERADMIN on the machines in the alias USERHOSTS
Verification:
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo /usr/sbin/userdel -r test2      # delete user test2
[sudo] password for tom:
[tom@localhost ~]$ tail -1 /etc/passwd                  # deletion successful
test1:x:501:501::/home/test1:/bin/bash
② Forbid a user from performing a particular operation
tom ALL=(root) /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root
# tom may change passwords as root, but may not change the root password.
③ Let a privileged user run commands without a password
tom ALL=(root) /usr/sbin/useradd, NOPASSWD: /usr/sbin/userdel, /usr/sbin/groupdel, PASSWD: /usr/sbin/usermod, /usr/sbin/groupmod
# The password is required for /usr/sbin/useradd. /usr/sbin/userdel and /usr/sbin/groupdel may be run without a password (NOPASSWD applies to every command that follows it until the tag changes). /usr/sbin/usermod and /usr/sbin/groupmod require the password again. PASSWD and NOPASSWD cannot be used inside aliases!
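As an added example covering both ② and ③ above (not sudo's own code, and not from the original post), this Python models how sudo evaluates a command list: a PASSWD:/NOPASSWD: tag carries forward to the commands after it, a leading "!" denies a command, arguments in the spec are matched as a glob, and the last matching entry wins. The two spec strings are copied from the sudoers lines above; the matching logic is a simplified assumption about sudo's behaviour, not its implementation.

```python
import fnmatch

# Constructed spec strings copied from the two sudoers lines above. This is a
# simplified model of sudo's Cmnd_Spec matching, not sudo's own code.
PASSWD_SPEC = "/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root"
TAG_SPEC = ("/usr/sbin/useradd, NOPASSWD: /usr/sbin/userdel, /usr/sbin/groupdel, "
            "PASSWD: /usr/sbin/usermod, /usr/sbin/groupmod")


def parse_cmnd_list(spec):
    """Split a command list into (path, arg_pattern, negated, needs_passwd).

    A PASSWD:/NOPASSWD: tag applies to every following command until another
    tag changes it; the default is PASSWD. A leading '!' denies the command."""
    entries = []
    needs_passwd = True
    for item in spec.split(","):
        item = item.strip()
        if item.upper().startswith("NOPASSWD:"):
            needs_passwd = False
            item = item[len("NOPASSWD:"):].strip()
        elif item.upper().startswith("PASSWD:"):
            needs_passwd = True
            item = item[len("PASSWD:"):].strip()
        negated = item.startswith("!")
        path, _, args = item.lstrip("!").strip().partition(" ")
        # A spec without arguments accepts any arguments; with arguments,
        # the remainder is a glob matched against the requested arguments.
        entries.append((path, args.strip() or None, negated, needs_passwd))
    return entries


def evaluate(spec, command_line):
    """Return (allowed, needs_passwd) for a requested command line.

    As in sudo, the last matching entry wins, so a '!' entry placed after a
    broader pattern carves an exception out of it."""
    req_path, _, req_args = command_line.strip().partition(" ")
    req_args = req_args.strip()
    result = (False, True)
    for path, arg_pat, negated, needs_passwd in parse_cmnd_list(spec):
        if path != req_path:
            continue
        if arg_pat is not None and not fnmatch.fnmatchcase(req_args, arg_pat):
            continue
        result = (not negated, needs_passwd)
    return result
```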
Verification:
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo /usr/sbin/useradd test3
[sudo] password for tom:
[tom@localhost ~]$ sudo -k
[tom@localhost ~]$ sudo /usr/sbin/useradd test4
[sudo] password for tom:                              # useradd asks for the password every time
[tom@localhost ~]$ sudo -k
[tom@localhost ~]$ sudo /usr/sbin/userdel test3       # no password is asked for userdel: the NOPASSWD setting takes effect
[tom@localhost ~]$ tail -3 /etc/passwd
tom:x:500:500::/home/tom:/bin/bash
test1:x:501:501::/home/test1:/bin/bash
test4:x:503:503::/home/test4:/bin/bash
This concludes the description of the sudo command.
This article is from the "strabismus ceiling" blog; please keep this source when reproducing it: http://lemidi.blog.51cto.com/8601832/1390912