Introduction to the SU and sudo commands

I. Introduction and usage of the SU command

1. Introduction to the SU command

Su is used for switching between users. However, the previous user remains in the login state. This toggle requires password authentication if the superuser switches to normal or virtual users without a password, while the normal user switches to any other user.

2. Common usage Description

Ordinary users do not add parameters and use parameters when using the SU command-the result is different:

• Su without any parameters, the default is to switch to the root user, here needs to enter the root user's password, but did not go to the root user home directory, that is, although the switch to the root user, but did not change to the root login environment;

• Su plus parameter-, which means to switch to the root user by default, and change to the root user's environment;

3. Deficiencies

• is not safe, SU tools in multi-participant system management, is not the best choice, su only for one or two people to participate in the management system, after all, SU does not allow ordinary users limited use; Root password should be in the hands of a small number of users.

• If a user needs to use root privileges, they must tell the user the root password.

Ii. sudo command introduction

1. Introduction

The sudo command is a privilege management mechanism that allows an administrator to authorize some ordinary user to perform some root operations without needing to know the root password, which relies on the/etc/sudoers file. This file can be delegated to the user on that host to be able to execute as administrator what kind of management command, and is limited. This file is equivalent to an authorization form.

2. Main Features

• Ability to restrict specified users from running certain commands on the specified host.

• Logs can be provided, faithfully documenting what each user has done with sudo, and able to upload logs to a central host or log server.

• Provides a configuration file for system administrators that allows system administrators to centrally manage user permissions and hosts used by users. Its default storage location is/etc/sudoers.

• Use a timestamp file to complete a system like "wicket". When the user executes sudo and enters the password, the user obtains a "ticket" with a default survival period of 5 minutes (the default value can be changed at compile time). After the timeout, the user must re-enter the password.

3. Common parameters

-B executes the instruction in the background.

-H sets the home variable to the home directory of the target user.

-K The expiration of the password, which is required to enter the password the next time the sudo is executed.

-l lists instructions that are currently available to users and cannot be executed.

-p Change the hint symbol to ask for the password.

-S executes the specified shell.

-U takes the specified user as the new identity. If this parameter is not added, the default is the new identity as root.

4./etc/sudoers File Description

Before we edit this file, we'll look at the permissions for this file:

[Email protected] ~]# ll/etc/sudoers-r--r-----. 1 root root 4002 March 2 2012/etc/sudoers

By viewing the file permissions we found that the default file root does not have write permissions, but can still use the VIM editor to edit this file, in order to avoid syntax errors here is not recommended to use the VIM editor to modify this file. The system installs the sudo command by default with the command Visudo, which is used to edit this file, using this command to edit the benefits once your grammar is incorrectly written, this tool will check the correctness of your written grammar.

When you use the Visudo command to edit a configuration file, the default file has the following statement, which means:

Root all= (All) all

Root root user

All on the host can be

(all) is executed in whose capacity, all means that root can execute the command in anyone's capacity

All the commands

Then the whole rule is that the root user can execute all commands in any host as anyone, that is, without qualification.

By the above instructions we can simply authorize a user to execute some commands as root, separated by commas and spaces between multiple commands:

Simple Application Examples:

Define user Bols can execute useradd,usermod,userdel three commands as root:

Bols aal= (Root)/usr/sbin/useradd,/usr/sbin/usermod,/usr/sbin/userdel

Define user Bols can execute the useradd, usermod, userdel three commands, while You can not enter the password :

Bols all= (Root) Nopasswd:/usr/sbin/useradd,/usr/sbin/usermod,/usr/sbin/userdel

In the above executable command added the passwd Change Password command, did not avoid the change root password phenomenon, it is set to prohibit the root password change:

Bols all= (Root) Nopasswd:/usr/sbin/useradd,/usr/sbin/usermod,/usr/sbin/userdel,/USR/BIN/PASSWD,!/usr/bin/passwd Root

5. Define the commands that the ordinary user can execute by means of aliases

1) Configure Host_alias: Is the list of hosts

Host_alias HOSTS = hostname1, hostname2, Hostname3

2) Configure Cmnd_alias: Is the list of commands that are allowed to execute

Cmnd_alias usercmd = Command1, Command2, Command3

3) Configure User_alias: Is the list of users with sudo permissions

User_alias useradmin = user1, User2, User3

4) Configure Runas_alias: is a list of what the user is doing (such as root, or Oracle, etc.)

Runas_alias ADMIN = Operator1, Operator2, Operator3

Note: We generally use uppercase when defining aliases.

Examples of applications defined by aliases:

Host_alias HOSTS = 192.168.0.0/16cmnd_alias Usercmd =/usr/sbin/*,/sbin/*,!/usr/sbin/passwd,!/usr/sbin/userdel Us Er_alias useradmin = Bols, Canglsrunas_alias ADMIN = rootuseradmin hosts= (admin) usercmd

The meaning of this definition is that user Bols,cangls can run/usr/sbin/and/sbin/as root on the 192.168.0.0/16 network segment. All the commands except passwd and Userdel.

Note: The command must use absolute paths to avoid the execution of commands with the same name in other directories, thus creating a security risk.

6. Sudo log management

sudo can record which commands are run by each user. However, these need to be properly configured for /etc/sudoers and /etc/rsyslog.conf files. Here's how:

First the log system configuration file was added as follows:

[Email protected] ~]# vim/etc/rsyslog.conf Local2.debug/var/log/sudo.log

Then use the Visudo name order at the end of the /etc/sudoers file to add the following:

Defaults Logfile=/var/log/sudo.log

Finally restart the log system:

[Email protected] ~]#/etc/init.d/rsyslog restart

After the normal user executes several statements using the sudo command, view the sudo log file to get the following log information:

[Email protected] ~]# Cat/var/log/sudo.log 6 22:40:05:bols:tty=pts/2; Pwd=/home/bols;    User=root; Command=/usr/sbin/useradd Longlsaug 6 22:40:41:BOLS:TTY=PTS/2; Pwd=/home/bols;    User=root; Command=/usr/sbin/useradd Longlsaug 6 22:41:15:BOLS:TTY=PTS/2; Pwd=/home/bols;    User=root; Command=/usr/sbin/useradd Xiaozels

This article is from the "Bread" blog, make sure to keep this source http://cuchadanfan.blog.51cto.com/9940284/1682432

Introduction to the SU and sudo commands