Linux sudo command for centralized privilege management (controlled privilege escalation) to prevent super-privilege flooding

Source: Internet
Author: User

sudo summary
1. Alias names must be written in uppercase.
2. Long lines are continued with "\".
3. Use a whitelist policy: try not to grant all permissions (start from a closed, deny-by-default posture).
4. Put forbidden entries last and allowed entries first: in the sudoers configuration file the last matching entry wins, so matching is effectively from back to front.
5. Every member listed must exist (the user must exist on the system).
6. "!" marks a forbidden (denied) command.
7. Commands, members, groups and so on are separated by "," (comma).
8. A group name must be prefixed with "%".

su command disadvantages
1. Ordinary users need to know the root password and switch to the root user in order to use root (super) privileges.
2. An ordinary user who has switched to root can change the root password.
3. Super privileges flood across many people, which makes human error easy and can lead to system crashes or data loss.
4. Suggestion: in a small or medium-sized company with no more than 3 administrators, using su for routine management is acceptable for the sake of convenience. (The more people involved, the greater the probability of human error.)

sudo command advantages
1. Ordinary users do not need to know the root password.
2. Super privileges can be used without switching to the root user.
3. It is possible to control exactly which super privileges a user has (authorization, delegation of power).
4. Permissions can be managed at a fine granularity, preventing super-privilege overflow; for example, permissions can be classified so that different departments use different super privileges, opening to each department only the super privileges it needs to complete its own work.

sudo command principle

Parameters of sudo
-l: view the current user's own sudo permissions

$ sudo -l
用户 YWchuji01 可以在该主机上运行以下命令:
    (root) /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname,
    /sbin/ifconfig, /bin/netstat, /sbin/route

-u: run the specified command as a particular user (the role; used when several roles are configured)

-k: delete the timestamp so that the next sudo command asks for the password again; this only applies when the user's authorization does not carry the "NOPASSWD:" parameter. The timestamp also expires on its own, by default after 5 minutes.

visudo -c: check the syntax of the /etc/sudoers configuration file (when you edit with visudo the syntax is checked automatically; if you edit with another editor such as vi/vim you must run visudo -c yourself, because a syntax error makes the sudoers file invalid and sudo becomes unavailable for all users).

# visudo -c
/etc/sudoers:解析正确

sudo configuration file
If the servers in a cluster share a single sudoers configuration file, it can be pushed to every server with distribution (configuration management) software.
Authorization lines:

oldboy  ALL=(ALL)       /usr/sbin/useradd
root    ALL=(ALL)       NOPASSWD: ALL

user/group/User_Alias  machine/Host_Alias = (role/Runas_Alias)  command/Cmnd_Alias

User/group/alias: the user, group or user alias being authorized; a group name must be prefixed with "%".
Machine (hostname): the hosts on which the sudo permission applies; ALL matches all hosts and is what is generally used.
Role: the user whose identity the sudo command runs under, that is, the user whose rights are delegated; usually root, but another user or several users can be specified; ALL matches all users.
Command: the super-privileged command granted to the user, which must be given as an absolute path; wildcard patterns can also be used in the definition, for example /usr/bin/passwd [A-Za-z]* (may change user passwords, but only for users whose names consist of letters).

Example:

# visudo
User_Alias  CJYW=%YWCHUJI,YWchuji01,YWchuji02
Runas_Alias OP=root
Cmnd_Alias  CJYW_CMD=/usr/bin/free,/usr/bin/iostat,/usr/bin/top,/bin/hostname,/sbin/ifconfig,!/bin/netstat,!/sbin/route
CJYW  ALL=(OP)  CJYW_CMD
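As an added example (my own illustration, not code from the original page and not sudo's own parser), the following Python script parses a constructed sudoers fragment written in the style of the example above and reproduces the rule from the summary that the last matching entry wins, which is why "!" entries belong after the allowed ones. The user "helpdesk" is hypothetical; it carries the /usr/bin/passwd [A-Za-z]* pattern from the configuration section, and the script shows that this pattern also matches "passwd root" unless a trailing !/usr/bin/passwd root denies it.

```python
import re
from fnmatch import fnmatchcase

# Constructed sudoers fragment in the page's style (not a real server's file): allowed commands
# first, forbidden ("!") ones last. "helpdesk" is a hypothetical user added for the passwd case.
SUDOERS = """
User_Alias  CJYW = %YWCHUJI, YWchuji01, YWchuji02
Runas_Alias OP = root
Cmnd_Alias  CJYW_CMD = /usr/bin/free, /usr/bin/top, /sbin/ifconfig, !/bin/netstat, !/sbin/route
CJYW     ALL = (OP)   CJYW_CMD
helpdesk ALL = (root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

def parse(text):
    """Return (aliases, rules); a rule is (who, runas, [command specs]) in file order."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?:User|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)$", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*\((\S+)\)\s*(?:NOPASSWD:\s*)?(.*)$", line)
        if m:
            rules.append((m.group(1), m.group(2), [x.strip() for x in m.group(3).split(",")]))
    return aliases, rules

def expand(name, aliases):
    """Resolve one alias level: an alias name becomes its member list, anything else stays."""
    return aliases.get(name, [name])

def user_matches(who, user, groups, aliases):
    """The rule's user field matches a plain user name or, with a "%" prefix, one of the user's groups."""
    return any(e == user or (e.startswith("%") and e[1:] in groups) for e in expand(who, aliases))

def allowed(user, groups, command, aliases, rules):
    """Simulate sudo's decision: scan every rule and keep the LAST matching command spec.
    "ALL" matches any command; a leading "!" denies. Simplified: fnmatch stands in for glob(3)."""
    verdict = None  # None means no rule matched at all, i.e. sudo refuses
    for who, runas, specs in rules:
        if not user_matches(who, user, groups, aliases):
            continue
        for spec in (s for name in specs for s in expand(name, aliases)):
            deny = spec.startswith("!")
            pattern = spec.lstrip("!")
            if pattern == "ALL" or fnmatchcase(command, pattern):
                verdict = not deny
    return verdict
```

Swapping the two passwd entries makes the allow entry match last and win again, so the order of entries in the file is part of the policy.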
