LinuxSudo command and its configuration file/etc/
SudoersPair
LinuxSome people will know about the sudo command. The core idea of The sudo command is to grant permissions, that is, the user of a command is not yourself, but you have the permission to execute it. However, although you have the permission to execute this command, it is still executed by the user of this command. [Note 1]. (The su command is similar to the sudo command, but the difference between the two is that Su is a coarse-grained permission assignment, and www.2cto.com has the best understanding of Su. I think it is change user running command permanent. That is to say, the su user is switched permanently to the previous user, and then the new user from the su will do everything it can do, sudo refers to the user that temporarily switches to the command owner when executing a command to execute [NOTE 1], and sudo can grant permissions to other users in the unit of a single command, it is more flexible than Su .) I know about sudo. Do you know how to configure sudo? The following is a brief description: configure the sudo configuration file in/etc/
SudoersIn this example, the mongodo command is usually used to safely open and edit the file. View/etc/
SudoersCommand: Man 5
Sudoers. In/etc/
SudoersThe file contains the following two parts: 1. the alias www.2cto.com mainly includes the following types: user_alias, host_alias, runas_alias, and cmnd_alias: User alias, host alias, running user alias, and command alias. The command for setting these aliases is mainly used for configuration convenience, which is similar
LinuxRoles in a user group or database can grant permissions in batches with aliases. Setting Method alias_type alias_name = name1, name2, name3, for example, user_alias user1 = user1, user2, user3. The method for setting other types of Alias is similar. 2. The real sudo entry is to configure which users can use the commands (you can even disable alias settings ). Format: User Name (User alias) Host Name (host alias) = [(run user or runas_alias) Optional] [tag optional] executable commands (or cmd_alias) the description syntax is hard to understand. For example, user1 host1 =/bin/kill # user1 can use the command/bin/killuser1 host1 = nopasswd on host1: /bin/kill # user1 can use the command/bin/kill on host1 without having to enter the password (nopasswd # is used here. The default value is passwd) user1 host1 = nopasswd: /bin/kill, password:/bin/ls # user1 can use the command/bin/kill on host1 without entering the password, however, to use/bin/LS, enter the password user1 host1 = (opterator)/bin/ki. Ll # user1 can use the/bin/kill command on host1, but this command must be run by the operator user. It is equivalent to # Su-u opertor/bin/killuser1 host1 = (: group_name) /bin/kill # user1 can use the command/bin/kill on host1 and must be run by the user in the group_name user group. % Group_name host1 =/bin/kill # All users in group_name can execute/bin/kill (
LinuxIn general, # % group_name is used for the entire user group. I didn't understand the sudo su command before. Why can I directly Su to the root user, no Password required? I checked it.
SudoersThe file only knows that there is such a line: XXX all = nopasswd:/bin/su www.2cto.com, so far ~, An additional journal account is provided ~~~ ^__^ NOTE 1: In
LinuxEach process has a uid, GID, which are valid uid, real uid, valid GID, and real GID. Valid uid. GID is used to determine permissions, while real UID and GID are used to keep records (which process belongs to which user or logs are recorded ). After sudo entry is configured, the valid uid contains the configured user uid. Therefore, you can pass the permission verification. ----------------- Sudo is
LinuxAllows a common user to use a super-Permission tool. Its configuration file is/etc/
SudoersYou can use mongodo to edit the file. We strongly recommend that you use this command to edit the file, because this command has the function of automatic troubleshooting and syntax check during editing, this provides effective drip protection.
SudoersFile cannot be modified incorrectly!
I. Automatic Login Without entering the password in sudo settings:
1. Edit with mongodoSudoersFile. By default, we will see a line of comment "% admin all = (all) All". Here admin is a group name, here, users in the admin group can have the sudo permission, but need to enter the password. If you do not want to enter the password, you can change this line to "% admin all = (all) nopasswd: nopasswd all.
2. we know that in sudo scenarios, run/usr/bin/passwd root. At this time, because the Admin group user inherits the root Super permission, it can modify the root password, in terms of security, this is not allowed. To avoid this situation, you can make the following configuration after the Admin group, % admin all = (all) nopasswd: All ,! /Usr/bin/passwd root. If the passwd command is disabled, the root password cannot be modified.
3. for common users, You can separately define their sudoer access rules:
First, you need to configure some alias. In this way, it is easier to configure the permission below, so you do not need to write the configuration of Large segments. Alias is mainly divided into four types: host_alias cmnd_alias user_alias runas_alias
1) Configure host_alias: Host list host_alias host_flag = hostname1, hostname2, hostname3 2) Configure cmnd_alias: List of commands allowed to be executed cmnd_alias command_flag = command1, command2, command3 3) configure user_alias: the list of users with sudo permissions user_alias user_flag = user1, user2, user3 4) Configure runas_alias: the identity of the user (such as root or Oracle) runas_alias runas_flag = operator1, operator2, operator3 5) The permission configuration format is as follows: user_flag host_flag = (runas_flag) command_flag if password verification is not required, configure user_flag host_flag = (runas_flag) nopasswd: command_flag in this format.
Example:
# Host alias specification host_alias IP = 172.16.1.100, 172.16.1.101 ....
# User alias specification user_alias OK = test1, Test2 # Cmnd alias specification cmnd_alias ok2 =/usr/bin/SCP,/usr/bin/ssh
# Defaults Specification
# User Privilege specification root all = (all) all support IP = (all) nopasswd: ok2
