Linux sudo command

To put it simply, sudo is a privilege management mechanism that allows administrators to authorize some ordinary users to perform some root operations without needing to know the root password.
To be precise, sudo allows an authorized user to run a command in the role of a superuser or another user. Of course, what you can and cannot do is specified by security policy. sudo supports the security policy of the plug-in architecture and writes the input and output to the log. Third parties can develop and publish their own security policies and input and output log plug-ins, and let them work seamlessly with sudo. The default security policy is recorded in the/etc/sudoers file. Security policies may require users to authenticate themselves with a password. That is, when the user executes the sudo command, the user is required to enter the password of their account. If the validation fails, the sudo command exits. (Note that the sudo command described in this article runs in Ubuntu 14.04.) )

sudo command syntax

sudo [-bhhpv][-s][-u < user >][Instructions]
Or
sudo [-klv]
Parameters
-B executes the instruction in the background.
-h displays Help.
-H Sets the home environment variable to the new identity of the home environment variable.
-K The expiration of the password, which is required to enter the password the next time the sudo is executed.
-l lists instructions that are currently available to users and cannot be executed.
-p Change the hint symbol to ask for the password.
-S executes the specified shell.
-U < user > with the specified user as the new identity. If this parameter is not added, the default is the new identity as root.
-V Extend the password for a period of 5 minutes.
-V Displays version information.
-S to obtain a password from a standard input stream instead of a terminal

sudo program related files

/etc/sudoers
/etc/init.d/sudo
/etc/pam.d/sudo
/var/lib/sudo
/usr/share/doc/sudo
/usr/share/lintian/overrides/sudo
/usr/share/bash-completion/completions/sudo
/usr/bin/sudo
/usr/lib/sudo

Basic Configuration

The system creates a group named sudo by default. As long as the user is added to this group, the user has sudo permissions.
As for how to add users to the sudo group, you can edit the/etc/group file directly, and of course you have to use a user with sudo permissions to do this:

$ sudo vim/etc/group

To add a new user to the sudo group, separate multiple users with commas.

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/952033/201612/952033-20161217110625401-1112595499. PNG "style=" margin:0px;padding:0px;border:0px; "/>

Or you can use the Usermod command to add users to a group:

$ sudo usermod-a-G sudo jack

In the above settings we have added the user jack to the sudo group, so when the user Jack logs in, you can use the sudo command to execute the command with root privileges!

Detailed configuration

In the previous configuration we just added the user jack to the Sudo group, and he had the ability to execute commands with root privileges.
Now we want to ask, how did this happen? It's time to introduce how to configure the sudo command!
The configuration file for the sudo command is/etc/sudoers. (Note that the configuration of/etc/sudoers is very rich, we only do a brief introduction.) For more information, please refer to man sudoers. )
Edit this file is a separate command Visudo (this file we'd better not use the VIM command to open), because once you write wrong syntax will cause serious consequences, the tool will check your syntax for you, this file syntax follows the following format:
who where whom command
In other words, which user in which host to execute those commands, then this where, is allowed in the host SSH connection in order to execute the following command, the file default to the root user defined a rule:

Root all= (All:all) all

Root represents the root user.
All means that it can be executed from any host, or it can be 192.168.100.0/24.
(All:all) is executed in whose capacity, All:all on behalf of the root can be any person's identity to execute the command.
All represents any command.
The whole rule is that the root user can execute all commands as anyone in any host.

Now we can answer why Jack has the ability to execute commands with root privileges. Open/etc/sudoers File:
650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/952033/201612/952033-20161217133309198-300889369. PNG "style=" margin:0px;padding:0px;border:0px; "/>
All users in the Sudo group have the ability to execute commands with root privileges!

Let's look at an example:

Nick 192.168.10.0/24= (Root)/usr/sbin/useradd

The above configuration only allows Nick to connect to the host on the 192.168.10.0/24 network segment and execute the useradd command with root privileges.

You do not need to enter a password when setting sudo

You always need to enter a password event when you execute the sudo command (aside from security). Some scenarios also need to avoid the interaction of entering passwords when Sudo is executed.
So how do you set it up? It's really simple, just add nopasswd to the configuration line: you can:

All= (All) Nopasswd:all

Try again, don't you already need to enter a password?

sudo's log

In Ubuntu, sudo logs are recorded by default in the/var/log/auth.log file. When we execute the sudo command, the relevant logs are recorded. For example, a log that executes the sudo command is displayed:

650) this.width=650; "Src=" http://images2015.cnblogs.com/blog/952033/201612/952033-20161217140101683-639387129. PNG "style=" margin:0px;padding:0px;border:0px; "/>

Linux sudo command