Linux sudo


Introduction

This article introduces the configuration and use of sudo. To give a user controlled permissions, such as running a particular command or shutting down the server, the administrator usually configures sudo for that user. Below, the specific configuration method is described in detail.

Environment: CentOS 6.7


Structure Description

sudo is configured by editing the file /etc/sudoers. Always edit it with the visudo command: if the syntax of your change is wrong, visudo shows a prompt instead of saving a broken file. Next, let's look at the format of an entry.

<user> <host>=(<operator user>) [<par>] <command list>
chenmh localhost = (root)    NOPASSWD: /bin/mkdir test

<User>: a specific user or a user alias. If written as %name, it indicates a user group.

<Host>: a specific host (either a hostname or an IP address) or a host alias. ALL indicates all hosts.

<Operator user>: (optional) the user the command is run as. ALL allows the command to be run as root. What running as root means in practice: if a directory is owned by root, the command must run with root's permissions to operate inside it. If the chenmh user above were configured to run as some other user, for example himself, he would have no permission to operate in a directory owned by root. Likewise, the user configured here becomes the owner of whatever the command creates, for example the directory created by mkdir. If this parameter is not specified, ALL is used by default.

<Par>: (optional) a tag. Generally NOPASSWD is used, which means the user does not need to enter his or her own password when running sudo.

<Command list>: the specific commands, a command alias, or ALL; ALL grants every command.

Note: <operator user> and <par> are both optional and may be left out. If they are not specified, the command is run as root by default, but the user must enter his own password to use sudo.

Configuration File

Next, let's look at the configuration file itself and how its entries are used. The first part of the file shows how to give a single name (an alias) to a group of hosts, users, or commands; note that alias names must be written in uppercase.

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## You can configure multiple hosts as one host alias
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
Host_Alias     FILESERVERS = 192.168.137.40, 192.168.137.30
# Host_Alias     MAILSERVERS = smtp, smtp2

## Configure multiple users as one user alias
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
User_Alias     ADMINS = chenmh

### Next come the command aliases, which group a set of commands under one name so they can be assigned easily
## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

### This is the command alias I configured myself: mkdir and rm grouped together so they can be assigned to a user
## userdefine
Cmnd_Alias OTHERS = /bin/mkdir, /bin/rm

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
### Users in the sys group may run the listed command groups; multiple command groups are separated by commas

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
### Users in the users group may mount and unmount the /mnt/cdrom directory

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now
### Users in the users group may run the shutdown command

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d


Case

1. Users in the ADMINS user alias may run the OTHERS command group as root, without a password, on the hosts in the FILESERVERS host alias. Multiple command groups are separated by commas.

ADMINS  FILESERVERS=(ALL)    NOPASSWD:OTHERS

2. The user chenmh may run all commands as root on the local machine, without a password.

chenmh localhost=(root) NOPASSWD:ALL

3. The user chenmh may run mkdir test as root, and only that command: creating the directory test is the only thing this entry permits.

chenmh ALL=(ALL)    NOPASSWD: /bin/mkdir test

4. Users in the dev group may run the shutdown command as root, without a password, on any host.

%dev ALL=(ALL)    NOPASSWD:/sbin/shutdown
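The entry format from Structure Description and the four cases above, worked through as an added example (not code from the original article): a small Python parser that resolves Host_Alias, User_Alias and Cmnd_Alias entries, answers "what may this user run on this host" the way sudo -l does, and flags entries that resolve to ALL. The sample file, the user alice and the host web1 are constructed for the example.

```python
import re
# Constructed sample in the entry format explained above: aliases plus the four cases.
SAMPLE_SUDOERS = """
Host_Alias FILESERVERS = 192.168.137.40, 192.168.137.30
User_Alias ADMINS = chenmh
Cmnd_Alias OTHERS = /bin/mkdir, /bin/rm
root    ALL=(ALL)       ALL             # full root, anywhere
ADMINS  FILESERVERS=(ALL)    NOPASSWD:OTHERS
chenmh  localhost=(root)    NOPASSWD: /bin/mkdir test
%dev    ALL=(ALL)    NOPASSWD:/sbin/shutdown
"""
# <user> <host>=(<operator user>) [NOPASSWD:] <command list>; runas and tag are optional
ENTRY = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\((\S+?)\))?\s*(NOPASSWD:)?\s*(.+)$")

def parse_sudoers(text):
    """Return (aliases, rules): alias name -> members, and one dict per grant line."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.split()[0] in ("Host_Alias", "User_Alias", "Cmnd_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError("unparseable entry: " + line)
        who, host, runas, tag, cmds = m.groups()
        rules.append({"user": who, "host": host, "runas": runas or "root",
                      "nopasswd": tag is not None, "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def allowed(rules, aliases, user, groups, host):
    """Mimic 'sudo -l': (runas, nopasswd, command) tuples that apply to user on host."""
    ex = lambda tok: aliases.get(tok, [tok])   # alias name -> members, plain token -> itself
    out = []
    for r in rules:
        users, hosts = ex(r["user"]), ex(r["host"])
        user_ok = "ALL" in users or user in users or any(
            u.startswith("%") and u[1:] in groups for u in users)
        if user_ok and ("ALL" in hosts or host in hosts):
            for c in r["cmds"]:
                out.extend((r["runas"], r["nopasswd"], cmd) for cmd in ex(c))
    return out

def broad_grants(rules, aliases):
    """Audit check: users whose command list resolves to ALL, i.e. unrestricted root."""
    return [r["user"] for r in rules
            if any("ALL" in aliases.get(c, [c]) for c in r["cmds"])]
```

Real sudoers syntax also has negation, wildcards, Runas_Alias and Defaults lines; this parser covers only the constructs this page uses, so run visudo -c on the real file rather than relying on it for validation.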

Quick operation

1. View the sudo permissions of the current user

sudo -l
User chenmh may run the following commands on this host:
    (root) NOPASSWD: /bin/mkdir, /bin/rm
Summary

When configuring sudo, remember to edit the file with the visudo command. If the configuration is incorrect, visudo warns you when you save it.


Note:

Author: pursuer. chen

Blog: http://www.cnblogs.com/chenmh

All essays on this site are original. You are welcome to repost them. However, you must indicate the source of the article and clearly give the link at the beginning of the article.

Welcome to discussion
