sudo is a very useful tool on Unix/Linux platforms. It allows the system administrator to grant ordinary users a reasonable set of "rights" to perform tasks that normally only the superuser or another privileged user can perform, such as running commands like mount, halt or su, or editing system configuration files such as /etc/mtab or /etc/samba/smb.conf. This not only reduces the number of root logins and the time spent administering as root, but also improves the security of the system.
I. The characteristics of sudo
sudo's role means it must be especially careful about security, otherwise it could let unauthorized users obtain root. At the same time it must also be easy to use, so that the system administrator can work more efficiently with it. The goal of sudo's designers is to give users as few privileges as possible while still allowing them to do their job. So sudo has the following characteristics:
1. sudo can restrict specified users to running certain commands on specified hosts.
2. sudo can keep a log that faithfully records what each user does through sudo, and the log can be sent to a central host or log server.
3. sudo gives the system administrator a configuration file in which user permissions and the hosts they apply to are managed centrally. Its default location is /etc/sudoers.
4. sudo uses a timestamp file to implement a kind of "ticket checking". When a user runs sudo and enters a password, the user obtains a "ticket" with a default lifetime of 5 minutes (the default can be changed at compile time). After it expires, the user must enter the password again.
II. The sudo command
The sudo program itself is a binary with the suid bit set. We can check its permissions:
$ ls -l /usr/bin/sudo
---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo
Its owner is root, so every user can execute the program as root: a program with the suid bit set runs with its owner's uid as the effective uid. This is why suid programs must be written very carefully. Note, however, that setting the suid bit on a command file and running that command through sudo are different concepts and play different roles.
sudo's configuration is recorded in the /etc/sudoers file, which we explain in detail below. The configuration file states which users may execute which commands. To use sudo, the user must supply a user name and password. Note: sudo asks not for the target user's password but for the password of the user running sudo. If a user who is not in sudoers tries to execute a command through sudo, sudo reports the event to the administrator. Users can run sudo -v to check whether they are in sudoers: if they are, it also refreshes the time on their "ticket"; if not, it prompts them but does not notify the administrator.
The sudo command format is as follows:
sudo -K | -L | -V | -h | -k | -l | -v
sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}
Now let's look at some of the other common sudo options:
Option | Meaning | Effect
sudo -h | help | Lists the usage and exits.
sudo -V | version | Displays the version information and exits.
sudo -l | list | Lists the commands the current user may execute. This option is only available to users in sudoers.
sudo -u username or #uid | user | Executes the command as the specified user. The user is given as a user name or as #uid, and is someone other than root.
sudo -k | kill | Clears the time on the "ticket", so the password must be entered again the next time sudo is used.
sudo -K | sure kill | Similar to -k, but it also tears up the "ticket", i.e. deletes the timestamp file.
sudo -b command | background | Executes the specified command in the background.
sudo -p prompt command | prompt | Changes the prompt that asks for the password: %u is replaced by the user's account name and %h by the host name. A very considerate design.
sudo -e file | edit | Instead of executing a command, edits the file; this is equivalent to the sudoedit command.
Other, less commonly used options can be found in the sudo(8) man page.
III. Configuring sudo
sudo is configured by editing the /etc/sudoers file. Only the superuser can modify it, and it should be edited with visudo. There are two reasons to use visudo: it prevents two users from modifying the file at the same time, and it performs a limited syntax check. So even if you are the only superuser, you should still use visudo to check the syntax.
By default visudo opens the configuration file in vi, and you modify the file with vi. This default can be changed at compile time. visudo will not blindly save a configuration file containing a syntax error; it reports the problem and asks what to do, like this:
>>> sudoers file: syntax error, line <<<
At this point we have three choices: type e to edit again, x to exit without saving, or Q to exit and save. If you really choose Q, sudo will not run until the error is corrected.
Now let's look at this mysterious configuration file and learn how to write it. Start with a simple example: let the user foobar execute, through sudo, every command root can execute. Opening the configuration file with visudo as root, you can see lines like the following:
# Runas alias specification
# User privilege specification
root    ALL=(ALL) ALL
We can see at a glance that root has all permissions. Following the example of the existing root line, we add a line below it (preferably using a tab as the separator):
foobar  ALL=(ALL) ALL
After saving and exiting, switch to the user foobar and run the command under that identity:
[foobar@localhost ~]$ ls /root
ls: /root: Permission denied
[foobar@localhost ~]$ sudo ls /root
Password:
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
Now let's restrict foobar's rights instead of letting him do whatever he wants. For example, we only want him to use ls and ifconfig as root; change that line to:
foobar  localhost=/sbin/ifconfig,/bin/ls
Run the commands again:
[foobar@localhost ~]$ sudo head -5 /etc/shadow
Password:
Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
[foobar@localhost ~]$ sudo /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B
...
Now let's look at what the three ALLs mean. The first ALL refers to the hosts in the network; we later changed it to a host name, which means foobar may execute the listed commands on that host. The ALL in parentheses refers to the target user, i.e. the identity the command runs as. The last ALL, of course, refers to the command names. For example, to let user foobar execute the kill command as jimmy or rene on the host linux, write:
foobar  linux=(jimmy,rene) /bin/kill
But then there is the question of whether foobar runs as jimmy or as rene. This is where sudo -u comes in: foobar can use sudo -u jimmy kill PID or sudo -u rene kill PID. That is tedious, though, and in fact we need not add -u every time; we can set rene or jimmy as the default target user. Add one more line to the above:
Defaults:foobar runas_default=rene
A Defaults entry with a colon applies only to the named user; without a colon it applies to all users, like this line in the configuration file:
Defaults    env_reset
Another problem: very often we are already logged in, and having to enter a password every time we use sudo is cumbersome. Can we skip the password? Of course; modify the configuration file like this:
foobar  localhost=NOPASSWD: /bin/cat,/bin/ls
Run sudo again:
[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
Of course, you can also say "user foobar may not run such-and-such command" using the ! operator, but this is not a good idea. Using ! to "subtract" a few commands from ALL is generally ineffective, because a user can copy the command somewhere else and run it under another name.
IV. Logging and security
sudo is thorough about security: it not only keeps a log, but also reports to the system administrator when necessary. However, sudo's logging is not automatic and must be enabled by the administrator. To do so:
# touch /var/log/sudo
# vi /etc/syslog.conf
Add the following line at the end of syslog.conf (the fields must be separated by tabs) and save:
local2.debug    /var/log/sudo
Then restart the logging daemon. Find its PID with ps aux | grep syslogd (the second column of the output is the PID) and insert it into the following:
# kill -HUP PID
Now sudo can write its log:
[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
$ cat /var/log/sudo
Jul 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
However, there is a small "flaw": sudo's log is not entirely faithful:
[foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
[foobar@localhost ~]$ cat /var/log/sudo
...
Jun 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
The redirection is not recorded. Why? Because the shell performs the redirection before the command runs, sudo never sees it at all. This also has an advantage: the following attempt will not succeed:
[foobar@localhost ~]$ sudo ls /root > /etc/shadow
bash: /etc/shadow: Permission denied
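The log lines above are in a fixed field format, which makes them easy to audit on the central log server mentioned in section I. The following is an added example (not code from the article or from the sudo project) that parses entries in that format and raises alerts for denied commands and for commands that name sensitive files; the sample lines are constructed, and the "command not allowed" wording of a denial entry is an assumption about sudo's log format that the article itself does not show. Because, as explained above, the shell's redirections never reach sudo, the audit keys on the file arguments rather than looking for ">" in the command.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, in the "user : KEY=value ; KEY=value" layout shown
# in the article (day numbers added; the denial line format is an assumption).
SAMPLE_LOG = """\
Jul 11 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
Jul 11 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 11 23:12:01 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=rene ; COMMAND=/bin/kill 4242
Jul 11 23:15:40 localhost sudo:   foobar : command not allowed ; TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/usr/bin/head -5 /etc/shadow
"""

# Files whose appearance as a command argument is worth an alert (constructed list).
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/etc/passwd")

# "sudo:" is followed by the invoking user, a colon, then " ; "-separated fields.
ENTRY_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+(?P<body>.*)$")


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one sudo log line into its KEY=value fields.

    Returns None for lines that are not sudo entries. Free text before the
    first field (e.g. "command not allowed") is kept under the key "reason".
    """
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    entry: Dict[str, str] = {"user": m.group("user")}
    for part in m.group("body").split(" ; "):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            entry[key] = value
        elif part:
            entry["reason"] = part
    return entry


def audit(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, invoking_user, command) for entries of interest."""
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or "COMMAND" not in entry:
            continue
        command = entry["COMMAND"]
        if "reason" in entry:
            # sudo refused the command; the article notes this is reported.
            alerts.append(("denied", entry["user"], command))
        elif any(arg in SENSITIVE_PATHS for arg in command.split()[1:]):
            # Redirections (e.g. "> /dev/null") are invisible here, so we
            # alert on the sensitive path itself, not on how it was used.
            alerts.append(("sensitive-file", entry["user"], command))
    return alerts
```

Piping /var/log/sudo through audit() on the log host flags the cat of /etc/shadow above even though the ">/dev/null" that accompanied it was never logged.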
sudo also has its own ways of protecting itself. Run sudo -V as root to see sudo's settings. For security reasons, some environment variables are not passed to the command run through sudo, or are checked before being passed, for example PATH, HOME and SHELL. Of course, these environment variables can also be configured in sudoers.
As you can see, sudo is very helpful for controlling and auditing root access, which lets system administrators manage their systems more effectively and more securely. Learning to use sudo correctly is also good training for a system administrator. This article is only a preliminary introduction to using sudo; for more information, refer to the sudoers(5) and sudo(8) man pages.