sudo works as follows:
1. When a user runs sudo, it reads /etc/sudoers (and the drop-in files it includes) to decide whether that user is allowed to run the requested command.
2. If the user is allowed, sudo asks for the user's own password, not root's.
3. If the password is correct, sudo runs the requested command as the target user and remembers the authentication for a short while (timestamp_timeout, 5 minutes by default), so immediately following sudo commands do not prompt again.
4. root is never prompted for a password when it runs sudo; the rule root ALL=(ALL) ALL in sudoers is what grants root the right to run any command through sudo in the first place.
5. If the target user is the same as the invoking user, no password is required either.
visudo opens /etc/sudoers in an editor (vi by default), locks the file against concurrent edits, and checks the syntax when you save and quit; it refuses to install a file that does not parse, so a typo cannot lock everyone out of sudo.
visudo must be run as root. As an ordinary user it fails:
$ visudo
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
Open the sudo configuration file with visudo (sudo visudo). The CentOS default file, with the post's annotations translated into the comments, looks like this:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. Prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
## Note: a host alias is handy when a group of servers is referred to by hostname
## (possibly with wildcards for a whole domain) or by IP address.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...
## Note: a Cmnd_Alias names a set of related commands (it may contain just one);
## a rule that grants the alias grants every command listed in it. Examples follow.

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification
## Note: the Defaults lines below control sudo's tty and environment handling; see man sudoers.

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
# Reference configuration
$ sudo visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. Prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults:ceph    !requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## Add an ordinary user that needs no password when switching to root
ceph    ALL=(root)      NOPASSWD: ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
# Check the configuration
sudoers is re-read on every sudo invocation, so a file saved through visudo is live immediately; visudo -c only parses the installed files and reports syntax errors. Two caveats on the reference configuration above: ceph ALL=(root) NOPASSWD: ALL is equivalent to giving the ceph account a root shell without a password, so restrict the command list where the deployment tooling allows it; and because the global Defaults requiretty line was replaced rather than kept, requiretty is now off for every user, which makes the per-user Defaults:ceph !requiretty redundant. To keep the tty requirement for everyone else, leave Defaults requiretty in place and add the ceph exemption below it.
$ sudo visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/ceph: parsed OK
The second line shows that a drop-in file /etc/sudoers.d/ceph is also present and is parsed through the #includedir directive.
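The procedure above (edit with visudo, add a per-user rule and tty exemption, confirm with visudo -c) as a script that stages a drop-in for /etc/sudoers.d instead of editing /etc/sudoers by hand. This is an added example, not code from the original post. It keeps the post's account name ceph and drop-in path /etc/sudoers.d/ceph; the function names, the temp-file workflow and the restricted command list are this example's own assumptions. It also goes a step beyond the post by showing a least-privilege variant next to the post's NOPASSWD: ALL rule.

```shell
#!/bin/sh
# Added example (not from the original post): stage a sudoers drop-in for a
# service account, check it with visudo before it is installed, and install it
# with the ownership and mode sudo requires. "ceph" and /etc/sudoers.d/ceph come
# from the post; function names and the temp-file workflow are assumptions.

# sudo skips drop-ins whose names contain '.' or end in '~', so editor backups
# (ceph~) and package leftovers (ceph.rpmnew) are never parsed. A name that
# fails this check would be silently ignored by sudo, not rejected.
valid_dropin_name() {
    case "$1" in
        '' | *.* | *~) return 1 ;;
        *) return 0 ;;
    esac
}

# The post's rule: the account may run anything as root with no password.
# !requiretty is what lets "ssh host sudo cmd" (no tty) work for this user.
render_unrestricted_rule() {
    printf 'Defaults:%s !requiretty\n%s ALL=(root) NOPASSWD: ALL\n' "$1" "$1"
}

# Least-privilege variant: same tags, but only the listed absolute paths.
# $2 is a comma-separated command list, e.g. "/bin/mount, /bin/umount".
render_restricted_rule() {
    printf 'Defaults:%s !requiretty\n%s ALL=(root) NOPASSWD: %s\n' "$1" "$1" "$2"
}

# sudo refuses files that are world- or group-writable or not owned by root;
# 0440 is the expected mode. ls -ld output is portable across sh flavours.
mode_is_0440() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r-----" ]
}

# visudo -cf parses only the named file, so a broken candidate is caught
# before it can affect anything sudo reads. Exit status is 0 on success.
validate_fragment() {
    visudo -cf "$1" >/dev/null 2>&1
}

# Write the candidate inside /etc/sudoers.d under a dotted name (never parsed
# by sudo, see valid_dropin_name), validate it, then rename into place. rename
# within one directory is atomic, and sudoers is re-read on every invocation,
# so the rule is live as soon as mv returns. Must run as root.
install_dropin() {
    user="$1"; commands="$2"; target="/etc/sudoers.d/$user"
    valid_dropin_name "$user" || { echo "refusing drop-in name '$user'" >&2; return 1; }
    tmp=$(mktemp "/etc/sudoers.d/.$user.XXXXXX") || return 1
    if [ -n "$commands" ]; then
        render_restricted_rule "$user" "$commands" > "$tmp"
    else
        render_unrestricted_rule "$user" > "$tmp"
    fi
    chown root:root "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    mode_is_0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if validate_fragment "$tmp"; then
        mv "$tmp" "$target"
    else
        echo "syntax error in candidate for $user, not installed" >&2
        rm -f "$tmp"; return 1
    fi
}

# Usage (as root):
#   install_dropin ceph                                 # the post's configuration
#   install_dropin ceph "/bin/mount, /bin/umount"       # restricted alternative
```

After installing, confirm what sudo actually grants with `sudo -l -U ceph`, which prints the parsed rules for that user; if the output does not show the expected command list, the drop-in was skipped (bad name or mode) rather than misparsed, since visudo -cf already accepted its syntax.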
Linux: configuring a user's sudo permissions (visudo)