sudo is a Linux system administration command: a tool that lets the system administrator permit ordinary users to run some or all root-level commands, such as halt, reboot and su. This reduces both the time root spends logged in and the time spent on administration, and it also improves security. sudo is not a substitute for a shell; it works on a per-command basis.
Overview
Its main features are:
sudo can restrict users to running only certain commands on a given host.
sudo keeps a detailed log of what each user has done, and the logs can be sent to a central host or log server.
sudo uses a timestamp file to implement a "check-in" system. When a user invokes sudo and enters their password, they obtain a ticket with a lifetime of 5 minutes (this value can be changed at compile time). The ticket can be invalidated immediately with sudo -k, so that the next sudo command asks for the password again even though less than 5 minutes have passed.
sudo's configuration file is the sudoers file, which lets the system administrator centrally manage user permissions and the hosts they apply to. The default location is /etc/sudoers, and its mode must be 0411.
Configuration
Command for editing the configuration file: visudo
Default configuration file location: /etc/sudoers
The sudoers file can be edited with visudo, or by modifying the sudoers file directly. Before editing it, it is a good idea to read the sample.sudoers file that ships with sudo, which contains a fairly detailed example to refer to.
# Part 1: user aliases. Users are grouped into three categories: FULLTIMERS, PARTTIMERS and WEBMASTERS.
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  PARTTIMERS = bostley, jwfox, crawl
User_Alias  WEBMASTERS = will, wendy, wim
# Part 2: runas aliases, which group the target users a command may be run as.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Part 3: host aliases. The grouping is arbitrary; it exists only to make management easier.
Host_Alias  SPARC = bigtime, eclipse, moet, anchor : \
            SGI = grolsch, dandelion, black : \
            ALPHA = widget, thalamus, foobar : \
            HPPA = boa, nag, python
Host_Alias  CUNETS = 128.138.0.0/255.255.0.0
Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias  SERVERS = master, mail, www, ns
Host_Alias  CDROM = orion, perseus, hercules
# Part 4: command aliases, each defining a command by its full path. Commands must be given as absolute paths; otherwise a program of the same name in another directory could be executed instead, which is a security risk. Use absolute paths when invoking them as well.
Cmnd_Alias  DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump, \
            /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias  KILL = /usr/bin/kill
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias  SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias  HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias  REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
            /usr/local/bin/tcsh, /usr/bin/rsh, \
            /usr/local/bin/zsh
Cmnd_Alias  SU = /usr/bin/su
# Defaults set different policies for different users: by default everything is logged through syslog's auth facility; members of FULLTIMERS are not shown the lecture (the message printed the first time sudo is run); millert may use sudo without entering a password; on SERVERS the log file is /var/log/sudo.log and every log line includes the year.
Defaults            syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert    !authenticate
Defaults@SERVERS    log_year, logfile=/var/log/sudo.log
# root and members of the wheel group may do anything. To grant rights to a group of users, prefix the group name with %.
root        ALL = (ALL) ALL
%wheel      ALL = (ALL) ALL
# FULLTIMERS may run any command on any host without entering their password.
FULLTIMERS  ALL = NOPASSWD: ALL
# PARTTIMERS may run any command on any host, but must authenticate with their password first.
PARTTIMERS  ALL = ALL
# jack may run any command on the hosts in CSNETS (the 128.138.243.0, 128.138.242.0 and 128.138.204.0/24 subnets); note that the first two entries carry no netmask, while the last one is matched against its mask.
jack        CSNETS = ALL
# lisa may run any command on the hosts in the CUNETS subnet (128.138.0.0).
lisa        CUNETS = ALL
# operator may run DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT and any command in /usr/oper/bin.
operator    ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, \
            /usr/oper/bin/
# joe may run the command "su operator".
joe         ALL = /usr/bin/su operator
# pete may change the password of any user except root.
pete        HPPA = /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
# bob may run any command on the SPARC and SGI machines as root or operator, the members of the OP Runas_Alias.
bob         SPARC = (OP) ALL : SGI = (OP) ALL
# jim may run any command on the hosts in the biglab netgroup; in sudoers the "+" prefix denotes a netgroup.
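The rules above can be exercised without touching a real system. The following Python script is an added example, not code from the article or from the sudo project: it parses the subset of sudoers syntax the listing uses (aliases, backslash continuation, colon-separated host specs, (RUNAS) lists, the NOPASSWD tag, "!" exclusions, ALL, directory entries ending in "/", and argument globs) and answers whether a user may run a command on a host and whether a password is required, applying sudo's rule that the last matching entry wins. It also flags command entries that are not absolute paths, the mistake the Cmnd_Alias comment warns about. The SAMPLE text is constructed from a trimmed copy of the listing plus one deliberately broken SHUTDOWN alias; netmask hosts, netgroups, %group entries and Defaults options are assumptions left out of the implementation.

```python
# Added example, not code from the article or the sudo project: evaluates the
# subset of sudoers syntax used in the listing above (no netmasks, netgroups,
# %group entries or Defaults options).
import fnmatch
import re

# Constructed sample (assumption): trimmed from the page's listing, plus one
# deliberately broken alias, SHUTDOWN, whose command is not an absolute path.
SAMPLE = r"""
User_Alias  FULLTIMERS = millert, mikef, dowdy
Runas_Alias OP = root, operator
Host_Alias  SPARC = bigtime, eclipse, moet, anchor :\
            SGI = grolsch, dandelion, black
Cmnd_Alias  KILL = /usr/bin/kill
Cmnd_Alias  HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias  SHUTDOWN = shutdown
root        ALL = (ALL) ALL
FULLTIMERS  ALL = NOPASSWD: ALL
operator    ALL = KILL, HALT, /usr/oper/bin/
joe         ALL = /usr/bin/su operator
pete        SGI = /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
bob         SPARC = (OP) ALL : SGI = (OP) ALL
"""

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# One "NAME = [(RUNAS)] [TAG:] items" group; groups are separated by ':'.
# The ':' of a NOPASSWD: tag is not a separator because no "NAME =" follows it.
SPEC_RE = re.compile(
    r"(?P<name>[^\s:]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<items>.*?)(?=\s*:\s*[^\s:]+\s*=|$)")

def _split(items):
    return [i.strip() for i in items.split(",") if i.strip()]

def parse(text):
    """Return (aliases, specs): aliases[kind][NAME] -> members, and specs as
    (user, host, runas_list, needs_password, items) tuples in file order."""
    aliases = {k: {} for k in ALIAS_KINDS}
    specs = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join '\' lines
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0][0] == "#" or parts[0] == "Defaults":
            continue
        head, body = parts
        for m in SPEC_RE.finditer(body):
            if head in ALIAS_KINDS:
                aliases[head][m["name"]] = _split(m["items"])
            else:
                runas = _split(m["runas"]) if m["runas"] else ["root"]
                specs.append((head, m["name"], runas,
                              m["tag"] != "NOPASSWD", _split(m["items"])))
    return aliases, specs

def expand(items, table):
    """Replace alias names (optionally negated with '!') by their members."""
    out = []
    for item in items:
        bang, name = ("!", item[1:]) if item.startswith("!") else ("", item)
        members = expand(table[name], table) if name in table else [name]
        out.extend(bang + x for x in members)
    return out

def _cmd_matches(entry, cmd, args):
    """sudoers command matching: ALL, 'dir/' entries, globs, listed arguments."""
    if entry == "ALL":
        return True
    path, _, want_args = entry.partition(" ")
    if path.endswith("/"):  # any file directly inside that directory
        return cmd.startswith(path) and "/" not in cmd[len(path):]
    if not fnmatch.fnmatchcase(cmd, path):
        return False
    # No arguments listed in sudoers means the command may take any arguments.
    return not want_args or fnmatch.fnmatchcase(" ".join(args), want_args)

def check(cfg, user, host, cmd, args=(), runas="root"):
    """Return (allowed, needs_password). Entries are scanned in file order and
    the last match wins, which is how a '!' exclusion overrides an earlier grant."""
    aliases, specs = cfg
    verdict = None
    for su, sh, sr, pw, items in specs:
        if not any(u in ("ALL", user) for u in expand([su], aliases["User_Alias"])):
            continue
        if not any(h in ("ALL", host) for h in expand([sh], aliases["Host_Alias"])):
            continue
        if not any(r in ("ALL", runas) for r in expand(sr, aliases["Runas_Alias"])):
            continue
        for entry in expand(items, aliases["Cmnd_Alias"]):
            if _cmd_matches(entry.lstrip("!"), cmd, args):
                verdict = (not entry.startswith("!"), pw)
    return verdict or (False, True)

def lint(cfg):
    """List command entries that are not absolute paths: sudo requires fully
    qualified commands and visudo rejects a bare name such as 'shutdown'."""
    aliases, specs = cfg
    entries = [(n, i) for n, items in aliases["Cmnd_Alias"].items() for i in items]
    entries += [(su + "@" + sh, i) for su, sh, _, _, items in specs for i in items]
    known = {"ALL", *aliases["Cmnd_Alias"]}
    return [(where, i) for where, i in entries
            if i.lstrip("!").split(" ")[0] not in known and not i.lstrip("!").startswith("/")]

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("pete passwd root on black:", check(cfg, "pete", "black", "/usr/bin/passwd", ("root",)))
    print("unqualified commands:", lint(cfg))
```

Running the script shows pete's password change for root refused by the later "!" entry while a change for any other user is allowed, millert's commands passing without a password because of the NOPASSWD tag, and the SHUTDOWN alias reported as unqualified. The same functions can be pointed at any fragment written in this subset to review a proposed sudoers change before it is installed with visudo.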