On Linux, we use the sudo command to reduce the time spent working as the root user and to improve security. The following is a brief explanation of how to configure it, recorded mainly so that I do not forget.
System environment:
[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[[email protected] ~]# uname -r
3.10.0-514.26.2.el7.x86_64
Configuration file path: /etc/sudoers
[[email protected] ~]# vim /etc/sudoers (running visudo also opens the file in an editor, but it is recommended to use this)
1 ## Sudoers allows particular users to run various commands as
2 ## the root user, without needing the root password.
3 ##
4 ## Examples are provided at the bottom of the file for collections
5 ## of related commands, which can then be delegated out to particular
6 ## users or groups.
7 ##
8 ## This file must be edited with the 'visudo' command.
9
10 ## Host Aliases
11 ## Groups of machines. You may prefer to use hostnames (perhaps using
12 ## wildcards for entire domains) or IP addresses instead.
13 # Host_Alias     FILESERVERS = fs1, fs2
14 # Host_Alias     MAILSERVERS = smtp, smtp2
15
16 ## User Aliases
17 ## These aren't often necessary, as you can use regular groups
18 ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
19 ## rather than USERALIAS
20 # User_Alias ADMINS = jsmith, mikem
21
22
23 ## Command Aliases
24 ## These are groups of related commands...
25
26 ## Networking
27 # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
28
29 ## Installation and management of software
30 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
31
32 ## Services
33 # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
34
35 ## Updating the locate database
36 # Cmnd_Alias LOCATE = /usr/bin/updatedb
37
38 ## Storage
39 # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
40
41 ## Delegating permissions
42 # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
43
44 ## Processes
45 # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
46
47 ## Drivers
48 # Cmnd_Alias DRIVERS = /sbin/modprobe
49
50 # Defaults specification
51
52 #
53 # Refuse to run if unable to disable echo on the tty.
54 #
55 Defaults   !visiblepw
56
57 #
58 # Preserving HOME has security implications since many programs
59 # use it when searching for configuration files. Note that HOME
60 # is already set when the env_reset option is enabled, so
61 # this option is only effective for configurations where either
62 # env_reset is disabled or HOME is present in the env_keep list.
63 #
64 Defaults    always_set_home
65
66 Defaults    env_reset
67 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
68 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
69 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
70 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
71 Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
72
73 #
74 # Adding HOME to env_keep may enable a user to run unrestricted
75 # commands via sudo.
76 #
77 # Defaults   env_keep += "HOME"
78
79 Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
80
81 ## Next comes the main part: which users can run what software on
82 ## which machines (the sudoers file can be shared between multiple
83 ## systems).
84 ## Syntax:
85 ##
86 ##      user    MACHINE=COMMANDS
87 ##
88 ## The COMMANDS section may have other options added to it.
89 ##
90 ## Allow root to run any commands anywhere
91 root    ALL=(ALL)       ALL
92 wxh-docker      ALL=(root)      /usr/bin/systemctl
93
94 ## Allows members of the 'sys' group to run networking, software,
95 ## service management apps and more.
96 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
97
98 ## Allows people in group wheel to run all commands
99 %wheel  ALL=(ALL)       ALL
100
101 ## Same thing without a password
102 # %wheel        ALL=(ALL)       NOPASSWD: ALL
103
104 ## Allows members of the users group to mount and unmount the
105 ## cdrom as root
106 # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
107
108 ## Allows members of the users group to shutdown this system
109 # %users  localhost=/sbin/shutdown -h now
110
111 ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
112 #includedir /etc/sudoers.d
Explanation:
In fact, the core of this configuration file is one rule format:
user source host IP/domain name = (authorized user) command
group source host IP/domain name = (authorized user) command
All of these can be defined as aliases at the beginning of the file, for example integrating a set of users/IPs/commands into a
root    ALL=(ALL)       ALL
wxh-docker      ALL=(root)      /usr/bin/systemctl
Take lines 91 and 92 as examples: line 91 is the default, and line 92 is the one I added.
This line means: allow the user wxh-docker, connecting to this host from any location (no restriction on source IP), to run the systemctl command as root.
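The rule format explained above can be checked mechanically. The following Python code is an added example, not part of the original article: it parses single-line user specifications (expanding Cmnd_Alias names) and reports grants wider than one fixed command line, such as the wxh-docker rule, where a command path listed without arguments permits any arguments. The parse and audit functions and the sample text are assumptions made for illustration; line continuations and escaped commas are not handled.

```python
import re
# Constructed sample built from lines of the listing; NOPASSWD on %users is added.
SAMPLE = """\
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl status
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root        ALL=(ALL)   ALL
wxh-docker  ALL=(root)  /usr/bin/systemctl
%sys        ALL = SERVICES
%users      localhost=NOPASSWD: /sbin/shutdown -h now
"""

ALIAS = re.compile(r"^Cmnd_Alias\s+(?P<name>[A-Z][A-Z0-9_]*)\s*=\s*(?P<cmds>.+)$")
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC)\s*:\s*")
NOT_RULES = {"Defaults", "Host_Alias", "User_Alias", "Runas_Alias"}

def parse(text):
    """Split single-line user specifications into fields, expanding Cmnd_Alias."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if (m := ALIAS.match(line)):              # aliases must precede their use here
            aliases[m["name"]] = [c.strip() for c in m["cmds"].split(",")]
            continue
        m = RULE.match(line)
        if not m or line.startswith("#") or m["who"] in NOT_RULES:
            continue                              # comments, Defaults, other aliases
        tags, cmds = [], []
        for item in map(str.strip, m["cmds"].split(",")):
            while (t := TAG.match(item)):         # NOPASSWD: etc. precede a command
                tags.append(t[1])
                item = item[t.end():]
            cmds.extend(aliases.get(item, [item]))
        rules.append({"who": m["who"], "host": m["host"],
                      "runas": m["runas"] or "root", "tags": tags, "cmds": cmds})
    return rules

def audit(rules):
    """Report grants that are wider than one fixed command line."""
    findings = []
    for r in rules:
        for cmd in r["cmds"]:
            if cmd == "ALL" or (cmd.startswith("/") and " " not in cmd):
                why = "any command" if cmd == "ALL" else "any arguments"
                findings.append((r["who"], cmd, why))
    return findings

if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

Before relying on a hand-edited file, visudo -c checks it for syntax errors, which editing with vim alone does not do.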
This article is from the "Breeze Month Blog" blog; please be sure to keep this source: http://watchmen.blog.51cto.com/6091957/1952460
Linux-sudo Configuration