Linux switching user identities, Su, sudo,/etc/sudoers__linux
Source: Internet
Author: User
In a Linux system, there are times when ordinary users can't do something, unless it's a root user. Then you need to use the SU command to temporarily switch to the root identity to do things.
su:substitute[' sʌbstɪtjuːt] instead of user
The SU syntax is: Su [option option parameters] [users]
-,-L,--login Login and change to the user environment of the switch;
-C,--commmand=command executes a command and then exits the user environment to which it is switched;
After switching users with the SU command, you can use the Exit command or the shortcut key [Ctrl+d] to return to the original logged-on user.
Example: Su without any parameters, the default is to switch to the root user, but did not go to the root directory, that is, although it is switched to root user, but did not change the root login environment, the user's default login environment, can be found in the/etc/passwd, including home directory, Shell definition, etc.;
Su Plus parameter-, the default switch to root user, and change to the root user environment;
With SU can switch user identity, if each ordinary user can switch to root identity, if a user accidentally leaked the root password, it is not a system is very insecure. No mistake, in order to improve the problem, the sudo command was generated. Commands that use sudo to execute a root can be done, but you need to enter a password that is not the password for root but the user's own password. By default only the root user can use the sudo command, and the average user wants to use sudo, which requires root to be pre-set, that is, use
Visudocommand to edit the related configuration file/etc/sudoers. If you do not visudo this command, use the "Yum install-y sudo" installation.
The default root can be sudo because there is one line in this file, "root all= (All)"
sudo's applicable conditions: Because of the unrestricted privileges of the SU pair after switching to Superuser root, SU cannot act as a system administered by multiple administrators. If you use SU to switch to Superuser to manage your system, you cannot be clear about which administrator is doing the work. Especially for the management of the server has many people involved in management, it is best for each administrator's technical expertise and management scope, and targeted delegated authority, and agreed to use which tools to complete its related work, then we need to use sudo.
With sudo, we can target certain super privileges and do not need a normal user to know the root password, so sudo is safer than the unrestricted Su, so sudo can also be called restricted su; and sudo requires authorization, So also known as the licensing su;
Sudo's process of executing commands: is the current user switching to root (or other designated user to switch to), and then to the root (or other specified switch to the user) identity to execute the command, after the completion of the execution, directly back to the current user, and these are the premise of the sudo through the configuration file/etc/sudoers to authorize;
start by writing the sudo configuration file/etc/sudoers sudo configuration file is/etc/sudoers, we can use his dedicated editing Tool Visodu, the advantage of this tool is that when the rule is not very accurate, save the exit will prompt us the error message, when configured, you can switch to your authorized user, through the sudo-l To see which commands can be executed or prohibited;
The/etc/sudoers file contains a rule for each line, preceded by a # can be regarded as a description of the content, not executed; if the rule is very long, a row, you can use the number to continue, so it seems that a rule can also have multiple rows;
/etc/sudoers rules can be divided into two categories: one is the alias definition, the other is the authorization rule, the alias definition is not necessary, but the authorization rule is necessary;
sudo authorization rules (sudoers configuration): Authorized User Host = Command action
These three elements are indispensable, but before the action can also be specified to switch to a specific user, where the user to specify the switch to use () number enclosed, if the password does not need to run the command, should add nopasswd: parameters, but these can be omitted;
Default configuration for Sudoers:
HTML code ############################################################# # sudoers file. # # this file must be edited with the ' Visudo ' command as root. # # see The sudoers man page for the details on how to write a sudoers file. # # host alias specification # user alias specification # cmnd alias specification # defaults specification # User privilege specification root all= (All) ALL # Uncomment to allow people in group wheel to run all commands # %wheel all= (All) ALL # same thing without a password # % Wheel all= (All) nopasswd: all # samples # %users all=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now ##################################################################
1. The simplest configuration, let ordinary user support have root all rights After performing the Visudo, you can see that there is only one configuration by default:
Root all= (All)
Then you can add a second configuration below:
Support All= (All)
In this way, normal user support can perform all commands for root permissions
After logging in as a support user, execute:
sudo su-
Then enter the support user's own password, you can switch to the root user
2. Let ordinary users support only on a few servers, the execution of some of the commands root can be executed First you need to configure some alias, so that when you configure permissions below, it will be easier not to write large sections of the configuration. The alias is mainly divided into 4 kinds
Host_alias
Cmnd_alias
User_alias
Runas_alias
1) Configure Host_alias: Is the list of hosts
Host_alias Host_flag = hostname1, hostname2, Hostname3
2) Configure Cmnd_alias: Is the list of commands that are allowed to execute, plus before the command! Indicates that the command cannot be executed.
command must use absolute path, avoid other directories with the same name command is executed, causing security risks, so use the time is also using absolute path!
Cmnd_alias Command_flag = Command1, Command2, Command3,!command4
3) Configure User_alias: Is the list of users with sudo permissions
User_alias User_flag = user1, User2, User3
4) Configure Runas_alias: Is the list of what the user performs (for example, root, or Oracle)
Runas_alias Runas_flag = Operator1, Operator2, Operator3
5) Configure Permissions The configuration permissions are formatted as follows:
User_flag host_flag= (Runas_flag) Command_flag
If you do not need password validation, then configure it in this format
User_flag host_flag= (Runas_flag) Nopasswd:command_flag
Configuration Example:
HTML code ############################################################################ # sudoers file. # # this file must be edited with the ' Visudo ' command as root. # # see the sudoers man page for the details on how to write a sudoers file. # # host alias specification host_alias epg = 192.168.1.1, 192.168.1.2 # user alias specification # cmnd alias specification cmnd_alias squid = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm cmnd_alias &nbsP admpw = /usr/bin/passwd [a-za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root # defaults specification # user privilege specification root all= (All) ALL support epg= (All) nopasswd: squid support epg= (All) NOPASSWD: ADMPW # Uncomment to allow people in group wheel to run all commands # %wheel all= (All) ALL # same thing without a password # %wheel all= (All) NOPASSWD: ALL # samples # %users all=/sbin/mount /cdrom,/sbin/umount /cdrom # %users localhost=/sbin/shutdown -h now ###############################################################
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.