Linux System sudo command detailed

Source: Internet
Author: User

For example: running commands such as mount, halt or su, or editing system configuration files such as /etc/mtab or /etc/samba/smb.conf. In this way, it not only reduces the number of root logins and the time spent managing as root, but also improves the security of the system.

I. Characteristics of sudo

sudo's role requires it to be extra cautious about security, or it could let unauthorized users obtain root. At the same time it must remain easy to use, so that the system administrator can work with it efficiently. The goal of sudo's designers is to give users as few privileges as possible while still allowing them to do their job. So sudo has the following characteristics:

1. sudo can restrict specified users to running certain commands on specified hosts.
2. sudo can provide a log that faithfully records what each user does with sudo, and the log can be sent to a central host or log server.
3. sudo provides the system administrator with a configuration file in which user permissions and the hosts they apply to are managed centrally. Its default location is /etc/sudoers.
4. sudo uses a timestamp file to implement a kind of "ticket checking". When a user runs sudo and enters a password, the user obtains a "ticket" with a default lifetime of 5 minutes (the default can be changed at compile time). After it expires, the user must re-enter the password.

II. The sudo command

The sudo program itself is a binary with the suid bit set. We can check its permissions:

    $ ls -l /usr/bin/sudo
    ---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo

Its owner is root, so any user executing the program runs it as root: a program with the suid bit runs with the file owner's uid as the user's effective uid (euid). This is why suid programs must be written very carefully. Note, however, that setting the suid bit on a command file and running that command through sudo are different concepts and play different roles.

The sudo configuration is recorded in the /etc/sudoers file, which we will explain in detail below. The configuration file states which users may execute which commands. To use sudo, the user must supply the specified user name and password. Note: sudo asks not for the target user's password, but for the password of the user who runs sudo. If a user who is not listed in sudoers tries to execute a command through sudo, sudo reports the event to the administrator. Users can run sudo -v to see whether they are in sudoers. If they are, it also refreshes the time on their "ticket"; if not, it prints a message but does not notify the administrator.

The sudo command format is as follows:

    sudo -K | -L | -V | -h | -k | -l | -v
    sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}

Now let's take a look at some of the other common parameters of sudo:

    Option                  Meaning      Effect
    sudo -h                 help         Lists the usage and exits.
    sudo -V                 version      Displays the version information and exits.
    sudo -l                 list         Lists the commands the current user may execute. Only available to users in sudoers.
    sudo -u username|#uid   user         Executes the command as the specified user, given as a user name or #uid other than root.
    sudo -k                 kill         Clears the time on the "ticket", so the password is asked again the next time sudo is used.
    sudo -K                 sure kill    Like -k, but also "tears up" the ticket, i.e. deletes the timestamp file.
    sudo -b command         background   Executes the specified command in the background.
    sudo -p prompt command  prompt       Changes the prompt that asks for the password; %u is replaced by the user account name and %h by the host name. A very considerate design.
    sudo -e file            edit         Instead of executing a command, edits the file; equivalent to the sudoedit command.

There are also some less commonly used parameters, which can be found in the man page sudo(8).

III. Configuring sudo

sudo is configured by editing the /etc/sudoers file. Only the superuser may modify it, and it must be edited with visudo. There are two reasons to use visudo: first, it prevents two users from modifying the file at the same time; second, it performs a limited syntax check. So even if you are the only superuser, you should still use visudo so that the syntax is checked.

By default visudo opens the configuration file in vi, and you modify the file with vi. This default can be changed at compile time. visudo will not blindly save a configuration file that contains a syntax error; it reports the problem and asks what to do, like this:

    >>> sudoers file: syntax error, line 22 <<<

At this point we have three choices: type "E" to edit again, "X" to exit without saving, or "Q" to exit and save anyway. If you really choose Q, sudo will not run until the error is corrected.

Now let's look at this mysterious configuration file and learn how to write it. Let's start with a simple example: allow the user foobar to execute, through sudo, all commands that root can execute. Open the configuration file with visudo as root, and you can see lines similar to the following:

    # Runas alias specification
    # User privilege specification
    root    ALL=(ALL) ALL

We can see at a glance that root has all permissions. Following the example of the existing root line, we add a line below it (preferably using a tab as the separator):

    foobar    ALL=(ALL) ALL

After saving and exiting, switch to the foobar user and execute the commands as that user:

    [foobar@localhost ~]$ ls /root
    ls: /root: Permission denied
    [foobar@localhost ~]$ sudo ls /root
    Password:
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog

Now let's limit foobar's rights so that he can no longer do whatever he wants. For example, we only want him to use ls and ifconfig as root, so change that line to:

    foobar    localhost=/sbin/ifconfig,/bin/ls

Execute the commands again:

    [foobar@localhost ~]$ sudo head -5 /etc/shadow
    Password:
    Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
    [foobar@localhost ~]$ sudo /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B
    ...

Now let's look at what those three ALLs mean. The first ALL refers to the host in the network; we later changed it to a host name, which means foobar may execute the following commands on that host. The ALL inside the parentheses refers to the target user, that is, the identity under which the command is executed. The last ALL, of course, refers to the command name. For example, if we want the user foobar to execute the kill command as jimmy or rene on a host named linux, we write in the configuration file:

    foobar    linux=(jimmy,rene) /bin/kill

But there is a question: does foobar execute it as jimmy or as rene? This is where sudo -u comes in. foobar can use sudo -u jimmy kill pid or sudo -u rene kill pid, but that is a hassle. We don't have to add -u every time; we can make rene or jimmy the default target user. Add one more line to the above:

    Defaults:foobar    runas_default=rene

A Defaults line with a colon sets a default for the named user; without a colon it sets a default for all users, like this line in the configuration file:

    Defaults    env_reset

Another problem: often we are already logged in, and having to enter the password every time we use sudo is cumbersome. Can we stop entering the password? Of course; we can modify the configuration file like this:

    foobar    localhost=NOPASSWD: /bin/cat,/bin/ls

Now run sudo again:

    [foobar@localhost ~]$ sudo ls /root
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog

Of course, you can also state that "user foobar may not run some command" using the ! operator, but this is not a good idea. Using the ! operator to "subtract" some commands from ALL is generally ineffective, because a user can copy the command somewhere else and run it under a different name.
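To make the matching rules of this section concrete, here is an added example (not from the article and not sudo's own code): a hypothetical, simplified Python model of the user specifications built up above, which answers whether a user may run a command on a host as a given target and whether a password is required. It assumes that an omitted runas part means root and models no aliases, wildcards, command arguments or the ! operator.

```python
import re
# Hypothetical simplified matcher for the sudoers lines this article builds up (not sudo's
# own parser): 'user host=(runas,..) [NOPASSWD:] cmd,..' and 'Defaults[:user] runas_default=name'.
# No aliases, wildcards, arguments, '!' or includes; an omitted Runas_Spec is treated as root.
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tag>NOPASSWD:|PASSWD:)?\s*(?P<cmds>.+)$")
DEFAULTS_RE = re.compile(r"^Defaults(?::(?P<user>\S+))?\s+(?P<opts>.+)$")

def parse_sudoers(text):
    """Return (rules, runas_default); runas_default maps user (or '*') to a name."""
    rules, runas_default = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            for opt in m.group("opts").split():
                key, _, val = opt.partition("=")
                if key == "runas_default":
                    runas_default[m.group("user") or "*"] = val
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unrecognised sudoers line: " + line)
        rules.append({
            "user": m.group("user"), "host": m.group("host"),
            "runas": tuple(u.strip() for u in (m.group("runas") or "root").split(",")),
            "nopasswd": m.group("tag") == "NOPASSWD:",
            "cmds": tuple(c.strip() for c in m.group("cmds").split(","))})
    return rules, runas_default

def check(rules, runas_default, user, host, cmd, target=None):
    """Return (allowed, password_required); target defaults to runas_default, then root."""
    target = target or runas_default.get(user) or runas_default.get("*", "root")
    result = (False, True)
    for r in rules:                        # as in sudoers(5), the last matching entry wins
        if (r["user"] == user and r["host"] in ("ALL", host)
                and ("ALL" in r["runas"] or target in r["runas"])
                and ("ALL" in r["cmds"] or cmd in r["cmds"])):
            result = (True, not r["nopasswd"])
    return result

# Constructed sample, assembled from the entries the article adds one by one.
SAMPLE_SUDOERS = """
Defaults:foobar    runas_default=rene
root    ALL=(ALL) ALL
foobar    localhost=NOPASSWD: /bin/cat,/bin/ls
foobar    linux=(jimmy,rene) /bin/kill
"""
```

Because the sample sets runas_default to rene for foobar, a bare check without a target is evaluated as rene, which is why the localhost rule (root only) must be queried with target "root".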

IV. Logging and security

sudo is thorough about security: it not only logs, but also reports to the system administrator when necessary. However, sudo's logging is not automatic; it must be turned on by an administrator. To do this:

    # touch /var/log/sudo
    # vi /etc/syslog.conf

Add one line at the end of syslog.conf (the fields must be tab-separated) and save:

    local2.debug    /var/log/sudo

Then restart the logging daemon:

    ps aux | grep syslogd

Take the PID of the syslogd process found (the second column of the output) and use it in:

    kill -HUP pid

In this way, sudo can write its log:

    [foobar@localhost ~]$ sudo ls /root
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog
    $ cat /var/log/sudo
    Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root

However, there is a small "flaw": sudo's logging is not entirely faithful:

    [foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
    [foobar@localhost ~]$ cat /var/log/sudo
    ...
    Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow

The redirection is not recorded! Why? Because the shell performs the redirection before the command is run, sudo never sees it at all. This also has an advantage: the following trick will not succeed:

    [foobar@localhost ~]$ sudo ls /root > /etc/shadow
    bash: /etc/shadow: Permission denied

sudo has its own ways of protecting itself. Run sudo -V as root to see the sudo settings. For security reasons, some environment variables are not passed to the command run by sudo, or are checked before being passed, such as PATH, HOME, SHELL and so on. These environment variables can also be configured in sudoers.

As you can see, sudo helps control and audit root access, which allows system administrators to manage systems more effectively and securely. Mastering the correct use of sudo is also good training for system administrators. This article is only a preliminary introduction to sudo usage; for more information, refer to the sudoers(5) and sudo(8) man pages.
