Linuxsudo command and its configuration file/etc/sudoers

The Linuxsudo command and its configuration file/etc/sudoers will also know about the sudo command. The core idea of the sudo command is to grant permissions, that is, the user of a command is not yourself, but you have the permission to execute it. But we need to note that, although...
The Linux sudo command and its configuration file/etc/sudoers will also know about the sudo command. The core idea of the sudo command is to grant permissions, that is, the user of a command is not yourself, but you have the permission to execute it. However, although you have the permission to execute this command, it is still executed by the user of this command. [note 1]. (The su command is similar to the sudo command, but the difference between the two is that su is a coarse-grained permission assignment, and www.2cto.com has the best understanding of su. I think it is change user running command permanent. That is to say, the su user is switched permanently to the previous user, and then the new user from the su will do everything it can do, sudo refers to the user that temporarily switches to the command owner when executing a command to execute [note 1], and sudo can grant permissions to other users in the unit of a single command, it is more flexible than su .) I know about sudo. do you know how to configure sudo? The following is a brief description: the configuration file for configuring sudo is in/etc/sudoers. Generally, you can use the mongodo command to safely open and edit the file. Run the following command to view the usage of/etc/sudoers: man 5 sudoers. The/etc/sudoers file contains the following two parts:
1. the alias www.2cto.com mainly includes the following types: User_Alias, Host_Alias, Runas_Alias, and Cmnd_Alias: User alias, host alias, running user alias, and command alias. The command for setting these aliases is mainly used for configuration convenience. This is similar to the role in a linux user group or database. with aliases, you can grant permissions in batches. Setting method Alias_Type alias_name = name1, name2, name3, for example, User_Alias User1 = user1, user2, user3. The method for setting other types of alias is similar.
2. the real sudo entry is to configure which users can use the commands (you can even disable alias settings ). Format: user name (user alias) host name (host alias) = [(run user or Runas_Alias) optional] [tag optional] executable commands (or cmd_alias) the description syntax is hard to understand. for example, user1 host1 =/bin/kill # user1 can use the command/bin/killuser1 host1 = NOPASSWD on host1: /bin/kill # user1 can use the command/bin/kill on host1 without having to enter the password (NOPASSWD # is used here. the default value is PASSWD) user1 host1 = NOPASSWD: /bin/kill, PASSWORD:/bin/ls # user1 can use the command/bin/kill on host1 without entering the PASSWORD, however, to use/bin/ls, enter the password user1 host1 = (opterator)/bin/ki. Ll # user1 can use the/bin/kill Command on host1, but this command must be run by the operator User. it is equivalent to # su-u opertor/bin/killuser1 host1 = (: group_name) /bin/kill # user1 can use the command/bin/kill on host1 and must be run by the user in the group_name user group. % Group_name host1 =/bin/kill # all users in group_name can execute/bin/kill on host1 (in linux, # % group_name is generally used for the entire user group) for another practical example, I didn't understand the sudo su command. Why can I directly connect su to the root user without a password? Check the sudoers file to know that there is such a line in it: xxx ALL = NOPASSWD:/bin/su www.2cto.com, so far ~, An additional Journal account is provided ~~~ ^__ ^ Note 1: In linux, each process has a UID, GID, which are valid UID, real UID, valid GID, and real GID. Valid UID. GID is used to determine permissions, while real UID and GID are used to keep records (which process belongs to which user or logs are recorded ). After sudo entry is configured, the valid UID contains the configured user UID. Therefore, you can pass the permission verification. From ICER-REPLS 'blog