Mastering the use of sudo


sudo is a very useful tool on Unix/Linux platforms. It lets the system administrator grant ordinary users a limited set of "rights" to perform tasks that otherwise only the superuser or another privileged user could carry out, such as running commands like mount, halt and su, or editing system configuration files such as /etc/mtab and /etc/samba/smb.conf. This both reduces how often root has to log in and how much administration time root spends, and improves the security of the system.

I. Features of Sudo

sudo's role means it has to be extra cautious about security, or it could let illegitimate users grab root privileges. At the same time it has to remain easy to use, so that the system administrator can use it efficiently and conveniently. The goal of sudo's designers is to give users as few permissions as possible while still letting them complete their work. sudo therefore has the following features:

  • 1. sudo can restrict specified users to running only certain commands on specified hosts.
  • 2. sudo can keep logs, faithfully recording what each user has done with sudo, and the logs can be forwarded to a central host or log server.
  • 3. sudo gives the system administrator a configuration file in which user permissions and the hosts they apply to are managed centrally. Its default location is /etc/sudoers.
  • 4. sudo uses a timestamp file to implement something like a "ticket" system. When a user runs sudo and enters the password, the user obtains a "ticket" that is valid for 5 minutes by default (the default can be changed at compile time). After it expires, the user must enter the password again.

II. The sudo command

    The sudo program itself is a binary with the SUID bit set. We can check its permissions:

    $ ls -l /usr/bin/sudo
    ---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo

    Its owner is root, so every user who executes the program runs it as root: a program with the SUID bit set gives the user the owner's effective UID (euid) at run time. This is why SUID programs must be written very carefully. Note that setting the SUID bit on a command file and running the command through sudo are different concepts and play different roles.

    sudo's configuration is recorded in the /etc/sudoers file, which we explain in detail below. The configuration file states which users may execute which commands. To use sudo, the user must supply a user name and password. Note: the password sudo asks for is not the target user's password but that of the user running sudo. If a user who is not listed in sudoers runs a command through sudo, sudo reports the event to the administrator. Users can check whether they are in sudoers with sudo -v: if they are, it also refreshes the time on their "ticket"; if not, it prints a message but does not notify the administrator.

    The sudo command format is as follows:

    sudo -K | -L | -V | -h | -k | -l | -v
    sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}

    Let's take a look at some of the other commonly used parameters of sudo:

    Option                   Meaning     Role
    sudo -h                  Help        Lists the usage and exits.
    sudo -V                  Version     Displays the version information and exits.
    sudo -l                  List        Lists the commands the current user may execute. Only available to users in sudoers.
    sudo -u username|#uid    User        Executes the command as the specified user, given either as a user name or as #uid (used when the target user is someone other than root).
    sudo -k                  Kill        Clears the time on the "ticket", so the password must be entered again the next time sudo is used.
    sudo -K                  Sure kill   Like -k, but also tears up the "ticket", i.e. deletes the timestamp file.
    sudo -b command          Background  Executes the specified command in the background.
    sudo -p prompt command   Prompt      Changes the prompt that asks for the password; %u is replaced by the user's account name and %h by the host name. A very user-friendly design.
    sudo -e file             Edit        Instead of executing a command, edits the file; equivalent to the sudoedit command.

    There are also some infrequently used options, which can be found in the manual page sudo(8).

III. Configuring sudo

    To configure sudo you must edit the /etc/sudoers file. Only the superuser can modify it, and you must also do so with visudo. There are two reasons for using visudo: it prevents two users from modifying the file at the same time, and it performs a limited syntax check. So even if you are the superuser, you had better use visudo so that the syntax is checked.

    By default visudo opens the configuration file in vi, and you edit it with vi; this default can be changed at compile time. visudo will not save a configuration file that contains a syntax error: it points out the problem and asks what to do with it, like this:

    >>> sudoers file: syntax error, line <<<
    What now? e

    At this point we have three choices: type "e" to re-edit the file, type "x" to exit without saving, or type "Q" to exit and save anyway. If you do choose Q, sudo will refuse to run until the error is corrected.

    Now let's look at the mysterious configuration file and learn how to write it. Start with a simple example: let the user foobar execute, via sudo, every command that root can execute. Open the configuration file as root with visudo and you will see a few lines like these:

    # Runas alias specification
    # User privilege specification
    root    ALL=(ALL) ALL

    We can see at once that root has all permissions. Following the existing root entry, we add a line below it (preferably using a tab as the separator):

    foobar  ALL=(ALL) ALL

    Save and exit, switch to the foobar user, and run a command under that identity:

    [foobar@localhost ~]$ ls /root
    ls: /root: Insufficient permissions
    [foobar@localhost ~]$ sudo ls /root
    Password:
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog
    Now let's restrict foobar's rights so that he can no longer do whatever he pleases. For example, if we only want him to run ls and ifconfig as root, change that line to:

    foobar  localhost=/sbin/ifconfig, /bin/ls

    Run the commands again:

    [foobar@localhost ~]$ sudo head -5 /etc/shadow
    Password:
    Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
    [foobar@localhost ~]$ sudo /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B
    ...
    Now let's see what those three ALLs mean. The first ALL refers to hosts on the network; we changed it to a host name above, which says that foobar may run the listed commands on that host. The ALL in the parentheses refers to the target user, i.e. the user the command is run as. The last ALL of course refers to the commands. For example, if we want foobar to run the kill command on the host linux as jimmy or rene, we write:

    foobar  linux=(jimmy, rene) /bin/kill

    But there is a question: does foobar end up running it as jimmy or as rene? This is exactly where sudo -u is used. foobar can run sudo -u jimmy kill pid or sudo -u rene kill pid. That is a hassle, though; we do not have to add -u every time, because we can make rene or jimmy the default target user. Add one more line at the top:

    Defaults:foobar runas_default=rene

    A Defaults line with a colon sets defaults for the users named after the colon; without a colon it sets defaults for all users, like this line from the configuration file:

    Defaults    env_reset

    Another problem: in many cases we are already logged in, and having to enter a password every time we use sudo is cumbersome. Can we avoid entering the password again? Of course; modify the configuration file as follows:

    foobar  localhost=NOPASSWD: /bin/cat, /bin/ls

    Run sudo again:

    [foobar@localhost ~]$ sudo ls /root
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog

    Of course, you can also say "user foobar may not run certain commands" using the ! operator, but that is not a good idea. Commands "excluded" with the ! operator are generally not really blocked: a user can simply copy the command somewhere else and run it under another name.
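    As an added check that is not part of the original article, the following POSIX shell script scans a sudoers file for the risky patterns discussed in this section (rules that rely on the ! operator, NOPASSWD combined with ALL, and non-root users granted ALL=(ALL) ALL) and prints one finding per rule. The sudoers content is constructed for the example, and the script assumes the one-rule-per-line layout shown above, with no aliases or backslash continuations.

```shell
#!/bin/sh
# Added example, not from the original article: audit a sudoers file for
# risky rules. Assumes one rule per line, no aliases or "\" continuations.

# Constructed sample sudoers for this example (not a real host's file).
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# User privilege specification
Defaults        env_reset
Defaults:foobar runas_default=rene
root    ALL=(ALL) ALL
foobar  localhost=/sbin/ifconfig, /bin/ls
foobar  localhost=NOPASSWD: /bin/cat, /bin/ls
jimmy   ALL=(ALL) ALL, !/bin/su
rene    ALL=(ALL) NOPASSWD: ALL
admin   ALL=(ALL) ALL
EOF

# audit_sudoers FILE: print "<TAG>: <rule>" for every risky rule.
#   NEGATION     - rule relies on "!" (defeated by copying the binary)
#   NOPASSWD_ALL - any command as the target user, no password asked
#   FULL_ROOT    - a non-root user granted ALL=(ALL) ALL
audit_sudoers() {
    awk '
        /^[[:space:]]*#/        { next }   # comment
        /^[[:space:]]*$/        { next }   # blank line
        /^[[:space:]]*Defaults/ { next }   # Defaults are options, not rules
        /!/                                     { print "NEGATION: " $0;     next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print "NOPASSWD_ALL: " $0; next }
        $1 != "root" && /\(ALL\)[[:space:]]*ALL[[:space:]]*$/ {
                                                  print "FULL_ROOT: " $0;    next }
    ' "$1"
}

# count_findings FILE: number of risky rules, as a plain integer.
count_findings() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

audit_sudoers "$SAMPLE_SUDOERS"
```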

IV. Logs and security

    sudo is very thoughtful about security: it not only keeps logs but also reports to the system administrator when necessary. However, sudo's logging is not automatic and must be turned on by the administrator. To do so:

    # touch /var/log/sudo
    # vi /etc/syslog.conf

    Add the following line at the end of syslog.conf (the fields must be tab-separated) and save:

    local2.debug    /var/log/sudo

    Then restart the logging daemon. Run

    ps aux | grep syslogd

    and fill in the PID of the syslogd process it shows (the second column of the output is the PID):

    kill -HUP PID

    Now sudo can write its log:

    [foobar@localhost ~]$ sudo ls /root
    anaconda-ks.cfg  Desktop  install.log  install.log.syslog
    $ cat /var/log/sudo
    Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root

    There is a small "flaw", however: the sudo log is not entirely faithful:

    [foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
    [foobar@localhost ~]$ cat /var/log/sudo
    ...
    Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow

    The redirection is not logged! Why? Because the shell performed the redirection before the command was run, so sudo never saw it. This also has a benefit: the following trick will not succeed:

    [foobar@localhost ~]$ sudo ls /root > /etc/shadow
    bash: /etc/shadow: Insufficient permissions
    sudo has its own ways of protecting security. Run sudo -V as root to see sudo's settings. For security reasons, some environment variables are not passed to the command run through sudo, or are checked before being passed, for example PATH, HOME and SHELL. Of course, you can also configure these environment variables through sudoers.
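    As an added example, not from the original article, here is a POSIX shell function that parses sudo's syslog lines in the format shown above into who/target/status/command fields, with two small detections built on it. The log lines are constructed for the example (the "command not allowed" form is what sudo writes for a refused command), and, as noted above, the COMMAND field can never show a shell redirection.

```shell
#!/bin/sh
# Added example, not from the original article: parse sudo's syslog lines
# and run two simple detections over them.

# Constructed sample log for this example (not a real /var/log/sudo).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 28 23:12:01 localhost sudo:   foobar : command not allowed ; TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/usr/bin/head -5 /etc/shadow
Jul 28 23:15:40 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=rene ; COMMAND=/bin/kill 4242
Jul 28 23:16:02 localhost kernel: unrelated line that must be ignored
EOF

# sudo_events FILE: one line per sudo record, "who<TAB>as<TAB>status<TAB>command".
# status is "ok" or "denied". A redirection such as "> /dev/null" never shows
# up in COMMAND: the shell applied it before sudo ran.
sudo_events() {
    awk -F' ; ' '
        / sudo: / {
            who = $1; sub(/.* sudo: +/, "", who); sub(/ :.*/, "", who)
            status = ($1 ~ / : command not allowed/) ? "denied" : "ok"
            as = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/)    as  = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            }
            print who "\t" as "\t" status "\t" cmd
        }' "$1"
}

# count_denied FILE: how many sudo attempts the policy refused.
count_denied() {
    sudo_events "$1" | awk -F'\t' '$3 == "denied"' | wc -l | tr -d ' '
}

# shadow_touches FILE: how many commands (allowed or not) named /etc/shadow.
shadow_touches() {
    sudo_events "$1" | awk -F'\t' '$4 ~ /\/etc\/shadow/' | wc -l | tr -d ' '
}

sudo_events "$SAMPLE_LOG"
```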

    As we have seen, sudo is useful for controlling and auditing root access, which lets system administrators manage systems more efficiently and more securely. Mastering the correct use of sudo is also good training for a system administrator. This article is only a preliminary introduction to sudo; see the sudoers(5) and sudo(8) manual pages for more information.
