4. sudo uses a timestamp file to implement a system similar to a "ticket". When a user runs sudo and enters the password, the user obtains a "ticket" that is valid for 5 minutes by default (the default can be changed at compile time). After it expires, the user must enter the password again.

Two. The sudo command

The sudo program itself is a binary file with the SUID bit set. We can check its permissions:
$ ls -l /usr/bin/sudo
---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo
Its owner is root, so every user runs the program as root. A program with the SUID bit set gives the user the owner's effective UID (euid) at run time, which is why SUID programs must be written with great care. But setting the SUID bit on a command file and running that command through sudo are different concepts and play different roles.

The sudo configuration is kept in the /etc/sudoers file, which we explain in detail below. The configuration file states which users may execute which commands. To use sudo, the user must provide their own user name and password. Note: the password sudo asks for is not the target user's password but that of the user running sudo. If a user who is not in sudoers runs a command through sudo, sudo reports the event to the administrator. A user can check whether they are in sudoers with sudo -v: if they are, this also refreshes the time on their "ticket"; if not, sudo prints a message but does not notify the administrator.
The sudo command format is as follows:
sudo -K | -L | -V | -h | -k | -l | -v
sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}
Let's take a look at some of the other commonly used options of sudo:
Option | Meaning | Role
sudo -h | Help | Lists the usage and exits.
sudo -V | Version | Displays the version information and exits.
sudo -l | List | Lists the commands the current user may execute. This option is available only to users in sudoers.
sudo -u username (or #uid) | User | Executes the command as the specified user. The user given here is someone other than root, and may be a user name or a #uid.
sudo -k | Kill | Clears the time on the "ticket", so the password must be entered again the next time sudo is used.
sudo -K | Sure kill | Like -k, but also tears up the "ticket", i.e. deletes the timestamp file.
sudo -b command | Background | Executes the given command in the background.
sudo -p prompt command | Prompt | Changes the prompt that asks for the password; %u is replaced by the user account name and %h by the host name. A very user-friendly design.
sudo -e file | Edit | Instead of executing a command, edits the file; equivalent to the sudoedit command.
There are also some infrequently used options, which can be found in the manual page sudo(8).

Three. Configuring sudo

To configure sudo you must edit the /etc/sudoers file. Only the superuser can modify it, and you must do so with visudo. There are two reasons for using visudo: it prevents two users from modifying the file at the same time, and it performs a limited syntax check. So even if you are the only superuser, you had better use visudo so that the syntax is checked.
By default visudo opens the configuration file in vi, and you modify the file with vi. This default can be changed at compile time. visudo does not save a configuration file that has syntax errors; it reports the problem and asks what to do, like this:
>>> sudoers file: syntax error, line <<<
What now? E
At this point we have three choices: type "E" to re-edit, type "X" to exit without saving, or type "Q" to exit and save. If you do choose Q, sudo will refuse to run until the error is corrected.

Now let's take a look at the mysterious configuration file and learn how to write it. Let's start with a simple example: allow the user foobar to execute, with sudo, every command that root can execute. Open the configuration file as root with visudo, and you will see a few lines similar to the following:
# Runas alias specification
# User privilege specification
root    ALL=(ALL) ALL
As we can see at once, root has all permissions. Following the example of the existing root line, we add a line below it (preferably using a tab as the separator):
foobar  ALL=(ALL) ALL
After saving and exiting, switch to the user foobar and execute a command under that identity:
[foobar@localhost ~]$ ls /root
ls: /root: Permission denied
[foobar@localhost ~]$ sudo ls /root
Password:
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
Now let's restrict foobar's rights so that he cannot do whatever he pleases. For example, we only want him to run ls and ifconfig as root, so we change that line to:
foobar  localhost=/sbin/ifconfig,/bin/ls
Execute the commands again:
[foobar@localhost ~]$ sudo head -5 /etc/shadow
Password:
Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
[foobar@localhost ~]$ sudo /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:ec:e9:9b
...
Now let's look at what those three ALLs mean. The first ALL refers to hosts on the network; we later changed it to a host name, meaning that foobar may execute the following commands on that host only. The ALL in parentheses refers to the target user, i.e. the identity under which the command is executed. The last ALL, of course, refers to the command names. For example, if we want user foobar to execute the kill command on the host linux as jimmy or rene, we write in the configuration file:
foobar  linux=(jimmy,rene) /bin/kill
But there is a question: in the end, does foobar execute it as jimmy or as rene? This is where sudo -u comes in; it is used in exactly such cases. foobar can use sudo -u jimmy kill PID or sudo -u rene kill PID, but that is a hassle. In fact we do not need to add -u every time: we can make rene or jimmy the default target user. Add one more line at the top:
Defaults:foobar runas_default=rene
If Defaults is followed by a colon, it sets the default for the user named after it; if not, it is the default for all users, like this line from the configuration file:
Defaults    env_reset
Another problem is that in many cases we are already logged in, and it is cumbersome to enter a password every time we use sudo. Could we avoid entering the password again? Of course; we can modify the configuration file as follows:
foobar  localhost=NOPASSWD:/bin/cat,/bin/ls
Run sudo again:
[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
Of course, you can also say "user foobar may not run certain commands" by using the ! operator, but that is not a good idea, because commands excluded with the ! operator are generally not really excluded: a user can simply copy the command somewhere else and run it under another name.
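As an added example (not from the original article), here are the rules discussed above gathered into one sudoers fragment, written with the alias syntax that the "# Runas alias specification" comment hints at. The alias names, the host name linux and the user names are assumptions for this example; Runas_Default is left out because it would change which of the rules below a plain sudo command matches.

```sudoers
# Added example (not the original article's configuration): the rules from
# the text collected into one fragment, using aliases so each rule is readable.

# Reset the environment for every user, as in the page's Defaults line.
Defaults        env_reset

# Aliases (names are assumed for this example).
Host_Alias      LOCAL = localhost
User_Alias      OPS   = foobar
Cmnd_Alias      READ  = /bin/ls, /bin/cat
Cmnd_Alias      NET   = /sbin/ifconfig

# foobar may run ls, cat and ifconfig as root, but only on this host,
# and only after entering his own password.
OPS     LOCAL = (root) READ, NET

# On the host "linux" foobar may run kill as jimmy or rene
# (chosen with sudo -u; without -u the target is root, which this rule
# does not allow).
OPS     linux = (jimmy, rene) /bin/kill

# Password-less access: keep such lists as narrow as possible.
OPS     LOCAL = (root) NOPASSWD: READ

# Not recommended, as the text explains: a command excluded with "!"
# can be copied under another name and is then matched by ALL again.
# OPS   LOCAL = (root) ALL, !/usr/bin/passwd
```

Check a fragment like this with visudo before installing it, as the text advises; a rule that is matched by a copied binary is the reason the text prefers short allow-lists over "!" exclusions.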
Four. Logs and security

sudo is very thorough about security: it not only logs, but also reports to the system administrator when necessary. However, sudo's logging is not automatic; the administrator must turn it on. To do so:
# touch /var/log/sudo
# vi /etc/syslog.conf
Add the following line at the end of syslog.conf (the fields must be tab-separated) and save:
local2.debug    /var/log/sudo
Restart the logging daemon:
ps aux | grep syslogd
Fill in the PID of the syslogd process found (the second column of the output is the PID):
kill -HUP PID
Now sudo can write its log:
[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
$ cat /var/log/sudo
Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
However, there is a small "flaw": the sudo log is not entirely faithful:
[foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
[foobar@localhost ~]$ cat /var/log/sudo
...
Jul 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
The redirection is not recorded! Why? Because the shell performed the redirection before the command was run, so sudo never saw it. This also has a benefit: the following trick will not succeed:
[foobar@localhost ~]$ sudo ls /root > /etc/shadow
bash: /etc/shadow: Permission denied
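As an added example (not part of the original article), here is a small Python parser for the sudo records written to /var/log/sudo above, with a per-user summary that separates accepted commands from denied attempts. The sample log lines are constructed; the "command not allowed" record for a denied attempt follows the format sudo writes to syslog for a refused command, which is assumed here rather than shown on the page.

```python
"""Parse sudo syslog records and summarise them per invoking user.

Added example, not code from the article. Note that the COMMAND field only
ever holds what sudo executed: a shell redirection such as "> /dev/null"
never appears, exactly as the text above observes.
"""
import re
from typing import Optional

# One record: "<user> : [<reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# The optional <reason> (e.g. "command not allowed") marks a denied attempt.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

# Constructed sample log (the denied record is in sudo's assumed format).
SAMPLE_LOG = """\
Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
Jul 28 22:53:10 localhost sudo:   foobar : command not allowed ; TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/usr/bin/head -5 /etc/shadow
Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one sudo record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["reason"] is not None
    return rec


def summarize(log_text: str) -> dict:
    """Per user: count of accepted commands, list of denied commands,
    and the set of target users the accepted commands ran as."""
    out: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # other local2 messages, blank lines, etc.
        entry = out.setdefault(rec["user"], {"ok": 0, "denied": [], "as": set()})
        if rec["denied"]:
            entry["denied"].append(rec["command"])
        else:
            entry["ok"] += 1
            entry["as"].add(rec["runas"])
    return out
```

Running summarize over the sample shows two accepted commands as root and one denied attempt for foobar; the cat of /etc/shadow is logged, but its redirection is not, so reviewers must read the COMMAND field as "what ran", not "what happened to the output".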
sudo also has its own ways of protecting security. Run sudo -V as root to see sudo's settings. For security reasons, some environment variables are not passed on to the command run through sudo, or are checked before being passed, such as PATH, HOME, SHELL, etc. Of course, you can also configure these environment variables through sudoers.
As seen above, sudo is useful for controlling and auditing root access, which lets system administrators manage systems more efficiently and securely. Mastering the correct use of sudo is also good training for a system administrator. This article is only a preliminary introduction to sudo; see the sudoers(5) and sudo(8) manual pages for more information.