"Sudo" is a very useful tool on the Unix/linux platform that allows system administrators to assign some reasonable "rights" to ordinary users to perform tasks that only superuser or other privileged users can accomplish, such as running some commands like MOUNT,HALT,SU. , or edit some system configuration files, such as/etc/mtab,/etc/samba/smb.conf. This has not only reduced the number of logins and administrative time of the root user, but also improved the security of the system.
I. Features of Sudo
Sudo's role is destined to be extra cautious in terms of security, or it could lead to illegal users grabbing root privileges. At the same time, it has to take into account the ease of use, so that the system administrator can more efficient and more convenient usage of it. The purpose of sudo designers is to give users as few permissions as possible but still allow them to complete their work. So, sudo
Has the following characteristics:
# 1. Sudo can restrict the specified user from running certain commands on the specified host.
# 2. sudo can provide logs, faithfully record what each user has done with sudo, and can upload logs to a central host or log server.
# 3. sudo provides the system administrator with a configuration file that allows the system administrator to centrally manage user permissions and the hosts used. Its default storage location is/etc/sudoers.
# 4.sudo uses a timestamp file to complete a system similar to "wicket". When the user executes sudo and enters the password, the user obtains a "ticket" with a default survival period of 5 minutes (the default value can be changed at compile time). After the timeout, the user must re-enter the password.
Two. sudo command
The sudo program itself is a binary file with the SUID bit set. We can check its permissions:
$ls-L/usr/bin/sudo
---s--x--x 2 root root 106832 02-12 17:41/usr/bin/sudo
Its owner is root, so each user can execute the program as root. Programs that have the SUID set can give the user the owner's euid at run time. This is why the SUID program must be carefully written. But setting a command file's suid and running it with sudo is a different concept, and they play a different role.
sudo configuration is recorded in the/etc/sudoers file, which we will explain in detail below. The configuration file indicates which users can execute which commands. To use sudo, the user must provide a specified user name and password. Note: sudo requires a password that is not the target user's password, but the user who executes sudo. If a user who is not in Sudoers executes the command through Sudo, sudo reports the event to the administrator. Users can see whether they are in sudoers by Sudo-v. If it is, it can also update your "ticket" on the time, if not, it will prompt you, but will not notify the administrator.
The sudo command format is as follows:
Sudo-k-l-v-h-k-l-vsudo [-HPSB] [-a auth_type] [-C class-] [-P prompt] [-u username#uid] {-e file [...]-i-s Comman D
Let's take a look at some of the other commonly used parameters of sudo:
option meaning function
Sudo-h help lists how to use, exit.
Sudo-v version Displays the release information and exits.
Sudo-l list lists the commands that the current user can execute. This option is available only to users in Sudoers.
Sudo-u username#uid User executes the command as specified. The following users are other than root, which can be either a user name or a #uid.
Sudo-k Kill clears the time on the "entry volume" and enters the password again the next time you use sudo.
Sudo-k sure Kill is similar to-K, but it also rips the "entry volume", which is to delete the timestamp file.
Sudo-b command Background executes the specified commands in the background.
Sudo-p prompt command Prompt can change the prompt to ask for a password, where%u is substituted for the user account name and%h displays the host name. Very user-friendly design.
SUDO-E file edit is not the execution of a command, but rather a modification of the document, equivalent to command sudoedit.
There are also some infrequently used parameters that can be found in the manual page sudo (8).
Three. Configure sudo
To configure sudo, you must edit the/etc/sudoers file, and only the superuser can modify it, and you must also use Visudo editing. There are two reasons why you can use Visudo, one is that it prevents
Two users modify it at the same time, and the second is that it can perform a limited grammar check. So, even if you are only a superuser, you'd better use Visudo to check the syntax.
Visudo default is to open the configuration file in VI, with VI to modify the file. We can modify this default at compile time. Visudo does not save a configuration file with syntax errors, it prompts you for problems and asks what to do with it, like this:
>>> sudoers file:syntax error, line $ <<
At this point we have three options: Type "E" is re-edit, type "X" is not saved exit, type "Q" is exit and save. If you do select Q, then sudo will no longer run until the error is corrected.
Now, let's take a look at the mysterious configuration file and learn how to write it. Let's start with a simple example: let the user foobar can execute all the root executable commands with sudo. To open the configuration file as root with Visudo, you can see a few lines similar to the following:
# Runas alias Specification
# User Privilege Specificationroot all= (All) all
As soon as we see it, Root has all the permissions, just follow the example of an existing root, we add a line below (preferably with tab as a blank):
Foobar all= (All) all
After saving the exit, switch to the Foobar user, and we execute the command with its identity:
[Email protected] ~]$ Ls/root
LS:/root: Insufficient Authority
[email protected] ~]$ sudo ls/root
PassWord:
Anaconda-ks.cfg Desktop Install.log Install.log.syslog
Well, let's limit Foobar's rights and let him do whatever he pleases. For example, we just want him to use LS and ifconfig like root, and change that line to:
Foobar localhost=/sbin/ifconfig,/bin/ls
To execute the command again:
[email protected] ~]$ sudo head-5/etc/shadow
Password:
Sorry, user foobar is not allowed to execute '/usr/bin/head-5/etc/shadow ' as Root on Localhost.localdomain.
[Email protected] ~]$ sudo/sbin/ifconfigeth0 linkencap:ethernet HWaddr 00:14:85:ec:e9:9b ...
Now let's take a look at what those three all mean. The first all refers to the host in the network, and we change it to the hostname, which indicates
Foobar can execute subsequent commands on this host. The "All" in the second parenthesis refers to the target user, who is the person who executes the command. Last one
All of course refers to the command name. For example, we want Foobar users to execute the KILL command on a Linux host as Jimmy or Rene, writing a configuration file:
Foobar linux= (Jimmy,rene)/bin/kill
But there is a question, foobar in the end to the status of Jimmy or Rene execution? At this point we should think of the sudo-u, it is used at such times. Foobar can use sudo-u jimmy kill pid or Sudo-u Rene kill PID, but this is a hassle, in fact we can not need to add-u every time, the Rene or Jimmy set as the default target users can. Add one more line to the top:
Defaults:foobar Runas_default=rene
Defaults If there is a colon, it is the default for the subsequent user, and if not, it is the default for all users. Like a line from a configuration file:
Defaults Env_reset
Another problem is that, in many cases, we're already logged in, and it's cumbersome to enter a password every time you use sudo. Could we not enter the password again? Of course, we can modify the configuration file as follows:
Foobar localhost=nopasswd:/bin/cat,/bin/ls
To sudo again:
[email protected] ~]$ sudo ls/rootanaconda-ks.cfg Desktop install.log
Install.log.syslog
Of course, you can also say "some commands the user Foobar not be able to run", by using the! operator, but that's not a good idea. Because, with! Operators "out" of all the commands are generally ineffective, a user can completely copy the command to another place, and then run after a name.
Four. Logs and security
Sudo is very thoughtful about security, not only logging, but also reporting to the system administrator if necessary. However, the log function of sudo is not automatic and must be turned on by the administrator. To do so:
# Touch/var/log/sudo
# vi/etc/syslog.conf
Add a line to the last face of the syslog.conf (Must be tab-separated) and save:
Local2.debug/var/log/sudo
Restart the log waiting process,
PS aux grep syslogd
Fill in the PID of the resulting syslogd process (the second column of the output is PID):
Kill–hup PID
In this way, sudo can write the log:
[email protected] ~]$ sudo ls/rootanaconda-ks.cfg
Desktop Install.log
Install.log.syslog
$cat/var/log/sudojul 22:52:54 localhost sudo:foobar:
TTY=PTS/1; Pwd=/home/foobar; User=root; Command=/bin/ls/root
However, with a small "flaw", sudo logs are not very faithful:
[email protected] ~]$ sudo cat/etc/shadow >/dev/null
[Email protected] ~]$
Cat/var/log/sudo ... Jul 23:10:24 localhost sudo:foobar:tty=pts/1;
Pwd=/home/foobar; User=root; Command=/bin/cat/etc/shadow
Redirection is not documented! Why? Because the shell had done the redirection before the command was run, Sudo did not see the redirect at all. This also has a benefit, the following means will not succeed:
[[email protected] ~]$ sudo ls/root >/etc/shadowbash:/etc/shadow: Insufficient permissions
Sudo has its own way to protect security. Execute sudo as root
-V, check the settings for sudo. Because of security concerns, some of the environment variables are not passed to the command behind Sudo, or are checked and then passed, such as: Path,home,
Shell and so on. Of course, you can also configure these environment variables through sudoers.
As seen above, sudo is useful for controlling and reviewing root access, which enables system administrators to manage systems more efficiently and securely. Mastering the correct use of sudo is also good training for system administrators. This article is just a preliminary introduction to the use of sudo, see the Sudoers (5) and sudo (8) manual pages for more information.
Sudo Detailed Description: Https://wiki.archlinux.org/index.php/Sudo_ (%e7%ae%80%e4%bd%93%e4%b8%ad%e6%96%87)
"Go" linux sudo command + personal case