Reasonably use su and sudo commands to ensure system user security

The Linux system provides two user permission management mechanisms: su and sudo. su is mainly used to switch users, while sudo users are used to improve execution permissions. The following describes in detail.

I. su command -- switch users
With the su command, you can switch to another user to have all the permissions of the user. Of course, the password of the target user needs to be verified during the switch (when switching from root to another user, the column is exceeded)
For example, you must enter the root password when switching the root identity.

In the preceding command operation, the option "-" is equivalent to "-- login" or "-l", indicating that the switch enters the logon shell environment of the target user, if this option is missing, only the identity is switched and the user environment is not switched.
By default, any user is allowed to use the su command, so as to have the opportunity to repeatedly try the login password of other users, which brings security risks. To enhance the use control of the su command, you can use the pam_wheel authentication module to allow only a few users to switch using the su command.

The implementation process is as follows:
1. Add the user who needs to use the su command to the wheel group.

2. modify the configuration file/etc/pam. d/su and enable pam_sheel authentication.
Vim/etc/pam. d/su
Auth required pam_wheel.so use_uid
Some content is omitted.
3. At this time, the user can use the su command, while other users who have not joined the wheel group cannot use the su command.

Ii. sudo command-Privilege Escalation
You can use the sudo command to grant some special permissions to some users. This user does not need to know the administrator password. However, this requires the Administrator to grant permissions in advance, allows users to execute commands as administrators.
The sudo command configuration file is in/etc/sudoers. You need to add the specified permissions of the specified user to the configuration file before the user can execute these permissions, you can use the mongodo command or vim command to edit the file. (Note: you must add it when using vim for editing! Force save)
In the configuration file/etc/sudoers, the basic configuration format of the Authorization Record is as follows.
User MACHING = COMMANDS
It consists of three parts: User, host, and command, that is, the commands that the user executes from those hosts.
User: the authorized user name or "% group name.
HOST: Use the host name of this configuration file, which is generally set to localhost.
Command (COMMABDS): to allow authorized users to execute commands in sudo mode, enter the full path of the command program. Separate multiple commands with commas.

1. Modify the/etc/sudores configuration file to authorize the specified user.
For example, authorize the user the permission to execute the ifconfig command.
[Root @ lcoalhost/] # mongodo
Some content is omitted.
User localhost =/sbin/ifconfig

2. Use the alias definition to authorize multiple users
When there are many users with the same authorization or a large number of authorization commands, you can use a centralized definition of aliases. You can define aliases in the user, host, and command sections (aliases must be capitalized) and set them by using the keywords User_Alias, Host_Alias, and Cmnd_Alias.
Set to allow users user1, user2, and user3 to execute rpm, yum, and other commands on the host localhost.
[Root @ lcoalhost/] # mongodo
Some content is omitted.
User_Alias USERS = user1, user2, user3
Cmnd_Alias PKGTOOLS =/bin/rpm,/usr/bin/yum
USERS localhost = PKGTOOLS
When authorizing a user, the command can use the wildcard "*" and the anti-symbol "!". It is particularly useful when you need to authorize all commands in a directory and cancel some of them.

3. Enable Logging for sudo
By default, operations performed in sudo mode are not recorded. To enable the sudo logging function, add the "Defaults logfile" option to the/etc/sudores file.
Add the sudo logging function as follows:
[Root @ lcoalhost/] # mongodo
Some content is omitted.
Defaults logfile = "/var/log/sudo"

4. the user uses the sudo command to execute the authorization command
For authorized users, when executing privileged commands in sudo mode, you only need to use the normal command line as the parameter of the sudo command. The user executes the ifconfig command as follows:

To execute the sudo command for the first time, you need to enter the password of the current user. The validity period is 5 minutes, that is, the sudo password is not used within 5 minutes after the password is entered, the next time you run the sudo command, you will be prompted to enter the password.
If you do not want to enter the password when executing the sudo command, you can modify the configuration file/etc/sudores as follows:
[Root @ lcoalhost/] # mongodo
Some content is omitted.
User localhost = NOPASSWD:/sbin/ifconfig
When the user executes the ifconfig command, the password is not prompted.
To view which sudo authorization commands the current user obtains, run the "sudo-l" command.

Recommended reading:

Use and enable the root account with Ubuntu sudo and su commands

Sudo: sorry, you must have a tty to run sudo

Configure sudo permissions in Linux

Temporary root permission for sudo Configuration

How to solve the problem that users cannot execute sudo in Linux

The Linux system administrator must not know the command: sudo