Root Super permission control in Linux

Source: Internet
Author: User
A super user is the owner of the highest permissions of the system and the only winner of system management. a super user has super permissions and is omnipotent. if the super user is not good at management, it will pose a threat to system security. In addition to avoiding the direct use of super user root to log on to the system as much as possible, we also need to learn to temporarily switch to Super

A super user is the owner of the highest permissions of the system and the only winner of system management. a super user has super permissions and is omnipotent. if the super user is not good at management, it will pose a threat to system security. In addition to avoiding the direct use of the root user to log on to the system as much as possible, we also need to learn to temporarily switch to the root user under normal users to complete the necessary system management work; from the perspective of user management and system security, it is extremely meaningful;

This article provides an example of the implementation commands su and sudo for common users to switch to the root user, hoping to facilitate learning for beginners;


Directory Index


1. understanding of super users and common users;

1. what is a super user;
2. understand the correspondence between UID and user
3. common users and disguised users
II. Role of super users (permissions) in system management

1. operate any file, directory, or process;
2. global system management;
3. irreplaceable super permissions;
3. use the su command to temporarily switch user identities;

1. conditions and power of su;
2. su usage;
3. Examples of su;
4. Advantages and disadvantages of su
IV. su authorized for use by sudo is also restricted

1. applicable conditions of sudo;
2. Compile the sudo configuration file/etc/sudoers;
3. alias rules in the/etc/sudoers configuration file
4. Authorization rules in/etc/sudoers:
5. other unfinished items in/etc/sudoers;
6. sudo usage;
5. postscript;
6. about this article;
7. thank you;
8. references;


++ ++
Body
++ ++


In Linux, root has the highest permissions, also known as the owner of super permissions. Operations that common users cannot perform can be completed by the root user, so they are also called Super management users.

In the system, every file, directory, and process belongs to a user. other common users cannot operate without user permission, except root users. The root user privilege is also manifested in the fact that the root user can read, modify, or delete files or directories (within the normal scope of the system) beyond any user or user group ); execute and terminate executable programs, add, create, and remove hardware devices, and modify the owner and permissions of files and directories, to meet the needs of system management (because root is the privileged user with the highest permissions in the system );


1. understanding of super users and common users;

 

1. what is a super user;

In all Linux systems, UID is used to differentiate user permission levels. users with UID 0 are deemed to have super permissions. Super users have the highest permissions agreed by the system to operate in the garden, so super users can complete all the tools for system management; we can check through/etc/passwd that the user with UID 0 is root, and only the UID corresponding to root is 0. From this point of view, root users are irreplaceable in the system and have unlimited permissions. Root users are super users in the system;


2. understand the correspondence between UID and user


When the system is installed by default, the system user is in a one-to-one relationship with the UID, that is, a UID corresponds to a user. We know that the user identity is identified by UID) in the description of the UID in the configuration file, the UID indicates that "UID is the identifier used to confirm the user permission. The role where the user logs on to the system is implemented by UID instead of the user name; it is dangerous to share a UID among several users. for example, we change the UID of a common user to 0 and share a UID with the root user, which in fact leads to confusion in system management permissions. If we want to use the root permission, we can implement it through su or sudo. do not share the same UID with the root user ;"

In the system, can the UID and user be in a one-to-many relationship? Yes. for example, we can allocate a UID of 0 to several users, which is the one-to-many relationship between the UID and the user. But this is indeed a little dangerous; users with the same UID have the same identity and permissions. For example, after we change the UID of beinan to 0 in the system, the normal user actually has the super permission. his abilities and permissions are the same as those of the root user; all beinan operations will be marked as root operations, because the UID of beinan is 0, and the user whose UID is 0 is root, is it a bit disturbing? It can also be understood that the user whose UID is 0 is root, and the UID of the root user is 0;

The one-to-one relationship between the UID and the user only requires the administrator to adhere to the rules for system management, because system security is still the first priority. Therefore, it is the best choice to retain super permissions to the only root user;

If we do not share the UID 0 value with other users, the root user is the only super-authorized user with UID = 0;

3. common users and disguised users

Compared with superusers, common users and virtual users (also known as disguised users) are restricted. However, in order to complete specific tasks, common users and disguised users are also required. Linux is a multi-user, multi-task operating system. multiple users are mainly reflected in the diversity of user roles, and different users have different permissions; this is the more secure nature of Linux than Windows systems. even the latest version of Windows 2003 cannot erase the brand of its single-user system;


II. Role of super users (permissions) in system management

 

What is the role of a super-privileged user (a user with a UID of 0) in system management? The main features are as follows;


1. operate any file, directory, or process;


However, it is worth noting that such operations are performed within the maximum permitted range of the system; some operations cannot be completed even if they are root users with super permissions;

For example, in the/proc directory,/proc is used to reflect the real-time status information of system running, so even root cannot do anything. its permissions are as follows:

[Root @ localhost ~] # Pwd
/Root
[Root @ localhost ~] # Cd/
[Root @ localhost/] # ls-ld/proc/
Dr-xr-x 134 root 0 2005-10-27/proc/

This is the directory, which can only be read and execution permissions, but has no write permission. we open the write permission of the/proc directory to the root user, and the root user cannot perform write operations;

[Root @ localhost ~] # Chmod 755/proc
[Root @ localhost/] # ls-ld/proc/
Drwxr-xr-x 134 root 0 2005-10-27/proc/
[Root @ localhost/] # cd/proc/
[Root @ localhost proc] # mkdir testdir
Mkdir: unable to create directory 'testdir': no file or directory


2. global system management;


Hardware management, file system understanding, user management, and global system configuration ...... If you are prompted that you do not have permissions when executing a command or tool, most of them require super permissions;

For example, if adduser is used to add users, this can only be done by users with super permissions;


3. irreplaceable super permissions;


As super permissions play an indispensable role in system management, we must use super permissions to complete system management tasks. In general, for system security, for general applications at the standard level, the root user is not required to complete the operation. the root user is only used to manage and maintain the system. for example, you can view and clean system logs, user addition and deletion ......

In an environment that does not involve system management, common users can do this, for example, writing a file, listening to music, and processing an image with gimp ...... Most common users can call common applications;

When we log on to the system as a user with normal permissions, some system configurations and system management must be completed by a super-permission user, such as managing system logs, adding and deleting users. How can we not directly log on with root, but switch from common users to root users to perform the work required for operating system management? this involves the issue of super permission management;

The process of obtaining super permissions is to switch normal user identities to super user identities. this process is mainly solved through su and sudo;


3. use the su command to temporarily switch user identities;

 

1. conditions and power of su

The su command is a tool for switching users. how can this problem be solved? For example, if we log on as a normal user beinan, but want to add a user task and execute useradd, the beinan user does not have this permission, and this permission is exactly owned by the root user. There are two solutions. one is to log out of the beinan user and log in again as the root user, but this method is not the best. The other is that we do not need to log out of the beinan user, you can use su to switch to the root directory to add users. after the task is completed, exit root. We can see that, of course, using su switching is a better way;

Su allows users to switch between users. if the super-permission user root switches to a common or virtual user without a password, what is power? That's it! The password verification is required for normal users to switch to other users;


2. su usage:


Su [OPTION parameter] [user]

-,-L ,? Log on to login and change to the switched user environment;
-C ,? Commmand = COMMAND: execute a COMMAND and then exit the user environment to be switched;

For more details, see man su;


3. Examples of su:


Su switches to the root user by default without adding any parameters, but does not go to the root user's home directory. that is to say, it is switched to the root user, however, the root logon environment is not changed. you can find the default logon environment in/etc/passwd, including the home directory and SHELL definition;

[Beinan @ localhost ~] $ Su
Password:
[Root @ localhost beinan] # pwd
/Home/beinan

Su plus parameter? To switch to the root user by default and change to the root user's environment;

[Beinan @ localhost ~] $ Pwd
/Home/beinan
[Beinan @ localhost ~] $ Su-
Password:
[Root @ localhost ~] # Pwd
/Root

Su parameter? User name

[Beinan @ localhost ~] $ Su? Root note: this and su? Is the same function;
Password:
[Root @ localhost ~] # Pwd
/Root

[Beinan @ localhost ~] $ Su? Linuxsir note: this is to switch to linuxsir user
Password: enter the Password here;
[Linuxsir @ localhost ~] $ Pwd note: view the current user location;
/Home/linuxsir
[Linuxsir @ localhost ~] $ Id note: Check the UID and GID information of the user, mainly to see whether the switch is over;

Uid = 505 (linuxsir) gid = 502 (linuxsir) groups = 0 (root), 500 (beinan), 502 (linuxsir)
[Linuxsir @ localhost ~] $

[Beinan @ localhost ~] $ Su? -C ls note: This is a combination of su parameters, indicating switching

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.