Security settings for Su and sudo in the ten-third Linux network security series

1. restricting users who use the SU command

The root user in the Linux system is too large, so in practice it is generally logged in as a normal user, and can be switched to the root user when needed. Switch user identities using the SU command.

However, we may not want all users to be able to switch to root, but just want to specify that a user can switch, such as allowing only Zhangsan users to switch identities using the SU command.

To restrict users who use the SU command, you need to set up two aspects.

First you need to enable the Pam_wheel authentication module,

[[email protected] ~]# vim/etc/pam.d/su ' remove The # before the next line in the file Auth Required pam_wheel.so Use_uid

This allows the user who executes the "su–root" command to be restricted and only members in the wheel group have permission to execute the command.

So the next thing to do is to add Zhangsan to the wheel group.

[Email protected] ~]# gpasswd-a zhangsan wheel [[email protected] ~]# ID zhangsan uid=501 (Zhangsan) gid=501 (Zhangsan) groups=501 (Zhangsan), ten (wheel)

This way, when you switch to root with an account that is not a member of the wheel group, the system rejects it.

For example, using Lisi to switch to root, even if you enter the correct root user password, you will be prompted with "incorrect password."

[Email protected] ~]$ su-root Password: SU: the password is incorrect

2. Elevate permissions with the sudo mechanism

Using the SU command to switch to the root user, you must enter the root user's password. For the administrator, you can log on to the system as a normal user, and then switch to the administrator account with the SU command, and for ordinary users if you can also use the SU command, which is obviously not conducive to system security, so for ordinary users more often use the sudo command.

The purpose of the sudo command is to allow authorized individual ordinary users to perform some authoritative administrative commands with root privileges.

If you create a user as a normal user Zhangsan, you will be prompted for no permissions:

[Email protected] ~]$ useradd test -bash:/usr/sbin/useradd: Insufficient Authority

Let Zhangsan use the sudo command to execute the command with root privileges. Note that normal users will be asked to provide their own password for verification when executing commands using sudo.

[Email protected] ~]$ sudo useradd test [sudo] password for Zhangsan: Zhangsan is not in the sudoers file. This incident would be reported.

Zhangsan still cannot create users with the sudo command, because only authorized users in Linux can execute sudo commands, and sudo can only execute commands that have been authorized.

So to use the sudo command first must go through the administrator's authorization settings, need to modify the configuration file "/etc/sudoers".

650) this.width=650; "style=" border-bottom:0px;border-left:0px;border-top:0px;border-right:0px; "title=" image " Border= "0" alt= "image" Src= "Http://img1.51cto.com/attachment/201410/26/70821_1414363989rKJz.png" height= "101"/ >

For example: Authorized ordinary user Zhangsan can execute all commands via sudo:

Note that the "/etc/sudoers" is a read-only file, and the modification finishes saving to use "wq!" when exiting Command.

If you want Zhangsan to execute only part of the command, you can specify the file path of the command that Zhangsan can execute in/etc/sudoers, and the file path of the command can be found through the which command.

For example: Authorization Zhangsan can only execute useradd and Userdel commands.

650) this.width=650; "title=" 1.jpg "alt=" wkiom1rnfr-htdpuaabxn2orjf8416.jpg "src=" http://s3.51cto.com/wyfs02/M02/ 4d/2a/wkiom1rnfr-htdpuaabxn2orjf8416.jpg "/>

Zhangsan each time you execute the sudo command to enter their own password, in order to save the ordinary user to execute the sudo command need to enter the password trouble, you can set the following in "/etc/sudoers":

650) this.width=650; "title=" 2.jpg "src=" Http://s3.51cto.com/wyfs02/M00/4D/2B/wKioL1RNfdrwWP7FAABCTGbIeJc249.jpg " alt= "Wkiol1rnfdrwwp7faabctgbiejc249.jpg"/>

In addition to user authorization, we can authorize user groups so that all member users within the user group have permission to execute the sudo command. If the authorized object is a user group, you need to add "%" before the group name.

For example, a member user in an authorized Managers group can add, delete, and change user accounts.

650) this.width=650; "title=" 3.jpg "src=" Http://s3.51cto.com/wyfs02/M00/4D/2A/wKiom1RNfazwCFJwAAB43g7g4XU062.jpg " alt= "Wkiom1rnfazwcfjwaab43g7g4xu062.jpg"/>

This article from "a pot of turbid wine" blog, reproduced please contact the author!

Security settings for Su and sudo in the ten-third Linux network security series