Several points of note for the SU and sudo commands in Linux

Source: Internet
Author: User
Tags: aliases

1 The difference between su and su -

1.1 Command Description

su corresponds to logging in to the account with a non-login shell: the command-line environment variables keep the configuration of the account you switched from.

su - corresponds to logging in to the account with a login shell: this is equivalent to a complete login as the new account, so you obtain the new account's environment variables.

Therefore, when writing a script, choose su or su - deliberately according to how the environment variables inside it are configured. The explanation of non-login shell and login shell in the Bird's book is quoted below.

Login shell: a bash obtained through a full login process is called a login shell. For example, when you log in on tty1 to tty6 you must enter the user's account name and password; the bash you get at that point is called a "login shell";

Non-login shell: a bash obtained without repeating that login step. For example, (1) you log in to Linux X Window and then start a terminal from the X graphical interface; that terminal does not ask for the account and password again, and this bash environment is called a non-login shell. (2) You run bash again inside the original bash environment; no password is entered, and this second bash (a child process) is also a non-login shell.

1.2 Verifying the difference on the command line

The session below is the original post's terminal transcript, cleaned up; the hostname in the prompts was stripped by the page scraper and is shown as "host".

    # Check the environment variable before switching users
    [user@host ~]$ echo $PATH
    /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin
    [user@host ~]$ su
    Password:
    # Environment variable after switching with su: no change, still the value from before the switch
    [root@host user]# echo $PATH
    /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin
    [root@host user]# exit
    exit
    # Exit, then switch with su -
    [user@host ~]$ su -
    Password:
    Last login: (date garbled in the original) HKT 2015 on pts/2
    # Now the environment variable has switched to the new login user's value, so su and su - differ
    [root@host ~]# echo $PATH
    /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
    [root@host ~]# exit
    logout
2 Command execution order in the sudo command and the sudoers file

Today I used visudo to edit a custom passwd permission, with the following entries:

    Cmnd_Alias CMDTEST = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root
    usertest        ALL = (root)      CMDTEST

Modified to: !/usr/bin/passwd, /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root

Of these three comma-separated commands, if the order of the last two is swapped, the root password can still be changed. That seemed strange; after searching the net, it turned out to be an execution order problem. A netizen's answer is as follows:

# The sudoers line is read in from left to right, with the rightmost stuff overriding the left.

# Meaning: sudoers entries are read from left to right, and the entries on the right always override those on the left.

3 The sudoers file configuration in detail

1 Alias rules in the /etc/sudoers configuration file

The alias rule definition format is as follows:
Alias_Type NAME = item1, item2, ...
or
Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5
Alias type (Alias_Type): there are the following four alias types:

Host_Alias defines host aliases;
User_Alias defines user aliases; members can be users or user groups (a group name is prefixed with %);
Runas_Alias defines RunAs aliases, which specify the "target user", i.e. the user that sudo allows switching to;
Cmnd_Alias defines command aliases;

2 Example

1 User_Alias SYSADER = beinan, linuxsir, %beinan
2 User_Alias DISKADER = lanhaitun
3 Runas_Alias OP = root
4 Cmnd_Alias SYDCMD = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
5 Cmnd_Alias DSKCMD = /sbin/parted, /sbin/fdisk
6 SYSADER ALL = SYDCMD, DSKCMD
7 DISKADER ALL = (OP) DSKCMD

Annotations:

Line 1: defines the user alias SYSADER with members beinan, linuxsir and the beinan user group; a user group must be prefixed with %;
Line 2: defines the user alias DISKADER with member lanhaitun;
Line 3: defines the RunAs alias OP, i.e. the target user alias, with member root;
Line 4: defines the command alias SYDCMD; members are separated by commas, and the final !/usr/bin/passwd root means the root password cannot be changed with passwd;
Line 5: defines the command alias DSKCMD with members parted and fdisk;
Line 6: authorizes all members of SYSADER, on every host, to run (or be forbidden from running) the commands defined under SYDCMD and DSKCMD. More specifically, the members of beinan, linuxsir and the beinan user group can run chown, chmod, adduser and passwd as root but cannot change root's password, and can also run parted and fdisk as root. The equivalent rule is:
beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, /sbin/parted, /sbin/fdisk
Line 7: authorizes all members of DISKADER to run DSKCMD as OP without a password; more specifically, lanhaitun can run parted and fdisk as root. The equivalent rule is:
lanhaitun ALL = (root) /sbin/parted, /sbin/fdisk

3 Support for wildcard characters

Wildcards (also called meta characters)
sudo allows shell-style wildcards to be used in path names and command-line arguments in sudoers. Wildcard matching is done with the POSIX fnmatch routine. Note that these are not regular expressions.
* matches any string of 0 or more characters
? matches any single character
[...] matches any one of the characters in the range given inside the square brackets
[!...] matches any character that is not in the range given inside the square brackets
\x for any character "x", evaluates to a literal "x". This is used to escape special characters such as "*", "?", "[" and "]".
Note that a wildcard in a path name does not match the forward slash ("/"); because the slash is not matched by wildcards, /usr/bin/* matches /usr/bin/who but not /usr/bin/X11/xterm.
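To make the two rules concrete, the left-to-right override from section 2 and the path-name wildcard matching from this section, here is an added example (not from the original post and not sudo's own code) that simulates how a sudoers Cmnd list is evaluated. The function names are made up, and argument matching is simplified to the same rules as path matching.

```python
import re

def sudoers_glob_to_regex(pattern: str) -> str:
    """Translate a sudoers wildcard (fnmatch-style, not a regex) into a regex.
    Per the page: '*' and '?' never match '/', '[...]'/'[!...]' are bracket
    expressions, and a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in pattern[i + 1:]:
            end = pattern.index("]", i + 1)
            body = pattern[i + 1:end]
            out.append("[" + ("^" + body[1:] if body.startswith("!") else body) + "]")
            i = end
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def spec_matches(spec: str, command: str) -> bool:
    """One Cmnd entry (path plus optional argument pattern) against a command line.
    A spec with no arguments allows any arguments; argument matching reuses the
    path rules here, which is a simplification of sudoers(5)."""
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if not re.match(sudoers_glob_to_regex(spec_path), cmd_path):
        return False
    return spec_args == "" or re.match(sudoers_glob_to_regex(spec_args), cmd_args) is not None

def is_allowed(cmnd_list, command: str) -> bool:
    """Evaluate a comma-separated Cmnd list left to right: the rightmost match wins."""
    decision = False  # no entry matched: sudo refuses the command
    for entry in cmnd_list:
        deny = entry.startswith("!")
        if spec_matches(entry.lstrip("!").strip(), command):
            decision = not deny
    return decision

# Constructed samples: the section 2 rule, and the same rule with its last two entries swapped.
ORIGINAL = ["!/usr/bin/passwd", "/usr/bin/passwd [A-Za-z0-9]*", "!/usr/bin/passwd root"]
SWAPPED = ["!/usr/bin/passwd", "!/usr/bin/passwd root", "/usr/bin/passwd [A-Za-z0-9]*"]
```

With ORIGINAL, "passwd root" is refused because the deny entry is rightmost, while with SWAPPED the wildcard entry comes last and wins, which is exactly the surprise described in section 2.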
Exceptions to wildcard rules

References:

1 Brother Bird's Linux Private Cuisine, third edition

2 The /etc/sudoers configuration file in detail

3 [Repost] sudoers - a list of which users can perform which commands
