Su and sudo

Source: Internet
Author: User

su : switch user

There are two ways to switch user:

(1) su - USERNAME, or su -l USERNAME (a login shell: the target user's environment is loaded);

(2) su USERNAME (a non-login shell: the current environment is kept).

su -c 'COMMAND' executes COMMAND as the target user without switching to that user's identity.

sudo : (comparable to "Run as administrator" on Windows) executes a command as another user; the specified command is run with that user's identity.

How the authorization mechanism is implemented:

Authorization file: /etc/sudoers

Help on the authorization file: man sudoers

The file holds two kinds of content:

(1) alias definitions, which act as variables;

(2) authorization entries, which may refer to the aliases;

Authorization entries (each line defines one entry):

who where=(whom) commands

Or, put another way:

users hosts=(runas) commands

Editing the authorization file:

It is not recommended to open /etc/sudoers directly in vim: the file has a strict format, so use the dedicated editing tool visudo. If a file edited with visudo contains a syntax error, visudo reports the error and prompts instead of installing the broken file;

[root@bogon ~]# visudo
visudo: /etc/sudoers.tmp unchanged

Viewing /etc/sudoers:

[root@bogon ~]# less /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL             # this is why root can run every command
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL             # every member of the wheel group can run every command

Note: an authorization granted through sudo only takes effect when the command is invoked with the sudo command;

The sudo command:

sudo [options] COMMAND

-u USERNAME : runs the command as the specified user;

[root@bogon ~]# useradd centos
[root@bogon ~]# sudo -u yixuan whoami
yixuan                                  # root runs whoami as yixuan

-l : lists all the commands the current user may run through sudo;

[root@bogon ~]# usermod -aG wheel yixuan        # add the user to the wheel group
[root@bogon ~]# id yixuan
uid=1001(yixuan) gid=1001(yixuan) groups=1001(yixuan),10(wheel)
[root@bogon ~]# su - yixuan
Last login: Thu Apr 28 08:40:15 CST 2016 on pts/0
[yixuan@bogon ~]$ sudo -l
Matching Defaults entries for yixuan on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User yixuan may run the following commands on this host:
    (ALL) ALL                           # members of the wheel group may run every command
[yixuan@bogon ~]$ sudo -u root useradd fedora
[yixuan@bogon ~]$ tail -n1 /etc/passwd
fedora:x:1002:1002::/home/fedora:/bin/bash
[yixuan@bogon ~]$

-k : clears the cached result of an earlier successful authentication, so the next sudo asks for the password again;

Let's dissect the meaning of the items in an authorization entry:

who :

username : a single user;

#uid : a single user, by ID number;

%groupname : all users in the group;

%#gid : all users in the group, by group ID;

User_Alias : a user alias;

where :

IP or hostname : a single host;

netaddr : a network address;

Host_Alias : a host alias;

whom :

username

#uid

Runas_Alias : an alias naming the users the command may be run as;

commands :

command : a single command;

directory : every program within the directory;

sudoedit : a special permission that can be used to grant sudo permission to other users;

Cmnd_Alias : a command alias;

Exercise: authorize the user fedora to use the two commands useradd and usermod

[root@bogon ~]# visudo
************** omitted ***************
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d                      # authorization entries can also be placed in files under the /etc/sudoers.d directory
fedora  ALL=(root)      /usr/sbin/useradd,/usr/sbin/usermod
[root@bogon ~]# su - fedora
Last login: Thu Apr 28 09:09:12 CST 2016 on pts/0
[fedora@bogon ~]$ sudo -l
[sudo] password for fedora:                     # fedora's own password is checked here, and only once
Matching Defaults entries for fedora on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fedora may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/sbin/usermod        # the authorization entry

How to define aliases:

Alias_Type NAME = item1, item2, ...

Alias_Type is one of:

User_Alias

Host_Alias

Runas_Alias

Cmnd_Alias

NAME : the alias name; it must consist of uppercase letters only;

Example: using aliases, authorize tom and jerry to run the userdel, useradd and passwd commands as root

[root@bogon sudoers.d]# useradd tom
[root@bogon sudoers.d]# useradd jerry
[root@bogon sudoers.d]# echo test | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
[root@bogon sudoers.d]# echo test | passwd --stdin jerry
Changing password for user jerry.
passwd: all authentication tokens updated successfully.
[root@bogon sudoers.d]# visudo
#fedora  ALL=(root)      /usr/sbin/useradd,/usr/sbin/usermod
User_Alias USERADMINS=tom,jerry
Cmnd_Alias USERADMINCMNDS=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd
USERADMINS ALL=(root)   USERADMINCMNDS
[root@bogon sudoers.d]# su - tom
[tom@bogon ~]$ sudo /usr/sbin/useradd nihao
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[tom@bogon ~]$ test
[tom@bogon ~]$ tail -n1 /etc/passwd
nihao:x:1006:1006::/home/nihao:/bin/bash
[tom@bogon ~]$

Note: with the entry above, passwd can also be used to change the root password, which is a problem for system security, so the authorization needs to be narrowed as follows:

Example:

#includedir /etc/sudoers.d
#fedora  ALL=(root)      /usr/sbin/useradd,/usr/sbin/usermod
User_Alias USERADMINS=tom,jerry
Cmnd_Alias USERADMINCMNDS=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd [a-z]*,!/usr/bin/passwd root,/usr/sbin/userdel
USERADMINS ALL=(root)   USERADMINCMNDS
[tom@bogon ~]$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tom may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel
[tom@bogon ~]$ sudo /usr/bin/passwd root
Sorry, user tom is not allowed to execute '/usr/bin/passwd root' as root on bogon.

The ! negates an item: here it removes changing the root password from the authorization. (The sudoers manual warns that ! cannot reliably subtract commands from ALL; it is only effective against specific commands, as in this entry.)

Note: throughout the sudo procedure above, only the current user's own password is used for authentication. But what if that user switches to the administrator root?

If root has a password: you simply exit (su would demand root's own password);

If root has no password: su cannot authenticate a switch to root, so the following can be used instead:

[tom@bogon ~]$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tom may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel, /bin/su
[tom@bogon ~]$ sudo su - root
Last login: Thu Apr 28 08:07:45 CST 2016 from 192.168.1.108 on pts/0
[root@bogon ~]#

Or, equivalently, an entry such as "centos ALL=(root) ALL".

However, all of these operations are recorded in /var/log/messages.
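Because every sudo invocation is logged, the log is where a switch such as sudo su - root shows up afterwards. The script below is an added example, not part of the original post: it parses the line format sudo writes to syslog (invoking user, TTY, PWD, target USER and COMMAND, with a reason such as "command not allowed" in front of the fields when sudo refuses), flags interactive root shells, root password changes and refused attempts, and counts allowed commands per user. The sample log lines and the set of shell-spawning programs are constructed for the example.

```python
"""Sudo log triage (added example, not part of the original post).
Parses the line sudo writes to syslog for every invocation, e.g.
  Apr 28 08:07:45 bogon sudo:   tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su - root
and, on a refusal, a reason such as 'command not allowed' precedes the fields.
The sample lines and the set of shell-spawning programs below are constructed."""
import re
from collections import Counter

SUDO_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<invoker>\S+) : (?P<rest>.*)$")
# Programs that give the caller an interactive shell as the target user (assumed list).
SHELL_COMMANDS = {"/bin/su", "/usr/bin/su", "/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh"}

# Constructed syslog excerpt; the sshd line shows that non-sudo records are skipped.
SAMPLE_LOG = """\
Apr 28 09:09:30 bogon sudo:   fedora : TTY=pts/0 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/useradd nihao
Apr 28 09:12:02 bogon sudo:      tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/passwd root
Apr 28 08:07:45 bogon sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su - root
Apr 28 08:10:11 bogon sshd[2041]: Accepted password for tom from 192.168.1.108 port 50022 ssh2
Apr 28 09:20:40 bogon sudo:   centos : TTY=pts/1 ; PWD=/home/centos ; USER=root ; COMMAND=/usr/bin/passwd
"""

def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "invoker": m["invoker"], "reason": None}
    for field in m["rest"].split(" ; "):
        key, sep, value = field.partition("=")
        if not sep:                     # no '=': this is sudo's refusal reason
            rec["reason"] = field.strip()
        else:                           # USER= is the target user, kept apart from the invoker
            rec["target" if key == "USER" else key.lower()] = value.strip()
    return rec

def classify(rec):
    """Return an alert label for a parsed record, or None when it is routine."""
    argv = rec.get("command", "").split()
    program, args = (argv[0], argv[1:]) if argv else ("", [])
    if rec["reason"]:
        return "denied: " + rec["reason"]
    if program in SHELL_COMMANDS:
        return "interactive shell as " + rec.get("target", "?")
    if program.endswith("/passwd") and (not args or args == ["root"]):
        return "root password change"   # passwd with no argument changes the target user's password
    return None

def audit(lines):
    """Return (alerts, allowed_per_user); alerts are (ts, invoker, label) triples."""
    alerts, allowed = [], Counter()
    for rec in filter(None, map(parse_sudo_line, lines)):
        label = classify(rec)
        if label:
            alerts.append((rec["ts"], rec["invoker"], label))
        if not rec["reason"]:
            allowed[rec["invoker"]] += 1
    return alerts, allowed

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG.splitlines())[0]:
        print(*alert)
```

Run against a real file with audit(open("/var/log/messages").read().splitlines()); the refusal line for "passwd root" is exactly what the "Sorry, user tom is not allowed" message above leaves behind in the log.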

Common tags:

NOPASSWD: the user runs the command through sudo without entering a password;

PASSWD: the user must enter their own password first (this is the default);

Example:

fedora ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, PASSWD: /usr/sbin/userdel
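To tie the pieces of this article together (the entry form who where=(whom) commands, the four alias types, %group / #uid / %#gid, the directory and argument forms of a command, ! negation and the NOPASSWD/PASSWD tags), the evaluator below is an added example and not sudo's own code: it parses a policy written in that syntax and answers whether a given user may run a command, applying sudo's rule that the last matching entry wins. It is a deliberately simplified model that ignores Defaults, network addresses, quoting and #include and never reads /etc/sudoers; the policy text, the host name bogon, the uid 1002 and the group membership passed to check() are constructed for the example.

```python
"""Simplified sudoers evaluator (added example, not sudo's own code). It models
who host=(runas) TAG: commands, the four alias types, %group/#uid/%#gid, '!'
negation, NOPASSWD/PASSWD and sudo's last-match-wins rule; Defaults, network
addresses, quoting and #include are ignored and /etc/sudoers is never read."""
import fnmatch
import re
import shlex

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")
# Constructed policy built from the entries discussed in the text (the host name,
# uid 1002 for fedora and the group membership used in check() are constructed too).
SAMPLE_SUDOERS = """
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
#includedir /etc/sudoers.d
User_Alias USERADMINS = tom, jerry
Cmnd_Alias USERADMINCMNDS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
USERADMINS ALL=(root) USERADMINCMNDS
fedora  ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, PASSWD: /usr/sbin/userdel
#1002   bogon=(root) /usr/bin/id
"""

def strip_comment(raw):
    # '#' starts a comment unless a digit follows it (#uid and %#gid are not comments)
    return re.sub(r"(^|\s)#(?!\d).*$", "", raw).strip()

def parse_sudoers(text):
    """Return (aliases, specs); a spec is (users, hosts, runas, cmnds), a cmnd is (negated, needs_password, pattern)."""
    aliases, specs = {kind: {} for kind in ALIAS_KINDS}, []
    for line in filter(None, map(strip_comment, text.splitlines())):
        kind = line.split(None, 1)[0]
        if kind in ALIAS_KINDS:
            name, items = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [i.strip() for i in items.split(",")]
            continue
        users, rest = line.split(None, 1)
        hosts, rest = rest.split("=", 1)
        rest, runas = rest.strip(), ["root"]  # the target user defaults to root
        if rest.startswith("("):
            inner, rest = rest[1:].split(")", 1)
            runas = [r.strip() for r in inner.split(",")]
        cmnds, needs_password = [], True      # PASSWD: (ask for a password) is the default
        for item in (i.strip() for i in rest.split(",")):
            if item.upper().startswith("NOPASSWD:"):
                needs_password, item = False, item[9:].strip()
            elif item.upper().startswith("PASSWD:"):
                needs_password, item = True, item[7:].strip()
            cmnds.append((item.startswith("!"), needs_password, item.lstrip("!")))
        specs.append(([u.strip() for u in users.split(",")],
                      [h.strip() for h in hosts.split(",")], runas, cmnds))
    return aliases, specs

def expand(items, table):
    """Flatten alias references; a leading '!' on an item or alias toggles negation."""
    out = []
    for item in items:
        negated, name = item.startswith("!"), item.lstrip("!")
        if name in table:
            out.extend((negated ^ n, sub) for n, sub in expand(table[name], table))
        else:
            out.append((negated, name))
    return out

def user_matches(item, user, uid, groups, gids):
    if item.startswith("%#"):
        return int(item[2:]) in gids
    if item.startswith("%"):
        return item[1:] in groups
    if item.startswith("#"):
        return int(item[1:]) == uid
    return item in ("ALL", user)

def command_matches(pattern, argv):
    """'path' alone allows any arguments, 'path ""' allows none; otherwise the
    argument part is a glob matched against the space-joined actual arguments."""
    if pattern == "ALL":
        return True
    path, *pattern_args = shlex.split(pattern)
    if path.endswith("/"):  # directory entry: any program directly inside that directory
        return argv[0].startswith(path) and "/" not in argv[0][len(path):]
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    if pattern_args == [""]:
        return len(argv) == 1
    return not pattern_args or fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(pattern_args))

def check(policy, user, argv, host="bogon", runas="root", uid=None, groups=(), gids=()):
    """Return (allowed, needs_password), needs_password None when denied; as in sudo, the last matching entry wins."""
    aliases, specs = policy
    verdict = (False, None)
    for users, hosts, runas_list, cmnds in specs:
        if not (any(user_matches(u, user, uid, groups, gids) for _, u in expand(users, aliases["User_Alias"]))
                and any(h in ("ALL", host) for _, h in expand(hosts, aliases["Host_Alias"]))
                and any(r in ("ALL", runas) for _, r in expand(runas_list, aliases["Runas_Alias"]))):
            continue
        for negated, needs_password, name in cmnds:
            for sub_negated, pattern in expand([name], aliases["Cmnd_Alias"]):
                if command_matches(pattern, argv):
                    verdict = (False, None) if negated ^ sub_negated else (True, needs_password)
    return verdict
```

With policy = parse_sudoers(SAMPLE_SUDOERS), check(policy, "tom", ["/usr/bin/passwd", "root"]) is denied because the negated item is the last match, check(policy, "fedora", ["/usr/sbin/useradd", "x"]) is allowed without a password, and check(policy, "fedora", ["/usr/sbin/userdel", "x"]) is allowed but asks for one; a user that matches no entry at all is simply denied.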


This article is from the "Touch Dream" blog; please keep this source: http://xuelong.blog.51cto.com/10573089/1768472
