Su and sudo

Example of SU:

Su switches to the root user by default without adding any parameters, but does not go to the root user's home directory. That is to say, it is switched to the root user, however, the root logon environment is not changed. You can find the default logon environment in/etc/passwd, including the Home Directory and shell definition;

 

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

Su adds the parameter-, indicating that the system switches to the root user by default and changes to the root user environment;

 

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -
Password:
[root@localhost ~]# pwd
/root

Su parameter-User Name

 

[Beinan @ localhost ~] $ Su-root note: this is the same as Su;
Password:
[Root @ localhost ~] # Pwd
/Root

 

[Beinan @ localhost ~] $ Su-linuxsir Note: switching to linuxsir user
Password: enter the password here;
[Linuxsir @ localhost ~] $ PWD Note: view the current user location;
/Home/linuxsir
[Linuxsir @ localhost ~] $ Id Note: Check the UID and GID information of the user, mainly to see whether the switch is over;
Uid = 505 (linuxsir) gid = 502 (linuxsir) groups = 0 (Root), 500 (beinan), 502 (linuxsir)
[Linuxsir @ localhost ~] $

 

[Beinan @ localhost ~] $ Su--C ls Note: This is a combination of Su parameters, indicating that the system switches to the root user and changes to the root environment. Then, it lists the files in the root directory and exits the root user;
Password: Enter the root password here;
Anaconda-ks.cfg desktop install. Log install. log. syslog testgroup testgroupbeinan testgrouproot
[Beinan @ localhost ~] $ PWD Note: view the current user's location;
/Home/beinan
[Beinan @ localhost ~] $ Id Note: view the current user information;
Uid = 500 (beinan) gid = 500 (beinan) groups = 500 (beinan)

Su is indeed convenient for management. By switching to root, all system management tools can be completed, as long as the root password is handed over to any common user, he can switch to root to complete all system management work. However, there are also insecure factors after su switches to root.

The su authorized by sudo is also restricted.

The sudo command execution process is that the current user switches to the root (or another specified user), and then runs the command as root (or another specified user). After the command is executed, directly return to the current user. The premise is that the sudo configuration file/etc/sudoers must be used for authorization;

1. Compile the sudo configuration file/etc/sudoers;

The sudo configuration file is/etc/sudoers. We can use its dedicated editing tool visodu. The advantage of this tool is that when adding rules is not accurate, when saving and exiting, an error message is displayed. After configuration, you can switch to the user you authorize and use Sudo-L to check which commands can be executed or disabled;

In the/etc/sudoers file, each row counts as a rule. The rule with the # sign in front can be treated as a description and is not executed. If the rule is too long and cannot be listed in one row, you can use the \ number to continue rows. In this way, a rule can also have multiple rows;

/Etc/sudoers rules can be divided into two categories; one is alias definition, the other is authorization rules; the alias definition is not mandatory, but authorization rules are required;

2. Alias rules in the/etc/sudoers configuration file

The alias rule Definition Format is as follows:

 

Alias_Type NAME = item1, item2, ...

Or

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 3. Authorization Rules in/etc/sudoers:


An authorization rule is an execution rule for assigning permissions. the alias we mentioned earlier is mainly used to facilitate the alias reference for authorization. If there are only a few users in the system, the permissions are actually Limited, you do not need to define aliases, but directly authorize the system users. Therefore, aliases are not required in authorization rules;

Authorization rules are not disorganized. We only provide a basic and simple method. For details about how to write authorization rules, see man sudoers.

Authorize user host = command action

These three elements are indispensable, but you can specify to switch to a specific user before the action. Here, the user who specifies to switch should use the () number. If you do not need a password to directly run the command, nopasswd: parameter should be added, but these can be omitted; example;

Instance 1:

beinan ALL=/bin/chown,/bin/chmod

If we add this line in/etc/sudoers, it means that beinan can be in any system where the host name may appear, you can switch to the root user to run the/bin/chown and/bin/CHMOD commands, and view the commands that beinan allows and disables on this host through Sudo-L;

It is worth noting that the/bin/shown and/bin/CHMOD commands are omitted here, And the/bin/CHMOD commands are switched to the root user by default; it also omits whether the beinan user is required to enter the verification password. If the password is omitted, the verification password is required by default.

To illustrate this in more detail, we can construct a more complex formula;

Authorized user host = [(to which users or user groups to switch to)] [whether password verification is required] command 1, [(to which users or user groups)] [Whether password verification is required] [command 2], [(to which users or user groups to switch to)] [whether password verification is required] [command 3] ......

Note:

The content in [] can be omitted. commands and commands are separated by commas (,). The examples in this article show which are omitted and where spaces are required;
In [(to which users or user groups to switch to)], if omitted, the default value is root. If it is all, it indicates that all users can be switched; note that the target user to be switched to must be included with the (), such as (all), (beinan)

Example 2:

beinan ALL=(root) /bin/chown, /bin/chmod

If we remove the line from the first instance and replace it with this line, it means that beinan can run/bin/chown under root in any host with any possible host names, you can switch to any user to execute the/bin/chmod command and view the commands that beinan allows and disables on this host through Sudo-L;

Example 3:

 

beinan ALL=(root) NOPASSWD: /bin/chown,/bin/chmod

What if I change it to this example? It indicates that beinan can run/bin/chown under root on any host that may contain the host name without entering the password of beinan; in addition, you can switch to any user to execute the/bin/chmod command, but beinan needs to enter its own password when running chmod; use Sudo-L to view the commands that beinan allows and disables on this host;

If a password is required for a command action, we can find that the system requires the user password by default. Except for the non-specific addition, the user does not need to enter the password, therefore, add the nopasswd: Parameter before executing the action;

Some may not be familiar with system management commands and do not know their usage, which affects his understanding of sudoers definitions. Next we will give a simple example, examples of service power;

Example 4:

For example, if we want to use the beinan ordinary user to pass the content of the more/etc/shadow file, the following may occur;

 

[Beinan @ localhost ~] $ More/etc/shadow
/Etc/shadow: insufficient Permissions

In this case, we can use sudo more/etc/shadow to read the file content. We need to authorize beinan in/etc/soduers;

So we can first Su to the root user to change/etc/sudoers through mongodo; (for example, we use the beinan user to log on to the system)

[Beinan @ localhost ~] $ Su
Password: Note: Enter the root password here.
Run visodu below;
[Root @ localhost beinan] # mongodo Note: Run mongodo to modify/etc/sudoers.

Add the following line to exit and save. Exit and save. Here, VI is used, and the VI editor is used for doing so. As for VI usage, I will not talk about it much;

Beinan all =/bin/more indicates that beinan can switch to root and execute more to view the file;

Return to the beinan user and run the exit command;

 

[root@localhost beinan]# exit
exit
[beinan@localhost ~]$

View what commands can beinan execute through sudo?

 

[Beinan @ localhost ~] $ Sudo-l
Password: Note: enter the password of the beinan user here.
User beinan may run the following commands on this host: Note: on this host, the beinan user can run more with the root permission; more with the root permission, you can view the content of any text file;
(Root)/bin/more

Finally, let's see if the beinan user can see the content of the/etc/shadow file;

 

[beinan@localhost ~]$ sudo more /etc/shadow

Beinan can not only view the content of the/etc/shadow file, but also the content of other files that can only be viewed under root permissions, such;

 

[beinan@localhost ~]$ sudo more /etc/gshadow

For the beinan user to view and read all the system files, I just want to view the/etc/shadow content for him; you can add the following line;

 

beinan ALL=/bin/more /etc/shadow

Digress: some brothers will say that I can see all the content I want to see by switching Su to the root user. Haha, right. But aren't we talking about sudo's usage now? If there are multiple users on the host who do not know the password of the root user but want to view some files they do not see, the administrator needs to authorize them. This is the benefit of sudo;

Example 5: The exercise user group is written in/etc/sudoers;

If the user group appears in/etc/sudoers, add the "%" sign before it, for example, % beinan. There cannot be spaces in the middle;

 

%beinan ALL=/usr/sbin/*,/sbin/*

If we add the above line in/etc/sudoers, it indicates all the members in the beinan user group, under all possible host names, all commands under the/usr/sbin and/sbin directories can be switched to the root user;

Example 6: cancel the execution of a program;

To cancel the execution of a program, you must add it before the command action! In this example, the wildcard * usage is also displayed;

 

Beinan all =/usr/sbin/*,/sbin /*,! /Usr/sbin/fdisk Note: add this rule to/etc/sudoers. However, you must have the beinan user group and beinan is in this group;

This rule indicates that the beinan user runs all programs under/usr/sbin and/sbin on all hosts with all possible host names, except for the fdisk program;

[Beinan @ localhost ~] $ Sudo-l
Password: Note: enter the password of the beinan user;
User beinan may run the following commands on this host:
(Root)/usr/sbin /*
(Root)/sbin /*
(Root )! /Sbin/fdisk

[Beinan @ localhost ~] $ Sudo/sbin/fdisk-l
Sorry, user beinan is not allowed to execute '/sbin/fdisk-L' as root on localhost.

Note: you cannot switch to the root user to run the fdisk program;

Example 7: Use of aliases;

If we can view the host localhost through hostname, we will not define the host alias here, and use all to match all possible host names; in addition, there are beinan, linuxsir, and lanhaitun users who can better understand things through small examples. Although sudo is simple and easy to use, it is indeed difficult to understand what it means; the best way is to look at examples and man soduers;

 

User_alias sysader = beinan, linuxsir, % beinan
User_alias diskader = lanhaitun
Runas_alias op = root
Cmnd_alias sydcmd =/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-Z] *,! /Usr/bin/passwd Root
Cmnd_alias dskcmd =/sbin/parted,/sbin/fdisk Note: defines the command alias dskcmd, which has the following members: parted and fdisk;
Sysader all = sydcmd, dskcmd
Diskader all = (OP) dskcmd

Note:

The first line:Define the user alias sysader to have members in the beinan, linuxsir, and beinan user groups. The user group must be preceded by a "%" sign;
Row 2:Define the user alias diskader, which has lanhaitun
Row 3:Define the RunAs user, that is, the target user's alias is op, with a member Root
Row 4:Define the alias of the syscmd command. The members are separated by commas! /Usr/bin/passwd root indicates that the root password cannot be changed through passwd;
Fifth line:Define the command alias dskcmd, which has the parted and fdisk members;
Row 6:All members under sysader are authorized to run or disable commands defined by sydcmd and dskcmd on all hosts that may have host names. Clearly, members of beinan, linuxsir, and beinan user groups can run chown, chmod, adduser, and passwd as root, but cannot change the root password; you can also run parted and fdisk as root. The equivalence rule of this rule is;

 

beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

Row 7:Authorize all members under diskader to run dskcmd as op without a password. More specifically, lanhaitun can run parted and fdisk commands as root; the equivalence rules are as follows:

 

lanhaitun ALL=(root) /sbin/parted,/sbin/fdisk

Some may say that I want to switch to root without entering the user's password and run the commands under sydcmd and dskcmd. Should I add nopasswd: where should it be better? Understand the following example;

 

SYSADER ALL= NOPASSWD: SYDCMD, NOPASSWD: DSKCMD

4. other unfinished items in/etc/sudoers;

In the authorization rules, there are also noexec: And exec usage, you can check man sudoers to understand; also, you need to know about the usage of wildcards in the Rules. This is not much to mention. After all, it is just an entry-level document. The soduers configuration file is much simpler and easier. It depends on your own application.

5. sudo usage;

As mentioned above, the/etc/sudoers rule writing aims to allow the user to read the rules in the configuration file through sudo for matching and authorization, so as to replace the identity for command operations, then, tasks that cannot be completed under their permissions are completed;

For more information, see man sudo.

Sudo [Parameter options] command
-L list the available and forbidden commands on the host. Generally, After configuring/etc/sudoers, use this command to check and test whether the configuration is correct;
-V verifies the user's timestamp. If you enter the user's password after running sudo, you can directly perform the sudo operation without entering the password in a short time; -V can be used to track the latest timestamp;
-U indicates to execute a specific operation as a user;
-K deletes the timestamp. The next sudo Command requires the password to be provided;

Column Name:

First, modify the/etc/sudoers file through mongodo and add the following line;

 

beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

Then, it lists the commands that beinan users can use or are forbidden to use on the host through sudo;

 

[Beinan @ localhost ~] $ Sudo-l note: list the available or forbidden commands that a user can switch to on the host;
Password: enter your user password here;
User beinan may run the following commands on this host:
(Root)/bin/chown Note: you can switch to the root and use the CHOWN command;
(Root)/bin/chmod Note: you can switch to root and use the CHMOD command;
(Root)/usr/sbin/adduser Note: you can switch to root and use the adduser command;
(Root)/usr/bin/passwd [A-Za-Z] * Note: You can use the passwd command to switch to root;
(Root )! /Usr/bin/passwd root note: you can switch to root, but cannot execute passwd root to change the root password;
(Root)/sbin/parted Note: you can switch to root to run parted;
(Root)/sbin/fdisk Note: you can switch to root to execute fdisk;

After listing available commands through Sudo-l above, I want to use the CHOWN command to change the owner of the/OPT directory to beinan;

[Beinan @ localhost ~] $ LS-LD/OPT Note: view the owner of/OPT;
Drwxr-XR-x 26 Root 4096 October 27 10:09/OPT note: the answer is the root user and root user group;
[Beinan @ localhost ~] $ Sudo chown beinan: beinan/OPT Note: chown is used to change the owner to beinan user and beinan user group;
[Beinan @ localhost ~] $ LS-LD/OPT Note: Check whether the/OPT owner has changed;
Drwxr-XR-x 26 beinan 4096 10:09/OPT

The above example shows that the beinan user can switch to the root user and execute the passwd command to change the user password. However, the above Sudo-L output clearly states that the root password cannot be changed; that is to say, except for the root password, the beinan user cannot change the password of other users. Next we will test it;

A common user cannot change the password of other users except his or her own password. However, if you change to the root identity to execute the command, you can change the password of other users;

For example, if you have a user named linuxsir in the system, we want to change the password of the user,

 

[Beinan @ localhost ~] $ Passwd linuxsir Note: Do not run passwd directly through sudo to change the password of the linuxsir user;
Passwd: only root can specify a user name. Note: failed. The prompt is "root" only;
[Beinan @ localhost ~] $ Sudo passwd linuxsir Note: through the definition of/etc/sudoers, let beinan switch to root and execute the passwd command to change the password of linuxsir;
Changing password for user linuxsir.
New Unix Password: enter a new password;
Retype new Unix Password: Note: Enter it again;
Passwd: All authentication tokens updated successfully. Note: The change is successful;