Excerpt from: http://zxf261.blog.51cto.com/701797/748756
sudo is a commonly used Linux tool that lets ordinary users run commands with superuser privileges: the system administrator can allow ordinary users to run some or all root commands, such as halt, reboot or su. This reduces the time spent logged in and working as root, and it improves security. sudo is not a shell replacement; it applies to each command individually. Its main features are:
1. sudo can restrict users to running only certain commands on a given host.
2. sudo keeps a rich log that records in detail what each user has done. Logs can be sent to a central host or log server.
3. sudo uses a timestamp file to implement a "ticket" system. When the user runs sudo and enters their password, they obtain a ticket valid for 5 minutes (the value can be changed at compile time).
4. sudo's configuration file is sudoers, which lets the system administrator centrally manage user privileges and the hosts they apply to. It is stored at /etc/sudoers by default, and its mode must be 0411.
Using sudo
Who may use it: users listed in /etc/sudoers
Usage: sudo command
Description: runs the command as the system administrator, that is, a command run through sudo behaves as if root had run it.
Options:
-V Shows the version number.
-h Shows the version number and usage instructions.
-l Lists the privileges of the invoking user (the user running sudo).
-v sudo asks for the password on first use and again after n minutes (n defaults to 5); this option re-validates the ticket, and if more than n minutes have passed the password is asked for again.
-k Forces sudo to ask for the password the next time it is run (whether or not n minutes have passed).
-b Runs the command in the background.
-p prompt Changes the password prompt; %u is replaced by the user's account name and %H by the host name.
-u username/#uid Without this option the command runs as root; with it, the command runs as username (#uid is the numeric user id).
-s Runs the shell named in the SHELL environment variable, or the shell listed in /etc/passwd.
-H Sets the HOME environment variable to the home directory of the target user (root unless -u is given).
command The command to run as the system administrator (or as another user with -u).
Examples:
sudo -l Lists the current user's privileges.
sudo -V Shows sudo's version information.
Name: sudoers (there is no command of that name under FC5, but man sudoers works.)
Describes which users may use sudo and how.
Configuration of sudoers
sudoers is sudo's main configuration file. On Linux it usually lives in /etc; on Solaris sudo is not installed by default, and after building and installing it the file is usually in the etc directory under the installation prefix. Wherever the file is, sudo provides a command for editing it: visudo. It is strongly recommended to use visudo rather than a plain editor, because it checks that the file is configured correctly and, if it is not, tells you which entry is wrong when you save and exit.
Now to the point: here is how to configure sudoers.
First, the default sudoers file:
#############################################################
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
#%wheel ALL=(ALL) ALL
# Same thing without a password
#%wheel ALL=(ALL) NOPASSWD: ALL
# Samples
#%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
#%users localhost=/sbin/shutdown -h now
##################################################################
1. The simplest configuration: give the ordinary user support all of root's privileges
After running visudo you will see that there is only one entry by default:
root ALL=(ALL) ALL
Add one more entry at the bottom:
support ALL=(ALL) ALL
Now the ordinary user support can run every command that root can.
After logging in as support, run:
sudo su -
Enter support's own password, and you are switched to the root user.
2. Allow the ordinary user support to run certain root commands on only a few servers
First configure some aliases, so that the privilege entries that follow stay short and you do not have to write large blocks of configuration. There are four kinds of alias:
Host_Alias
Cmnd_Alias
User_Alias
Runas_Alias
1) Host_Alias: a list of hosts
Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
2) Cmnd_Alias: the list of commands that may be run; a ! before a command means that command may not be run.
Commands must be given with absolute paths, so that a same-named command in another directory cannot be run in their place (a security risk); use absolute paths when invoking them too.
Cmnd_Alias COMMAND_FLAG = command1, command2, command3, !command4
3) User_Alias: the list of users who get sudo privileges
User_Alias USER_FLAG = user1, user2, user3
4) Runas_Alias: the list of identities the user may run commands as (for example root or oracle)
Runas_Alias RUNAS_FLAG = operator1, operator2, operator3
5) Configure the privileges
A privilege entry has this format:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG
If no password should be required, use this format:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
Example configuration:
############################################################################
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
Host_Alias EPG = 192.168.1.1, 192.168.1.2
# User alias specification
# Cmnd alias specification
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
# "" means the bare command with no arguments; a path with no arguments listed would match any arguments
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
support EPG=(ALL) NOPASSWD: ADMPW
# Uncomment to allow people in group wheel to run all commands
#%wheel ALL=(ALL) ALL
# Same thing without a password
#%wheel ALL=(ALL) NOPASSWD: ALL
# Samples
#%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
#%users localhost=/sbin/shutdown -h now
###############################################################
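Added example, not from the original post: a small Python evaluator for the sudoers subset described above (the alias kinds, the privilege line with its optional (Runas) part and NOPASSWD: tag, and Cmnd lists where a bare path matches any arguments, "" matches the bare command, and the last matching entry wins). The SUDOERS fragment is constructed after the example configuration, and the function names (parse, expand, cmnd_matches, check) are mine.

```python
import fnmatch, re

# Constructed sudoers fragment modelled on the page's example (not the post's own file).
SUDOERS = """
Host_Alias EPG = 192.168.1.1, 192.168.1.2
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd "", !/usr/bin/passwd root
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
support EPG=(ALL) NOPASSWD: ADMPW
"""
# Privilege line:  user host=(runas) [NOPASSWD:] cmnd, cmnd, ...   (subset of the grammar)
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\((\S+)\))?\s*(NOPASSWD:)?\s*(.+)$")

def parse(text):
    """Return (aliases, rules); a rule is (user, host, runas, nopasswd, [cmnd, ...])."""
    aliases, rules = {}, []
    for line in filter(None, (raw.split("#")[0].strip() for raw in text.splitlines())):
        if line.split()[0].endswith("_Alias"):          # Host_/User_/Runas_/Cmnd_Alias
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
        else:
            user, host, runas, nopw, cmnds = RULE.match(line).groups()
            rules.append((user, host, runas or "ALL", bool(nopw), [c.strip() for c in cmnds.split(",")]))
    return aliases, rules

def expand(item, aliases):  # flatten an alias name (recursively); anything else passes through
    return [m for a in aliases[item] for m in expand(a, aliases)] if item in aliases else [item]

def cmnd_matches(spec, path, args):
    """Bare path = any arguments, "" = no arguments, otherwise one glob over the whole arg string."""
    spec_path, _, spec_args = spec.partition(" ")
    if spec_path != "ALL" and spec_path != path:
        return False
    if spec_path == "ALL" or not spec_args:
        return True
    return args == "" if spec_args == '""' else fnmatch.fnmatchcase(args, spec_args)

def check(sudoers, user, host, runas, path, args=""):
    """Return 'deny', 'allow' or 'allow-nopasswd'; the LAST matching Cmnd entry wins."""
    aliases, rules = parse(sudoers)
    verdict = "deny"
    for r_user, r_host, r_runas, nopw, cmnds in rules:
        if (r_user != user or (r_host != "ALL" and host not in expand(r_host, aliases))
                or (r_runas != "ALL" and runas not in expand(r_runas, aliases))):
            continue
        for entry in (e for c in cmnds for e in expand(c, aliases)):
            if cmnd_matches(entry.lstrip("!"), path, args):
                verdict = "deny" if entry.startswith("!") else "allow-nopasswd" if nopw else "allow"
    return verdict
```

Note what the evaluator reports for the SQUID alias: the bare /bin/rm lets support run rm with any arguments and no password, because a path with no arguments listed matches every argument string; list the arguments (or "") when that is not intended.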
sudo usage and sudoers configuration in Linux