Sudo usage and sudoers configuration in Linux
From: http://zxf261.blog.51cto.com/701797/748756
sudo is a common tool on Linux that lets ordinary users run commands with superuser privileges. It allows the system administrator to delegate some or all root commands, such as halt, reboot and su, to particular users. This not only reduces the time spent logging in and working as root, it also improves security. sudo is not a replacement for the shell; it is invoked for each individual command. It has the following features:
1. sudo can restrict a user to running certain commands only on a given host.
2. sudo provides detailed logs that record what each user has done; the logs can be sent to a central host or log server.
3. sudo uses a timestamp file to implement a "ticket"-like system. When a user invokes sudo and enters their password, they receive a ticket that is valid for 5 minutes (this value can be changed at compile time).
4. sudo's configuration file is the sudoers file, which lets the system administrator manage user permissions and hosts centrally. By default it is stored at /etc/sudoers, and its mode must be 0411.
Using sudo
Permission required: the user must be listed in /etc/sudoers.
Usage: sudo command
Description: run a command as the system administrator. That is, a command run through sudo behaves as if root had run it.
Parameters:
-V: display the version number.
-h: display the version number and usage instructions.
-l: list the permissions of the current user (the user running sudo).
-v: sudo asks for the password the first time it is run, or when it has not been run for N minutes (N defaults to 5); this option renews that confirmation, and still asks for the password if N minutes have passed.
-k: force sudo to ask for the password the next time it is run (whether or not N minutes have passed).
-b: run the command in the background.
-p prompt: change the password prompt; in the prompt, %u is replaced by the user's account name and %h by the host name.
-u username/#uid: without this option the command is run as root; with it, the command is run as username (#uid is the numeric user id of that user).
-s: run the shell given by the SHELL environment variable, or the shell specified in /etc/passwd.
-H: set the HOME environment variable to the home directory of the user being switched to (root, if -u is not given).
command: the command to run as the system administrator (or as another user, when -u is given).
Examples:
sudo -l lists the current user's permissions.
sudo -V lists sudo version information.
Command name: sudoers (this command cannot be found under FC5, but its usage can be checked with man.)
It is used to show which users can use sudo.
Sudoers configuration
sudoers is the main configuration file of sudo. On Linux it is usually located in the /etc directory. On Solaris, sudo is not installed by default; after it is compiled and installed, sudoers is usually found in the etc directory under the installation prefix. Wherever the sudoers file is located, sudo provides a command for editing it: visudo. We strongly recommend using this command to modify sudoers, because it checks that the file is syntactically correct; if it is not, it tells you which part of the configuration is wrong when you save and exit.
The following describes how to configure sudoers.
First, the default sudoers configuration:
############################################################
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
############################################################
1. The simplest configuration: give the ordinary user support all root permissions
After running visudo, you can see that there is only one rule by default:
root ALL=(ALL) ALL
Add a rule below it:
support ALL=(ALL) ALL
In this way, the ordinary user support can execute all commands with root permission.
After logging in as support, run:
sudo su -
Enter the support user's password to switch to the root user.
2. Allow the ordinary user support to run only some of the commands that root can execute, and only on a certain set of servers
First, configure some aliases. They make the permission rules below easier to write, so you do not need to repeat long lists of names. There are four kinds of alias:
Host_Alias
Cmnd_Alias
User_Alias
Runas_Alias
1) Configure Host_Alias: a list of hosts
Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
2) Configure Cmnd_Alias: the list of commands that may be executed; a command prefixed with ! may not be executed.
Commands must be given with absolute paths, so that a command of the same name in another directory cannot be run in their place, which would be a security risk; absolute paths are therefore used throughout.
Cmnd_Alias COMMAND_FLAG = command1, command2, command3, !command4
3) Configure User_Alias: a list of users who have sudo permissions.
User_Alias USER_FLAG = user1, user2, user3
4) Configure Runas_Alias: the list of identities (such as root or oracle) that the user may run commands as.
Runas_Alias RUNAS_FLAG = operator1, operator2, operator3
5) Configure permissions
The format of a permission rule is:
USER_FLAG HOST_FLAG = (RUNAS_FLAG) COMMAND_FLAG
If no password should be required, use this format:
USER_FLAG HOST_FLAG = (RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
Configuration example:
############################################################
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
Host_Alias EPG = 192.168.1.1, 192.168.1.2
# User alias specification
# Cmnd alias specification
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
support EPG = (ALL) NOPASSWD: SQUID
support EPG = (ALL) NOPASSWD: ADMPW
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
############################################################
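The alias and rule format described in section 2, evaluated against the configuration example above with sudo's documented matching rules (a bare path matches any arguments, and where several entries match, the last one wins). This is an added example, not code from the original post or from sudo itself; it is a toy evaluator that only handles the line shapes used on this page (no Defaults, %group or #include lines), and the function names parse, expand, member_of, cmnd_matches and lookup are mine.

```python
import fnmatch
import re

SUDOERS = """
# constructed copy of the page's example sudoers (the page's own comment lines dropped)
Host_Alias EPG = 192.168.1.1, 192.168.1.2
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root
root ALL = (ALL) ALL
support EPG = (ALL) NOPASSWD: SQUID
support EPG = (ALL) NOPASSWD: ADMPW
"""
# a rule line: user host = (runas) [NOPASSWD:|PASSWD:] cmd, cmd, ...   (runas defaults to root)
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")
KINDS = ("User_Alias", "Host_Alias", "Runas_Alias")  # same order as the (user, host, runas) triples

def parse(text):  # -> (aliases by kind, [((user, host, runas), nopasswd, [cmds])])
    aliases, rules = {k: {} for k in KINDS + ("Cmnd_Alias",)}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        kind, _, rest = line.partition(" ")
        if kind in aliases:  # Kind NAME = item, item, ...
            name, _, body = rest.partition("=")
            aliases[kind][name.strip()] = [i.strip() for i in body.split(",")]
        elif (m := RULE.match(line)):
            user, host, runas, tag, cmds = m.groups()
            rules.append(((user, host, runas or "root"), tag == "NOPASSWD", [c.strip() for c in cmds.split(",")]))
        else: raise ValueError("line shape not handled by this toy parser: " + line)
    return aliases, rules
def expand(item, table):  # flatten an alias (recursively) into [(negated, value)]; '!ALIAS' negates its members
    neg, item = item.startswith("!"), item.lstrip("!")
    if item in table:
        return [(neg ^ n, v) for sub in table[item] for n, v in expand(sub, table)]
    return [(neg, item)]
def member_of(value, item, table):  # is value covered by item (literal, alias or ALL)? last entry wins
    hits = [not neg for neg, v in expand(item, table) if v in ("ALL", value)]
    return bool(hits) and hits[-1]
def cmnd_matches(spec, path, args):  # bare path: any args; "": no args; otherwise args must match the glob
    spec_path, _, spec_args = spec.partition(" ")
    if spec == "ALL" or (spec_path == path and spec_args == ""):
        return True
    return spec_path == path and (args == "" if spec_args == '""' else fnmatch.fnmatchcase(args, spec_args))
def lookup(text, user, host, path, args="", runas="root"):  # -> 'deny' | 'allow' | 'allow-nopasswd'
    aliases, rules = parse(text)
    verdict = "deny"  # no matching entry at all: sudo refuses
    for who, nopasswd, cmds in rules:
        if all(member_of(v, i, aliases[k]) for v, i, k in zip((user, host, runas), who, KINDS)):
            for neg, spec in [e for cmd in cmds for e in expand(cmd, aliases["Cmnd_Alias"])]:
                if cmnd_matches(spec, path, args):  # a later match overrides an earlier one
                    verdict = "deny" if neg else ("allow-nopasswd" if nopasswd else "allow")
    return verdict
```

Note that the middle ADMPW entry, !/usr/bin/passwd, carries no arguments and therefore matches passwd with any arguments, so as written it denies every passwd invocation, including passwd alice. sudoers writes "no arguments" as "", so !/usr/bin/passwd "" is the form that denies only an argument-less passwd (which, run as root, would change root's password) while still allowing passwd alice.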