The sudoers file and sudoers parsing
Category: LINUX
Today a common user was added to the user group but did not have sudo permissions, so I modified the sudo configuration file with sudo visudo and granted root permission to the common user. Later I thought about changing the access permission of the /etc/sudoers file to 777 and then editing the file directly. I should not have done that: after the change I found that I had dug a hole for myself and locked myself out of sudo.
/etc/sudoers is the sudo configuration file, and its mode must be 440. After I used sudo chmod 777 /etc/sudoers to change the access permission of the sudoers file, sudo could no longer be used. Trying sudo chmod 440 /etc/sudoers to restore the permission, or any other sudo command, gives the following error: sudo: /etc/sudoers is mode 0777, should be 0440. In this way you can lock yourself out of sudo: it is no longer possible to switch to the root user through sudo su or sudo -i. In this case you can use su root to switch to root, and then fix the access permission of the /etc/sudoers file. That solves the problem.
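As an added example (my own code, not from the page), the following Python script replays the lock-out described above on a scratch file instead of on /etc/sudoers. audit_sudoers() mirrors the two conditions behind the page's error message, reproducing its "is mode 0777, should be 0440" wording: no permission bit beyond 0440 may be set, and the file must be owned by root. The function and variable names are mine, and the owner check is relaxed to the current user in the replay because the scratch file is not root's.

```python
import os
import stat
import tempfile

SUDOERS_MODE = 0o440   # the mode sudo requires, as in the page's error message
SUDOERS_UID = 0        # the file must belong to root


def mode_is_acceptable(mode, want_mode=SUDOERS_MODE):
    """True if `mode` carries no permission bit beyond `want_mode`.
    sudo rejects the file when any extra bit is set, so 0777 and 0644 fail
    while 0440 and the stricter 0400 pass."""
    return (mode & ~want_mode) == 0


def audit_sudoers(path, want_mode=SUDOERS_MODE, want_uid=SUDOERS_UID):
    """Return the complaints sudo would raise before trusting `path`:
    the 'is mode 0777, should be 0440' message the page quotes, and a
    non-root owner. An empty list means the file would be accepted."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not mode_is_acceptable(mode, want_mode):
        problems.append("%s is mode 0%o, should be 0%o" % (path, mode, want_mode))
    if st.st_uid != want_uid:
        problems.append("%s is owned by uid %d, should be %d" % (path, st.st_uid, want_uid))
    return problems


def reproduce_lockout():
    """Replay the page's mistake on a scratch file rather than on /etc/sudoers.
    Returns (problems after chmod 777, problems after chmod 440). The owner
    check is relaxed to the current uid because the scratch file is not root's."""
    fd, path = tempfile.mkstemp(prefix="sudoers-scratch.")
    os.close(fd)
    try:
        os.chmod(path, 0o777)                       # the chmod that locks sudo out
        broken = audit_sudoers(path, want_uid=os.getuid())
        os.chmod(path, 0o440)                       # the repair done after 'su root'
        fixed = audit_sudoers(path, want_uid=os.getuid())
        return broken, fixed
    finally:
        os.unlink(path)


if __name__ == "__main__":
    broken, fixed = reproduce_lockout()
    for line in broken:
        print("sudo:", line)
    print("after chmod 440:", fixed or "accepted")
```

Running the script prints the same complaint sudo gave on the page, then reports the file as accepted once the mode is back to 0440. Editing through visudo, as the page itself did first, avoids the whole problem because visudo never changes the file mode.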
Later I found an article on the Internet explaining the sudoers file, which I paste below.
Sudo is a tool that lets the system administrator allow common users to execute some or all root commands, such as halt, reboot and su. This not only reduces the time root has to spend logged in and administering the system, but also improves security. Sudo is not a replacement for the shell; it works on a per-command basis. It has the following features:
§ Sudo can restrict users to running only certain commands on a host.
§ Sudo provides detailed logs that record what each user has done. It can send the logs to a central host or log server.
§ Sudo uses a timestamp file to implement a "ticket checking" system. When a user calls sudo and enters their password, the user receives a 5-minute ticket (this value can be changed at compile time).
§ The sudo configuration file is the sudoers file, which lets the system administrator centrally manage user permissions and the hosts they apply to. It is stored in /etc/sudoers by default, and its mode must be 0440.
Command to edit the configuration file: visudo
Default configuration file location: /etc/sudoers
[root@localhost ~]# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root    ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
[root@localhost ~]#
You can use visudo to edit the sudoers configuration file, but you can also modify the sudoers file directly. Either way, you had better read the sample.sudoers file that ships with sudo before editing; it contains a very detailed example for reference.
# Part 1: user aliases. Users are divided into three groups: FULLTIMERS, PARTTIMERS and WEBMASTERS.
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, cnlawson
User_Alias WEBMASTERS = will, wendy, wim
# Part 2: Runas aliases, grouping the identities that commands may be run as.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
# Part 3: host aliases. The hosts are grouped arbitrarily here, purely for easier management.
Host_Alias iSCSI = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Part 4: command aliases. Commands must be given with an absolute path; otherwise a command of the same name in another directory could be run instead, which is a security risk. Use absolute paths in the rules below as well.
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
           /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
           /usr/local/bin/tcsh, /usr/bin/rsh,\
           /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
# Different defaults apply to different users. Here syslog output goes to the auth facility; the FULLTIMERS group is not shown the lecture (the message printed the first time sudo is run); millert does not need to enter a password when using sudo; and on the SERVERS hosts the log file is /var/log/sudo.log and every log line includes the year.
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
# root and members of the wheel group may run anything. To write a rule for a group of users, prefix the group name with %.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# FULLTIMERS may run any command on any host without entering their own password.
FULLTIMERS ALL = NOPASSWD: ALL
# PARTTIMERS may run any command on any host, but must first enter their password.
PARTTIMERS ALL = ALL
# jack may run any command on the hosts in CSNETS (the 128.138.243.0, 128.138.242.0 and 128.138.204.0/24 networks). Note that only 128.138.204.0/24 carries an explicit netmask; for the other two the local machine's netmask is used during matching.
jack CSNETS = ALL
# lisa may run any command on the hosts in the CUNETS (128.138.0.0) network.
lisa CUNETS = ALL
# The user operator may run DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT and every command in /usr/logs/bin/.
operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
         /usr/logs/bin/
# joe may run the command su operator.
joe ALL = /usr/bin/su operator
# pete may change the password of any user except root.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
# bob may run any command as root or operator (the OP Runas alias) on the iSCSI and SGI machines.
bob iSCSI = (OP) ALL : SGI = (OP) ALL
# jim may run any command on the hosts in the biglab netgroup; + is the prefix for a netgroup.
jim +biglab = ALL
# Users in the secretaries netgroup may manage printers and run the adduser and rmuser commands.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
# fred may run any command as the database users oracle or sybase without entering a password.
fred ALL = (DB) NOPASSWD: ALL
# john may use su on the ALPHA machines to become any user except root.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
# jen may run any command on any machine except those in the SERVERS host alias.
jen ALL, !SERVERS = ALL
# jill may run every command in /usr/bin/ on the SERVERS hosts, except su and the shells.
jill SERVERS = /usr/bin/, !SU, !SHELLS
# steve may run any command in /usr/local/op_commands/ on the CSNETS hosts as the user operator.
steve CSNETS = (operator) /usr/local/op_commands/
# matt may run the kill command on his personal workstation.
matt valkyrie = KILL
# Users in the WEBMASTERS alias may run any command as www on the host www, or su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
# Any user may mount or unmount a CD-ROM on the CDROM hosts without entering a password.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
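To make the alias and rule semantics above concrete, here is an added example (my own code, not from the page or the sudo project) of a small sudoers parser and resolver in Python. It reads a constructed, cut-down copy of the sample above, expands the four alias kinds (including ':'-chained definitions and backslash continuations), keeps the sticky runas and NOPASSWD tags, and answers "may user U run command C as R on host H?" using sudo's last-match-wins rule, so a negated entry such as !SU overrides an earlier permissive /usr/bin/ entry. Netgroups (+), %groups, network hosts in CIDR form, quoted arguments and Defaults are deliberately not modelled, and all function names are mine.

```python
import fnmatch
import re
from collections import namedtuple

# Constructed sample: a cut-down copy of the sudoers(5) example walked through above.
SAMPLE_SUDOERS = r"""
User_Alias  FULLTIMERS = millert, mikef, dowdy
User_Alias  WEBMASTERS = will, wendy, wim
Runas_Alias OP = root, operator
Host_Alias  SGI = grolsch, dandelion, black :\
            HPPA = boa, nag, python
Host_Alias  SERVERS = master, mail, www, ns
Cmnd_Alias  SU = /usr/bin/su
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/local/bin/zsh
root        ALL = (ALL) ALL
FULLTIMERS  ALL = NOPASSWD: ALL
bob         SGI = (OP) ALL : HPPA = (OP) /usr/sbin/shutdown
jen         ALL, !SERVERS = ALL
jill        SERVERS = /usr/bin/, !SU, !SHELLS
WEBMASTERS  www = (www) ALL, (root) /usr/bin/su www
"""

ALIAS_KINDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
CmndSpec = namedtuple("CmndSpec", "runas nopasswd negated command")
Rule = namedtuple("Rule", "users hosts cmnds")
_split = lambda s: [x.strip() for x in s.split(",") if x.strip()]  # comma list


def _logical_lines(text):  # join backslash continuations, drop comments and blanks
    buf = ""
    for line in (ln.strip() for ln in text.splitlines()):
        if buf or (line and not line.startswith("#")):
            if line.endswith("\\"):
                buf += line[:-1] + " "
            else:
                yield buf + line
                buf = ""


def _parse_cmnds(spec):  # '(runas) TAG: cmd, cmd2': runas and tag stick to later items
    runas, nopasswd, out = "root", False, []
    for item in _split(spec):
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:
            runas, item = m.group(1).strip(), m.group(2)
        m = re.match(r"(NO)?PASSWD:\s*(.*)", item)
        if m:
            nopasswd, item = m.group(1) == "NO", m.group(2)
        out.append(CmndSpec(runas, nopasswd, item.startswith("!"), item.lstrip("!").strip()))
    return out


def parse_sudoers(text):  # -> (aliases, rules); Defaults lines are skipped
    aliases, rules = {kind: {} for kind in ALIAS_KINDS}, []
    for line in _logical_lines(text):
        head, _, rest = line.partition(" ")
        if head in ALIAS_KINDS:                          # 'A = x, y : B = z' chains
            for defn in re.split(r"\s+:\s+", rest.strip()):
                name, _, members = defn.partition("=")
                aliases[head][name.strip()] = _split(members)
        elif not head.startswith("Defaults"):            # user specification
            for spec in re.split(r"\s+:\s+", rest.strip()):
                hosts, _, cmnds = spec.partition("=")
                rules.append(Rule([head], _split(hosts), _parse_cmnds(cmnds)))
    return aliases, rules


def expand(aliases, kind, name, seen=()):  # alias -> literal members, recursively
    if name not in aliases[kind] or name in seen:
        return {name}
    return set().union(*(expand(aliases, kind, m, seen + (name,)) for m in aliases[kind][name]))


def _match_list(aliases, kind, entries, value):  # list semantics: last match wins, '!' denies
    result = False
    for entry in entries:
        names = expand(aliases, kind, entry.lstrip("!"))
        if "ALL" in names or value in names:
            result = not entry.startswith("!")
    return result


def _match_cmnd(aliases, spec, command):  # ALL, Cmnd_Alias, directory (trailing /) or path + arg globs
    path, _, args = command.partition(" ")
    for pattern in expand(aliases, "Cmnd_Alias", spec):
        if pattern == "ALL" or (pattern.endswith("/") and path.rpartition("/")[0] + "/" == pattern):
            return True
        ppath, _, pargs = pattern.partition(" ")
        if ppath == path and (not pargs or fnmatch.fnmatchcase(args, pargs)):
            return True
    return False


def can_run(sudoers, user, host, command, runas="root"):
    """Return (allowed, nopasswd) for the request, or None if no entry applies.
    Entries are scanned in file order and the last match wins, as sudo does."""
    aliases, rules = sudoers
    verdict = None
    for rule in rules:
        if not (_match_list(aliases, "User_Alias", rule.users, user)
                and _match_list(aliases, "Host_Alias", rule.hosts, host)):
            continue
        for c in rule.cmnds:
            if (_match_list(aliases, "Runas_Alias", [c.runas], runas)
                    and _match_cmnd(aliases, c.command, command)):
                verdict = (not c.negated, c.nopasswd)
    return verdict


SUDOERS = parse_sudoers(SAMPLE_SUDOERS)
```

Usage: can_run(SUDOERS, "jill", "mail", "/usr/bin/ls") returns (True, False), while can_run(SUDOERS, "jill", "mail", "/usr/bin/su") returns (False, False) because the later !SU entry wins, and can_run(SUDOERS, "jen", "mail", "/usr/bin/ls") returns None because mail is excluded by !SERVERS. The resolver also makes the limits of negation visible: a '!' entry only denies what it literally matches, which is why rules like pete's above depend entirely on how precisely the argument pattern describes the command.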
3. Use
Command name: sudo
User permissions: users listed in /etc/sudoers
Usage: sudo -V
       sudo -h
       sudo -l
       sudo -v
       sudo -k
       sudo -s
       sudo -H
       sudo [-b] [-p prompt] [-u username/#uid] -s
Usage: sudo command
Note: executes commands as the system administrator; that is, a command run through sudo behaves as if the root user had run it.
Parameters:
-V: display the version number.
-h: display the version number and usage instructions.
-l: display the permissions of the user running sudo.
-v: sudo asks for the password the first time it is run and again after N minutes (N is set to 5); this parameter re-confirms the password and renews the timestamp. If more than N minutes have passed, the password is asked for again.
-k: forces the password to be asked for on the next sudo execution, whether or not N minutes have passed.
-b: execute the command in the background.
-p prompt: changes the password prompt; in it, %u is replaced by the user's account name and %h by the host name.
-u username/#uid: without this parameter the command is executed as root; with it, the command is executed as username (#uid is the numeric user id of that user).
-s: runs the shell named in the SHELL environment variable, or the shell specified in /etc/passwd.
-H: sets the HOME environment variable to the home directory of the target user (root, if -u is not given).
command: the command to be executed as the system administrator (or as the user given with -u).
Example:
sudo -l lists the current permissions
sudo -V lists sudo version information
Command name: sudoers (there is no such command under FC5, but man sudoers shows its documentation.)
Describes which users may use sudo.