System Administrator essentials-su and sudo for linux permission management
Source: Internet
Author: User
System administrator essentials: su and sudo in Linux permission management

Summary: when performing permission operations on Linux, the following questions often come up:
1) Why does sudo need to be added before apt-get to install software, while after the installation is complete apt-get can be run again without sudo in front?
2) Why does running a sudo command display "user is not in the sudoers file"?
3) What is the difference between su and sudo?
4) When multiple users share the same host, how can security be ensured when many users are authorized to have root permissions?
This article answers the above questions.

1. su

su runs a shell, replacing the user and group ID: the effective user ID and group ID are changed to those of USER.

1.1 Comparison between su and su - root (the latter is equal to su -)

Example:

    hyk@hyk-linux:~$ su
    Password:
    (note that the working directory has not changed after switching)
    root@hyk-linux:/home# echo $HOME
    /root
    root@hyk-linux:/home# exit
    (the word "exit" is displayed afterwards)
    exit
    hyk@hyk-linux:~$ su - root
    Password:
    (the working directory changed after switching)
    root@hyk-linux:~# echo $HOME
    /root
    root@hyk-linux:~# exit
    (the word "logout" is displayed afterwards)
    logout

From the above example we can see: su - logs on as root and performs everything a real user login does (including setting the environment variables); plain su only performs a simple user switch and leaves information such as the working directory as it was.

1.2 Disadvantages of su

1) Insecure: su is not the best option in system management involving multiple people. su is only applicable to systems where one or two people participate in management; after all, su cannot be given to common users, and the root password of the superuser should be in the hands of only a few users.
2) Trouble: you need to tell everyone who needs root permissions the root password.

2. sudo

2.1 Background of sudo

Because su has unrestricted permissions after switching to the super-privileged user root, su cannot serve a system managed by multiple administrators. If su is used to switch to the superuser to manage the system, it is not clear which operations were performed by which administrator. Especially when many people are involved in server management, it is best to assign specific permissions according to the technical expertise and management scope of each administrator, and to specify the tools used to complete the related work; this is why we need sudo. Through sudo, certain super permissions can be delegated to specific users without requiring common users to know the root password. Therefore sudo is safer than su with its unrestricted permissions, and sudo can also be referred to as a restricted su. In addition, sudo requires authorization, so it is also called the authorized su.

The sudo command execution process is: the current user switches to root (or another specified user), the command runs as root (or that user), and after the command finishes control returns directly to the current user. The premise is that authorization has been granted in the sudo configuration file /etc/sudoers.

Note:

    hyk@hyk-linux:~$ sudo apt-get install aaaa
    [sudo] password for hyk:

When executing sudo, we need to enter the current user's (hyk's) password, not the root password.

2.2 sudo features

§ sudo allows you to run certain commands only on a certain host.
§ sudo provides extensive logs that detail what each user has done. It can send logs to a central host or log server.
§ sudo uses a timestamp file to implement a "ticket checking" system. When the user calls sudo and enters their password, the user receives a 5-minute ticket (this value can be changed at compile time). That is, after running sudo cat /etc/issue once, sudo cat /etc/issue can be run again without being asked for the password again.
§ The sudo configuration file is the sudoers file, which allows the system administrator to centrally manage user permissions and the hosts they apply to. It is stored in /etc/sudoers by default, and its mode must be 0411.

2.3 sudo usage

Permission: users who appear in /etc/sudoers.

Usage:

    sudo -V
    sudo -h
    sudo -l
    sudo -v
    sudo -k
    sudo -s
    sudo -H
    sudo [-b] [-p prompt] [-u username/#uid] -s
    sudo command

sudo command: execute the command as the system administrator; that is, a command executed through sudo runs as if the root user executed it.

Parameters:
-V: display the version number.
-h: display the version number and usage instructions.
-l: display the permissions of yourself (the user who executes sudo).
-v: because sudo asks for the password on the first execution or when it has not been run within N minutes (N defaults to 5), this parameter re-confirms the password; if more than N minutes have passed, the password is asked again.
-k: force the password to be asked on the next sudo execution (whether or not N minutes have passed).
-b: run the command to be executed in the background.
-p prompt: change the password prompt. %u is replaced by the user's account name, %h by the host name.
-u username/#uid: without this parameter the command is executed as root; with it, the command is executed as username (#uid is the numeric user ID of username).
-s: execute the shell specified by the SHELL environment variable, or the shell specified in /etc/passwd.
-H: set the HOME environment variable to the home directory of the user whose identity is being assumed (root, the system administrator, if -u is not given).
command: the command to be executed as the system administrator (or as another user with -u).

Examples of executed commands:
sudo -l: lists the current permissions.
sudo -V: lists sudo version information.

2.4 sudoers configuration

sudoers is the main configuration file of sudo. On Linux it is usually in the /etc directory; on Solaris, sudo is not installed by default, and after compiling and installing, sudoers is usually under the etc directory of the installation directory. No matter where the sudoers file is, sudo provides an editor command, visudo, to modify the file. We strongly recommend that you use this command to modify sudoers, because it verifies that the file configuration is correct; if it is incorrect, it prompts which section of the configuration is wrong when you save and exit.

The following describes how to configure sudoers. First, the default sudoers configuration:

    # sudoers file.
    # This file MUST be edited with the 'visudo' command as root.
    # See the sudoers man page for the details on how to write a sudoers file.
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # Defaults specification
    # User privilege specification
    root ALL=(ALL) ALL
    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL
    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now

2.4.1 The simplest configuration: allow the normal user support to execute sudo with ALL root permissions

You can see that there is only one configuration by default: root ALL=(ALL) ALL. Add a configuration below it:

    support ALL=(ALL) ALL

In this way, the general user support can execute ALL commands with root permission. After the support user logs on, execute sudo su - and then enter the support user's own password to switch to the root user.

2.4.2 Allow the general user support to execute only some root commands, and only on a few servers

To do this, you must first configure some aliases; the permission configuration below then becomes more convenient, and you do not need to write large sections of configuration. Aliases are mainly divided into four types:

1) Host_Alias: the host list.
    Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
2) Cmnd_Alias: the list of commands that can be executed; a command prefixed with ! cannot be executed. You must use absolute paths, to avoid executing a command of the same name from another directory, which would be a security risk. Therefore, always use an absolute path here!
    Cmnd_Alias COMMAND_FLAG = command1, command2, command3, !command4
3) User_Alias: the list of users with sudo permissions.
    User_Alias USER_FLAG = user1, user2, user3
4) Runas_Alias: the identity the command runs as (such as root or oracle).
    Runas_Alias RUNAS_FLAG = operator1, operator2, operator3
5) The permission configuration format is:
    USER_FLAG HOST_FLAG = (RUNAS_FLAG) COMMAND_FLAG
   If password verification is not required, use this format:
    USER_FLAG HOST_FLAG = (RUNAS_FLAG) NOPASSWD: COMMAND_FLAG

Putting it together in that format:

    # sudoers file.
    # This file MUST be edited with the 'visudo' command as root.
    # See the sudoers man page for the details on how to write a sudoers file.
    # Host alias specification
    Host_Alias EPG = 192.168.1.1, 192.168.1.2
    # User alias specification
    # Cmnd alias specification
    Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service, /bin/rm
    Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root
    # Defaults specification
    # User privilege specification
    root ALL=(ALL) ALL
    support EPG=(ALL) NOPASSWD: SQUID
    support EPG=(ALL) NOPASSWD: ADMPW
    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL
    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now

Note: each Linux distribution often adapts the sudoers file. In that case we often need man sudoers to find the definition of the relevant variables, and then set them.

2.5 sudo authorization management example

1) Problem: insufficient user permissions:

    hyk@hyk-linux:~$ cat /etc/shadow
    cat: /etc/shadow: Permission denied

2) Solution: specify a user and authorize a specific command. Use the visudo command to view /etc/sudoers; its contents are as follows:

    Defaults env_reset
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root ALL=(ALL:ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d

Note (quoting the sudoers man page):
env_reset: If set, sudo will reset the environment to only contain the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If the secure_path option is set, its value will be used for the PATH environment variable. This flag is on by default.
secure_path: Path used for every command run from sudo. This option is not set by default.

Add this line:

    %guest ALL=/bin/cat

This indicates that the guest user group can switch to the root user group and run cat to view the file. Save and exit. In fact, due to the role of secure_path, the user guestone is already able to run all the commands in /bin, such as more.

3) Verify: check which commands guestone can execute through sudo by entering on the command line:

    guestone@hyk-linux:~$ sudo -l
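To make the alias, negation and NOPASSWD rules above concrete, here is a small evaluator that answers the sudo -l question for a given user, host and command against a constructed sudoers text in the article's alias-based layout. It is an added illustration, not sudo's own code; the hostnames web01/web02, the users support, alice and bob and the group guest are assumed, and Runas specs are parsed but ignored.

```python
# Added toy sudoers evaluator (not sudo's own code): answers the "sudo -l" question for one
# user/host/command with aliases, ALL, %group, "!" negation, NOPASSWD and last-match-wins.
import fnmatch, re, shlex

SUDOERS = """
Host_Alias EPG = web01, web02
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, !/sbin/service
Cmnd_Alias ADMPW = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
User_Alias OPS = support, alice
OPS     EPG = (ALL) NOPASSWD: SQUID
support EPG = (ALL) ADMPW
%guest  ALL = /bin/cat
"""  # constructed sample mirroring the article's alias-based layout; runas specs are ignored

def parse(text):
    """Split sudoers into {alias: members} and (who, host, nopasswd, cmds) rules."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line: continue
        if m := re.match(r"(?:Host|Cmnd|User|Runas)_Alias\s+(\w+)\s*=\s*(.*)", line):
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        who, host, tag, cmds = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(\S+?\)\s*)?(NOPASSWD:\s*)?(.*)", line).groups()
        rules.append((who, host, bool(tag), [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def expand(item, aliases):
    """Replace an alias name by its members; "!" on the alias flips each member."""
    neg, members = item.startswith("!"), aliases.get(item.lstrip("!"))
    return [("!" if neg ^ m.startswith("!") else "") + m.lstrip("!") for m in members] if members else [item]

def cmd_matches(pattern, argv):
    """Sudoers rule: a bare path matches any arguments; listed args are glob-matched."""
    pat = pattern.split(None, 1)
    return pat[0] == argv[0] and (len(pat) == 1 or fnmatch.fnmatch(" ".join(argv[1:]), pat[1]))

def check(text, user, groups, host, cmdline):
    """Return 'deny', 'allow' or 'allow-nopasswd' for user running cmdline via sudo on host."""
    aliases, rules = parse(text)
    argv, verdict = shlex.split(cmdline), "deny"
    for who, rhost, nopass, cmds in rules:
        if not any(u in ("ALL", user) or u[:1] == "%" and u[1:] in groups for u in expand(who, aliases)):
            continue
        if not any(h in ("ALL", host) for h in expand(rhost, aliases)):
            continue
        for c in [x for item in cmds for x in expand(item, aliases)]:  # later matches win
            if c.lstrip("!") == "ALL" or cmd_matches(c.lstrip("!"), argv):
                verdict = "deny" if c[0] == "!" else ("allow-nopasswd" if nopass else "allow")
    return verdict
```

The evaluator reproduces sudo's last-match-wins rule: an earlier allowing entry is overridden by a later matching ! entry, which is why the constructed ADMPW alias lists its negation last, and a bare path such as /bin/cat matches the command with any arguments.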