The sudo command that the Linux administrator must know

Source: Internet
Author: User

sudo is a very useful tool on Unix/Linux platforms. It allows the system administrator to delegate certain reasonable "rights" to ordinary users so that they can perform tasks that otherwise only the superuser or another privileged user could accomplish, such as running commands like mount, halt and su, or editing system configuration files such as /etc/mtab and /etc/samba/smb.conf. This not only reduces the number of root logins and the administrator's workload, but also improves the security of the system.

I. Features of sudo

sudo's role means it must be extra cautious about security, or it could let unauthorized users grab root privileges. At the same time it has to remain easy to use, so that the system administrator can use it efficiently and conveniently. The goal of sudo's designers is to give users as few privileges as possible while still letting them complete their work. So sudo has the following characteristics:

1. sudo can restrict specified users to running certain commands on specified hosts.
2. sudo provides logging, faithfully recording what each user has done with sudo, and the logs can be sent to a central host or log server.
3. sudo gives the system administrator a configuration file in which user permissions and the hosts they apply to are managed centrally. Its default location is /etc/sudoers.
4. sudo uses a timestamp file to implement a "ticket" system. When a user runs sudo and enters the password, the user obtains a "ticket" that is valid for 5 minutes by default (the default can be changed at compile time). After it expires, the user must enter the password again.

II. The sudo command

The sudo program itself is a binary file with the SUID bit set. We can check its permissions:

$ ls -l /usr/bin/sudo
---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo

Its owner is root, so any user who runs it executes the program as root: a program with the SUID bit set runs with the effective uid (euid) of its owner. This is why SUID programs must be written with great care. Note that setting the SUID bit on a command file and running a command through sudo are two different concepts that play different roles.

sudo's configuration is kept in the /etc/sudoers file, which we explain in detail below. The configuration file specifies which users may execute which commands. To use sudo, the user must supply a user name and password. Note that the password sudo asks for is not the target user's password but that of the user executing sudo. If a user who is not in sudoers runs a command through sudo, sudo reports the event to the administrator. Users can check whether they are in sudoers with sudo -v. If they are, it also refreshes the time on their "ticket"; if not, it tells them so but does not notify the administrator.

The sudo command format is as follows:

sudo -K | -L | -V | -h | -k | -l | -v
sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}

Let's look at some of sudo's other commonly used options and what they mean:

sudo -h (Help): prints the usage and exits.
sudo -V (Version): prints the version information and exits.
sudo -l (List): lists the commands the current user may execute. This option is available only to users in sudoers.
sudo -u username|#uid (User): executes the command as the specified user. The user given here is a user other than root, and can be either a user name or a #uid.
sudo -k (Kill): clears the time on the "ticket", so the next time sudo is used the password must be entered again.
sudo -K (Sure kill): similar to -k, but also tears up the "ticket", that is, it deletes the timestamp file.
sudo -b command (Background): executes the specified command in the background.
sudo -p prompt command (Prompt): changes the prompt used to ask for the password; %u is replaced by the user's account name and %h by the host name. A very user-friendly design.
sudo -e file (Edit): does not execute a command but edits the file; equivalent to the sudoedit command.

There are also some less frequently used options, which can be found in the sudo(8) manual page.

III. Configuring sudo

To configure sudo you must edit the /etc/sudoers file. Only the superuser can modify it, and you should edit it with visudo. There are two reasons to use visudo: first, it prevents two users from modifying the file at the same time; second, it performs a limited syntax check. So even if you are the only superuser, you had better use visudo to check the syntax.

By default visudo opens the configuration file in vi, and you modify the file with vi; this default can be changed at compile time. visudo will not save a configuration file that contains syntax errors: it reports the problem and asks what to do, like this:

>>> sudoers file: syntax error, line $ <<<

At this point we have three choices: type "e" to edit the file again, "x" to exit without saving, or "Q" to exit and save. If you do choose Q, sudo will no longer run until the error is corrected.

Now let's look at this mysterious configuration file and learn how to write it. Start with a simple example: allow the user foobar to execute, via sudo, every command root can execute. Open the configuration file as root with visudo, and you will see a few lines like the following:

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

As we can see, root has all permissions. Following the example of the existing root line, we add a line below it (preferably using a tab as the separator):

foobar ALL=(ALL)    ALL

Save and exit, then switch to the user foobar and execute commands as that user:

[foobar@localhost ~]$ ls /root
ls: /root: Permission denied
[foobar@localhost ~]$ sudo ls /root
Password:
anaconda-ks.cfg Desktop install.log install.log.syslog

Well, we cannot let foobar do whatever he pleases, so let's limit his rights. For example, if we only want him to run ls and ifconfig as root, change that line to:

foobar localhost=    /sbin/ifconfig,   /bin/ls

To execute the command again:

[foobar@localhost ~]$ sudo head -5 /etc/shadow
Password:
Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
[foobar@localhost ~]$ sudo /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B
...

Now let's look at what those three ALLs mean. The first ALL refers to the hosts on the network; we changed it to a host name, which means foobar can execute the subsequent commands on that host. The second ALL, the one in parentheses, refers to the target user, that is, the identity the command is executed as. The last ALL of course refers to the command names. For example, if we want the user foobar to execute the kill command on the host linux as jimmy or rene, we write in the configuration file:

foobar    linux=(jimmy,rene)    /bin/kill

But there is a question: does foobar run it as jimmy or as rene? This is where sudo -u comes in. foobar can use sudo -u jimmy kill pid or sudo -u rene kill pid, but that is a hassle. In fact there is no need to add -u every time: we can set rene or jimmy as the default target user. Add one more line at the top:

Defaults:foobar runas_default=rene

If Defaults is followed by a colon, the setting is the default for the named user; if not, it is the default for all users, like this line from the configuration file:

Defaults    env_reset

Another problem: in many cases we are already logged in, and entering a password every time we use sudo is cumbersome. Can we avoid entering the password again? Of course; we can modify the configuration file as follows:

foobar localhost=NOPASSWD:     /bin/cat, /bin/ls

To sudo again:

[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg Desktop install.log install.log.syslog

Of course, you can also say "the user foobar may not run certain commands" by using the ! operator, but that is not a good idea. Commands "excluded" with the ! operator are generally not really excluded: a user can simply copy the command somewhere else and run it under another name.
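
To see how the three fields (host, runas list, commands) and a Defaults:user runas_default line interact, here is an added example, not code from the article: a small Python evaluator for the sudoers subset used above, with a constructed rule set (the users, hosts and the extra user alice are illustration only; aliases, command arguments and ! entries are not modelled). It also shows a pitfall: once Defaults:foobar runas_default=rene is set, a plain sudo ls by foobar targets rene, so the localhost rule has to spell out (root) for ls to keep working as root.

```python
import re
from collections import namedtuple
# Rule.runas is None when the rule has no (...) list;  user host=(runas) [NOPASSWD:] cmd, cmd
Rule = namedtuple("Rule", "user host runas nopasswd commands")
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")
DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.*)$")

def parse_sudoers(text):
    """Parse the sudoers(5) subset used in the article (program paths only, no args)."""
    rules, runas_default = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        d = DEFAULTS_RE.match(line)
        if d:                                         # "Defaults:user opt" binds to one user
            opt = re.fullmatch(r"runas_default\s*=\s*(\S+)", d.group(2).strip())
            if opt:
                runas_default[d.group(1) or "ALL"] = opt.group(1)
            continue                                  # other options (env_reset ...) ignored
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        user, host, runas, nopw, cmds = m.groups()
        runas = tuple(r.strip() for r in runas.split(",")) if runas else None
        cmds = tuple(c.split()[0] for c in cmds.split(",") if c.strip())
        rules.append(Rule(user, host, runas, bool(nopw), cmds))
    return rules, runas_default

def check(rules, runas_default, user, host, command, target=None):
    """sudo [-u target] command by user on host -> (allowed, needs_password, target)."""
    default = runas_default.get(user, runas_default.get("ALL", "root"))
    target = target or default                        # no -u given: runas_default applies
    for r in reversed(rules):                         # last matching rule wins
        if r.user != user or r.host not in ("ALL", host):
            continue
        targets = r.runas if r.runas is not None else (default,)
        if "ALL" not in targets and target not in targets:
            continue
        if "ALL" in r.commands or command in r.commands:
            return True, not r.nopasswd, target
    return False, True, target

# Constructed sample mirroring the article's rules (not any real host's file).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults:foobar runas_default=rene
root    ALL=(ALL) ALL
foobar  localhost=(root)    /sbin/ifconfig, /bin/ls
foobar  linux=(jimmy,rene)  /bin/kill
alice   localhost=NOPASSWD: /bin/cat, /bin/ls
"""
```

Call parse_sudoers(SAMPLE_SUDOERS) and then check(rules, defaults, "foobar", "linux", "/bin/kill") to see that the default target is rene and that -u root is refused.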

IV. Logs and security

sudo is very thorough about security: it not only logs, but also reports to the system administrator when necessary. However, sudo's logging is not automatic and must be turned on by the administrator. To do so:

# touch /var/log/sudo
# vi /etc/syslog.conf

Add the following line at the end of syslog.conf (the fields must be separated by tabs) and save:

local2.debug                    /var/log/sudo

Then restart the log daemon. First find the syslogd process:

ps aux | grep syslogd

Fill in the PID of the syslogd process found (the second column of the output is the PID):

kill -HUP pid

In this way, sudo can write its log:

[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg Desktop install.log install.log.syslog
$ cat /var/log/sudo
Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root

However, there is a small "flaw": sudo's log is not entirely faithful:

[foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
[foobar@localhost ~]$ cat /var/log/sudo
...
Jul 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow

The redirection was not recorded! Why? Because the shell had already performed the redirection before the command was run, so sudo never saw it at all. This also has a benefit: the following trick will not succeed:

[foobar@localhost ~]$ sudo ls /root > /etc/shadow
bash: /etc/shadow: Permission denied
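
As an added example (not from the article), here is a Python parser for the log line format shown above with a simple review pass: since redirections are invisible to sudo, it flags every accepted command that names a sensitive file regardless of where the output went, and lists rejected attempts. The log lines are constructed; the "command not allowed" entry follows the shape sudo uses for rejected commands, which the article does not show, so treat that line format as an assumption.

```python
import re

# Constructed sample lines (not real logs): three accepted entries in the
# article's format plus one rejection in sudo's "command not allowed" shape (assumed).
SAMPLE_LOG = """\
Jul 28 22:52:54 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 28 23:12:01 localhost sudo:   foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=rene ; COMMAND=/bin/kill 4242
Jul 28 23:15:33 localhost sudo:   foobar : command not allowed ; TTY=pts/2 ; PWD=/home/foobar ; USER=root ; COMMAND=/usr/bin/head -5 /etc/shadow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>(?!TTY=)[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Files whose mere appearance in COMMAND deserves a look by the administrator.
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/etc/passwd")

def parse_sudo_log(text):
    """Turn sudo syslog lines into dicts; lines that are not sudo entries are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["allowed"] = e["reason"] is None      # a reason is present only on rejections
            events.append(e)
    return events

def flag_events(events):
    """Return (user, note) findings. The shell performs redirections before sudo
    runs, so '> /dev/null' never appears in COMMAND: any accepted command that
    names a sensitive file is flagged whatever happened to its output."""
    findings = []
    for e in events:
        if not e["allowed"]:
            findings.append((e["user"], "rejected: " + e["reason"]))
            continue
        argv = e["cmd"].split()
        hits = [a for a in argv[1:] if a in SENSITIVE]
        if hits:
            findings.append((e["user"], "%s touched %s as %s" % (argv[0], ", ".join(hits), e["target"])))
    return findings

def summarize(events):
    """Count accepted sudo uses per (invoking user, target user) pair."""
    counts = {}
    for e in events:
        if e["allowed"]:
            key = (e["user"], e["target"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```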

sudo has its own ways of protecting security. Run sudo -V as root to check sudo's settings. For security reasons, some environment variables, such as PATH, HOME and SHELL, are not passed to the command run under sudo, or are checked before being passed. Of course, you can also configure these environment variables through sudoers.

As seen above, sudo is useful for controlling and auditing root access, which lets system administrators manage systems more efficiently and securely. Mastering the correct use of sudo is also good training for a system administrator. This article is only a preliminary introduction to sudo; see the sudoers(5) and sudo(8) manual pages for more information.
