Use sudo in CentOS

Source: Internet
Author: User
Tags: mail, account, root access

The sudo tool lets you delegate part of the system administration work to other people without handing out the root password. sudo is a setuid-root program: the user types their own password (not root's), and sudo runs the command that follows it with whatever privileges the sudoers policy grants to that user.

As root, run /usr/sbin/visudo to edit the sudoers file (/etc/sudoers), which lists who may call sudo and what they may run. visudo locks the file and checks its syntax before saving, so never edit /etc/sudoers with a plain editor. The default entry looks like this:

root ALL = (ALL) ALL
Unfortunately, many administrators treat this line as a template and hand the same entry to other users, like this:
root ALL = (ALL) ALL
work ALL = (ALL) ALL
test ALL = (ALL) ALL
With entries like these, the work and test accounts have full root privileges on every host and never need the root password (sudo asks only for their own). If the people behind those accounts are completely trustworthy this works, but trust is rarely that clear-cut, and a single phished or reused password for either account now hands an attacker root.
So grant privileges to specific accounts following the principle of least privilege. First, the syntax of the sudoers file. Each user specification line has the form:
user machine = (runas user) command
The first column (user) is the account being authorized. The second column (machine) is the host, or list of hosts, on which the entry applies; this lets one sudoers file be shared unchanged across several machines, each host honouring only the entries that name it.
For example, a developer who should have root on the development server but nowhere else:
steven beta.xplore.cn = (ALL) ALL
The third column (the runas user, in parentheses) is the account the command actually runs as. This lets a user run particular commands as a service account rather than as root:
steven mail.xplore.cn = (mailman) ALL
The last column (command) lists the commands this entry allows. Commands are written as absolute paths, separated by commas; sudoers does not search PATH, and visudo rejects a bare command name:
kevin ns.xplore.cn = (bind) /usr/sbin/rndc, /usr/sbin/named
If the list grows unwieldy (many accounts share the same authorization, or one account needs a long list of commands and machines), use aliases. An alias works like a variable in the shell: define it once and refer to it by name. The keywords User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias are case-sensitive, and alias names must consist of upper-case letters, digits and underscores:
User_Alias ADMINS = wgzhao, kevin, steven
User_Alias WEBMASTERS = xplore, glemir, xinhe

Runas_Alias DAEMONS = bind, www, ftp

Host_Alias WEBSERVERS = www.xplore.cn, www.lawburn.com

Cmnd_Alias PROCS = /bin/kill, /bin/killall, /usr/bin/skill, /usr/bin/top
Cmnd_Alias APACHE = /usr/bin/apachectl

WEBMASTERS WEBSERVERS = (www) APACHE
ADMINS ALL = (DAEMONS) ALL
The last two lines are ordinary user specifications built from the aliases: the web masters may run apachectl as www on the two web servers, and the admins may run anything on any host, but only as one of the daemon accounts, not as root.
All of the entries above name individual accounts. The first column can also be a group, in which case every member of the group is authorized the same way. The syntax is simply a % in front of the group name, with no space:
%mail WEBSERVERS = (mail) /usr/sbin/sendmail
Now every account in the mail group can run sendmail as the mail account on the hosts in WEBSERVERS. Note the full path (/usr/sbin/sendmail is where CentOS installs it); a bare sendmail would be rejected by visudo.

One more useful tag is NOPASSWD:. An entry carrying it runs without sudo prompting the user for their own password:
xplore ALL = (ALL) NOPASSWD: PROCS
This lets xplore run kill, killall, skill and top as any account, with no password prompt. Use NOPASSWD sparingly and never together with ALL: anyone who gets hold of that account's session, for instance through an unattended terminal or a stolen SSH key, gets the granted commands without even needing the password.
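The following script is an added example, not part of the original article. It writes the least-privilege policy built up above (the user specifications, the aliases, the %mail group entry and the NOPASSWD entry) as a sudoers drop-in and then lints it for the three mistakes the article warns about: copying root's (ALL) ALL template to other users, combining NOPASSWD with ALL, and writing a command without its absolute path. The user names, hosts and paths are the article's own illustrative values, the "bad" fragment is constructed for the demonstration, and the file name 10-xplore is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): render the article's
# least-privilege policy as a sudoers drop-in and lint it. All names are the
# article's illustrative values or constructed samples, not real accounts.

# Write the article's least-privilege policy to "$1". Keywords are
# case-sensitive; alias names must be upper-case letters, digits, underscores.
write_sudoers_fragment() {
    cat > "$1" <<'EOF'
User_Alias  ADMINS     = wgzhao, kevin, steven
User_Alias  WEBMASTERS = xplore, glemir, xinhe
Runas_Alias DAEMONS    = bind, www, ftp
Host_Alias  WEBSERVERS = www.xplore.cn, www.lawburn.com
Cmnd_Alias  PROCS      = /bin/kill, /bin/killall, /usr/bin/skill, /usr/bin/top
Cmnd_Alias  APACHE     = /usr/bin/apachectl

# user       host           = (runas)   command
steven       beta.xplore.cn = (ALL)     ALL
kevin        ns.xplore.cn   = (bind)    /usr/sbin/rndc, /usr/sbin/named
WEBMASTERS   WEBSERVERS     = (www)     APACHE
ADMINS       ALL            = (DAEMONS) ALL
%mail        WEBSERVERS     = (mail)    /usr/sbin/sendmail
xplore       ALL            = (ALL)     NOPASSWD: PROCS
EOF
    chmod 0440 "$1"   # sudo refuses sudoers files that are group/world writable
}

# Constructed bad fragment: the template-copy mistake plus two other errors.
write_bad_fragment() {
    cat > "$1" <<'EOF'
root   ALL = (ALL) ALL
work   ALL = (ALL) ALL
test   ALL = (ALL) NOPASSWD: ALL
%mail  WEBSERVERS = (mail) sendmail
EOF
}

# Lint the user specifications in a sudoers fragment. Prints one line per
# finding and returns the number of findings (0 means clean).
#   FULL-ROOT     a non-root user gets (ALL) ALL on every host
#   NOPASSWD-ALL  NOPASSWD combined with the command ALL
#   UNQUALIFIED   a command that is neither an absolute path nor a Cmnd_Alias
lint_sudoers() {
    file="$1"; findings=0
    set -f   # no pathname expansion while splitting lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"   # drop comments
        # pad the punctuation so that plain word splitting yields clean tokens
        line=$(printf '%s\n' "$line" | sed 's/=/ = /; s/(/ ( /; s/)/ ) /; s/,/ , /g; s/NOPASSWD:/ NOPASSWD: /')
        set -- $line
        [ $# -lt 4 ] && continue                           # blank or too short
        case "$1" in Defaults*|*_Alias) continue ;; esac   # not a user spec
        [ "$3" = "=" ] || continue
        user="$1"; host="$2"; shift 3
        runas="root"   # sudoers default when (runas) is omitted
        if [ "$1" = "(" ] && [ $# -ge 4 ]; then runas="$2"; shift 3; fi
        nopasswd=0
        if [ "$1" = "NOPASSWD:" ]; then nopasswd=1; shift; fi
        for tok in "$@"; do
            [ "$tok" = "," ] && continue
            case "$tok" in
                ALL)
                    if [ "$user" != root ] && [ "$host" = ALL ] && [ "$runas" = ALL ]; then
                        echo "FULL-ROOT     $user: (ALL) ALL on every host"
                        findings=$((findings + 1))
                    fi
                    if [ "$nopasswd" -eq 1 ]; then
                        echo "NOPASSWD-ALL  $user: passwordless access to any command"
                        findings=$((findings + 1))
                    fi ;;
                /*|!/*) ;;                              # absolute path, maybe negated
                [ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) ;;       # Cmnd_Alias reference
                *)
                    echo "UNQUALIFIED   $user: '$tok' is not an absolute path"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    return "$findings"
}

# Usage: generate both fragments, lint them, and run visudo's real syntax
# check on the good one when visudo is installed (file name is an assumption).
dir=$(mktemp -d)
write_sudoers_fragment "$dir/10-xplore"
write_bad_fragment "$dir/bad"
echo "== lint $dir/10-xplore"; lint_sudoers "$dir/10-xplore" || echo "($? findings)"
echo "== lint $dir/bad";       lint_sudoers "$dir/bad" || echo "($? findings)"
if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$dir/10-xplore" || echo "visudo rejected the fragment"
fi
```

The linter is deliberately narrow: it understands the single-runas, comma-separated form used in this article and is a pre-commit sanity check, not a replacement for visudo -cf, which is the only authoritative syntax check. Installing the fragment means copying it to /etc/sudoers.d/ as root with mode 0440, after visudo -cf has passed.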

