View and switch Linux User identities one day (su + sudo)

In the previous two sections, we introduced the basic knowledge of users and user groups and how to manage users and user groups. Next let's take a look at other user-related commands.
Finger tool for viewing user information
Chfn tool for changing user information
Id: view the UID, GID, and user group of the user.
Su User Switching Tool
Sudo uses another user to execute commands (execute a command as another user), su is used to switch users, and then the user to complete the corresponding tasks, however, sudo can directly execute the following commands. For example, sudo can execute root authorization without the root password. Only root can execute the corresponding commands; however, you must edit/etc/sudoers through mongodo;
Except do visodo is the command for editing/etc/sudoers. You can also directly use vi to edit/etc/sudoers;

Sudoedit and sudo functions are similar;

View user identity information
Finger
Let's look at an example.
[Root @ yufei ~] # Finger-s root
Login Name Tty Idle Login Time Office Phone
Root pts/0 Jan 11 13: 45 (192.168.6.1)

The-s parameter is used to list some user login information (logon time and terminal, including the user's office information)

[Root @ yufei ~] # Finger-l root
Login: root Name: root
Directory:/root Shell:/bin/bash
On since Tue Jan 11 :45 (CST) on pts/0 from 192.168.6.1
No mail.
No Plan.

-L parameters are used to list user details (such as full name, Home Directory, SHELL, login information, email information, and scheduled tasks)
Note: the Plan here is not a scheduled task. You can understand it as a user's schedule. This is actually the content in the. plan file in the user's home directory. See the following demo.
[Root @ yufei ~] # Echo "I will study RHEL6 during this year."> ~ /. Plan
[Root @ yufei ~] # Finger-l root
Login: root Name: root
Directory:/root Shell:/bin/bash
On since Tue Jan 11 :45 (CST) on pts/0 from 192.168.6.1
No mail.
Plan:
I will study RHEL6 during this year.

NOTE: If no user name is added after finger, it is used to query information of all users logging on to the system.

In the above example, we found that there is still information about Office and Office Phone in the user information, which we did not talk about earlier. How is this information written into the system? This is the command we will talk about below.
Chfn # it can be understood as change finger
[Root @ yufei ~] # Chfn-help
Usage: chfn [-f full-name] [-o office] [-p office-phone] [-h home-phone] [-- help] [-- version]
Let's take a look at the example.
[Root @ yufei ~] # Chfn-f adminstrator
Changing finger information for root.
Finger information changed.
[Root @ yufei ~] # Finger-l root
Login: root Name: adminstrator
Directory:/root Shell:/bin/bash
On since Tue Jan 11 :45 (CST) on pts/0 from 192.168.6.1
No mail.
Plan:
I will study RHEL6 during this year.
In Name: The information added just now is displayed. It's very easy.

Note:
1. If no parameters are added after chfn, the system will prompt you to enter them one by one. Press enter by default. You can try it yourself.
2. This command also adds the corresponding content to the fifth field in our/etc/passwd and separates the numbers.

Similar commands to chfn include chsh.
[Root @ yufei ~] # Chsh-help
Usage: chsh [-s shell] [-- list-shells] [-- help] [-- version] [username]
Is it clear at first glance. I will not give you an example here. I believe you can understand it as well.

Id # view information related to UID and GID (UID and GID all have IDs. Is this the origin of this command? Haha ......)
[Root @ yufei ~] # Id
Uid = 0 (root) gid = 0 (root) groups = 0 (root), 1 (bin), 2 (daemon), 3 (sys), 4 (adm ), 6 (disk), 10 (wheel) context = unconfined_u: unconfined_r: unconfined_t: s0-s0: c0.c1023
You can view the user's UID, GID, and other user group groups, as well as the SELinux we will talk about later.
Note: There are several parameters for this command. However, you do not need to remember it. If no parameter is included, all the information is listed.

User identity Switching
We know that in many versions of Linux, the ROOT account is disabled by default. Why? We know that this ROOT account has the largest permissions and can do everything. If he accidentally executes rm-rf/(he cannot use ROOT to execute some commands) on any day ), then your system is in the beginning, and you have to reinstall it! If there is no important information in the system, you can handle it. If there is a lot of important information in it, you will have it!
Therefore, during system management, a general account is used and a non-ROOT account is used. Only ROOT accounts can be switched to ROOT accounts. This is also a good habit.
Sometimes, when installing software, we also need to execute it by a common user.
Therefore, user identity switching is required.

There are two main ways to convert a user to a root user:
Su-directly change the identity to root, provided that the root password is known.
The sudo command executes the root command, but sudo needs to be set in advance. Sudo only needs to enter the user's password to execute the command.

Su usage
Su
-: Indicates logging on to the system using the environment variable of a user during login.
If no user is added to the end, it indicates switching to the root identity.
-L: the same meaning-
-M: In contrast to the above-use the current user's environment variables instead of switching to the new user's environment variables.
-P: the same meaning as-m
-C: run the command only once.
Note: The most common parameters are "-" and. -C is also relatively time-consuming.
Let's look at an example.
First switch from root user to normal user
[Root @ yufei ~] # Pwd
/Root
[Root @ yufei ~] # Su yufei
[Yufei @ yufei root] $ pwd
/Root
Note that the preceding status indicates that the user name is yuifei, And the directory where the user is located is the/root directory, that is, the root user's home directory. This is the situation where the "-" parameter is not included and is not replaced with our own environment variables.
Let's take a look at the environment variables of yufei users.
[Yufei @ yufei root] $ env | grep yufei
HOSTNAME = yufei.opsers.org
USER = yufei
HOME =/home/yufei
LOGNAME = yufei
Then, the status of the root user is returned.
[Yufei @ yufei root] $ exit
Exit
[Root @ yufei ~] #
At this time, it will return to the root state.

Let's add "-" to see the effect.
[Root @ yufei ~] # Su-yufei
[Yufei @ yufei ~] $ Pwd
/Home/yufei
[Yufei @ yufei ~] $
A significant change has been made here and has been switched to the user's home directory. Of course, his environment variables have also taken effect!
[Yufei @ yufei ~] $ Env | grep yufei
HOSTNAME = yufei.opsers.org
USER = yufei
MAIL =/var/spool/mail/yufei
PATH =/usr/local/bin:/usr/local/sbin:/usr/sbin:/home/yufei/bin
PWD =/home/yufei
HOME =/home/yufei
LOGNAME = yufei
This is obviously different from the above. PATH is the most important environment variable!

Through the comparison above, I think you have understood their differences. Maybe you still don't understand this environment variable. However, it doesn't matter. Here you only need to understand it. In the subsequent courses, we will also talk about this environment variable.

Switching from a common user to a root user is also very simple.
[Yufei @ yufei ~] $ Su
Password:
[Root @ yufei] # env | grep root
HOME =/root
Although the root user identity has been changed, the root environment variable does not take effect and many commands cannot be executed. When a common user changes to a root user, enter the password of the root user.
[Root @ yufei] # su-
[Root @ yufei ~] # Env | grep root
USER = root
MAIL =/var/spool/mail/root
PATH =/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
PWD =/root
HOME =/root
LOGNAME = root
XAUTHORITY =/root/. xauthHE4blf
Why didn't I enter the root password? Because I have switched to the root user, but the environment variable does not take effect, run su-again to bring the root user's environment variable into effect.

Note: exit can be used to exit the su environment.

Next, we will demonstrate a-c parameter.
We know that common users cannot see/etc/shadow. Next we will use the-c parameter to execute the root user permission command for common users.
[Yufei @ yufei ~] $ Tail-n 3/etc/shadow
Tail: cannot open '/etc/shadow' for reading: Permission denied
[Yufei @ yufei ~] $ Su-c "tail-n 3/etc/shadow"
Password:
Opser_1: $6 $ cIFPSKDr $ rQV1fCHYfpUBSqgtpUGcO5A. Examples/UWHFgKuqx/: 14981: 0: 99999: 7: 15006:
Test_user1: $6 $ EL8UBf7P $ users/BuiNVBszO/UoycYIBZZygIH3oA3aKDOSA11: 14982: 0: 99999: 7 :::
Test_user2: $6 $ tTs0BG90 $ 7LLaUwF9pP/javash4/IPAwH1x4JE. rSXjYP/wbUq2kxPsXM4/example. Example/: 14982: 0: 99999: 7 :::
[Yufei @ yufei ~] $
At last, the identity of the yufei user has not changed, but we have already seen the content that should not be viewed. The premise is that you need to know the password of the root user, which is the biggest disadvantage of su. To make up for this deficiency, we have another command, sudo. As we have mentioned earlier, this sudo only needs to know the user's password, which is much safer. Next let's take a look at the use of this sudo!

Sudo usage
There are many parameters for this sudo. The following describes two commonly used
-U is followed by the switching user. If the user is not included, the user is the root user by default. The purpose is to use the user identity after-u.
-S is followed by the shell to be executed

[Root @ yufei ~] # Sudo-u yufei-s "touch/home/yufei/file"
[Root @ yufei ~] # Ls-l/home/yufei/file
-Rw-r-. 1 yufei 0 Jan 12 :20/home/yufei/file
Although I am using a file created by the root user, sudo-u is used to change the permission and owner of the file created by the root user.

[Root @ yufei ~] # Touch/home/yufei/file1
[Root @ yufei ~] # Ls-l/home/yufei/file *
-Rw-r-. 1 yufei 0 Jan 12 11: 20/home/yufei/file
-Rw-r-. 1 root 0 Jan 12 :21/home/yufei/file1
This question about file permissions will be discussed later.
Run the sudo command as a common user.
For the first time, I will give a prompt (skipped), but it does not matter. If you execute it again, it will be OK,
[Yufei @ yufei ~] $ Sudo-s "touch file2 ″
[Sudo] password for yufei:
Yufei is not in the sudoers file. This incident will be reported.

The above prompt says that the yufei user is not in the sudoers file. Why?
We can use man sudo to find that/etc/sudoers needs to be configured by ourselves.
There are two ways to configure this file: vi/vim and mongodo. In fact, this mongodo calls vi to edit this file, however, this commit do will also check whether the syntax you have edited is correct. We recommend that you use mongodo
Let's take a look at the content of this file.

The sudo user executes all the commands of the root user

Mongodo will open the file/etc/sudoers that I want to edit. In fact, the content in this file can be understood at a glance, and there are corresponding instructions.
[Root @ yufei ~] # Mongodo
......
# Allow root to run any commands anywhere
Root ALL = (ALL) ALL
......

Format description
Root ALL = (ALL) ALL
User host that can use the sudo command = commands that can be executed with a convertible identity

The above means that the root user can perform the sudo operation, and the root user can connect from any machine, switch to any user, and execute any command.
Note:
1. This command must be an absolute path
2. mongodo can only be executed by the root user.

If you want the yufei user to execute any command like root, you can add the following sentence to the configuration file:
Yufei ALL = (ALL) ALL
After saving and exiting, let's see the effect
[Root @ yufei ~] # Su-yufei
[Yufei @ yufei ~] $ Tail-n 3/etc/shadow
Tail: cannot open '/etc/shadow' for reading: Permission denied
[Yufei @ yufei ~] $ Sudo tail-n 3/etc/shadow
[Sudo] password for yufei:
Opser_1: $6 $ cIFPSKDr $ rQV1fCHYfpUBSqgtpUGcO5A. Examples/UWHFgKuqx/: 14981: 0: 99999: 7: 15006:
Test_user1: $6 $ EL8UBf7P $ users/BuiNVBszO/UoycYIBZZygIH3oA3aKDOSA11: 14982: 0: 99999: 7 :::
Test_user2: $6 $ tTs0BG90 $ 7LLaUwF9pP/javash4/IPAwH1x4JE. rSXjYP/wbUq2kxPsXM4/example. Example/: 14982: 0: 99999: 7 :::
The yufei user did not have the permission to view the shadow file. However, after sudo is used, the user can view the file because the yufei permission is granted.
Note:
1. When using sudo, enter the user's password instead of the root password.
2. You need to set such a large permission for a user. Make sure that this user will not cause losses to your machine.

Run the root command on the sudo user group.

If I want to grant the same permissions to several users, what should I do? Do you need to add one by one? Of course not. The sudoers file also contains similar user group statements.
[Root @ yufei ~] # Mongodo
......
# Allows people in group wheel to run all commands
# % Wheel ALL = (ALL) ALL
......
Here, the wheel is a user group. We can add users to this group first, and then change the configuration file to the following:
% Wheel ALL = (ALL) ALL
That is, remove the # above.
This operation is implemented by yourself. By the way, you can review the content we mentioned earlier!
All these operations require the user's own password. Can you not allow the user to enter the password? Of course.
# Allows people in group wheel to run all commands
# % Wheel ALL = (ALL) ALL
Below,
# Same thing without a password
# % Wheel ALL = (ALL) NOPASSWD: ALL
We only need to add NOPASSWD before ALL: to achieve this.

Restrict sudo users to execute commands

This gives the user the maximum permission. If you want to restrict the commands used by the user, how should we implement them?
In fact, there is an example in that file. Let's take a look.
[Root @ yufei ~] # Mongodo
Add the following line
Yufei ALL = (ALL) NOPASSWD:/sbin/shutdown
Go to test
[Root @ yufei ~] # Su-yufei
[Yufei @ yufei ~] $ Shutdown-r now
Shutdown: Need to be root
Prompt to use the root user for execution
[Yufei @ yufei ~] $ Sudo shutdown-r now

Broadcast message from root@yufei.opsers.org
(/Dev/pts/0)...

The system is going down for reboot NOW!
[Yufei @ yufei ~] $
Connection closed by foreign host.

Type 'help' to learn how to use Xshell prompt.
As you can see, without entering the password, normal users can execute our restart command.

There is a passwd Password Change command in the system. If you want to execute passwd through sudo for common users, problems will occur.
Add the following content to the sudo configuration file.
Yufei ALL = (ALL) NOPASSWD:/usr/bin/passwd
Switch to yufei user and run the passwd command through sudo,
[Yufei @ yufei ~] $ Sudo passwd
Changing password for user root.
You will find that this is to change the root user password. If a common user has changed your root password, you will not be pregnant! To avoid this situation, we can use the following method to limit it.
Yufei ALL = (ALL) NOPASSWD:/usr/bin/passwd [A-Za-z] *,! /Usr/bin/passwd ,! /Usr/bin/passwd root
The above means that the yufei user can execute/usr/bin/passwd [A-Za-z] * (that is, the command that can modify other people ). However, the command/usr/bin/passwd and/usr/bin/passwd root cannot be executed.
If you execute the command again, the following prompt will appear:
[Yufei @ yufei ~] $ Sudo passwd
Sorry, user yufei is not allowed to execute '/usr/bin/passwd' as root on yufei.opsers.org.

This reminds us that when we grant sudo user permissions, we must pay attention not to grant all permissions, especially some special commands.

Configure the sudo configuration file by alias

We can see the most Alias in the/etc/sudoers file. This Alias refers to the Alias, which refers to the group (username, command, host name) we need, it is implemented by alias.
User_Alias
Host_Alias
Cmnd_Alias
The format of these three aliases has been illustrated in the file. We will give you a demonstration through the example below.
[Root @ yufei ~] # Mongodo
Add the following three lines
User_Alias ADMPWD = user1, user2, user3
Cmnd_Alias ADMCMD =/usr/bin/passwd [A-Za-z] *,! /Usr/bin/passwd ,! /Usr/bin/passwd root
Admpwd all = (root) ADMCMD

Note:
1. The above user1, user2, and user3 are all users on the system.
2. the alias is followed by an uppercase alias, and the equals sign is followed by the content in the alias.
3. After adding an alias, do not do what I can or cannot do, just like the third sentence.
4. The interval between two sudo operations is five minutes. You do not need to enter a password for the second operation.

Combined Use of sudo + su
Through the above explanation, we may think of a situation where, through sudo + su, can a common user be switched to a root user without entering the root password? The answer is yes, so let's take a look at how to implement it.
Edit the sudo configuration file.
[Root @ yufei ~] # Mongodo
Add the following content
Yufei ALL = (root)/bin/su-
In this way, the common user can be switched to the root user through sudo without disclosing the root password.
[Root @ yufei ~] # Su-yufei
[Yufei @ yufei ~] $ Sudo su-
[Sudo] password for yufei:
[Root @ yufei ~] #
See [root @ yufei ~] # Now we know that we have succeeded!

From: yufei blog