Detailed explanation of sudo usage, authorization file, sudoers configuration example

Linux sudo command usage details: system permission management

Concept

Purpose and characteristics

The su command allows an ordinary user to switch to root to execute privileged commands, but this has some problems:

  1. The root password must be disclosed to the user.
  2. For a single privileged operation, switching to root gives the ordinary user full control of the system.

The remedy for these risks of su is the sudo command, which lets an ordinary user execute privileged commands without knowing the root password.

Its main features are as follows:
1. sudo can restrict users to running only certain commands, and only on a given host.
2. sudo keeps a log recording what each user did.
3. sudo uses a timestamp file to implement a "ticket" system: when the user invokes sudo and enters their password, they receive a ticket that is valid for 5 minutes (this value can be changed at compile time).
4. The configuration file is /etc/sudoers and its mode must be 0440. It lets the system administrator centrally manage user permissions and hosts.

Syntax options

sudo [ -VhlLvkKsHPSb ] | [ -p prompt ] [ -c class|- ] [ -a auth_type ] [ -u username|#uid ] command

Parameters:

Option            Meaning
-V                Display the version number.
-h                Display the version number and usage instructions.
-l                List the commands the current user (the one running sudo) is allowed to execute with sudo.
-k                Force the user to enter a password the next time sudo is run, whether or not the ticket has expired.
-b                Run the command in the background so it does not affect the current shell.
-p prompt         Change the password prompt; %u is replaced by the user's account name and %h by the host name.
-u username/#uid  Run the command as username (or uid) instead of the default root.
-s                Run the shell given by the SHELL environment variable, or the shell specified in /etc/passwd.
-H                Set HOME in the environment to the target user's home directory (root if -u is not given).

sudo -u

By default only root is allowed to run sudo. The basic form of the command is:
[example 1]

[root@zaishu ~]# useradd lisi
[root@zaishu ~]# sudo -u lisi touch /tmp/lisi
[root@zaishu ~]# ll /tmp/lisi
-rw-r--r-- 1 lisi lisi 0 Nov 24 10:03 /tmp/lisi

sudo -u lisi creates the file /tmp/lisi as the user lisi; the listing shows that the owner of the new file is lisi.

[example 2]
Run sh -c as lisi to execute a series of commands.

[root@zaishu ~]# sudo -u lisi sh -c "mkdir /tmp/zaishu; cd /tmp/zaishu; echo 'hello.zaishu.cn' > index.html" 
[root@zaishu ~]# ll /tmp/zaishu/
total 4
-rw-r--r-- 1 lisi lisi 16 Nov 24 10:07 index.html
[root@zaishu ~]# cat /tmp/zaishu/index.html 
hello.zaishu.cn

Authorization file (sudoers)

Application principle

sudo lets ordinary users execute privileged commands, but the authorization file must be configured for them first.
Running a sudo command involves the following steps:
1. When sudo is invoked, it first checks /etc/sudoers to verify that the user is permitted to run sudo.
2. Once the user is confirmed to have sudo permission, the user enters their own password to authenticate.
3. After the password is accepted, the command following sudo is executed.

Authorization document modification

Edit /etc/sudoers with visudo rather than vim. Because /etc/sudoers must follow strict syntax rules, the advantage of visudo is that it checks the syntax when you exit.

Therefore, the command to modify /etc/sudoers is as follows:

[root@localhost ~]# visudo
...(partial output omitted)
root ALL=(ALL) ALL  
# %wheel ALL=(ALL) ALL 

Meaning of authorization document

Which user or group, from which host, = (as which identity), may run which commands:

root ALL=(ALL) ALL
# user name    address of managed host = (identity to run as)    authorized command (absolute path)
#%wheel ALL=(ALL) ALL
# %group name  address of managed host = (identity to run as)    authorized command (absolute path)

Field                    Meaning
User name or group name  Which user or group in the system may use the sudo command (a group name is prefixed with %).
Address of managed host  The hosts on which the user may run the commands. ALL means the user can manage any host; a fixed IP means the user can manage only that server; if the IP address of this machine is written here, the user can manage the current server from any IP address.
Usable identity          The identity the authorized commands run as. root means they run as root; (ALL) means the user can switch to any identity. This field can be omitted.
Authorization command    The command the user may run, written with an absolute path. The default ALL means any command can be executed.

Example

1. Add command permissions to ordinary users

Create the user zaishu and set a password for it

[root@zaishu ~]# useradd zaishu
[root@zaishu ~]# echo '123456' | passwd --stdin zaishu
Changing password for user zaishu.
passwd: all authentication tokens updated successfully.

Edit the configuration file and grant zaishu permission to run useradd

visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
zaishu  ALL=(root)      /usr/sbin/useradd       ## added permission

Switch to user zaishu and verify special permissions

[root@zaishu ~]# su - zaishu / / switch users
Last login: Wed Nov 24 10:50:21 CST 2021 on pts/0

[zaishu@zaishu ~]$ sudo -l
..
User zaishu may run the following commands on zaishu:
    (root) /usr/sbin/useradd  //View the special permissions this user has

[zaishu@zaishu ~]$ sudo /usr/sbin/useradd  test2
[zaishu@zaishu ~]$ tail -1 /etc/passwd
test2:x:1103:1103::/home/test2:/bin/csh    

Check the log /var/log/secure to trace the sudo commands run by ordinary users.

[root@zaishu ~]# tail -f /var/log/secure
Nov 24 10:50:21 zaishu su: pam_unix(su-l:session): session closed for user zaishu
Nov 24 10:50:50 zaishu su: pam_unix(su-l:session): session opened for user zaishu by root(uid=0)
Nov 24 10:50:59 zaishu sudo:  zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=list
Nov 24 10:52:47 zaishu sudo:  zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/useradd test2
Nov 24 10:52:47 zaishu sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Nov 24 10:52:47 zaishu useradd[1458]: new group: name=test2, GID=1103
Nov 24 10:52:47 zaishu useradd[1458]: new user: name=test2, UID=1103, GID=1103, home=/home/test2, shell=/bin/csh
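To trace such entries beyond eyeballing tail -f, here is an added example (not part of the original post) that parses sudo records in the /var/log/secure format shown above with awk, counts what each user actually executed as root, and flags any command outside the grant from this example (useradd and shutdown); the log lines in it are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): parse sudo records from
# /var/log/secure-style lines and report who ran what as whom.
# Assumes the standard sudo syslog format shown in the page's log excerpt:
#   "<date> <host> sudo:  <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"

# Constructed sample lines (not captured from a real system); the last one
# is the form sudo logs when a user runs a command sudoers does not allow.
SAMPLE_LOG='Nov 24 10:50:50 zaishu su: pam_unix(su-l:session): session opened for user zaishu by root(uid=0)
Nov 24 10:50:59 zaishu sudo:  zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=list
Nov 24 10:52:47 zaishu sudo:  zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/useradd test2
Nov 24 11:02:13 zaishu sudo:  zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/sbin/shutdown -r now
Nov 24 11:05:40 zaishu sudo:  zaishu : command not allowed ; TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/userdel test2'

# One "STATUS|user|target|command" line per sudo record.  STATUS is DENIED
# when sudoers refused the command, OK when it ran ("list" is sudo -l).
sudo_events() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $5 == "sudo:" {
            user   = $6
            status = ($0 ~ /command not allowed/) ? "DENIED" : "OK"
            target = $0; sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
            cmd    = $0; sub(/.*COMMAND=/, "", cmd)
            print status "|" user "|" target "|" cmd
        }'
}

# Number of commands each user actually executed as root (denials and
# sudo -l excluded), the figure an auditor usually wants first.
root_cmd_count() {
    sudo_events | awk -F'|' '
        $1 == "OK" && $3 == "root" && $4 != "list" { n[$2]++ }
        END { for (u in n) print u, n[u] }'
}

# Flag any invocation whose binary is outside the grant from the examples
# above (useradd and shutdown), whether sudo allowed it or not: a denied
# attempt is still worth a look, and an allowed one means sudoers drifted.
unexpected_cmds() {
    sudo_events | awk -F'|' '
        BEGIN { ok["/usr/sbin/useradd"]; ok["/sbin/shutdown"] }
        $4 != "list" {
            split($4, a, " ")
            if (!(a[1] in ok)) print $1, $2, $4
        }'
}
sudo_events
root_cmd_count
unexpected_cmds
```

On a real host replace SAMPLE_LOG with the output of grep ' sudo: ' /var/log/secure and keep the allow list in step with the sudoers grants.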

If you use sudo again within the same session you are not asked for the password, but sudo -k forces the user to enter the password again next time:

[zaishu@zaishu ~]$ sudo -k
[zaishu@zaishu ~]$ sudo /usr/sbin/useradd test3
[sudo] password for zaishu: 

2. Grant an ordinary user multiple command permissions

Authorize the ordinary user to restart the server:
[root@zaishu ~]# visudo    //add the authorization to /etc/sudoers

zaishu ALL=/sbin/shutdown -r now

Switch to user zaishu and verify special permissions
You can write multiple authorization commands separated by commas. User zaishu can use sudo -l to view the list of authorized commands:

[root@zaishu ~]# su - zaishu    //switch user
Last login: Wed Nov 24 10:50:50 CST 2021 on pts/0
[zaishu@zaishu ~]$ sudo -l    //View the list of currently authorized commands
[sudo] password for zaishu: 
..
User zaishu may run the following commands on zaishu:
    (root) /usr/sbin/useradd, /sbin/shutdown -r now  //View the list of currently authorized commands

[zaishu@zaishu ~]$ sudo /sbin/shutdown -r now //Perform restart
[sudo] password for zaishu: 
Connection closing...Socket close.

3. Add user permissions to the group

Add users and groups

[root@zaishu ~]# groupadd dba
[root@zaishu ~]# useradd u1 
[root@zaishu ~]# useradd u2
[root@zaishu ~]# useradd u3

Authorize system commands to groups

[root@localhost ~]# visudo
....
%dba     ALL=(ALL)    ALL

Add user to group

[root@zaishu ~]# usermod -a -G dba u1
[root@zaishu ~]# id u1
uid=1105(u1) gid=1106(u1) groups=1106(u1),1105(dba)

Verification

[u1@zaishu ~]$ sudo init 6
....
[sudo] password for u1: 

Since u1 is added to the dba group, u1 can use the sudo command, while other users cannot. If you want other users to use the sudo command, you just need to add other users to the dba group.

4. Use alias

The sudoers file supports grouping objects of the same kind with aliases; alias names must be written in all uppercase letters.

Host_Alias: host alias (a set of hosts)
User_Alias: user alias (a set of users or groups)
Runas_Alias: run-as alias (a set of identities that commands may be run as)
Cmnd_Alias: command alias (a set of commands)

Define an alias in the configuration file
[root@zaishu ~]# visudo

Host_Alias USERHOSTS = 172.16.0.0/16,192.168.0.0/24    ##Define the host alias: the machines on which the special commands may be executed
Cmnd_Alias    USERADMIN=/usr/sbin/useradd,/usr/sbin/userdel    ##Define the command alias
root    ALL=(ALL)       ALL
zaishu   ALL=(root)      USERADMIN    ##zaishu can execute every command in the alias USERADMIN
zaishu   USERHOSTS=(root)        USERADMIN    ##The alias commands may be executed on the machines in the alias USERHOSTS
[root@localhost ~]# su - zaishu
[zaishu@localhost ~]$ sudo /usr/sbin/userdel -r u2    ##Delete user u2
[sudo] password for zaishu:

5. Prohibit a user from performing specific operations

zaishu ALL=(root) /usr/bin/passwd [a-zA-Z]*,!/usr/bin/passwd root
##zaishu can change the user password as root, but it is forbidden to change the root password.

Summary

Detailed explanation of sudo usage, authorization file, sudoers configuration example.

Tags: Linux Operation & Maintenance bash

Posted on Tue, 23 Nov 2021 23:53:44 -0500 by trygve