Detailed explanation of sudo usage, authorization file, sudoers configuration example
Linux sudo command usage details: system permission management
Purpose and characteristics
The su command lets an ordinary user switch to root to run privileged commands, but it has two problems:
- the root password has to be shared with every such user, so it is easy for it to leak;
- for a single privileged operation, switching to root hands the user complete control of the system, not just the one command they actually need.
The way to avoid these problems is the sudo command: an ordinary user runs a privileged command as root (or as another user) while authenticating with their own password, so the root password never has to be disclosed.
Its main features are as follows:
1. sudo can restrict a user to running only certain commands, and only on certain hosts.
2. sudo logs every command run through it, so there is a record of what each user did.
3. sudo uses a timestamp file to implement a "ticket" system: when a user runs sudo and enters their password, they get a ticket that is valid for 5 minutes by default (the default can be changed at compile time, or per site with the `timestamp_timeout` option in sudoers); while the ticket is valid sudo does not ask for the password again.
4. The configuration file is /etc/sudoers and its mode must be 0440. It lets the system administrator centrally manage which users may run which commands on which hosts.
```
sudo [-VhlLvkKsHPSb] [-p prompt] [-c class|-] [-a auth_type] [-u username|#uid] command
```
| Option | Meaning |
|---|---|
| -V | Display the version number. |
| -h | Display a short usage (help) message and exit. |
| -l | List the commands the invoking user is allowed (and forbidden) to run with sudo on this host. |
| -k | Invalidate the user's cached credentials (the timestamp ticket), so the next sudo asks for the password again even if the ticket had not yet expired. |
| -b | Run the command in the background, so it does not occupy the current shell. |
| -p prompt | Use a custom password prompt; %u is replaced by the invoking user's name and %h by the host name. |
| -u username/#uid | Run the command as the given user (by name or numeric uid) instead of root, which is the default. |
| -s | Run the shell named in the SHELL environment variable, or failing that the invoking user's login shell from /etc/passwd. |
| -H | Set HOME in the environment to the target user's home directory (root's, if -u is not given). |
In a freshly installed /etc/sudoers only root (and, on many distributions, members of the wheel or sudo group) is authorized, so the basic usage is shown here as root. The basic format of the command is:
```
[root@zaishu ~]# useradd lisi
[root@zaishu ~]# sudo -u lisi touch /tmp/lisi
[root@zaishu ~]# ll /tmp/lisi
-rw-r--r-- 1 lisi lisi 0 Nov 24 10:03 /tmp/lisi
```
Here sudo -u lisi creates /tmp/lisi as the user lisi: the owner of the new file is lisi, not root.
To run a sequence of commands as lisi, pass them to sh -c:
```
[root@zaishu ~]# sudo -u lisi sh -c "mkdir /tmp/zaishu; cd /tmp/zaishu; echo 'hello.zaishu.cn' > index.html"
[root@zaishu ~]# ll /tmp/zaishu/
total 4
-rw-r--r-- 1 lisi lisi 16 Nov 24 10:07 index.html
[root@zaishu ~]# cat /tmp/zaishu/index.html
hello.zaishu.cn
```
Authorization file (sudoers)
sudo is what lets ordinary users run privileged commands, but a user must first be granted the right in the authorization file.
Running a command through sudo goes through the following steps:
1. sudo checks /etc/sudoers to verify that the invoking user is allowed to run the requested command, as the requested target user, on this host;
2. if so, the user is asked for their own password (not root's) to confirm their identity, unless a valid ticket already exists;
3. once the password is accepted, the command following sudo is executed as the target user.
Authorization document modification
Edit /etc/sudoers with visudo rather than vim. The file must follow a specific syntax, and visudo locks it against concurrent edits and checks the syntax when you exit, refusing to install a file with an error (a broken /etc/sudoers would otherwise lock everyone out of sudo).
So the command to modify /etc/sudoers is:
```
[root@localhost ~]# visudo
...Omit partial output
root    ALL=(ALL)       ALL
# %wheel ALL=(ALL)      ALL
```
Meaning of authorization document
Each authorization line answers four questions: which user or group, on which hosts, may run which commands, as which identity:
```
root    ALL=(ALL)       ALL     # user   host(s)=(target identity)  command(s), absolute path
#%wheel ALL=(ALL)       ALL     # %group host(s)=(target identity)  command(s), absolute path
```
| Field | Meaning |
|---|---|
| User or group name | The system user the rule applies to, or, with a % prefix, the group whose members it applies to. |
| Host | The host (name or IP address) on which the rule is in force. ALL means every host. The field is matched against the name or address of the machine sudo is running on, which lets one sudoers file be shared across many servers; it does not restrict where the user logs in from. |
| Target identity | The user(s) the command may be run as. (root) means only root; (ALL) means any user. If the field is omitted, the command may only be run as root. |
| Command | The command, written with its absolute path. ALL means any command. |
1. Add command permissions to ordinary users
Create the user zaishu and set a password for it:
```
[root@zaishu ~]# useradd zaishu
[root@zaishu ~]# echo '123456' | passwd --stdin zaishu
Changing password for user zaishu.
passwd: all authentication tokens updated successfully.
```
Edit the configuration file with visudo and add a line that lets zaishu run useradd as root:
```
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
zaishu  ALL=(root)      /usr/sbin/useradd     ## added permission
```
Switch to user zaishu and verify the special permission:
```
[root@zaishu ~]# su - zaishu                 # switch user
Last login: Wed Nov 24 10:50:21 CST 2021 on pts/0
[zaishu@zaishu ~]$ sudo -l                   # list this user's sudo permissions
..
User zaishu may run the following commands on zaishu:
    (root) /usr/sbin/useradd
[zaishu@zaishu ~]$ sudo /usr/sbin/useradd test2
[zaishu@zaishu ~]$ tail -1 /etc/passwd
test2:x:1103:1103::/home/test2:/bin/csh
```
Check /var/log/secure to trace the sudo commands run by ordinary users. Every invocation is recorded with the invoking user, terminal, working directory, target user and the full command:
```
[root@zaishu ~]# tail -f /var/log/secure
Nov 24 10:50:21 zaishu su: pam_unix(su-l:session): session closed for user zaishu
Nov 24 10:50:50 zaishu su: pam_unix(su-l:session): session opened for user zaishu by root(uid=0)
Nov 24 10:50:59 zaishu sudo: zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=list
Nov 24 10:52:47 zaishu sudo: zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/useradd test2
Nov 24 10:52:47 zaishu sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Nov 24 10:52:47 zaishu useradd: new group: name=test2, GID=1103
Nov 24 10:52:47 zaishu useradd: new user: name=test2, UID=1103, GID=1103, home=/home/test2, shell=/bin/csh
```
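The log format above is regular enough to parse, which is how a security team actually uses it. The following Python is an added example, not code from this page: it parses sudo records out of constructed /var/log/secure-style lines (SAMPLE_LOG is made up to match the format shown, and also includes the refusal messages sudo writes when a command is not allowed, the password is wrong, or the user is not in sudoers) and flags every refusal plus any successful run of a shell, editor or pager as another user, since those are the entries that matter when reviewing sudo use. The function names and the SHELL_CAPABLE list are this example's own choices.

```python
"""Parse sudo records from /var/log/secure-style syslog lines and flag the
ones an administrator should look at.  Added example, not from the page;
SAMPLE_LOG is constructed to match the format shown above."""
import os
import re

# "Nov 24 10:52:47 zaishu sudo: zaishu : <rest>".  sudo pads the user name,
# so allow any amount of whitespace after "sudo:".  The pam_unix session
# lines sudo also emits contain no " : " and therefore do not match.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)

# Programs that give the caller an interactive shell, or an editor/pager with
# a shell escape; running them as root is a classic privilege-escalation path.
SHELL_CAPABLE = {"bash", "sh", "dash", "zsh", "vi", "vim", "less", "more"}

# Constructed sample, same layout as the /var/log/secure excerpt above.
SAMPLE_LOG = """\
Nov 24 10:50:59 zaishu sudo: zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=list
Nov 24 10:52:47 zaishu sudo: zaishu : TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/useradd test2
Nov 24 10:52:47 zaishu sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Nov 24 10:55:02 zaishu sudo: zaishu : command not allowed ; TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/bin/bash
Nov 24 10:56:10 zaishu sudo: zaishu : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/zaishu ; USER=root ; COMMAND=/usr/sbin/useradd test3
Nov 24 10:57:30 zaishu sudo:     u1 : TTY=pts/1 ; PWD=/home/u1 ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Nov 24 10:58:00 zaishu sudo:    bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
"""


def parse_sudo_line(line):
    """Return a dict for a sudo command record, or None for any other line."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # COMMAND= is always the last field and its arguments may contain ';',
    # so split it off first and only then split the rest on " ; ".
    head, sep, command = m.group("rest").partition(" ; COMMAND=")
    if not sep:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"),
             "user": m.group("user"), "reason": None, "command": command}
    for part in head.split(" ; "):
        key, eq, value = part.partition("=")
        if eq and key.isupper():           # TTY=, PWD=, USER=, GROUP=
            event["runas" if key == "USER" else key.lower()] = value
        else:                              # free text before the fields: why sudo refused
            event["reason"] = part
    return event


def parse_log(text):
    """All sudo command records in a log excerpt, in order."""
    return [e for e in (parse_sudo_line(l) for l in text.splitlines()) if e]


def find_suspicious(events):
    """(user, finding) pairs: every refusal, plus each successful run of a
    shell-capable program as another user."""
    findings = []
    for e in events:
        if e["reason"]:
            findings.append((e["user"], "denied: " + e["reason"]))
            continue
        prog = os.path.basename((e["command"].split() or [""])[0])
        if prog in SHELL_CAPABLE:
            findings.append((e["user"], "shell-capable command as %s: %s"
                             % (e.get("runas", "?"), e["command"])))
    return findings


if __name__ == "__main__":
    for user, what in find_suspicious(parse_log(SAMPLE_LOG)):
        print("%s: %s" % (user, what))
```

Pipe a real file through `parse_log` (for example `parse_log(open("/var/log/secure").read())`) and the same findings come out; the refusal messages are logged before the first `;`, which is why the parser treats any field without `=` as the reason.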
Within the ticket lifetime, further sudo commands in the same session do not ask for the password again; sudo -k discards the ticket so that the next sudo prompts for it:
```
[zaishu@zaishu ~]$ sudo -k
[zaishu@zaishu ~]$ sudo /usr/sbin/useradd test3
[sudo] password for zaishu:
```
2. Ordinary users can add multiple command permissions
Authorize zaishu to restart the server as well. Run visudo again and extend the existing zaishu line; several commands can be listed on one entry, separated by commas:
```
[root@zaishu ~]# visudo          # edit /etc/sudoers, add the authorization
zaishu  ALL=(root)      /usr/sbin/useradd, /sbin/shutdown -r now
```
Switch to user zaishu and verify the special permissions. sudo -l now lists both authorized commands:
```
[root@zaishu ~]# su - zaishu                 # switch user
Last login: Wed Nov 24 10:50:50 CST 2021 on pts/0
[zaishu@zaishu ~]$ sudo -l                   # list the currently authorized commands
[sudo] password for zaishu:
..
User zaishu may run the following commands on zaishu:
    (root) /usr/sbin/useradd, /sbin/shutdown -r now
[zaishu@zaishu ~]$ sudo /sbin/shutdown -r now   # perform the restart
[sudo] password for zaishu:
Connection closing...Socket close.
```
3. Add user permissions to the group
Add the users and the group:
```
[root@zaishu ~]# groupadd dba
[root@zaishu ~]# useradd u1
[root@zaishu ~]# useradd u2
[root@zaishu ~]# useradd u3
```
Authorize system commands to the group (a % prefix marks a group name):
```
[root@localhost ~]# visudo
....
%dba    ALL=(ALL)       ALL
```
Add a user to the group:
```
[root@zaishu ~]# usermod -a -G dba u1
[root@zaishu ~]# id u1
uid=1105(u1) gid=1106(u1) groups=1106(u1),1105(dba)
```
```
[u1@zaishu ~]$ sudo init 6
....
[sudo] password for u1:
```
Because u1 is a member of dba, u1 can use sudo (here to reboot with init 6), while u2 and u3 cannot. To let another user use sudo, add that user to the dba group; no further edit of /etc/sudoers is needed. Note that %dba ALL=(ALL) ALL gives members of dba unrestricted root, so membership of that group should be controlled as carefully as the root password itself.
4. Use alias
The sudoers file supports grouping objects of the same kind under aliases. Alias names must be written in uppercase letters (digits and underscores are allowed after the first letter):
- Host_Alias: host alias
- User_Alias: user alias
- Runas_Alias: alias for the target identities a command may be run as
- Cmnd_Alias: command alias
Define the aliases in the configuration file and then use them in the authorization lines:
```
Host_Alias USERHOSTS = 172.16.0.0/16, 192.168.0.0/24   ## hosts on which the special commands may be run
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/userdel   ## command alias
root    ALL=(ALL)           ALL
zaishu  ALL=(root)          USERADMIN   ## zaishu may run every command in USERADMIN, on any host
zaishu  USERHOSTS=(root)    USERADMIN   ## the same, restricted to the hosts in USERHOSTS
```
The run-as field must name a real user, so it is written (root); an uppercase (ROOT) would be read as a reference to an undefined Runas_Alias and visudo would warn about it.
```
[root@localhost ~]# su - zaishu
[zaishu@localhost ~]$ sudo /usr/sbin/userdel -r u2   ## delete user u2 through the USERADMIN alias
[sudo] password for zaishu:
```
5. Prohibit a user from performing specific operations
```
zaishu  ALL=(root)  /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root   ## zaishu may change any user's password as root, except root's
```
Entries are applied in order and the last match wins, so the negated entry placed after the wildcard entry takes effect for `passwd root`. Two caveats from sudoers(5) apply: command arguments are matched as a single concatenated string, so the `*` wildcard also matches several words (this rule assumes passwd accepts only one user name); and `!` cannot securely subtract commands from ALL, because a user who is allowed ALL can copy a forbidden program to another name and run the copy.
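To see exactly why this rule behaves as it does, here is an added Python example (not from the page or from sudo itself) that reimplements the part of sudoers command matching relevant here: a command list is applied in order, the last match wins, and arguments are compared as one string, with fnmatch(3) when the rule contains wildcards. It handles only the command list (no user, host or run-as fields), does not support commas inside arguments, and assumes the requested command path has already been resolved the way sudo resolves it; parse_cmnd_list and is_allowed are this example's own names. It also shows the second caveat above, a negated entry after ALL being sidestepped by a renamed copy of the program.

```python
"""Toy reimplementation of sudoers command-list matching.  Added example,
not part of the page or of sudo; it covers only the Cmnd_Spec list."""
import fnmatch


def parse_cmnd_list(spec):
    """'/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root' ->
    [(negated, path, args), ...].  Commas inside arguments are not supported."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        path, _, args = item.lstrip("!").strip().partition(" ")
        rules.append((negated, path, args.strip()))
    return rules


def _args_match(rule_args, cmd_args):
    # sudoers semantics: no args in the rule -> any args allowed; "" -> the
    # command must be run with no args; otherwise an exact string compare, or
    # fnmatch(3) over the whole argument string when the rule has wildcards.
    if rule_args == "":
        return True
    if rule_args == '""':
        return cmd_args == ""
    if any(c in rule_args for c in "*?["):
        return fnmatch.fnmatchcase(cmd_args, rule_args)
    return cmd_args == rule_args


def is_allowed(rules, cmd_path, cmd_args=""):
    """Apply the rules in order; as in sudoers, the last match wins."""
    allowed = False
    for negated, path, args in rules:
        if (path == "ALL" or path == cmd_path) and _args_match(args, cmd_args):
            allowed = not negated
    return allowed


if __name__ == "__main__":
    passwd_rules = parse_cmnd_list("/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root")
    for args in ("alice", "root", "-d root", "alice root"):
        print("passwd %-10s -> %s" % (args, is_allowed(passwd_rules, "/usr/bin/passwd", args)))
    # "alice root" is allowed because '*' also matches the space: the rule is
    # only safe if passwd refuses more than one user name.

    # Subtracting from ALL is not a security boundary: a copy of the forbidden
    # program under another path is matched by ALL but not by the negation.
    all_but_bash = parse_cmnd_list("ALL, !/bin/bash")
    print("/bin/bash   ->", is_allowed(all_but_bash, "/bin/bash"))      # False
    print("/tmp/mybash ->", is_allowed(all_but_bash, "/tmp/mybash"))    # True
```

The `-d root` case is denied not by the negation but because `-d root` does not match `[a-zA-Z]*` at all; with no matching entry sudo refuses the command. If you want a user to manage passwords without this kind of reasoning, the safer pattern is to grant a wrapper script that validates its single argument rather than passwd with a wildcard.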