Easy-to-answer questions | Do you really know how to use the su and sudo commands?

Brother Xu


1 su: switch user

1.1 Background note

A Linux system has multiple users, such as root, master and worker. How do you switch from one user to another? For example, after logging in as master you may suddenly need to run a command as worker and work on a file that belongs to worker. There are several ways to switch users at this point:

  • Log out of the current user and log in as worker

  • Switch with the su command

1.2 Command format

su: switch user
# For example, switch from the root user to the master user
[root@test /]$ su master

2 sudo: execute commands as another user

2.1 Why sudo exists

su does make switching users convenient: by switching to root, every system administration task can be performed, and as long as the root password is given to an ordinary user, that user can switch to root and do all of the administrative work.

But switching to root through su also introduces an unsafe factor. Suppose the system has 10 users who all take part in administration. If these 10 users need super-user privileges and you, as the administrator, want them to switch to root with su, you must tell all 10 of them the root password.

Once these 10 users hold root authority they can do anything with it, which to a certain extent threatens the security of the system. This is why sudo was created.

sudo can execute a command as another user without switching users.

2.2 Command options explained

-V displays the version number

-h displays the version number and usage instructions

-l lists the permissions of the invoking user (the user running sudo)

-v sudo asks for the password the first time it is run, and again if it has not been run within N minutes (N defaults to five); -v re-validates the cached credential, asking for the password if the N minutes have passed

-k forces sudo to ask for the password the next time it is executed (whether or not N minutes have passed)

-b runs the given command in the background

-p prompt replaces the password prompt; in prompt, %u is replaced by the user's account name and %h by the host name

-u username/#uid without this option the command is executed as root; with it, the command is executed as username (#uid is the numeric user id of username)

-s runs the shell named by the SHELL environment variable, or the shell specified in /etc/passwd

-H sets the HOME environment variable to the home directory of the target user (root if -u is not given)

command the command to execute as the system administrator (or as someone else with -u)

2.3 Command usage

Q: How is the command used?

A: It takes two steps:

  • edit the configuration file

  • authorize the user

Detailed explanation:

Having covered the role of sudo, how do you actually use this special-permission command?

The file /etc/sudoers must be configured:

[root@test ~]$ ls -al /etc/sudoers
-r--r----- 1 root root 4027 Aug 16 10:43 /etc/sudoers

How do you edit this file? (Some will say: just use vi. That is indeed one method.)

Two ways of editing the configuration file are given below.

  1. (Not recommended) vi /etc/sudoers. When using vi, note that the file is read-only, as shown above, so you must first make it writable before you can edit it, and restore the mode afterwards:

    [root@test ~]$ chmod u+w /etc/sudoers
    [root@test ~]$ vi /etc/sudoers
    [root@test ~]$ chmod u-w /etc/sudoers

  2. (Recommended) the visudo command, which opens the file directly in an editor:

    [root@test ~]$ visudo
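The visudo recommendation matters for more than convenience: visudo locks the file and refuses to save a sudoers that does not parse, and a broken sudoers stops sudo from working for everyone. The script below is an added check for this article, not code from the original: it verifies the -r--r----- root root permissions shown in the ls output above (mode 0440, owner uid 0 and gid 0) and, when a visudo binary is found on PATH, runs visudo's check-only mode (`visudo -c -f FILE`) against a named file. The file written by demo() is constructed for the demonstration.

```python
"""Audit a sudoers-style file the way an administrator would after editing it.

Added example, not code from the article: it checks the permissions the
article shows for /etc/sudoers (-r--r----- root root, i.e. mode 0440, owner
root:root) and, when a visudo binary is available, runs `visudo -c -f FILE`,
visudo's check-only mode against a named file, to catch syntax errors.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def audit_sudoers(path, run_visudo=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: " + path]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        findings.append(f"mode {mode:04o} (want 0440)")
    if (st.st_uid, st.st_gid) != (0, 0):
        findings.append(f"owner {st.st_uid}:{st.st_gid} (want 0:0)")
    if run_visudo:
        visudo = shutil.which("visudo")
        if visudo is None:
            findings.append("visudo not found; syntax not checked")
        else:
            # -c: check only (do not edit); -f: operate on this file instead of /etc/sudoers
            result = subprocess.run([visudo, "-c", "-f", path], capture_output=True, text=True)
            if result.returncode != 0:
                findings.append("visudo: " + (result.stdout + result.stderr).strip())
    return findings


def demo():
    """Write a constructed one-line fragment with a too-open mode and audit it
    (visudo skipped so the result does not depend on the host)."""
    path = os.path.join(tempfile.mkdtemp(), "sudoers.test")
    with open(path, "w") as fh:
        fh.write("master ALL=(ALL) NOPASSWD:ALL\n")  # rule taken from the article
    os.chmod(path, 0o644)
    return audit_sudoers(path, run_visudo=False)


if __name__ == "__main__":
    print(demo())
    print(audit_sudoers("/etc/sudoers"))  # live check of the local file (needs read access)
```

The same function applies to fragments dropped into /etc/sudoers.d/, which sudo reads with the same expectations about mode and ownership.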

Test scenario 1:

The authorization here takes the worker user as an example: authorize worker to run the command /sbin/shutdown -c.

  1. Before authorization, execute the command as worker:

[worker@linux1 ~]$ shutdown -c
Failed to talk to shutdownd, shutdown hasn't been canceled: Permission denied

  2. As root, use visudo to edit the authorization and add the following two lines (the two uncommented lines below are the additions):

## Allows members of the users group to mount and unmount the
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
# Authorized user/group  host name=(user allowed to switch to) NOPASSWD: command
master ALL=(ALL) NOPASSWD:ALL
worker ALL=(master) /sbin/shutdown -c,/bin/sudo
# no password required
# worker ALL=(ALL) NOPASSWD:/sbin/shutdown -c

  3. After authorization, running the command prompts for a password.

Why a password is requested: the prompt comes from the sudo command itself. The permissions given to worker are the commands /sbin/shutdown -c and /bin/sudo, and both require a password because NOPASSWD:/bin/sudo was not configured.

  • The outer sudo runs /bin/sudo under worker's own rule (worker ALL=(master) /sbin/shutdown -c,/bin/sudo); that rule is not tagged NOPASSWD, so a password is required here.

  • The inner shutdown -c is executed by master, whose rule does not require a password, so it runs directly without another password prompt.

# sudo uses -u to execute shutdown -c as the master user
[worker@linux1 ~]$ sudo -u master sudo shutdown -c
Password:
[worker@linux1 ~]$
Broadcast message from root@bsa161 (Thu 2023-02-02 13:29:37 CST):


The system shutdown has been canceled at Thu 2023-02-02 13:30:37 CST!

Test scenario 2:

Goal: as the worker user, edit the file aaa.txt, which belongs to wilson, acting as wilson.

User worker: the /home/worker directory contains no files.

User wilson: the /home/wilson directory contains a file aaa.txt.

User root:

  1. Do not grant sudo authorization to worker or wilson.

  2. Log in as worker and run vi to edit the /home/wilson/aaa.txt file.

  3. If step 2 fails, run sudo -u wilson vi /home/wilson/aaa.txt.

  4. If step 3 still cannot edit the file, authorize the vi command. Both users need a password; the configuration is as follows:

    wilson ALL=(ALL) ALL
    worker ALL=(wilson) /bin/vi

Result:

# directory listing
[root@linux1 ~]# ls /home/worker/
[root@linux1 ~]# ls /home/wilson/
aaa.txt aa.txt bbb.txt
[worker@linux1 ~]$ sudo -u wilson vi /home/wilson/aaa.txt
[sudo] password for worker:

2.4 Configuration file format

  1. Defining an alias

    For example, I have many commands related to /bin/chown and /bin/chmod. Writing them all out in the authorization rules gets long, so we can group them. That is what an alias is: it can be understood as a command group.

    For example:

    Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root (note the ! here)

  2. A complete example

# 1. Define aliases
User_Alias SYSADER=beinan,linuxsir,%beinan
User_Alias DISKADER=lanhaitun
Runas_Alias OP=root
# note the ! in the last member
Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
# command alias DSKCMD with members parted and fdisk
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk
# 2. Authorization rules
SYSADER ALL=SYDCMD,DSKCMD
DISKADER ALL=(OP) DSKCMD

# Notes:
# Line 1: the user alias SYSADER has the members beinan, linuxsir and the members of the beinan user group; a user group must be preceded by a % sign.

# Line 2: the user alias DISKADER has the member lanhaitun.

# Line 3: the Runas alias, that is, the alias for the target user, is OP, and it has the member root.

# Line 4: the command alias SYDCMD; its members are separated by commas, and the trailing !/usr/bin/passwd root means the root password cannot be changed through passwd.

# Line 5: the command alias DSKCMD has the members parted and fdisk.

# Line 6: any member of SYSADER is authorized to run (or forbidden from running, where negated) the commands defined under SYDCMD and DSKCMD on any host name that may exist.
# More specifically, beinan, linuxsir and the members of the beinan user group can run chown, chmod, adduser and passwd as root, but cannot change the root password;
# they can also run parted and fdisk as root.
# The equivalent rule written out in full is:
beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

# Line 7: any member of DISKADER is authorized to run DSKCMD as OP without a password; more specifically, lanhaitun can run the parted and fdisk commands as root. The equivalent rule is:
lanhaitun ALL=(root) /sbin/parted,/sbin/fdisk
# If I want SYSADER members to switch to root and run the commands under SYDCMD and DSKCMD without entering their password, where does NOPASSWD: go? See the example below:
SYSADER ALL= NOPASSWD: SYDCMD, NOPASSWD: DSKCMD

2.5 Authorizing a user group

  1. Command format: the group name must be prefixed with %

    # %group_name ALL=(target user) absolute path of the command
    %group ALL=(ALL) /usr/bin/yum

  2. Test

    wilson ALL=(ALL) /bin/ls
    # worker ALL=(wilson) /bin/ls,/bin/vi
    %worker ALL=(wilson) /bin/ls,/bin/vi

    User worker2 belongs to group worker2.

    User worker belongs to group worker.

    User wilson belongs to group wilson.

    Steps:

    Step 1: log in as worker2 and run sudo -u wilson vi /home/wilson/aaa.txt

    [worker2@linux1 root]$ sudo -u worker2 vi /home/worker/aaa.txt
    worker2 is not in the sudoers file.  This incident will be reported.

    Step 2: configure the user group permission

    wilson ALL=(ALL) /bin/ls
    # worker ALL=(wilson) /bin/ls,/bin/vi
    %worker ALL=(wilson) /bin/ls,/bin/vi

    Step 3: change the group worker2 belongs to, to worker

    [root@linux1 ~]# usermod -g worker worker2

    Step 4: run the command again

    [worker2@linux1 root]$ sudo -u wilson vi /home/worker/aaa.txt

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for worker2:
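To tie sections 2.3 to 2.5 together, here is a small evaluator of the rule forms used above: user and %group specs, the three alias kinds, (runas) lists, the NOPASSWD: tag, ! negation and wildcards in command arguments. It is an added example written for this article, not sudo's own parser and not a complete sudoers implementation; the fragment, the group table and the default host name linux1 are constructed to mirror the rules shown above. Two things it makes visible that the rules alone do not. First, the DISKADER rule carries no NOPASSWD tag, so lanhaitun is prompted for a password just like a SYSADER member. Second, because worker may run /bin/sudo as master and master holds NOPASSWD:ALL, the chain sudo -u master sudo <command> from scenario 1 reaches any command, so when reviewing a sudoers file, an entry for /bin/sudo, su or a shell in a command list should be read as equivalent to ALL.

```python
"""Evaluate who may run what under the sudoers rules used in this article.

Added example, not part of the article and not sudo's own parser. It handles
only the syntax the article uses: User_Alias/Runas_Alias/Cmnd_Alias, user or
%group specs, ALL, an optional (runas) list, the NOPASSWD: tag, `!` negation
and wildcards in command arguments. The fragment and group table below are
constructed to mirror the article's rules, not taken from a real system."""
import fnmatch
import re

SUDOERS = """
User_Alias  SYSADER=beinan,linuxsir,%beinan
User_Alias  DISKADER=lanhaitun
Runas_Alias OP=root
Cmnd_Alias  SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
Cmnd_Alias  DSKCMD=/sbin/parted,/sbin/fdisk
SYSADER  ALL=SYDCMD,DSKCMD
DISKADER ALL=(OP) DSKCMD
master   ALL=(ALL) NOPASSWD:ALL
worker   ALL=(master) /sbin/shutdown -c,/bin/sudo
%worker  ALL=(wilson) /bin/ls,/bin/vi
"""
GROUPS = {"worker": {"worker", "worker2"}, "beinan": {"beinan", "ops1"}}  # stand-in for /etc/group

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse(text):
    """Return (aliases, rules); a rule is (users, host, runas, command_list)."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        users, host, runas, cmds = m.groups()
        rules.append((users, host, runas or "root", cmds))  # no (runas) means root only
    return aliases, rules


def expand_cmds(spec, cmnd_aliases):
    """Yield (negated, nopasswd, pattern) in list order. A NOPASSWD: tag
    applies to the command it precedes and to the rest of the list."""
    nopasswd = False
    for item in (x.strip() for x in spec.split(",")):
        if item.startswith("NOPASSWD:"):
            nopasswd, item = True, item[9:].strip()
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item in cmnd_aliases:  # expand alias members in place, keeping the tag
            for neg, _, pat in expand_cmds(",".join(cmnd_aliases[item]), cmnd_aliases):
                yield negated ^ neg, nopasswd, pat
        else:
            yield negated, nopasswd, item


def spec_matches(spec, name, alias_table):
    """Match a user or runas list entry: ALL, a literal name, %group or an alias."""
    for s in (x.strip() for x in spec.split(",")):
        if s in ("ALL", name):
            return True
        if s.startswith("%") and name in GROUPS.get(s[1:], ()):
            return True
        if s in alias_table and spec_matches(",".join(alias_table[s]), name, alias_table):
            return True
    return False


def cmd_matches(pattern, command):
    """ALL matches anything; a pattern without arguments allows any arguments;
    arguments are compared as one string with fnmatch wildcards."""
    if pattern == "ALL":
        return True
    p_prog, _, p_args = pattern.partition(" ")
    c_prog, _, c_args = command.partition(" ")
    if p_prog != c_prog:
        return False
    return p_args == "" or fnmatch.fnmatchcase(c_args, p_args)


def check(sudoers, user, command, runas="root", host="linux1"):
    """Return (allowed, password_required). The last matching entry wins, which
    is how `!/usr/bin/passwd root` vetoes the earlier `passwd [A-Za-z]*`."""
    aliases, rules = parse(sudoers)
    verdict = (False, None)
    for users, rhost, rrunas, cmds in rules:
        if rhost not in ("ALL", host):
            continue
        if not spec_matches(users, user, aliases["User_Alias"]):
            continue
        if not spec_matches(rrunas, runas, aliases["Runas_Alias"]):
            continue
        for negated, nopasswd, pattern in expand_cmds(cmds, aliases["Cmnd_Alias"]):
            if cmd_matches(pattern, command):
                verdict = (False, None) if negated else (True, not nopasswd)
    return verdict
```

For example, check(SUDOERS, "worker", "/sbin/shutdown -c", runas="master") returns (True, True), the password prompt seen in scenario 1, while the same command with the default runas root is (False, None) because worker's rule only names master. On a real host, compare the evaluator's answers with sudo -l -U user, which is the authoritative listing; the evaluator is a reading aid for the format, not a replacement for sudo's own parser.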