This article explains sudo under Linux and the detailed configuration of its configuration file, /etc/sudoers.
Detailed explanation of sudo under Linux and the detailed configuration of its configuration file /etc/sudoers
1. Sudo introduction
sudo is a commonly used Linux tool that lets ordinary users run commands with superuser privileges. It allows system administrators to let ordinary users execute some or all root commands, such as halt, reboot, su, etc. This not only reduces the time the root user spends logging in and managing the system, but also improves security. sudo is not a replacement for the shell; it works on a per-command basis.
Its main features include the following:
§ sudo can restrict users to run certain commands only on a certain host.
§ sudo provides rich logs, recording in detail what each user has done. It can transmit logs to a central host or log server.
§ sudo uses timestamp files to implement a "ticket check" style system. When the user calls sudo and enters their password, the user is issued a ticket with a lifespan of 5 minutes (this value can be changed at compile time).
§ The sudo configuration file is the sudoers file, which allows system administrators to centrally manage user permissions and the hosts they apply to. Its default location is /etc/sudoers, and its permissions must be 0411.
2. Configuration file /etc/sudoers
The main configuration file is sudoers, which is usually in the /etc directory under Linux. On Solaris, sudo is not installed by default; after compiling and installing it, the file is usually in the etc directory under the installation directory. No matter where the sudoers file is, sudo provides a command for editing it: visudo. It is strongly recommended to use this command to modify sudoers, because it verifies that the file is configured correctly. If it is not, you are told which entry is wrong when you save and exit.
Getting back to the subject, here is how to configure sudoers.
First, here is the default sudoers configuration:
    #############################################################
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # Defaults specification
    # User privilege specification
    root ALL=(ALL) ALL
    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL
    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now
    ##################################################################
1. The simplest configuration allows the ordinary user support to have all the permissions of root
After executing visudo, you can see that there is only one default configuration:
root ALL=(ALL) ALL
Then you add a configuration below:
support ALL=(ALL) ALL
In this way, the ordinary user support can execute all commands with root privileges.
After logging in as support user, execute:
sudo su -
Then enter the support user's own password to switch to the root user.
2. Allow the ordinary user support to only execute certain commands that root can execute on certain servers
First, configure some aliases. They make the permission rules below more convenient to write, without long repeated sections of configuration. There are 4 types of alias:
Host_Alias
Cmnd_Alias
User_Alias
Runas_Alias
1) Configure Host_Alias: It is the list of hosts
Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
2) Configure Cmnd_Alias: It is the list of commands allowed to be executed
Cmnd_Alias COMMAND_FLAG = command1, command2, command3
3) Configure User_Alias: It is the list of users with sudo permissions
User_Alias USER_FLAG = user1, user2, user3
4) Configure Runas_Alias: It is the list of identities the user may run commands as (such as root or oracle)
Runas_Alias RUNAS_FLAG = operator1, operator2, operator3
5) Configure permissions
The format of configuration permissions is as follows:
##USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG
USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
Configuration example:
    ############################################################################
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
    Host_Alias EPG = 192.168.1.1, 192.168.1.2
    # User alias specification
    # Cmnd alias specification
    Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, /sbin/service, /bin/rm
    # Defaults specification
    # User privilege specification
    root ALL=(ALL) ALL
    support EPG=(ALL) NOPASSWD: SQUID
    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL
    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now
    ##################################################
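An added example, not part of the original article: a small Python audit that expands the aliases in the configuration above and lists what each rule actually grants. It assumes a simplified subset of sudoers syntax (one rule per line, only the NOPASSWD tag, no line continuations or negation, host field not evaluated); the function name audit and the wording of the findings are this example's own.

```python
import re

# Constructed input: the active (uncommented) lines of the article's example file.
SAMPLE = """\
Host_Alias EPG = 192.168.1.1, 192.168.1.2
Cmnd_Alias SQUID = /opt/vtbin/squid_refresh, /sbin/service, /bin/rm
root ALL=(ALL) ALL
support EPG=(ALL) NOPASSWD: SQUID
"""

ALIAS = re.compile(r"^(?:Host|Cmnd|User|Runas)_Alias\s+(\w+)\s*=\s*(.+)$")
# user host = [(runas)] [NOPASSWD:] command-list
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:)?\s*(.+)$")

def items(text):
    """Split a comma-separated sudoers list into trimmed entries."""
    return [i.strip() for i in text.split(",") if i.strip()]

def audit(sudoers):
    """Return {user: [findings]} for a simplified subset of sudoers syntax."""
    lines = [l.strip() for l in sudoers.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # Pass 1: collect alias definitions so rules can be expanded.
    aliases = {m.group(1): items(m.group(2)) for m in map(ALIAS.match, lines) if m}
    report = {}
    # Pass 2: inspect each user privilege specification.
    for line in lines:
        m = SPEC.match(line)
        if ALIAS.match(line) or line.startswith("Defaults") or not m:
            continue
        user, _host, runas, nopasswd, cmds = m.groups()
        findings = []
        if nopasswd:
            findings.append("NOPASSWD: no password prompt")
        if runas and "ALL" in items(runas):
            findings.append("runas ALL: may run as any user")
        for cmd in (c for name in items(cmds) for c in aliases.get(name, [name])):
            if cmd == "ALL":
                findings.append("ALL: every command")
            elif " " not in cmd:
                # sudoers: a command listed without arguments accepts any arguments
                findings.append(f"{cmd}: any arguments allowed")
        report.setdefault(user, []).extend(findings)
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, findings)
```

Run on the article's example, it reports that the support rule allows /sbin/service and /bin/rm to be run as any user, with any arguments and without a password prompt, so the SQUID alias grants more than its name suggests. Listing the exact arguments in the Cmnd_Alias and naming a specific runas user instead of ALL narrows the grant.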