Author: North-South-North; sponsors: eTony, pandonny, lazy cat, Arch; source: LinuxSir.Org
Summary: The superuser is the highest authority in the system and the only account competent to carry out all system management; because its power is so far-reaching, poor management of it is a threat to system security. Besides avoiding logging in directly as the superuser root, we should also learn to carry out necessary system management from an ordinary user account by switching to root; this is meaningful from the point of view of both user management and system security.
This article explains su and sudo, the commands used to switch from an ordinary user to the root user, in the hope of being a convenient reference for beginners.
Contents
I. Understanding superusers and ordinary users
   1. What is a superuser; 2. The correspondence between UIDs and users; 3. Ordinary users and pseudo-users
II. The role of the superuser (super privileges) in system management
   1. Operating on any file, directory or process; 2. System-wide management; 3. The irreplaceability of super privileges
III. Using the su command to switch user identity temporarily
   1. When su applies and its power; 2. su usage; 3. su examples; 4. Advantages and disadvantages of su
IV. sudo: authorized, and restricted, su
   1. When sudo applies; 2. Starting from the sudo configuration file /etc/sudoers; 3. Alias rules in /etc/sudoers; 4. Authorization rules in /etc/sudoers; 5. Other matters concerning /etc/sudoers; 6. sudo usage
V. Postscript
VI. About this article
VII. Thanks
VIII. Reference documents
IX. Related documents
In the Linux operating system root has the highest privileges and is also called the owner of super privileges. What ordinary users cannot do, the root user can, so root is also known as the super administrative user.
In the system every file, directory and process belongs to some user; without that user's permission no other ordinary user can operate on it, except root. root's privileges are also shown in its ability to override any user or user group: to read, modify or delete files or directories (within the permission limits the system allows); to execute or terminate executable programs; to add, create and remove things in the system; and to modify files and directories as system management requires (because root is the most privileged user in the system).

I. Understanding superusers and ordinary users
1. What is a superuser

In every Linux system users are distinguished by UID, and whether a user is the superuser is decided by the system from the UID. The superuser has the highest operating privileges in the system, so all system-management work can be completed as the superuser. We can check which users have UID 0 by reading /etc/passwd; only root has UID 0, which is why root is the system's irreplaceable, highest and unrestricted authority. The root user is the superuser of the system.
2. The correspondence between UIDs and users

When the system is freshly installed, users and UIDs are in a one-to-one relationship, that is, one UID corresponds to one user. We know that a user's identity is confirmed by the UID. In "User and Group Configuration Files Explained" we said of the UID: "The UID is the identifier of a user's privileges; when a user logs in, the role it plays in the system is decided by the UID, not by the user name. Several users sharing one UID is dangerous. For example, if we change an ordinary user's UID to 0 so that it shares a UID with root, we have in fact handed out system-management privileges. If we want to use root privileges, we can do so through su or sudo; we cannot let a user share the same UID with root."
Can UIDs and users in the system be many-to-one? Yes; for example we can assign the same UID value to several users, which makes a one-to-many relationship between a UID and users. But this is indeed risky: users with the same UID have the same identity and privileges. For example, if we change the UID of beinan to 0, this ordinary user in fact has super privileges, just as root does; every operation by beinan will be identified as an operation by root, because beinan's UID is 0 and the user whose UID is 0 is root. Isn't that a little confusing? It can also be understood this way: the user whose UID is 0 is root, and the UID of the root user is 0.
Keeping the one-to-one correspondence between UIDs and users is simply what system management requires of administrators, because system security always comes first. So reserving super privileges for root, and only root, is still the best choice.
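As an added example, not from the original article, the following shell script checks a passwd-format file for the two situations just described: accounts other than root with UID 0, and any UID shared by several accounts. The sample file and the function names are my own; on a real system you would point the functions at /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original article: find every account whose UID is 0,
# and every UID held by more than one account, in a passwd-format file.
# Only root should appear in the first list; the second should be empty.

PASSWD_SAMPLE="${TMPDIR:-/tmp}/passwd_sample_$$"
# Constructed sample in /etc/passwd format: beinan has (wrongly) been given UID 0,
# and linuxsir and lanhaitun share UID 505.
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
beinan:x:0:500:beinan:/home/beinan:/bin/bash
linuxsir:x:505:502::/home/linuxsir:/bin/bash
lanhaitun:x:505:506::/home/lanhaitun:/bin/bash
EOF

# uid0_accounts FILE: user names whose UID field (the third field) is 0
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# shared_uids FILE: "uid: user1 user2 ..." for every UID held by more than one account
shared_uids() {
    awk -F: '{ count[$3]++; users[$3] = users[$3] (users[$3] ? " " : "") $1 }
             END { for (u in count) if (count[u] > 1) print u ": " users[u] }' "$1" | sort -n
}

# only_root_has_uid0 FILE: exit status 0 if root is the only UID 0 account, 1 otherwise
only_root_has_uid0() {
    uid0_accounts "$1" | grep -v '^root$' >/dev/null && return 1
    return 0
}

# Stand-alone run against the constructed sample
echo "accounts with UID 0:"; uid0_accounts "$PASSWD_SAMPLE"
echo "shared UIDs:";         shared_uids "$PASSWD_SAMPLE"
only_root_has_uid0 "$PASSWD_SAMPLE" && echo "OK: only root has UID 0" || echo "WARNING: extra UID 0 account"
```

Run as written it reports root and beinan under UID 0 and flags UID 505 as shared; replacing the sample with /etc/passwd gives the same checks for a live system.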
If we do not give the UID value 0 to any other user, root alone has UID 0 and is the only user with super privileges.

3. Ordinary users and pseudo-users

Apart from the superuser there are ordinary users and virtual users (also called pseudo-users); ordinary users and pseudo-users are limited users, but they are necessary to complete specific tasks. Linux is a multi-user, multi-tasking operating system; "multi-user" mainly reflects the diversity of user roles, and different users are given different privileges. This is also where the Linux system is more secure than Windows, which even in its latest version, Windows 2003, cannot erase the mark of a single-user system.

II. The role of the superuser (super privileges) in system management
What role does the super-privileged user (UID 0) play in system management? Mainly two things.

1. Operating on any file, directory or process

It is worth noting that such operations stay within the highest permission range the system allows; some operations cannot be completed even by root with its super privileges.
For example, the /proc directory: /proc reflects the real-time state of the running system, so even for root its permissions are as follows:

[root@localhost ~]# pwd
/root
[root@localhost ~]# cd /
[root@localhost /]# ls -ld /proc/
dr-xr-xr-x  134 root root 0 2005-10-27 /proc/

This directory can only be read and executed; there is no write permission at all. Even if we grant root write permission on /proc, the root user still cannot write to it:

[root@localhost /]# chmod 755 /proc
[root@localhost /]# ls -ld /proc/
drwxr-xr-x  134 root root 0 2005-10-27 /proc/
[root@localhost /]# cd /proc/
[root@localhost proc]# mkdir testdir
mkdir: cannot create directory `testdir': No such file or directory
2. System-wide management

Hardware management, file-system management, user management, global system configuration and so on: when running a command or tool tells you that you lack permission, it mostly means super privileges are needed to complete it.
For example, adding users with adduser can only be done by a user with super privileges.

3. The irreplaceability of super privileges

Because super privileges play an indispensable and important role in system management, we must use them to complete system-management tasks. In general, for system security, ordinary applications do not need the root user; root is used only to manage and maintain the system, for example viewing and cleaning system logs, adding and deleting users, and so on.
Where system management is not involved, ordinary users can get the job done: writing a file, listening to music, processing a picture with GIMP, and so on. Most ordinary applications can be run by ordinary users.
When we log in with ordinary privileges, some system configuration and management must still be done by a user with super privileges, for example managing system logs or adding and deleting users. How can we do this without logging in directly as root? By switching from an ordinary user to root to perform the operations that system management needs. This involves the management of super privileges: obtaining super privileges is the process of switching an ordinary user's identity to that of the superuser, and that process is mainly handled by su and sudo.
III. Using the su command to switch user identity temporarily

1. When su applies and its power

The su command is for switching users. How should we understand that? For example, we log in as the ordinary user beinan but need to add a user, which means running useradd; beinan does not have this permission, and it is exactly the permission root has. There are two solutions: one is to log out of beinan and log in again as root, but that is not the best way; the other is to stay logged in as beinan and use su to switch to root, do the work of adding the user, and exit root when the task is done. We can see that switching with su is the better way.
su can switch between users. If the super-privileged user root switches to an ordinary or virtual user, what is asked of it? Nothing! But when an ordinary user switches to any other user, a password is required.
2. su usage

su [options] [user]

-, -l, --login             log in as the switched user and take on that user's environment
-c, --command=command      execute a command as the switched user, then return to the original user

For more details, see man su.
3. su examples

su without any argument switches to the root user by default, but does not enter root's home directory; that is, although it switches to root, it does not take on root's login environment. A user's default login environment, including the home directory and shell, can be found in /etc/passwd.

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

su with the - argument switches to the root user by default and also takes on root's environment:

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -
Password:
[root@localhost ~]# pwd
/root

su with the - argument and a user name:

[beinan@localhost ~]$ su - root      Note: this does the same as su -
Password:
[root@localhost ~]# pwd
/root

[beinan@localhost ~]$ su - linuxsir      Note: switch to the user linuxsir
Password:                                Note: enter linuxsir's password here
[linuxsir@localhost ~]$ pwd              Note: see where we are
/home/linuxsir
[linuxsir@localhost ~]$ id               Note: check the UID and GID, mainly to confirm the switch worked
uid=505(linuxsir) gid=502(linuxsir) groups=0(root),500(beinan),502(linuxsir)
[linuxsir@localhost ~]$ exit
[beinan@localhost ~]$ su - -c ls         Note: a combination of su arguments: switch to root with root's environment, list the files in root's home directory, then exit root
Password:                                Note: enter root's password here
anaconda-ks.cfg  Desktop  install.log  install.log.syslog  testgroup  testgroupbeinan  testgrouproot
[beinan@localhost ~]$ pwd                Note: check where the current user is
/home/beinan
[beinan@localhost ~]$ id                 Note: check the current user's identity
uid=500(beinan) gid=500(beinan) groups=500(beinan)
4. Advantages and disadvantages of su

su's advantage is convenient management: by switching to root you can complete every system-management task. As long as the root password is given to an ordinary user, he can switch to root and do all of the system management.
But after switching to root with su there is an element of insecurity. Suppose there are ten users and all of them take part in management. If these ten users need super privileges, then to let them switch to super privileges the administrator must tell all ten the root password; and once all ten have root's authority, each can do anything through root's privileges, which to a certain extent creates a security risk. Think of Windows: that is a nightmare.
"There are no insecure systems, only insecure people." We must be sure that these ten users manage the system according to proper operating procedures; a serious mistake by any one of them can crash the system or lose data.
So su is not the best choice for system management with many participants. su only suits management involving one or two people; after all, su does not let us restrict ordinary users.
The superuser root's password should be in as few hands as possible; this is absolutely true! For that reason sudo has good reason to exist.
IV. sudo: authorized, and restricted, su

1. When sudo applies

Because su switches to the super-privileged user root, whose privileges are unlimited, su is unsuitable for a system managed by several administrators. If every administrator switches to the superuser with su to manage the system, there is no way to tell which work was done by which administrator. Especially for a server managed by several people, it is best for each administrator to have a technical specialty and a scope of management, to delegate privileges accordingly, and to agree on which tools are used to complete the work within that scope. This is where sudo is needed. With sudo we can hand out some super privileges in a targeted way, without ordinary users needing to know the root password, so sudo is safer than su; it can be called a restricted su. Besides, sudo must be authorized in advance, so it is also known as an authorized su.
When sudo runs a command, the current user is switched to root (or another specified user), the command is executed as root (or that other user), and after execution control returns to the current user. The precondition is that the user has been authorized in sudo's configuration file /etc/sudoers.
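sudo's accountability advantage over su (section III.4 above) shows up in the system log: pam_unix records each su switch only as "session opened for user root by <user>", while sudo records the invoking user, the target user and the full command of every allowed or refused invocation. The following shell script, an added example that is not part of the original article, summarizes a few constructed log lines in those two standard formats; the file name, the log lines and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: summarize su and sudo activity
# from auth-log lines. File name, sample lines and function names are mine.

SAMPLE_LOG="${TMPDIR:-/tmp}/auth_sample_$$.log"
# Constructed sample lines in the standard pam_unix (su) and sudo log formats.
cat >"$SAMPLE_LOG" <<'EOF'
Oct 27 10:01:12 localhost su: pam_unix(su-l:session): session opened for user root by beinan(uid=500)
Oct 27 10:03:40 localhost su: pam_unix(su-l:session): session closed for user root
Oct 27 10:05:02 localhost sudo:   beinan : TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/bin/chown beinan:beinan /opt
Oct 27 10:06:15 localhost sudo:   beinan : command not allowed ; TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/sbin/fdisk -l
Oct 27 10:07:30 localhost su: pam_unix(su-l:auth): authentication failure; logname=linuxsir uid=505 euid=0 tty=pts/1 ruser=linuxsir rhost=  user=root
EOF

# su_root_switches FILE: the user behind every su session opened as root.
# Only the name is recorded; what was done inside the root shell is not.
su_root_switches() {
    sed -n 's/.* su: .*session opened for user root by \([^(]*\)(uid=[0-9]*).*/\1/p' "$1"
}

# sudo_commands FILE: "user -> target: command" for every command sudo allowed.
sudo_commands() {
    grep ' sudo: ' "$1" | grep -v 'command not allowed' |
        sed -n 's/.* sudo: *\([^ ]*\) : .*USER=\([^ ;]*\) ; COMMAND=\(.*\)$/\1 -> \2: \3/p'
}

# sudo_denied FILE: "user: command" for every command sudo refused.
sudo_denied() {
    grep 'command not allowed' "$1" |
        sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1: \2/p'
}

# su_failures FILE: number of failed su authentications (wrong target password).
su_failures() {
    grep -c ' su: .*authentication failure' "$1" || true
}

# Stand-alone run against the constructed sample
echo "su switches to root by:";  su_root_switches "$SAMPLE_LOG"
echo "sudo commands:";           sudo_commands "$SAMPLE_LOG"
echo "sudo refusals:";           sudo_denied "$SAMPLE_LOG"
echo "failed su attempts: $(su_failures "$SAMPLE_LOG")"
```

The contrast is the point of the section: the su entry tells you that beinan became root at 10:01 and nothing more, while the sudo entries tell you exactly which command beinan ran as root and which one was refused. On a real system the functions would be pointed at the authentication log (for example /var/log/secure or /var/log/auth.log, depending on the distribution).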
2. Starting from the sudo configuration file /etc/sudoers

sudo's configuration file is /etc/sudoers. We can edit it with its dedicated tool visudo, whose advantage is that when a rule we added is not quite right, it warns us with an error message on saving and exiting. After configuring, switch to a user you have authorized and check which commands sudo allows or forbids with sudo -l.
In the /etc/sudoers file each rule occupies one line; lines beginning with # are comments and are not executed. If a rule is very long and does not fit on one line, it can be continued on the next line with a \ ; in that sense a rule can also span several lines.
The rules in /etc/sudoers fall into two categories: alias definitions and authorization rules. Alias definitions are optional, but authorization rules are necessary.
3. Alias rules in /etc/sudoers

The format of an alias rule is as follows:

Alias_Type NAME = item1, item2, ...

or

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

Alias type (Alias_Type): there are four alias types:

Host_Alias    defines a host alias;
User_Alias    defines a user alias; members can be users or user groups (a group is prefixed with %);
Runas_Alias   defines a runas alias, that is, the "destination user" sudo is allowed to switch to;
Cmnd_Alias    defines a command alias.

NAME is the alias name. A name may contain upper-case letters, underscores and digits, but must begin with an upper-case letter; for example SYNADM, SYN_ADM and SYNAD0 are legal, while synadm and 1SYNAD are illegal.
item means a member of the alias. If there are several members, they are separated by commas, and every member must be valid and actually exist. What counts as valid? For a host, the host name shown by the hostname command (or an IP address); if you only operate locally, the hostname command alone tells you. A user name must of course exist in the system, that is, in /etc/passwd. For a command alias, the member must be a file that exists in the system, given with its absolute path. Which members are valid depends on the alias type: the members must match whichever of Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias is being defined. When we define a host alias with Host_Alias, the members must be hosts, such as host names (including the host names of remote logins), IP addresses (single addresses or whole networks), network masks and so on; after a user logs in, the w command shows the host the login came from. With User_Alias and Runas_Alias the members must be system users. When Cmnd_Alias defines an alias for executable commands, the members must be files that exist in the system; the file names may use wildcards, and the commands in a Cmnd_Alias must be given by absolute path.
Runas_Alias and User_Alias look similar, but they are definitely not the same concept: Runas_Alias defines the system users that sudo may switch to. We will explain this with an example under the authorization rules.
Each alias rule occupies one line; if a single alias rule is too long, it can be continued with a \ . Several aliases of the same type can also be defined in one line, separated by a colon.
Host_Alias HT01 = localhost, st05, st04, 10.0.0.4, 255.255.255.0, 192.168.1.0/24      Note: define the host alias HT01 and list its members
Host_Alias HT02 = st09, st10      Note: the host alias HT02 has two members
Host_Alias HT01 = localhost, st05, st04, 10.0.0.4, 255.255.255.0, 192.168.1.0/24 : HT02 = st09, st10      Note: the two host aliases above can also be written in one line, separated by a colon

Note: when we define a host alias with Host_Alias, an item can be a host name, a single IP address (or a whole IP range), or a network mask. If it is a host name, it must belong to a machine on the network, and the machines must be able to reach each other by host name. What does reaching each other by host name mean? For example, pinging the host name, or logging in remotely by host name. On our local network, if you want machines to reach each other by host name, you must set up /etc/hosts or /etc/resolv.conf, and there must be DNS to resolve the names; otherwise they cannot reach each other by host name. When an item in a host alias is a host name, the local host name can be seen with the hostname command; if you want to know where a login came from, confirm the host name or IP address of the other client. Defining host aliases seems a bit complicated but is actually very simple. If you do not understand how Host_Alias works, you can leave host aliases out and use ALL in the authorization rules to match all possible hosts. If you want to understand hosts better, you do need to learn more.

User_Alias SYSAD = beinan, linuxsir, bnnb, lanhaitun      Note: define the user alias SYSAD with four members, which must exist in the system
User_Alias NETAD = beinan, bnnb      Note: define the user alias NETAD; I want these users to manage the network, hence the name NETAD
User_Alias WEBMASTER = linuxsir      Note: define the user alias WEBMASTER; I want this user to manage the web site
User_Alias SYSAD = beinan, linuxsir, bnnb, lanhaitun : NETAD = beinan, bnnb : WEBMASTER = linuxsir      Note: the three alias definitions above can be written in this one line; compare with the earlier description

Cmnd_Alias USERMAG = /usr/sbin/adduser, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, /bin/chown, /bin/chmod      Note: the members of a command alias must be absolute paths of files or directories
Cmnd_Alias DISKMAG = /sbin/fdisk, /sbin/parted
Cmnd_Alias NETMAG = /sbin/ifconfig, /etc/init.d/network
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PWMAG = /usr/sbin/reboot, /usr/sbin/halt
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh      Note: this command alias is a bit long, so it is broken across lines with a \
Cmnd_Alias SU = /usr/bin/su, /bin, /sbin, /usr/sbin, /usr/bin

In the example above, the KILL and PWMAG command aliases can be merged into one equivalent line:

Cmnd_Alias KILL = /usr/bin/kill : PWMAG = /usr/sbin/reboot, /usr/sbin/halt      Note: this line defines the KILL and PWMAG command aliases, merging the two definitions into one line

Runas_Alias OP = root, operator
Runas_Alias DBADM = mysql
Runas_Alias DBADM = mysql : OP = root, operator      Note: this line is equivalent to the two lines above; to understand Runas_Alias we need to look at an authorization rule example
4. Authorization rules in /etc/sudoers

Authorization rules are the rules that actually delegate privileges. The aliases we defined earlier mainly exist to make authorization more convenient, by referring to an alias. If there are only a few users in the system and the privileges to be delegated are limited, we need not define aliases at all and can authorize system users directly, so the aliases in an authorization rule are not necessary.
Authorization rules are not arbitrary. Here we only cover the basics, which are fairly simple; to learn more about authorization rules, see man sudoers.

authorized_user  host = command action

None of these three elements may be omitted, but before the action we can also specify the user to switch to, enclosed in parentheses; and if the command is to run without a password, the NOPASSWD: tag should be added. Both of these can be omitted.

Example 1:

beinan ALL = /bin/chown, /bin/chmod

If we add this line to /etc/sudoers, it means that on any possible host name beinan can switch to the root user to execute the commands /bin/chown and /bin/chmod. Use sudo -l to see which commands beinan is allowed and forbidden to run on this host.
Note that the user to switch to when executing /bin/chown and /bin/chmod is omitted; if it is omitted, the default is to switch to the root user. Likewise, whether beinan must enter a password is omitted; if omitted, the default is that a password is required.
To describe it in more detail, we can write out a more complete formula:

authorized_user  host = [(switch to which user or group)] [password required?] command1, [(switch to which user or group)] [password required?] [command2], [(switch to which user or group)] [password required?] [command3] ......

Notes:
Everything in [] can be omitted; commands are separated by commas. From the examples in this article you can see what can be omitted and where spaces are needed. [(switch to which user or group)]: if omitted, the default is root; if it is ALL, the rule can switch to any user. Note that the destination user must be enclosed in parentheses, for example (ALL), (beinan).
Example 2:

beinan ALL = (root) /bin/chown, (ALL) /bin/chmod

If we remove the line of Example 1 and replace it with this one, it means that on any possible host name beinan can switch to root to execute /bin/chown, and can switch to any user to execute /bin/chmod. Use sudo -l to see which commands beinan is allowed and forbidden to run on this host.

Example 3:

beinan ALL = (root) NOPASSWD: /bin/chown, (ALL) /bin/chmod

What if we change to this example? It means that on any possible host name beinan can switch to root to execute /bin/chown without entering beinan's own password, and can switch to any user to execute /bin/chmod, but must enter his own password when executing chmod. Use sudo -l to see which commands beinan is allowed and forbidden to run on this host.
Regarding whether a command action needs a password: by default the system requires it. Unless specifically stated otherwise the user must enter his own password, so if no password should be needed, add the NOPASSWD: tag before the action.
Some brothers may not be clear about the sequence of system management; they do not know how to use it, and that affects their understanding of the sudoers definitions. Let us give the simplest and most practical example.

Example 4:

For example, when we try to read the /etc/shadow file with more as the ordinary user beinan, the following may happen:

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Permission denied

At this point we can read the file with sudo more /etc/shadow, as long as beinan is authorized in /etc/sudoers.
So we switch to root with su and modify /etc/sudoers (suppose we are logged in as beinan):

[beinan@localhost ~]$ su
Password:                         Note: enter root's password here, since visudo must run as root
[root@localhost beinan]# visudo   Note: run visudo to modify /etc/sudoers

Add the following line, then save and exit. Saving and exiting uses vi, because visudo uses the vi editor; how to use vi is not covered here.

beinan ALL = /bin/more      Note: beinan can switch to root to run more and view files

Return to the user beinan with the exit command:

[root@localhost beinan]# exit
[beinan@localhost ~]$
Which commands can beinan run through sudo?

[beinan@localhost ~]$ sudo -l
Password:                         Note: enter beinan's password here
User beinan may run the following commands on this host:      Note: this clearly says that on this host beinan can run more with root privileges, and more can view any text file with root privileges
    (root) /bin/more

Finally, let us see whether beinan can read the contents of /etc/shadow:

[beinan@localhost ~]$ sudo more /etc/shadow

beinan can now see not only the contents of /etc/shadow but also other files that only root can read, for example:

[beinan@localhost ~]$ sudo more /etc/gshadow

If I only want beinan to see the contents of /etc/shadow, and not to read every system file, I can add the following line instead:

beinan ALL = /bin/more /etc/shadow

Aside: some brothers will say that with su they can see anything they want. Ha, yes. But aren't we talking about sudo's usage now? If there are several users on the host who do not know the root password and want to view files they cannot see, the administrator has to authorize them; this is the benefit of sudo.
Example 5: using user groups in /etc/sudoers. If a user group appears in /etc/sudoers it is prefixed with %, for example %beinan, with no space in between.

%beinan ALL = /usr/sbin/*, /sbin/*

If we add this line to /etc/sudoers, all members of the beinan user group can, on any possible host name, switch to the root user and run every command under /usr/sbin and /sbin as root.
Example 6: forbidding a class of programs

To forbid the execution of a class of programs, add a ! before the command action; this example also shows the use of wildcards.

beinan ALL = /usr/sbin/*, /sbin/*, !/sbin/fdisk      Note: add this rule to /etc/sudoers; the precondition is that the beinan user group exists and beinan is a member of it

This rule means that on any possible host name beinan can run all programs under /usr/sbin and /sbin, except fdisk.

[beinan@localhost ~]$ sudo -l
Password:                         Note: enter beinan's password here
User beinan may run the following commands on this host:
    (root) /usr/sbin/*
    (root) /sbin/*
    (root) !/sbin/fdisk

[beinan@localhost ~]$ sudo /sbin/fdisk -l
Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

Note: beinan cannot switch to root to run fdisk.
Example 7: using aliases

We can see the local host name with hostname and define a host alias from it, or simply use ALL to match any host name that may appear. There are the users beinan, linuxsir and lanhaitun. A small example is the best way to understand this; sudo is easy to use but takes some effort to understand.

User_Alias SYSADER = beinan, linuxsir, %beinan
User_Alias DISKADER = lanhaitun
Runas_Alias OP = root
Cmnd_Alias SYDCMD = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Cmnd_Alias DSKCMD = /sbin/parted, /sbin/fdisk      Note: define the command alias DSKCMD with the members parted and fdisk
SYSADER ALL = SYDCMD, DSKCMD
DISKADER ALL = (OP) DSKCMD

Notes:
Line 1: defines the user alias SYSADER with the members beinan, linuxsir and the users in the beinan group; a user group must be prefixed with %.
Line 2: defines the user alias DISKADER with the member lanhaitun.
Line 3: defines the runas alias, that is, the alias of the destination user, OP, with the member root.
Line 4: defines the command alias SYDCMD; the members are separated by commas, and the final !/usr/bin/passwd root means that root's password cannot be changed with passwd.
Line 5: defines the command alias DSKCMD with the members parted and fdisk.
Line 6: authorizes all members of SYSADER to run, or not run, the commands defined above on any possible host name. More specifically, beinan, linuxsir and the members of the beinan group can run chown, chmod, adduser and passwd as root, but cannot change root's password, and can run parted and fdisk as root. The equivalent rule is:

beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, /sbin/parted, /sbin/fdisk

Line 7: authorizes all members of DISKADER to run DSKCMD as OP; more clearly, lanhaitun can run the parted and fdisk commands as root. Its equivalent rule is:

lanhaitun ALL = (root) /sbin/parted, /sbin/fdisk

Some brothers may ask: I want to switch to root and run the commands under SYDCMD and DSKCMD without a password; how is that written? Understanding the following example makes it clear:

SYSADER ALL = NOPASSWD: SYDCMD, NOPASSWD: DSKCMD
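The alias rules in section 3 and the authorization rules in section 4 state a few requirements that an administrator should check after editing /etc/sudoers: members of a Cmnd_Alias must be absolute paths, NOPASSWD: grants and bare ALL grants deserve a second look, and a rule that hands out su or a shell gives the same unrestricted root that the article warned about under su. The following shell script is an added example, not from the original article and not a replacement for visudo's own syntax check; it applies those checks to a constructed sudoers-style file modelled on Example 7. The file name, sample rules and function names are my own, and it assumes one alias per line (the NAME1 = ... : NAME2 = ... form is not handled).

```shell
#!/bin/sh
# Added example, not from the original article: a small lint for a sudoers-style
# file, checking the points the article makes about aliases and authorization
# rules. File name, sample rules and function names are mine.

SUDOERS_SAMPLE="${TMPDIR:-/tmp}/sudoers_sample_$$"
# Constructed sample modelled on the article's Example 7; not a real /etc/sudoers.
cat >"$SUDOERS_SAMPLE" <<'EOF'
# aliases (one alias per line; the NAME1 = ... : NAME2 = ... form is not handled)
User_Alias  SYSADER = beinan, linuxsir, %beinan
User_Alias  DISKADER = lanhaitun
Runas_Alias OP = root
Cmnd_Alias  SYDCMD = /bin/chown, /bin/chmod, /usr/sbin/adduser, \
                     /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Cmnd_Alias  DSKCMD = /sbin/parted, /sbin/fdisk
Cmnd_Alias  SHELLS = /bin/sh, bash, /bin/csh
# authorization rules
SYSADER  ALL = SYDCMD, DSKCMD
DISKADER ALL = (OP) NOPASSWD: DSKCMD
%wheel   ALL = (ALL) NOPASSWD: ALL
beinan   ALL = /usr/bin/su, SHELLS
EOF

# normalize_sudoers FILE: join backslash-continued lines and drop comments and
# blank lines, so that every output line is exactly one alias or one rule.
normalize_sudoers() {
    awk '{
        while (sub(/\\[ \t]*$/, "")) { if ((getline nxt) <= 0) break; $0 = $0 nxt }
        if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next
        print
    }' "$1"
}

# rule_lines FILE: only the authorization rules (not aliases or Defaults lines).
rule_lines() {
    normalize_sudoers "$1" |
        awk '!/^[ \t]*(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|Defaults)/'
}

# cmnd_members_not_absolute FILE: "ALIAS: member" for every Cmnd_Alias member
# that is neither an absolute path nor another (upper-case) alias name.
cmnd_members_not_absolute() {
    normalize_sudoers "$1" | awk '
        /^[ \t]*Cmnd_Alias[ \t]/ {
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
            split($0, kv, "="); name = kv[1]; gsub(/[ \t]/, "", name)
            n = split(kv[2], members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]; gsub(/^[ \t]+|[ \t]+$/, "", m)
                sub(/^!/, "", m); sub(/ .*/, "", m)   # drop negation and arguments
                if (m !~ /^\// && m !~ /^[A-Z][A-Z0-9_]*$/) print name ": " m
            }
        }'
}

# nopasswd_rules FILE: the user spec of every rule carrying the NOPASSWD: tag.
nopasswd_rules() {
    rule_lines "$1" | awk '/NOPASSWD:/ { print $1 }'
}

# all_grants FILE: user specs whose whole command list is ALL, i.e. unrestricted.
all_grants() {
    rule_lines "$1" | awk -F= '{
        c = $2; gsub(/\([^)]*\)/, "", c); gsub(/[A-Z]+:/, "", c); gsub(/[ \t]/, "", c)
        if (c == "ALL") { split($1, u, " "); print u[1] }
    }'
}

# shell_or_su_grants FILE: user specs that may run su or a shell, directly or via
# a Cmnd_Alias; such a rule is as good as handing out the root password.
shell_or_su_grants() {
    normalize_sudoers "$1" | awk '
        function risky(cmd) {
            sub(/^!/, "", cmd); sub(/ .*/, "", cmd)
            return cmd ~ /(^|\/)(su|sh|bash|csh|ksh|zsh|tcsh)$/
        }
        /^[ \t]*Cmnd_Alias[ \t]/ {
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
            split($0, kv, "="); name = kv[1]; gsub(/[ \t]/, "", name)
            n = split(kv[2], members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]; gsub(/^[ \t]+|[ \t]+$/, "", m)
                if (risky(m)) alias_risky[name] = 1
            }
            next
        }
        /^[ \t]*(User_Alias|Runas_Alias|Host_Alias|Defaults)/ { next }
        {
            split($0, kv, "="); split(kv[1], u, " ")
            c = kv[2]; gsub(/\([^)]*\)/, "", c); gsub(/[A-Z]+:/, "", c)
            n = split(c, members, ",")
            for (i = 1; i <= n; i++) {
                m = members[i]; gsub(/^[ \t]+|[ \t]+$/, "", m)
                if (risky(m) || (m in alias_risky)) { print u[1]; break }
            }
        }'
}

# Stand-alone run against the constructed sample
echo "Cmnd_Alias members that are not absolute paths:"; cmnd_members_not_absolute "$SUDOERS_SAMPLE"
echo "Rules with NOPASSWD:";         nopasswd_rules "$SUDOERS_SAMPLE"
echo "Rules granting ALL:";          all_grants "$SUDOERS_SAMPLE"
echo "Rules granting su or a shell:"; shell_or_su_grants "$SUDOERS_SAMPLE"
```

On the sample this reports the bare "bash" in SHELLS, the NOPASSWD: tags on DISKADER and %wheel, the unrestricted ALL grant to %wheel, and beinan's su/shell grant. Run it on a real file only after visudo -c has accepted the syntax; the checks here are about policy, not syntax.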
5. Other matters concerning /etc/sudoers

Authorization rules also have the NOEXEC: and EXEC: tags; see man sudoers to understand them. Wildcards can also be used in rules. These topics are not covered here; after all, this is just an introduction. The sudoers configuration file is fairly simple; how far you get depends on how you apply it yourself.

6. sudo usage
The purpose of everything we wrote into /etc/sudoers above is to let a user match and obtain authorization through sudo, which reads the rules in the configuration file, so that the user can change identity to run commands and complete tasks that cannot be completed under his own privileges.
We only describe the simplest usage; for details see man sudo.

sudo [options] command

-l    list the commands the user may and may not run on this host; after configuring /etc/sudoers, use this to check and test whether the configuration is correct
-v    refresh the user's time stamp; once a user has run sudo and entered his password, further sudo operations within a short period need no password, and -v extends that period
-u    run the operation as the specified user
-k    delete the time stamp, so that the next sudo command asks for the password again
First we modify /etc/sudoers with visudo and add the following line, for example:

beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, /sbin/parted, /sbin/fdisk

Then list the commands that beinan can run through sudo by switching user:

[beinan@localhost ~]$ sudo -l      Note: list the commands the user may and may not run on this host
Password:                          Note: enter your own user password here
User beinan may run the following commands on this host:
    (root) /bin/chown                 Note: can switch to root and run chown
    (root) /bin/chmod                 Note: can switch to root and run chmod
    (root) /usr/sbin/adduser          Note: can switch to root and run adduser
    (root) /usr/bin/passwd [A-Za-z]*  Note: can switch to root and run passwd
    (root) !/usr/bin/passwd root      Note: can switch to root, but cannot change root's password
    (root) /sbin/parted               Note: can switch to root and run parted
    (root) /sbin/fdisk                Note: can switch to root and run fdisk
After listing the available commands, I want to change the owner of the /opt directory to beinan with the chown command;
[beinan@localhost ~]$ ls -ld /opt    Note: look at who owns /opt;
drwxr-xr-x 26 root root 4096 Oct 27 10:09 /opt    Note: the owner is user root and group root;
[beinan@localhost ~]$ sudo chown beinan:beinan /opt    Note: change the owner to user beinan and group beinan through chown;
[beinan@localhost ~]$ ls -ld /opt    Note: check that the owner of /opt has changed;
drwxr-xr-x 26 beinan beinan 4096 Oct 27 10:09 /opt
We see that user beinan can run the passwd command as root to change user passwords; but as the sudo -l output above and the rule we wrote make clear, he cannot change root's password; that is, root's password cannot be changed, while the passwords of other users can. Let us test it below;
An ordinary user can change only his own password, not the passwords of other users. But if he runs the command as root, he can change the passwords of other users;
For example, there is a user linuxsir on the system, and we try to change that user's password:
[beinan@localhost ~]$ passwd linuxsir    Note: run passwd directly, without sudo, to change linuxsir's password;
passwd: Only root can specify a user name.    Note: it fails; the prompt says only root may do this;
[beinan@localhost ~]$ sudo passwd linuxsir    Note: through the rule defined in /etc/sudoers, beinan runs passwd as root to change linuxsir's password;
Changing password for user linuxsir.
New UNIX password:    Note: enter the new password;
Retype new UNIX password:    Note: enter it again;
passwd: all authentication tokens updated successfully.    Note: changed successfully;
Postscript:
This article is an important part of the user management documents. I plan to start writing about the user management tools tomorrow, such as useradd, userdel and usermod, which are the tools for managing users; of course, I will also write about user query tools and other related management topics;
About this article:
This document on super-privilege management is the one that has cost me the most effort. I was afraid to write it; although it is the simplest document and I understand the topic, I could not express it, and however I expressed it, when I looked at it again I felt it was too complicated. It took more than a week from start to finish, and it is no exaggeration to say that more than a dozen hours went into it. I wrote a great many words; whatever I did not like, I deleted and wrote over. The number of rewrites is no less than ten. Changed it again, wrote it again; it drives a person mad, and I do not know when it will end;
In my opinion, this document still has to be changed; I do not know whether beginners can understand it, so at least I need feedback from beginners, thank you;
Of course, guidance from the masters is even more welcome. . . . . .
Acknowledgments:
Thanks to brother pandonny for help with the sudo concepts; thanks to brother etony for providing proposals for amendments; thanks to brother lazy cat for correcting the document's concepts and catalog and adding the index; thanks to arch for correcting the definition of the sudo authorization rule in this document;
Reference documents:
The su, sudo and sudoers help documents (man pages)
Related documents:
"Linux Users (User) and User Groups (Group)"
"Introduction to Linux User Management Tools"
"Linux System Super Privilege Control"
"The Operational Flow of Adding a User on a Linux System"
By North-South-North at 2005/10/30 - 22:41 | Fedora | Redhat | Basic entry
Very good article
I am a beginner, and I can understand it, but I was confused at the start by the role of "alias" until I saw the alias example in section seven, and then I knew what effect it has. I think the alias part should be put at the end of the article, just as you said: from simple to more complex, starting from the simple line "SSL ALL = NOPASSWD: /bin/sbin/*, NOPASSWD: /sbin/*, NOPASSWD: /bin/*" and moving up to aliases for a large number of users.
By SSL at Friday, 2005/11/11 - 17:38
Thank you; it is indeed a bit chaotic in this respect.
What the brother says is right; the alias part should be put at the end.
I will adjust it soon. The best outcome is that beginner brothers can understand it; if they cannot understand it, this document is worthless;
North-South-North
By North-South-North at Sunday, 2005/11/13 - 10:01
Not tiring, and I learned something
It took me nearly an hour to read this article; I was not tired and I learned a lot. Good, thank you. Also, Beinan, take care of your health! Don't work more than 10 hours a day ~~~~
I feel that SUID and SGID for programs are only mentioned briefly, which is a pity.
By Anonymous (not verified) at Tuesday, 2005/11/01 - 12:00
As for SUID and SGID, I want to write about them in another document.
Thank you, brother, for the encouragement and concern; I want to put SUID and SGID in another document.
The user's roles, permissions, files and directories are all interrelated. Writing the basic documents feels like there is no end to it; it can only be solved one by one. Now I feel that my strength is insufficient, but it is also good for me: I can consolidate what I originally knew, and now I know what some things really are;
North-South-North
By Beinan at Tuesday, 2005/11/01 - 12:37
Thanks to etony, lazy cat, arch, etc.
Brother etony revised a number of concepts and conflicts between concepts; about your su and sudo document he wrote:
The content is, for beginners or readers, a good article; if there were a directory at the front for "navigation", the content of the document would be clearer and more comfortable to read.
Personally, I would summarize the content of the first major point (understanding of ...) in the document (not necessarily adding content) under a small heading, and then reflect it in the directory outline; written this way, would it not be clearer? Perhaps through such an arrangement you will also find it more convenient to modify.
I will just give a reference plan for the directory structure of the document (in fact, only some of the headings have been changed, and there should be no harm in it):
I. Understanding users and user permissions in the Linux system
   1. What is a super user?
   2. Understanding the correspondence between UID and users
   3. Ordinary users and pseudo users
II. The role of the superuser (privilege) in system management
   1. Managing files, directories and processes
   2. Global management operations
   3. Irreplaceability of super privileges
III. Using the su command to temporarily switch user identity
   1. su's applicable conditions and power
   2. Usage of the su command
   3. Example
   4. Advantages and deficiencies
IV. sudo: a restricted su
   1. sudo's applicable conditions and power
   2. Starting from writing the sudo configuration file
   3. How to configure alias rules?
   4. How to configure authorization rules
   5. How to use the sudo command
V. Postscript
VI. About this article
Brother arch's correction is as follows: the alias rule means that all members of the authorized alias SYSADER, on all hosts that may appear in the host-name list, may run or are forbidden to run the commands defined under SYDCMD and DSKCMD. More specifically, the users beinan and linuxsir and the members of group beinan may run chown, chmod, adduser and passwd as root, but may not change root's password; they may run parted and fdisk as root. The rule equivalent to this one is:
beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, /usr/sbin/adduser, /usr/bin/passwd, !/usr/bin/passwd root, /sbin/parted, /sbin/fdisk
It seems there is no way to require that the root password cannot be modified: the effect of sudo passwd and of sudo passwd root is equivalent, ^_^
Do you think this is feasible?
beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, /usr/sbin/adduser, !/usr/bin/passwd, !/usr/bin/passwd [a-zA-Z]*, /sbin/parted, /sbin/fdisk
====================================
Freedom and dreams, welcome to LinuxSir.org; open source, because I have participated;
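Both the article's passwd rule and arch's remark in the comment above (that sudo passwd with no arguments and sudo passwd root end up equivalent when the Cmnd has no argument pattern) come down to how sudo matches a command list: a Cmnd written without arguments allows the command with any arguments, arguments are matched as one space-joined string with fnmatch-style globbing (so "[A-Za-z]*" does not match an empty argument list), and when several entries match, the last one in the list wins. The following Python toy is an added illustration of those three behaviours, not code from the original article and not sudo's own implementation. It models only "user, %group ALL = cmnd, !cmnd, ..." rules: the host is assumed to be ALL, the Runas part is ignored, and the "wildcards never match a slash" property of path patterns is approximated by comparing slash counts (all of these are assumptions of the model). The rule texts embedded in it are constructed from the ones on this page.

```python
"""Toy model of how sudo matches a sudoers command list (constructed for
illustration; not sudo's code).  It reproduces three behaviours that decide
whether a rule really keeps root's password out of reach:
  * a Cmnd written without arguments allows the command with ANY arguments,
  * arguments are joined with spaces and matched with fnmatch-style globbing,
    so "[A-Za-z]*" needs at least one character and does not match no args,
  * when several Cmnds match, the LAST one in the list wins, which is why
    "!/usr/bin/passwd root" placed after "/usr/bin/passwd [A-Za-z]*" denies.
Assumptions: only host ALL is modelled, Runas is ignored, and "wildcards never
match '/'" in the path part is approximated by comparing slash counts.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cmnd:
    path: str             # command path, may contain glob characters
    args: Optional[str]   # None: any args allowed; "": only no args allowed
    negated: bool         # '!' prefix: a match on this Cmnd denies


@dataclass
class Rule:
    users: List[str]      # "name" or "%group"
    cmnds: List[Cmnd]


def parse_rule(line: str) -> Rule:
    """Parse one sudoers line of the form 'users ALL = cmnd, !cmnd, ...'."""
    lhs, _, rhs = line.partition("=")
    user_part, host = lhs.strip().rsplit(None, 1)
    if host != "ALL":
        raise ValueError("this toy models only host ALL")
    users = [u.strip() for u in user_part.split(",")]
    cmnds = []
    for item in rhs.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        path, sep, args = item.partition(" ")
        if not sep:
            arg_pat = None                     # no args written: anything goes
        elif args.strip() == '""':
            arg_pat = ""                       # "" in sudoers: no args allowed
        else:
            arg_pat = args.strip()
        cmnds.append(Cmnd(path, arg_pat, negated))
    return Rule(users, cmnds)


def path_matches(pattern: str, path: str) -> bool:
    """Glob the path; wildcards must not cross a '/' (slash-count approximation)."""
    if pattern == "ALL":
        return True
    return fnmatch.fnmatchcase(path, pattern) and path.count("/") == pattern.count("/")


def args_match(pattern: Optional[str], args: List[str]) -> bool:
    """sudoers globs the user's arguments as a single space-joined string."""
    if pattern is None:
        return True
    return fnmatch.fnmatchcase(" ".join(args), pattern)


def decide(rules: List[Rule], user: str, groups: List[str],
           path: str, args: List[str]) -> Optional[bool]:
    """True = allowed, False = denied, None = no entry matched (also denied).
    Every matching entry is examined and the last match wins, as in sudo."""
    verdict = None
    for rule in rules:
        if user not in rule.users and not any("%" + g in rule.users for g in groups):
            continue
        for c in rule.cmnds:
            if path_matches(c.path, path) and args_match(c.args, args):
                verdict = not c.negated
    return verdict


def allowed(rule_text: str, user: str, groups: List[str],
            path: str, args: List[str]) -> bool:
    return decide([parse_rule(rule_text)], user, groups, path, args) is True


# The article's rule: wildcard on passwd, followed by an explicit deny for root.
ARTICLE_RULE = ("beinan, linuxsir, %beinan ALL = /bin/chown, /bin/chmod, "
                "/usr/sbin/adduser, /usr/bin/passwd [A-Za-z]*, "
                "!/usr/bin/passwd root, /sbin/parted, /sbin/fdisk")
# The variant discussed in the comments: passwd written without an argument pattern.
BARE_PASSWD_RULE = ARTICLE_RULE.replace("/usr/bin/passwd [A-Za-z]*", "/usr/bin/passwd")

if __name__ == "__main__":
    for label, rule in (("article", ARTICLE_RULE), ("bare passwd", BARE_PASSWD_RULE)):
        for args in (["linuxsir"], ["root"], []):
            ok = allowed(rule, "beinan", ["beinan"], "/usr/bin/passwd", args)
            print(f"{label:12s} sudo passwd {' '.join(args):9s} -> {'allowed' if ok else 'denied'}")
```

Running it shows the point of the comment: under the article's rule, passwd linuxsir is allowed, passwd root is denied by the later negated entry, and a bare passwd does not match "[A-Za-z]*" at all; under the bare-passwd variant, a bare sudo passwd is allowed, and since it then runs as root it changes root's password, so the "!/usr/bin/passwd root" entry alone does not protect root. The same model also explains why a path glob such as /sbin/* covers /sbin/fdisk but not anything in a subdirectory.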