Give ordinary users Special permissions in the Linux system, the administrator often more than one person, if each administrator is managed with root, I can't figure out who should do. So the best way is: Administrators create some ordinary users, assign some system management to them. We can't use SU to make them directly into root, because these users must know the root password, which is unsafe, and does not meet our division of labor. The general approach is to use the settings of the rights, classify the working nature, allowing users of the special identity to become the same working group, and set the working group permissions. For example: To manage the website data, the user's process httpd owner is WWW, you can set the user wwwadm and WWW for the same working group, and set the Apache default storage web directory / usr / local / httpd / HTDOCS's working group permission is readable, writable, executable, which belongs to each user of this working group to manage the web page. But this is not the best solution. For example, administrators want to grant an ordinary user shutdown, then the above way is not very ideal. At this point you may think, I only let this user can execute the shutdown command as root. It's all right, but unfortunately you can't achieve this in the usual Linux system, but you have a tool to achieve such functions - Sudo. SUDO assigns privilege to different users by maintaining a privilege to username mapping, these privileges can be identified by some of the different commands listed in the database. In order to obtain a special item, qualified users simply enter SUDO and the command name simply, follow the prompts to enter the password again (the user's own password, not the root user password). For example, SUDO allows normal users to format disks, but they do not give other root user privileges. 1. Sudo tools are configured by file / etc / sudoers that contains all users who have access to sudo tools and define their privileges. A typical / etc / sudoers entry is as follows: Liming all = (all) all this entry allows the user limited to access all applications as a super user, such as user limited needs to run commands as a superuser, he only needs to simply be in front of the command Plus the prefix Sudo. Therefore, to execute the command format as the root user, limit can be entered as follows: Code: # sudo / usr / sbin / useradd SAM Note: The command wants to write an absolute path, / usr / sbin is not in the regular user's search path, Or join this path: path = $ path: / usr / sbin; export path. In addition, the path of different system commands is not the same, you can use the command "whereis command name" to find its path. This displays the following output: Code: We trust you have received the usual lecture from the local System Administrator It usually boils down to these two things:. # 1) Respect the privacy of others # 2) Think before you type. PASSWORD: If Liming correctly enters the password, the command USERADD will be performed as root user. Note: Profile / etc / sudoers must use the command Visudo to edit.
Just add the corresponding username, hostname, and licensed command list to file / etc / sudoers in standard format, and save it to take effect, then look at an example. 2, example: Administrator needs to allow GEM users to execute the reboot and shutdown commands on the host Sun, add: Code: Gem Sun = / usr / sbin / reboot, / usr / sbin / shutdown Note: Command must To use an absolute path to avoid the same name command of other directories being executed, thereby causing security hidden dangers. Then save the exit. When the GEM user wants to execute the reboot command, just run the following command at the prompt: Code: $ sudo / usr / sbin / reboot Enter the correct password, you can restart the server. If you want to define a group of users, you can add% to the group name, set it to it, such as: Code:% Cuug All = (ALL) ALL 3, and other, you can use an alias to simplify the configuration file. The concept of an alias is similar, with user alias, host alias and command alias. Multiple users can first define one alias, and then use alias when they can do any commands, this configuration takes effect for all users. The same is true for host alias and command alias. Note Before using: user_alias, host_alias, cmnd_alias item, add the corresponding name after it, also separated by a comma, for example: code: Host_alias server = no1 user_alias admins = Liming, gem cmnd_alias shutdown = / usr / sbin / halt, / usr / sbin / shutdown, / usr / sbin / rebootdown, / usr / sbin / reboot application server = shutdown 4, then see this example: Code: admin: ALL indicates allowed Admin No password performed everything, where "NOPASSWD:" is defined, the user does not need to enter a password when the user performs operation. 5, Sudo command can also add some parameters to complete some auxiliary features, such as code: $ sudo -l will display information similar to this: Code: User Liming May Run The Following Commands on this Host: (root) / usr / SBIN / Reboot Description root allows the user limited to execute the / usr / sbin / reboot command. This parameter allows users to see which commands can be executed in SUDO. 6. Type all the parameters at the command prompt, and some other parameters are as follows: Code: -v Displays the version number. -H Displays the use parameters of the sudo command. -V because Sudo does not execute during the first execution or in N minutes (n preset to 5) will ask the password. This parameter is re-confirmed, if more than N minutes, you will ask your password. -K will force the user to ask the password when SUDO will be executed next time (no matter if there is more than N minutes). -B Place the command to be executed on the background. -P prompt can change your password's prompt, where% U will replace the user's account name,% h displays the host name.
