User special permissions (transfer) in UNIX

xiaoxiao, 2021-03-06

On a UNIX system the administrator is often not a single person. If every administrator works as root, it becomes impossible to tell who did what. The better arrangement is to keep root as the system owner, create a number of ordinary user accounts, and hand particular administrative tasks to them. We cannot simply let those users su to root, because then each of them would have to know the root password, which is unsafe and defeats the division of labour. The usual approach is to group users by the kind of work they do: put the users with a special role into the same group and grant that group the necessary permissions. For example, to let someone manage the web content, where the httpd process runs as the user www, you can put the user wwwadm into the same group as www and make the group permissions on Apache's default document directory /usr/local/httpd/htdocs readable, writable and executable, so that every member of that group can maintain the pages. This is still not the best solution. If the administrator wants to let an ordinary user shut the machine down, the group approach does not fit well. At this point you may think: I only want this user to run the shutdown command as root. Exactly right! Unfortunately a stock UNIX system cannot do that, but there is a tool that can: sudo. Sudo grants privileges to individual users by maintaining a mapping from privileges to user names; each privilege is described by the commands listed for it in the sudoers database. To use such a privilege, an authorised user simply prefixes the command with sudo on the command line and, when prompted, enters their own password (not the root password). For instance, sudo can allow an ordinary user to format disks without granting any other root privilege.
Sudo is free software. The latest version can be downloaded from http://www.courtesan.com/sudo/, where a good deal of useful documentation is also available. At the time of writing the latest version is sudo-1.6.6.tar.gz; it is installed with the following steps:

    # gzip -d sudo-1.6.6.tar.gz      (decompress)
    # tar xvf sudo-1.6.6.tar         (unpack)
    # cd sudo-1.6.6
    # ./configure                    (probe the system and generate the Makefile in preparation for compiling)
    # make                           (compile)
    # make install                   (install)

These are the steps for the source distribution; you can also download a binary package, such as a Solaris package or a Linux RPM. Sudo is configured through the file /etc/sudoers, which lists every user allowed to use sudo and defines their privileges. A typical /etc/sudoers entry looks like this:

    liming ALL=(ALL) ALL

This entry lets the user liming run any program as the superuser: when liming needs to run a command as root, he only has to prefix it with sudo.

So, to run the format command as root, liming can enter:

    $ sudo /usr/sbin/format

Note: the command must be given with its absolute path, because /usr/sbin is not in an ordinary user's search path. You can add it to the path with PATH=$PATH:/usr/sbin; export PATH. The location of system commands differs between systems; use "whereis <command>" to find the right path. The following output is displayed:

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

    Password:

If liming enters the correct password, the format command is executed as root. Note: the configuration file /etc/sudoers must be edited with the command /usr/local/sbin/visudo. Simply add the user name, host name and list of permitted commands to /etc/sudoers in the standard format and save. Consider an example: the administrator wants to allow the user baoshi to run the reboot and shutdown commands on the host sun, so he adds:

    baoshi sun=/usr/sbin/reboot, /usr/sbin/shutdown

Note: commands must be written with absolute paths, otherwise a different command with the same name could be executed, which is a security hazard. Then save and exit. When baoshi wants to reboot, he just runs the following at the prompt:

    $ sudo /usr/sbin/reboot

After entering the correct password the server restarts. To grant a whole group of users, prefix the group name with %, for example %cuug ALL=(ALL) ALL. Aliases can also be used to simplify the configuration file. The idea is the same for user aliases, host aliases and command aliases: several users can first be collected under one alias, and a rule written for that alias then applies to every one of them. Host aliases and command aliases work the same way.
Note: an alias is defined with a User_Alias, Host_Alias or Cmnd_Alias line followed by the alias name, an equals sign and the comma-separated members, for example:

    Host_Alias SERVER = no1
    User_Alias ADMINS = liming, baoshi
    Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, /usr/sbin/reboot
    ADMINS SERVER = SHUTDOWN

Look at this example too:

    ADMINS ALL=(ALL) NOPASSWD: ALL

It allows the members of ADMINS to do everything without entering a password; the NOPASSWD: tag decides whether the user has to type a password when running the command.
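To make the user entries from the earlier section and the alias and NOPASSWD entries above concrete, here is an added example (not code from the original article, and not sudo's own parser) that reads the subset of sudoers syntax discussed on this page, expands User_Alias, Host_Alias and Cmnd_Alias definitions, answers "may this user run this command on this host, and is a password required?" using sudo's last-match-wins rule, and flags the two hazards the article mentions: commands given without an absolute path, and NOPASSWD: ALL. The sample sudoers text is constructed for this example; real sudoers syntax (Defaults, Runas_Alias, negation, wildcards, command arguments) is far richer and must still be validated with visudo.

```python
"""Toy parser for the sudoers subset used in the article (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the entries from the article combined into one file.
SAMPLE_SUDOERS = """
Host_Alias SERVER = no1
User_Alias ADMINS = liming, baoshi
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, /usr/sbin/reboot
liming  ALL = (ALL) ALL
baoshi  sun = /usr/sbin/reboot, /usr/sbin/shutdown
%cuug   ALL = (ALL) ALL
ADMINS  SERVER = SHUTDOWN
"""

# Constructed sample with the two mistakes the article warns about.
RISKY_SUDOERS = """
User_Alias ADMINS = liming, baoshi
baoshi  sun = reboot
ADMINS  ALL = (ALL) NOPASSWD: ALL
"""

ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


@dataclass
class Rule:
    users: frozenset      # user names or %group names, aliases expanded
    hosts: frozenset
    runas: frozenset
    nopasswd: bool
    commands: frozenset   # absolute paths or the keyword ALL


@dataclass
class Sudoers:
    rules: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _split(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    out = Sudoers()

    def expand(kind, items):
        # Replace alias names by their members; unknown names are literals.
        result = set()
        for item in items:
            result.update(aliases[kind].get(item, {item}))
        return frozenset(result)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            aliases[kind][name] = expand(kind, _split(members))
            continue
        m = SPEC_RE.match(line)
        if not m:
            out.warnings.append(f"line {lineno}: unparsed entry {line!r}")
            continue
        user, host, runas, nopw, cmds = m.groups()
        commands = expand("Cmnd_Alias", _split(cmds))
        for cmd in commands:
            if cmd != "ALL" and not cmd.startswith("/"):
                out.warnings.append(f"line {lineno}: command {cmd!r} is not an absolute path")
        rule = Rule(users=expand("User_Alias", [user]),
                    hosts=expand("Host_Alias", [host]),
                    runas=frozenset(_split(runas)) if runas else frozenset({"root"}),
                    nopasswd=bool(nopw),
                    commands=commands)
        if rule.nopasswd and "ALL" in rule.commands:
            out.warnings.append(f"line {lineno}: NOPASSWD with ALL commands grants passwordless unrestricted access")
        out.rules.append(rule)
    return out


def check(sudoers, user, groups, host, command):
    """Return (allowed, password_required); the last matching entry wins, as in sudo."""
    decision = (False, True)
    identities = {user, "ALL"} | {"%" + g for g in groups}
    for rule in sudoers.rules:
        if not (rule.users & identities):
            continue
        if host not in rule.hosts and "ALL" not in rule.hosts:
            continue
        if command not in rule.commands and "ALL" not in rule.commands:
            continue
        decision = (True, not rule.nopasswd)
    return decision


if __name__ == "__main__":
    cfg = parse_sudoers(SAMPLE_SUDOERS)
    print(check(cfg, "baoshi", [], "no1", "/usr/sbin/halt"))   # via ADMINS/SERVER/SHUTDOWN
    for w in parse_sudoers(RISKY_SUDOERS).warnings:
        print("WARNING:", w)
```

The check mirrors the behaviour described in the article: liming may run /usr/sbin/format anywhere, baoshi may reboot the host sun but not run format there, and through the aliases baoshi may also halt the host no1. Running the parser over the risky sample produces one warning for the relative command name and one for the passwordless ALL entry, which is the kind of review an administrator should do before saving a sudoers change.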

Please credit the original source when reposting: https://www.9cbs.com/read-70384.html
