Linux System Administration (1): Enabling and Disabling sudo Privileges for Ordinary Users

Published: 2023-10-12 18:03:00  Author: 飞行日志

1. Introduction to the sudo command

sudo is a Linux system administration command: a tool that lets the system administrator allow ordinary users to run some or all commands as root. On Linux, for safety, day-to-day work is done as an ordinary user, but an ordinary user sometimes needs root privileges, for example to install software. Switching to the root account every time is slow, so sudo is the convenient way. sudo runs the given command with the identity of the superuser; in other words, a command executed through sudo behaves exactly as if root had typed it, which is why the set of commands a user is allowed to run should be no larger than the job requires.

Although sudo resembles su, it differs in two ways. By default sudo authenticates the invoking user with that user's own password, whereas su asks for the target user's (usually root's) password. And sudo does not spawn a root shell; it runs a single program or command with elevated privileges, while su hands you a root shell. (sudo -i, sudo -s or sudo su do give you a root shell, but only when the sudoers policy lets that user run a shell or ALL.)

With sudo, a system administrator can do the following:

  • Grant a user or a group the ability to run certain commands with elevated or root privileges.
  • Review a log of which user (by name and user ID) invoked sudo and what they ran.
  • Control which commands a user may run on the host.

sudo logs every command it runs, together with its arguments, the invoking user, the target user and the working directory. On Debian and Ubuntu these records are written to /var/log/auth.log; on CentOS/RHEL (the distribution whose sudoers file is shown below) they go to /var/log/secure, and on any systemd host journalctl _COMM=sudo shows them regardless of distribution. Rejected attempts (wrong password, user not in sudoers, command not allowed) are logged too, which is what makes this log useful both for troubleshooting and for spotting misuse.
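As an added example (not part of the original post), the following shell filter turns auth.log/secure-style sudo records into one line per attempt with its outcome, so that rejected attempts can be counted or fed to an alert. The log lines are constructed for illustration: the host db01, the users and the commands are made up, but the record layout is the one sudo writes.

```shell
#!/bin/sh
# Summarise sudo records from an auth.log / secure style log.
# Constructed sample (host, users and commands are made up):
SAMPLE_LOG='Oct 12 18:03:00 db01 sudo:  greatdb : TTY=pts/0 ; PWD=/home/greatdb ; USER=root ; COMMAND=/usr/bin/yum install nginx
Oct 12 18:04:11 db01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct 12 18:05:02 db01 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct 12 18:05:20 db01 sudo:    carol : command not allowed ; TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/visudo
Oct 12 18:05:30 db01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2'

# sudo_events: read log lines on stdin, print one tab-separated record per
# sudo attempt: OUTCOME  invoking-user  target-user  command.
# Lines from other programs (the sshd line above) are ignored.
sudo_events() {
    awk '
    / sudo: / && /COMMAND=/ {
        msg = $0
        sub(/.* sudo: +/, "", msg)          # drop timestamp, host and program name
        invoker = msg
        sub(/ : .*/, "", invoker)           # text before the first " : "
        outcome = "ALLOWED"                 # a plain record carries no reason text
        if (msg ~ /incorrect password attempt/) outcome = "BAD_PASSWORD"
        else if (msg ~ /NOT in sudoers/)        outcome = "NOT_IN_SUDOERS"
        else if (msg ~ /command not allowed/)   outcome = "DENIED_COMMAND"
        target = msg
        sub(/.*USER=/, "", target); sub(/ ;.*/, "", target)
        cmd = msg
        sub(/.*COMMAND=/, "", cmd)
        printf "%s\t%s\t%s\t%s\n", outcome, invoker, target, cmd
    }'
}

# denied_sudo: count attempts that sudo rejected for any reason.
denied_sudo() { sudo_events | grep -vc '^ALLOWED'; }

# Run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | sudo_events
```

On a real host replace the sample with `sudo_events < /var/log/auth.log` (or /var/log/secure); a non-zero `denied_sudo` count over a short window is a cheap first signal that someone is probing for privileges they do not have.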

2. The sudoers file

sudo's default security policy is sudoers, whose rules live in a dedicated configuration file, /etc/sudoers. That file controls who may run which commands, as which user, on which hosts, as well as settings such as the password prompt timeout.

Open /etc/sudoers. The listing below is the stock file shipped by CentOS/RHEL; the numbers on the left are listing line numbers referred to later in this post, not part of the file:

  1 ## Sudoers allows particular users to run various commands as
  2 ## the root user, without needing the root password.
  3 ##
  4 ## Examples are provided at the bottom of the file for collections
  5 ## of related commands, which can then be delegated out to particular
  6 ## users or groups.
  7 ## 
  8 ## This file must be edited with the 'visudo' command.
  9 
 10 ## Host Aliases
 11 ## Groups of machines. You may prefer to use hostnames (perhaps using 
 12 ## wildcards for entire domains) or IP addresses instead.
 13 # Host_Alias     FILESERVERS = fs1, fs2
 14 # Host_Alias     MAILSERVERS = smtp, smtp2
 15 
 16 ## User Aliases
 17 ## These aren't often necessary, as you can use regular groups
 18 ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
 19 ## rather than USERALIAS
 20 # User_Alias ADMINS = jsmith, mikem
 21 
 22 
 23 ## Command Aliases
 24 ## These are groups of related commands...
 25 
 26 ## Networking
 27 # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
 28 
 29 ## Installation and management of software
 30 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 31 
 32 ## Services
 33 # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
 34 
 35 ## Updating the locate database
 36 # Cmnd_Alias LOCATE = /usr/bin/updatedb
 37 
 38 ## Storage
 39 # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
 40 
 41 ## Delegating permissions
 42 # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
 43 
 44 ## Processes
 45 # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
 46 
 47 ## Drivers
 48 # Cmnd_Alias DRIVERS = /sbin/modprobe
 49 
 50 # Defaults specification
 51 
 52 #
 53 # Refuse to run if unable to disable echo on the tty.
 54 #
 55 Defaults   !visiblepw
 56 
 57 #
 58 # Preserving HOME has security implications since many programs
 59 # use it when searching for configuration files. Note that HOME
 60 # is already set when the the env_reset option is enabled, so
 61 # this option is only effective for configurations where either
 62 # env_reset is disabled or HOME is present in the env_keep list.
 63 #
 64 Defaults    always_set_home
 65 Defaults    match_group_by_gid
 66 
 67 # Prior to version 1.8.15, groups listed in sudoers that were not
 68 # found in the system group database were passed to the group
 69 # plugin, if any. Starting with 1.8.15, only groups of the form
 70 # %:group are resolved via the group plugin by default.
 71 # We enable always_query_group_plugin to restore old behavior.
 72 # Disable this option for new behavior.
 73 Defaults    always_query_group_plugin
 74 
 75 Defaults    env_reset
 76 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
 77 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 78 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 79 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
 80 Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
 81 
 82 #
 83 # Adding HOME to env_keep may enable a user to run unrestricted
 84 # commands via sudo.
 85 #
 86 # Defaults   env_keep += "HOME"
 87 
 88 Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 89 
 90 ## Next comes the main part: which users can run what software on 
 91 ## which machines (the sudoers file can be shared between multiple
 92 ## systems).
 93 ## Syntax:
 94 ##
 95 ##     user    MACHINE=COMMANDS
 96 ##
 97 ## The COMMANDS section may have other options added to it.
 98 ##
 99 ## Allow root to run any commands anywhere 
100 root    ALL=(ALL)     ALL
101 
102 ## Allows members of the 'sys' group to run networking, software, 
103 ## service management apps and more.
104 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
105 
106 ## Allows people in group wheel to run all commands
107 %wheel    ALL=(ALL)    ALL
108 
109 ## Same thing without a password
110 # %wheel    ALL=(ALL)    NOPASSWD: ALL
111 
112 ## Allows members of the users group to mount and unmount the 
113 ## cdrom as root
114 # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
115 
116 ## Allows members of the users group to shutdown this system
117 # %users  localhost=/sbin/shutdown -h now
118 
119 ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
120 #includedir /etc/sudoers.d

Line 100 of the listing:

root    ALL=(ALL)     ALL

means that the root user has unrestricted privileges and can run any command on the system. (Debian and Ubuntu write this line as root ALL=(ALL:ALL) ALL; the extra :ALL spells out a Runas_Group, which additionally permits sudo -g with an arbitrary group. For an account that may already run anything as root the two forms are equivalent in practice.)

Line 107:

%wheel    ALL=(ALL)    ALL

allows every member of the wheel group to run any command. Debian and Ubuntu do not use wheel; their equivalent line grants the same to the group sudo.

Note: in the sudoers file a leading '%' marks a group name; it is not a comment marker.

As the header of /etc/sudoers says (line 8 of the listing):

## This file must be edited with the 'visudo' command.

Do not edit the sudoers file directly with a text editor. Run visudo as root (or via sudo visudo): it locks the file against concurrent edits and refuses to save a file with a syntax error. That matters because a syntax error in /etc/sudoers makes sudo refuse to run for everyone, including the administrators who would otherwise fix it.

Running a command with sudo is simple: prefix it with sudo:

$ sudo command

Normally you are prompted for a password (your own, not root's); type it and press Enter.

$ sudo command
[sudo] password for user:

You can also switch to the superuser (root) first and then edit the policy, but do that with visudo as well, not by loosening the file's permissions. A common but wrong shortcut is

chmod 777 /etc/sudoers

followed by editing the file with an ordinary editor. sudo refuses to work at all while /etc/sudoers is world-writable (it reports the file as world writable and finds no valid sudoers source), any local user could append a rule granting themselves root while the mode is 0777, and a typo saved this way is not caught until sudo is broken. If the file has already been opened up, restore the mode sudo requires:

chmod 440 /etc/sudoers

make sure it is still owned by root, and check it with visudo's -c option before relying on it.

3. How to modify the permission configuration in the file:

root ALL=(ALL:ALL) ALL

Explanation of this rule, reading from left to right:

root: the user this rule applies to.

The first ALL: the rule applies on all hosts (sudoers files are often shared across machines, so a host list can limit a rule to some of them).

The second ALL (the first value inside the parentheses): root may run commands as any user, i.e. may switch to any target user with sudo -u.

The third ALL (after the colon): root may run commands as any group (sudo -g).

The fourth ALL: the rule applies to all commands.

So this line says that root may run any command via sudo. The general form of a user specification is

user  HOST=(RUNAS_USER:RUNAS_GROUP)  [TAG:] COMMANDS

where the command list can be narrowed to specific full paths instead of ALL, and an optional tag such as NOPASSWD changes how those commands are run.
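An added example, not from the original post: a shell script that performs the field breakdown above mechanically for any one-line user specification and grades what it grants. It handles the who / HOST / (RUNAS_USER:RUNAS_GROUP) / TAG: / COMMANDS fields discussed here; alias definitions and multi-line rules are out of scope. The function names are mine; the four sample rules are the ones that appear on this page (listing lines 100, 107 and 117, plus the greatdb rule added in the next section).

```shell
#!/bin/sh
# Split a sudoers user specification into its fields and grade how much it grants.
# Handles the common one-line form:
#   who  HOST=(RUNAS_USER[:RUNAS_GROUP])  [TAG: ...]  COMMANDS
# Alias definitions, multiple host specs and continuation lines are out of scope.

# parse_rule RULE -> "who|host|runas_user|runas_group|tags|commands"
# Empty runas_user means the default (root); empty runas_group means no
# Runas_Group was given, so sudo -g is not available under this rule.
parse_rule() {
    printf '%s\n' "$1" | awk '
    {
        sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") exit 1                       # comment or blank: not a rule
        who = $1
        rest = substr($0, length(who) + 1); gsub(/^[ \t]+/, "", rest)
        eq = index(rest, "="); if (eq == 0) exit 1
        host = substr(rest, 1, eq - 1); gsub(/[ \t]+$/, "", host)
        rest = substr(rest, eq + 1); gsub(/^[ \t]+/, "", rest)
        ru = ""; rg = ""
        if (substr(rest, 1, 1) == "(") {           # optional Runas_Spec
            cp = index(rest, ")"); if (cp == 0) exit 1
            inner = substr(rest, 2, cp - 2)
            n = split(inner, p, ":")
            ru = p[1]; if (n > 1) rg = p[2]
            gsub(/[ \t]/, "", ru); gsub(/[ \t]/, "", rg)
            rest = substr(rest, cp + 1); gsub(/^[ \t]+/, "", rest)
        }
        tags = ""
        while (match(rest, /^[A-Z]+:[ \t]*/)) {    # NOPASSWD:, SETENV:, ...
            t = substr(rest, 1, RLENGTH); sub(/:[ \t]*$/, "", t)
            tags = (tags == "") ? t : tags "," t
            rest = substr(rest, RLENGTH + 1)
        }
        printf "%s|%s|%s|%s|%s|%s\n", who, host, ru, rg, tags, rest
    }'
}

# field PARSED N -> the Nth "|"-separated field of a parse_rule result
field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }

# risk_of RULE -> high | medium | low
#   high:   any command (ALL) with no password prompt
#   medium: any command (ALL) but a password is still required
#   low:    an explicit command list
risk_of() {
    parsed=$(parse_rule "$1") || return 1
    tags=$(field "$parsed" 5)
    cmds=$(field "$parsed" 6-)
    case "$cmds" in
        ALL) case ",$tags," in *,NOPASSWD,*) echo high ;; *) echo medium ;; esac ;;
        *)   echo low ;;
    esac
}

# describe_rule RULE -> one-line prose breakdown in the order used in the text
describe_rule() {
    parsed=$(parse_rule "$1") || { echo "not a user specification: $1"; return 1; }
    who=$(field "$parsed" 1); host=$(field "$parsed" 2)
    ru=$(field "$parsed" 3);  rg=$(field "$parsed" 4)
    tags=$(field "$parsed" 5); cmds=$(field "$parsed" 6-)
    case "$who" in %*) kind="members of group ${who#%}" ;; *) kind="user $who" ;; esac
    printf '%s on host(s) %s may run "%s" as user %s' "$kind" "$host" "$cmds" "${ru:-root (default)}"
    [ -n "$rg" ] && printf ' and group %s' "$rg"
    [ -n "$tags" ] && printf ' with tags %s' "$tags"
    printf ' [risk: %s]\n' "$(risk_of "$1")"
}

# The rules that appear on this page:
for rule in 'root    ALL=(ALL)     ALL' \
            '%wheel    ALL=(ALL)    ALL' \
            'greatdb ALL=(ALL)      NOPASSWD: ALL' \
            '%users  localhost=/sbin/shutdown -h now'; do
    describe_rule "$rule"
done
```

Pointing this at the non-comment lines of /etc/sudoers and /etc/sudoers.d/* (for example `grep -hv '^\s*#' /etc/sudoers /etc/sudoers.d/* | while read -r r; do describe_rule "$r"; done` as root) gives a quick inventory of which accounts are effectively root and which of them get there without a password.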

Allowing an ordinary user to use sudo

Edit /etc/sudoers (with visudo) and add a line:

greatdb ALL=(ALL)      NOPASSWD: ALL

NOPASSWD: ALL means that the user can run every command as root without being asked for a password. Be clear about what this grants: the account greatdb becomes fully root-equivalent, and anyone who obtains a session as greatdb (a stolen SSH key, a web shell, a compromised service running under that account) gets root without a second password standing in the way. Leave out the NOPASSWD: tag unless an unattended process truly needs it, and where possible list only the commands the user needs instead of ALL.

Alternatively, add the entry below line 100 of the listing, under the comment ## Allow root to run any commands anywhere.
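The procedure above, as an added example that is not part of the original post: a small POSIX shell script that grants or revokes sudo for one account through a drop-in under /etc/sudoers.d (the #includedir target at listing line 120) rather than by editing /etc/sudoers itself, validates the rule with visudo before installing it, and installs it with the mode sudo requires. It goes slightly beyond the text in also covering the revoke side named in the title. The function names (sudo_grant, sudo_revoke, sudo_rule, dropin_name) and the SUDOERS_D variable are mine; greatdb and john.doe are placeholder user names.

```shell
#!/bin/sh
# Grant or revoke sudo for one account via a drop-in file under /etc/sudoers.d.
# SUDOERS_D can be pointed at a scratch directory for a dry run.
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# sudo ignores drop-in files whose name contains a '.' or ends in '~', so
# derive a safe file name ("john.doe" -> "john_doe") instead of installing
# a file that is silently never read.
dropin_name() { printf '%s\n' "$1" | tr '.' '_' | sed 's/~$//'; }

# sudo_grant USER [password|nopasswd]
# Writes "USER ALL=(ALL) ALL" (default) or "USER ALL=(ALL) NOPASSWD: ALL".
sudo_grant() {
    user=$1; mode=${2:-password}
    case "$mode" in
        password) tag="" ;;
        nopasswd) tag="NOPASSWD: " ;;
        *) echo "sudo_grant: mode must be password or nopasswd" >&2; return 2 ;;
    esac
    id "$user" >/dev/null 2>&1 || \
        echo "sudo_grant: warning: no such user $user (rule is inert until the account exists)" >&2
    tmp=$(mktemp) || return 1
    printf '%s ALL=(ALL) %sALL\n' "$user" "$tag" >"$tmp"
    chmod 0440 "$tmp"
    # Syntax-check before installing: a broken drop-in disables sudo for everyone.
    # visudo -c also checks owner and mode, so it only gives a clean verdict as root.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    # Mode 0440, owned by uid 0, is what sudo requires of drop-ins (run as root).
    install -m 0440 "$tmp" "$SUDOERS_D/$(dropin_name "$user")" && rm -f "$tmp"
}

# sudo_revoke USER: remove the drop-in. Rights the user still holds through
# group membership (e.g. %wheel) are untouched; use gpasswd -d USER wheel for those.
sudo_revoke() {
    f="$SUDOERS_D/$(dropin_name "$1")"
    [ -e "$f" ] || { echo "sudo_revoke: no drop-in for $1" >&2; return 1; }
    rm -f "$f"
}

# sudo_rule USER: show the rule currently installed for USER, if any.
sudo_rule() { cat "$SUDOERS_D/$(dropin_name "$1")" 2>/dev/null; }

# Usage, as root:
#   sudo_grant greatdb nopasswd   # the line added in the text above
#   sudo_grant greatdb            # safer: a password is still required
#   sudo_revoke greatdb
```

Keeping each grant in its own drop-in makes the revoke a single file removal and keeps /etc/sudoers itself untouched; the check with visudo -cf is what protects against the lock-out that a hand-edited file can cause.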