- 积分
- 10358
在线时间 小时
最后登录1970-1-1
|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有帐号?开始注册
x
sudu命令# Y8 h. J" I6 J: F) } u' V
6 L* @2 O! t5 a/ m7 r: n用来以其他身份来执行命令,预设的身份为root。在/etc/sudoers中设置了可执行sudo指令的用户。若其未经授权的用户企图使用sudo,则会发出警告的邮件给管理员。用户使用sudo时,必须先输入密码,之后有5分钟的有效期限,超过期限则必须重新输入密码。
' Z0 J4 H5 `( }! a, Z0 U4 [
! L. e! j+ Q( E/ p0 i语法: sudo (选项) (参数)
2 M4 j1 ]9 |0 D7 {选项: (该部分只做了解)5 ~ x/ Y0 U1 O2 N; ~$ c3 n5 x
-b:在后台执行指令;
$ w" L6 D3 w, f" k) n" X) t" z( f3 d-h:显示帮助;1 }, S h8 F0 A: h, q9 ~7 B% i
-H:将HOME环境变量设为新身份的HOME环境变量;
+ S/ [: f& r6 ?! P8 a; P: z; q5 b-k:结束密码的有效期限,也就是下次再执行sudo时便需要输入密码;
1 T( o' R6 O" o; A4 U: R-l:列出目前用户可执行与无法执行的指令;
- ?& u& W2 g; d-p:改变询问密码的提示符号;
( J, Z/ C$ c6 @( a-s:执行指定的shell;
% S9 e" {7 G4 c. a* @: i-u<用户>:以指定的用户作为新的身份。若不加上此参数,则预设以root作为新的身份;
( B( q* x- M/ q, n0 Q$ T/ w. w) D-v:延长密码有效期限5分钟;" c$ h A& D' q2 x
-V :显示版本信息。6 G1 W0 e' H3 Y7 t1 @
9 d# c/ [8 C0 Z+ t% \1 n5 D: U# Dsudo文件配置3 u v3 x$ g1 o4 G
3 p3 ?/ c- Q' p) `) h7 i; s6 u7 r( V
配置sudo必须通过编辑/etc/sudoers文件,而且只有超级用户才可以修改它。使用visudo命令编辑/etc/sudoers配置文件,操作方法同vi命令。当对多个命令设置速sudo权限时,需要用逗号加空格隔开。使用visudo有两个原因,一是它能够防止两个用户同时修改它;二是它也能进行有限的语法检查。所以,即使只有你一个超级用户,你也最好用visudo来检查一下语法。
) s, G [( j6 f4 p8 M: p# L& P
+ [7 S% o9 s, Z5 \[root@3 ~]# visudo 更改sudo配置文件9 K5 q, O1 } W- g7 j8 H
4 w0 b3 @# [% x N& }
# This file MUST be edited with the 'visudo' command as root.
. }0 W$ P2 C- \# k必须在root用户使用visudo命令!
0 V% G2 q" z0 N' d
8 j9 O! j' c+ q* {. m## Allow root to run any commands anywhere
% c" g3 S. u+ [* Oroot ALL=(ALL) ALL
9 d2 G# m0 n9 G& F2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat8 ^- p; I( n4 E9 X% D
对2用户进行授权(授权完毕后保存退出)( M+ Q; n6 w% U' B
: L9 b) \0 K% u
[root@3 ~]# su - 2 切换到普通用户7 \! k: W0 N! U1 n4 g* G
上一次登录:三 6月 14 10:23:01 CST 2017pts/1 上
2 A4 a# w& P# f8 o2 l1 P[2@3 ~]$ ls /root/1 o0 r# [& o' A$ u* a+ g& m5 I# V
ls: 无法打开目录/root/: 权限不够 - e0 I! H; y: f& |4 x& I- v
(!!!即,普通用户没有访问root用户的权限)
q. T9 g1 G& X0 Q[2@3 ~]$ sudo /usr/bin/ls /root/ . h5 Y3 s3 f* p* p2 }
使用sudo命下访问root用户
6 n- _) o8 T3 k I[sudo] password for adai001:
2 W2 d, y: W/ _3 |$ ganaconda-ks.cfg 访问成功!!!" o: `3 E4 |, q U; I; W
[2@3 ~]$ sudo /usr/bin/ls /root/
! D2 s1 I9 Q* |3 l8 G0 panaconda-ks.cfg 再次使用sudo命令时无需输入密码. g9 Z! l7 A' j
[2@3 ~]$ cat /root/ . k% J9 I4 H: M2 I7 Y
cat: /root/: 权限不够
3 J* @2 B6 N( F* w T) t5 ? a[2@3 ~]$ sudo /usr/bin/cat /root/* P. j0 z8 b8 X
/usr/bin/cat: /root/: 是一个目录/ I! C+ M; d; K5 C- q* Q1 _
注:
1 a, W5 e& T8 r- \1)在增添用户的同时需要对用户设置密码(此处设置的是12345678),用户和登录密码要同时成对存在!+ `4 y+ R/ ?0 \ H c- k, Y l
2)在编辑sudo配置文件时可以使用"NOPASSWD"前缀设置无密码使用权限,即在使用sudo命令时不用再输入用户密码!0 R: M# [, t4 ^8 J8 J6 F
/ Y- H0 G1 n. Z4 d6 ]; ksudo -i 详解
" Y7 w. `. y# |
. S$ ~; H. p& n O$ {& ^sudo : 暂时切换到超级用户模式以执行超级用户权限,提示输入密码时该密码为当前用户的密码,而不是超级账户的密码。不过有时间限制,Ubuntu默认为一次时长15分钟。
% Y: ?6 q( Q9 B2 o! N* c) B, j1 V" Q+ h( q" N2 L" T! ?& ~
su : 切换到某某用户模式,提示输入密码时该密码为切换后账户的密码,用法为“su账户名称”。如果后面不加账户时系统默认为root账户,密码也为超级账户的密码。没有时间限制。7 ~) J) K% m6 G, i; d5 x
- Y1 Z' x" y3 n# G5 h" msudo -i: 为了频繁的执行某些只有超级用户才能执行的权限,而不用每次输入密码,可以使用该命令。提示输入密码时该密码为当前账户的密码。没有时间限制。执行该命令后提示符变为“#”而不是“$”。想退回普通账户时可以执行“exit”或“logout” 。1 X* o1 `! K. U# `* ]% f* C$ d
2 G! U0 }" z! G; b5 h0 f4 K& h其实,还有几个类似的用法:; k: w( ~* g, x: x9 d
sudo /bin/bash:
$ P" z2 K7 w# G6 m这个命令也会切换到root的bash下,但不能完全拥有root的所有环境变量,比如PATH,可以拥有root用户的权限。这个命令和 sudo -s 是等同的。2 Q$ f! @ {7 P& a9 {9 A
" i6 b6 B1 i" s9 x2 ^
sudo -s : 如上
, h/ [( ~! p. g/ ^! o+ ]9 }+ O
) C5 H) ?* w* _. \' s5 v4 ?' D3 xsudo su : 这个命令,也是登录到了root,但是并没有切换root的环境变量,比如PATH。
% x5 F P, B6 t$ A- Y0 _! p( x& C5 W" U0 y
sudo su - : 这个命令,纯粹的切换到root环境下,可以这样理解,先是切换到了root身份,然后又以root身份执行了 su -,此时跟使用root登录没有什么区别。此结果貌似跟sudo -i的效果是一样的,但是也有不同,sudo只是临时拥有了root的权限,而su则是使用root账号登录了linux系统。
]. l0 I+ O* Y! H. ~) z5 G所以,我们再来总结一下:2 a' n; T; I0 A( J+ G, O& u
7 A, w9 c5 a1 h2 y
sudo su - 约等于 sudo -i
0 N+ @; e% R4 `: K5 t( \
, j2 J+ r/ k7 Gsudo -s 完全等于 sudo /bin/bash 约等于 sudo su* x4 }* u% |& V4 }$ [0 p
sudo 终究被一个"临时权限的帽子"扣住,不能等价于纯粹的登录到系统里。% Q" z& C! i; ~. a. r" B/ d/ e
) ^# e5 C& j' v3 \( G6 z% bsudo配置文件样例
% B' o3 @- }+ P; v3 r" ~0 ?6 U' j. |* b" g- c1 w6 l" E
#
! B7 r1 ?- B( O" \0 E6 y+ g# Sample /etc/sudoers file.* x% J3 g6 N# V- @0 Q6 K( o
#
% [" L8 u/ Y, h. m1 i# This file MUST be edited with the 'visudo' command as root.
3 X6 g/ C; m) |9 x8 n#/ W( N+ I- I$ J, b
# See the sudoers man page for the details on how to write a sudoers file.6 g2 K j+ o- v2 c2 e& |
#
+ v/ v1 D$ {& \1 _! ~1 |7 i1 g
3 I: a+ I) A5 P" H f- S##
+ F; g3 ~, j: n) B# User alias specification4 I: S) } \: ^
##( X q6 O* N4 D7 p s& M5 C
User_Alias FULLTIMERS = millert, mikef, dowdy
' |9 y. t9 u1 J* v2 S" }User_Alias PARTTIMERS = bostley, jwfox, crawl& X7 D3 \, \9 q$ a2 C" y, `2 }
User_Alias WEBMASTERS = will, wendy, wim A+ Q& _' w7 z4 O$ h; l
" I( Q9 G/ P3 d/ A, F) O
##6 z& G. p- ?/ ~- k" K: J3 g
# Runas alias specification( V4 h% K. @$ ?. f! H8 C. ?0 L& A3 _" \
##
* T6 c5 u) ~( b. v) P: f; X. L" TRunas_Alias OP = root, operator: I+ |+ K ?% _( v) B
Runas_Alias DB = oracle, sybase4 c) E- g( Y" n8 I. s
8 E$ [& z v. f6 _& G+ J0 g" H- W% A##0 |+ o; L% Y5 e& P: M
# Host alias specification1 W/ S5 s4 V0 t! _* s& |/ N
##
4 l0 M/ p' O4 R/ X4 zHost_Alias SPARC = bigtime, eclipse, moet, anchor:\1 e7 z7 W+ z9 v4 [9 ]2 c
SGI = grolsch, dandelion, black:\& }* S4 x1 s2 M4 B/ W
ALPHA = widget, thalamus, foobar:\; O+ [8 K" x5 U
HPPA = boa, nag, python' P) Y5 i5 j7 v1 _1 O: Y2 u
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
3 M4 k. i+ a3 T4 S5 OHost_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
! R& ~0 q K4 u) q$ F/ T6 GHost_Alias SERVERS = master, mail, www, ns8 d9 C& j* k, A# T ?4 L
Host_Alias CDROM = orion, perseus, hercules
( j$ c% |! ]' _$ N% @7 ~. j. D
2 M% j' F0 E) T1 |) o9 ^$ _##
! w0 h8 I# m7 Y* _$ W- E# Cmnd alias specification4 Z$ z0 |: D- z" _
##- i: P! n$ T! ]' ^1 V0 e) ~
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
+ n7 N# G h5 B6 b4 i k2 e" \ /usr/sbin/rrestore, /usr/bin/mt: B) j/ u( n5 f2 t s
Cmnd_Alias KILL = /usr/bin/kill, ]* z0 ^: D/ h6 E# k
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
0 j$ K" e; C3 ?# a6 h. o2 zCmnd_Alias SHUTDOWN = /usr/sbin/shutdown
" ?$ ]2 \. K0 H& @7 U" O9 mCmnd_Alias HALT = /usr/sbin/halt3 v1 x, U" |( z4 h, M: i1 v1 J1 w
Cmnd_Alias REBOOT = /usr/sbin/reboot
6 ?( |. H9 r5 K3 L* ^Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \- d* @$ J, @. z6 p
/usr/local/bin/tcsh, /usr/bin/rsh, \
. x- D& u1 l, J/ X) s /usr/local/bin/zsh
7 c! a* _2 G, t- u% B h3 Q8 Q2 rCmnd_Alias SU = /usr/bin/su) q' }8 O9 X) ^1 K) {
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \. X; p/ k0 F# v* M D( e
/usr/bin/chfn
4 C& l1 A* L! B; R4 Q' Y6 Q, ?2 b4 S" f ~' H9 g. P, g
##
* U8 K4 L# }+ G% X6 I p. e' t, l D# Override built-in defaults3 a. g) m' |3 r0 Z, U, x! x7 t9 U
##
( V' S" T j" c5 F# VDefaults syslog=auth( \8 E0 N& q9 M! i* o" e! m
Defaults>root !set_logname
# J4 j. s# D# L6 |7 o) ADefaults:FULLTIMERS !lecture5 W+ e9 P* K$ k4 ^; A& ^
Defaults:millert !authenticate
7 z& f. d! i$ J! u" @& |0 xDefaults@SERVERS log_year, logfile=/var/log/sudo.log) k3 ?4 Q b+ ]: K
9 ^. y8 f5 [/ h9 C5 u##3 j7 b2 t$ {) Q3 Z5 D
# User specification7 E7 n$ o% F+ @- j
##
V7 [* s4 D" T$ p5 ]/ R5 Z4 Q) V* O7 i1 S4 e1 n
# root and users in group wheel can run anything on any machine as any user/ ]$ X7 A* n% ^/ g
root ALL = (ALL) ALL+ I# q6 U; I- N1 R( A, e
%wheel ALL = (ALL) ALL
3 }& m5 c4 t2 k, P) V' k6 n3 [' \+ G" H) Q. K+ @
# full time sysadmins can run anything on any machine without a password
' e" c! d7 e4 P5 c' Y' g1 OFULLTIMERS ALL = NOPASSWD: ALL* Y; t" I9 f4 e, O
% r$ S$ F8 ~+ T$ _# part time sysadmins may run anything but need a password
3 k3 h. @4 `5 e. L" bPARTTIMERS ALL = ALL
7 V" p2 R! t0 S* E* \4 k* H$ _9 c x/ {% q& i2 a9 _
# jack may run anything on machines in CSNETS
& p( V X- d( _: K5 R- W4 o8 l5 m6 ^jack CSNETS = ALL3 A* l; l9 x; Z P( S) m/ X0 O7 `+ y+ d6 R
; q* {6 Z5 \2 p; t( e1 D5 D: W# lisa may run any command on any host in CUNETS (a class B network)% K6 p9 z# A% N
lisa CUNETS = ALL
5 Q0 u) u6 ]$ g% y b f
/ T4 u, x7 J0 A. Y3 ` a1 I. W# operator may run maintenance commands and anything in /usr/oper/bin/
% S6 v- u. |, J) Voperator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1 u; F: W" E' Q6 \' @ sudoedit /etc/printcap, /usr/oper/bin/
6 ]& `! \" r& o" T: q1 V# N8 `4 g
3 a# G$ |. Z) a% C& h! v. o! F5 J# joe may su only to operator$ _ y7 z( m( @
joe ALL = /usr/bin/su operator' x! |* ?+ z' X ]8 z. U# i
& A q- L9 ]0 |, G, T+ P. ?% `
# pete may change passwords for anyone but root on the hp snakes
- S. M1 X( J8 x4 @( G1 apete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root6 |4 a3 e. ?! c5 n5 h- Q0 t; H
9 s* u; [: k$ ^; G% B# bob may run anything on the sparc and sgi machines as any user
/ h) P8 F1 m4 w. A4 F+ ?# listed in the Runas_Alias "OP" (ie: root and operator)% x' o7 l9 K- m1 V# l# V$ s
bob SPARC = (OP) ALL : SGI = (OP) ALL
0 p+ N# S. K5 [) r1 t6 m; e4 B9 `9 {8 a: B$ L; n
# jim may run anything on machines in the biglab netgroup: W* }7 z' _9 u5 \6 E
jim +biglab = ALL# p& T Y9 E7 }! J
7 t8 `1 C# w6 G2 B/ |
# users in the secretaries netgroup need to help manage the printers
0 @' ^# B, t9 |8 E6 l4 O# as well as add and remove users
2 n2 Z2 k7 u- m" M0 K* m" N% i U+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser% H1 N5 `- y( y! }2 q$ b
7 ?; |- m+ t* [2 U5 q; B, \6 [# fred can run commands as oracle or sybase without a password
) m7 B8 C4 b4 z8 h# ]2 Sfred ALL = (DB) NOPASSWD: ALL# f- S, Y% I8 w4 v( v& V' \
" Q0 B1 l1 j2 E; b. m# on the alphas, john may su to anyone but root and flags are not allowed7 @ a2 C0 O) P
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*" H* t2 O/ i1 C1 e
/ H/ g$ l# ]" H
# jen can run anything on all machines except the ones
4 u0 ~" h6 h) j$ [0 e! l# in the "SERVERS" Host_Alias8 M8 X* B u" a+ S# S T
jen ALL, !SERVERS = ALL
4 H$ G% ?( s1 N
- o5 l( q; E- M) d# K# jill can run any commands in the directory /usr/bin/, except for
' O$ d% t. n& i# those in the SU and SHELLS aliases.$ b! s4 \+ |, R. C7 f
jill SERVERS = /usr/bin/, !SU, !SHELLS
# _4 }$ E I6 f7 u. p0 [7 b7 w( o' @! U0 d+ s
# steve can run any command in the directory /usr/local/op_commands/& d% E9 Y% c3 w) s9 n% i, W6 Y
# as user operator.
! h3 l; P; ^+ X; O9 H7 S. K7 S) hsteve CSNETS = (operator) /usr/local/op_commands/1 w: M) d% p- ~4 Z0 u; T
4 {9 A; {: s& o7 N2 k! ]
# matt needs to be able to kill things on his workstation when
) ~% N& |1 J8 U" d. S9 v# they get hung.7 A4 U# U" m3 ?2 O/ G
matt valkyrie = KILL
, P& [. ?- [( }3 m m O" A" }
1 d; x: L' _0 H: D7 W' v# users in the WEBMASTERS User_Alias (will, wendy, and wim)
N& h% E' f/ S0 A1 U$ ?! H# Z$ F# may run any command as user www (which owns the web pages)
# b1 d# T7 M D8 a# or simply su to www.7 u# D6 l2 i5 ^5 \% n$ N* S& i
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1 V) `9 C) L2 E) c- t0 y
+ J) G! B9 Q6 {4 S1 Z: `; _# anyone can mount/unmount a cd-rom on the machines in the CDROM alias5 \+ [. ?# [/ G* C m% u/ F
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ p) q) g1 [, P! l" C6 Z+ Y /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM, ?) d' X. G0 `& [, N
文件编辑状态下可以用“/”进行关键词查找,输入“:set nu(=number)”显示行号。 |
|
/4 
窥视卡
雷达卡
发表于 2018-12-27 10:19:51
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主
发表于 2018-12-27 10:51:09
