The sudo command

sudo is used to run a command as another user; the default target identity is root. The users who may run sudo are defined in /etc/sudoers. If a user who has not been authorized attempts to use sudo, a warning email is sent to the administrator. When a user runs sudo they must first enter their password; the authentication then stays valid for 5 minutes, after which the password must be entered again.

Syntax: sudo [options] [arguments]

Options (for general awareness only):
-b: run the command in the background;
-h: show help;
-H: set the HOME environment variable to the HOME of the new identity;
-k: end the password validity period, so that the next sudo invocation asks for the password again;
-l: list the commands the current user can and cannot run;
-p: change the password prompt;
-s: run the specified shell;
-u<user>: use the specified user as the new identity; if this option is omitted, root is the default;
-v: extend the password validity period by 5 minutes;
-V: show version information.
Configuring the sudoers file

sudo is configured by editing the /etc/sudoers file, and only the superuser may modify it. Use the visudo command to edit /etc/sudoers; it is operated like vi. When granting sudo rights for several commands, separate them with a comma followed by a space. There are two reasons to use visudo: first, it prevents two users from modifying the file at the same time; second, it performs a limited syntax check. So even if you are the only superuser, it is still best to use visudo so that the syntax gets checked.

[root@3 ~]# visudo    # edit the sudo configuration file
# This file MUST be edited with the 'visudo' command as root.
(visudo must be run as the root user!)

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
(authorize user 2; save and exit once the authorization is written)

[root@3 ~]# su - 2    # switch to the ordinary user
上一次登录:三 6月 14 10:23:01 CST 2017pts/1 上
[2@3 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
(!!! that is, the ordinary user has no permission to access root's home directory)
[2@3 ~]$ sudo /usr/bin/ls /root/    # access root's home directory via sudo
[sudo] password for adai001:
anaconda-ks.cfg    # access succeeded!!!
[2@3 ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg    # no password is needed when sudo is used again within the timeout
[2@3 ~]$ cat /root/
cat: /root/: 权限不够
[2@3 ~]$ sudo /usr/bin/cat /root/
/usr/bin/cat: /root/: 是一个目录

Notes:
1) When adding the user, a password must also be set for it (12345678 was set here); the user and its login password must exist as a pair!
2) When editing the sudo configuration file, the "NOPASSWD" prefix can be used to grant password-free use, so that the user password no longer has to be entered when running sudo!
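The procedure above (edit with visudo, list the allowed commands separated by a comma and a space, optionally prefix them with NOPASSWD) can be scripted and checked before anything touches /etc/sudoers. The following is an added example and not code from the original post: it builds a rule of the same shape as the one granted to user 2, but narrows the run-as user to root rather than (ALL), writes it as a drop-in file with the 0440 mode sudo expects, and runs a structural check that only accepts rules of the shape the helper emits. The helper names, the alice/bob sample users, the temporary directory and the assumption that the system includes /etc/sudoers.d are this example's own; visudo -cf remains the final authority on syntax.

```shell
#!/bin/sh
# Added example (not from the original post): build, install and sanity-check
# a sudoers rule that grants one user a fixed list of absolute-path commands.
# Helper names, sample users and the temporary directory are this example's own.

# sudoers_rule USER [NOPASSWD] CMD...  ->  "USER ALL=(root) [NOPASSWD: ]CMD, CMD"
# Commands are joined with ", " as the post requires; relative paths are rejected
# because sudoers matches commands by absolute path.
sudoers_rule() {
    user=$1; shift
    tag=""
    if [ "$1" = "NOPASSWD" ]; then tag="NOPASSWD: "; shift; fi
    [ $# -gt 0 ] || { echo "sudoers_rule: at least one command required" >&2; return 2; }
    list=""
    for c in "$@"; do
        case $c in
            /*) ;;
            *) echo "sudoers_rule: '$c' is not an absolute path" >&2; return 2 ;;
        esac
        list="${list:+$list, }$c"
    done
    printf '%s ALL=(root) %s%s\n' "$user" "$tag" "$list"
}

# Shape accepted by check_rule_file: WHO HOSTS=(RUNAS) [NOPASSWD:|PASSWD:] /abs/cmd[, /abs/cmd]...
RULE_RE='^[A-Za-z0-9_%+-]+[[:space:]]+[^=]+=\([A-Za-z0-9_, ]+\)[[:space:]]*((NOPASSWD|PASSWD):[[:space:]]*)?/[^,]+(,[[:space:]]*/[^,]+)*$'

# check_rule_file FILE: every non-comment, non-blank line must match RULE_RE.
# This is a house-rule check, not a sudoers parser; visudo -cf FILE is the real test.
check_rule_file() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev "$RULE_RE" || true)
    if [ -n "$bad" ]; then
        printf 'check_rule_file: unexpected rule shape in %s: %s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# write_dropin DIR NAME [NOPASSWD] CMD...: write DIR/NAME (the user name doubles
# as the file name), mode 0440, then check it. Names containing '.' or ending
# in '~' are rejected because sudoers.d ignores such files.
write_dropin() {
    dir=$1; shift
    name=$1
    case $name in
        *.*|*~) echo "write_dropin: '$name' would be ignored by sudoers.d" >&2; return 2 ;;
    esac
    rule=$(sudoers_rule "$@") || return 2
    printf '# generated by write_dropin (example); verify with: visudo -cf %s/%s\n%s\n' \
        "$dir" "$name" "$rule" > "$dir/$name"
    chmod 0440 "$dir/$name"
    check_rule_file "$dir/$name"
}

# visudo_check FILE: run sudo's own parser when visudo is installed.
visudo_check() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not available here; skipping" >&2; return 0; }
    visudo -cf "$1"
}

# Demo against a temporary directory standing in for /etc/sudoers.d.
demo_dir=$(mktemp -d)
write_dropin "$demo_dir" alice NOPASSWD /usr/bin/ls /usr/bin/cat && cat "$demo_dir/alice"
visudo_check "$demo_dir/alice"
rm -rf "$demo_dir"
```

In real use the drop-in goes to /etc/sudoers.d/NAME and is then confirmed with `visudo -cf /etc/sudoers.d/NAME` as root; the structural check only catches shape mistakes (a relative command, a missing run-as list) before that step.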
sudo -i in detail

sudo: temporarily switches to superuser mode to exercise superuser privileges. When prompted for a password, it is the current user's password, not the superuser's. It is time-limited; on Ubuntu the default is 15 minutes per session.

su: switches to the given user. When prompted for a password, it is the password of the account being switched to; usage is "su <account name>". If no account is given, root is assumed and the password is the superuser's. There is no time limit.

sudo -i: for running superuser-only commands repeatedly without entering a password every time. When prompted, the password is the current account's. There is no time limit. After running it the prompt becomes "#" instead of "$". To return to the ordinary account, run "exit" or "logout".

There are in fact several similar usages:

sudo /bin/bash:
This command also switches to root's bash, but does not fully take on all of root's environment variables (PATH, for example), while it does have root's privileges. This command is equivalent to sudo -s.

sudo -s: as above.

sudo su: this command also logs in as root, but does not switch to root's environment variables, such as PATH.

sudo su -: this command switches purely into root's environment. Think of it as first switching to the root identity and then running su - as root; at that point it is no different from logging in as root. The result looks the same as sudo -i, but there is a difference: sudo only temporarily holds root's privileges, whereas su actually logs into the Linux system with the root account.

So, to summarize:

sudo su - is roughly equivalent to sudo -i

sudo -s is exactly equivalent to sudo /bin/bash, which is roughly equivalent to sudo su

sudo is always wearing a "temporary privilege hat" and is not equivalent to a genuine login to the system.
Sample sudo configuration file

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
           SGI = grolsch, dandelion, black:\
           ALPHA = widget, thalamus, foobar:\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                   /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                  /usr/bin/chfn

##
# Override built-in defaults
##
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL

# jack may run anything on machines in CSNETS
jack CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
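The sample file above contains exactly the kinds of entries a review should look at twice: bare ALL as a command, NOPASSWD combined with ALL, grants of su or of the SHELLS alias, rules that apply to every user (ALL in the user position), and rules that rely on ! exclusions. The following added audit script is not part of the original post or of the sudo project; it parses sudoers-format text (joining backslash-continued lines the way the sample uses them), prints one finding per flagged user specification, and runs itself over a constructed sample modelled on the post's entries. The rule set is this example's own heuristic, not sudo policy.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only audit pass over a
# sudoers-format file. The rules below are this example's heuristics; adapt
# them to local policy. Nothing here modifies the file.

# Print user specifications only: join backslash-continued lines, drop comments,
# blank lines, include directives, Defaults and alias definitions.
sudoers_user_specs() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            if (line == "" || line ~ /^[#@]/) next
            if (line ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/) next
            print line
        }' "$1"
}

# One finding per risky user specification: "<who>: <reasons> -> <rule>".
# root and %wheel are treated as the intended administrators, as in the sample.
audit_sudoers() {
    sudoers_user_specs "$1" | awk '
        BEGIN {
            # bare ALL as a command token (not the (ALL) run-as list)
            all_cmd  = "(^|[[:space:],:])ALL([[:space:],:]|$)"
            # a shell or su granted directly or via the SHELLS/SU aliases, unless negated
            shell_re = "(^|[^!A-Za-z_/])(SHELLS|SU|/bin/sh|/bin/bash|/usr/bin/sh|/usr/bin/bash|/bin/su|/usr/bin/su)([[:space:],:]|$)"
        }
        {
            who = $1
            eq = index($0, "=")
            cmds = (eq > 0) ? substr($0, eq + 1) : ""
            reasons = ""
            if (who == "ALL")
                reasons = reasons "applies to every user; "
            if (who != "root" && who != "%wheel" && cmds ~ all_cmd)
                reasons = reasons "ALL commands permitted (check the run-as list); "
            if (cmds ~ /NOPASSWD:[[:space:]]*ALL/)
                reasons = reasons "NOPASSWD combined with ALL; "
            if (cmds ~ shell_re)
                reasons = reasons "interactive shell or su granted; "
            if (cmds ~ /!/)
                reasons = reasons "exclusion-based rule (negated commands); "
            if (reasons != "") print who ": " reasons "-> " $0
        }'
}

# Number of flagged rules, usable as a gate in a configuration-review pipeline.
audit_finding_count() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

# Constructed sample in the style of the post's entries (not a real system file).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the post
Defaults syslog=auth
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/bash
root     ALL=(ALL) ALL
%wheel   ALL=(ALL) ALL
2        ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
FULLTIMERS ALL = NOPASSWD: ALL
jill     SERVERS = /usr/bin/, !SU, !SHELLS
joe      ALL = /usr/bin/su operator
ALL      CDROM = NOPASSWD: /sbin/umount /CDROM,\
                 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/
EOF
}

# Run over the constructed sample: expect FULLTIMERS, jill, joe and the ALL
# CDROM rule to be flagged, and root, %wheel, user 2 and operator to pass.
sample=$(mktemp)
write_sample_sudoers "$sample"
audit_sudoers "$sample"
printf 'findings: %s\n' "$(audit_finding_count "$sample")"
rm -f "$sample"
```

Run it as `sh audit.sh` against a copy of /etc/sudoers (or a file under /etc/sudoers.d) to get the same one-line-per-finding report; a finding is a prompt to read the rule, not a verdict, since the sample itself shows legitimate uses of several of these patterns.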
While editing the file you can search for a keyword with "/" and enter ":set nu" (nu = number) to show line numbers.