The sudo command

sudo runs a command as another user; the default target identity is root. The users permitted to run sudo are configured in /etc/sudoers. If an unauthorized user attempts to use sudo, a warning mail is sent to the administrator. When using sudo, the user must first enter a password; the authentication is then valid for 5 minutes, after which the password must be entered again.
Syntax: sudo (options) (arguments)
Options (for reference only):
-b: run the command in the background;
-h: display help;
-H: set the HOME environment variable to the target user's HOME;
-k: end the password validity period, so that the next sudo invocation requires a password again;
-l: list the commands the current user is and is not allowed to run;
-p: change the password prompt;
-s: run the specified shell;
-u<user>: run as the specified user. Without this option, root is used as the target user by default;
-v: extend the password validity period by 5 minutes;
-V: display version information.
Configuring the sudo file

sudo is configured by editing /etc/sudoers, and only the superuser can modify it. Use the visudo command to edit /etc/sudoers; it is operated the same way as vi. When granting sudo rights for several commands, separate them with a comma followed by a space. There are two reasons to use visudo: it prevents two users from modifying the file at the same time, and it performs limited syntax checking. So even if you are the only superuser, you should still use visudo to check the syntax.
[root@3 ~]# visudo                        # edit the sudo configuration file
# This file MUST be edited with the 'visudo' command as root.
(visudo must be run as the root user!)

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
(grant user 2 these commands; save and exit when done)

[root@3 ~]# su - 2                        # switch to the ordinary user
上一次登录:三 6月 14 10:23:01 CST 2017pts/1 上
[2@3 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
(!!! an ordinary user has no permission to access root's directory)
[2@3 ~]$ sudo /usr/bin/ls /root/          # access root's directory via sudo
[sudo] password for adai001:
anaconda-ks.cfg                           # access succeeded!!!
[2@3 ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg                           # no password needed when sudo is used again
[2@3 ~]$ cat /root/
cat: /root/: 权限不够
[2@3 ~]$ sudo /usr/bin/cat /root/
/usr/bin/cat: /root/: 是一个目录
Notes:
1) When adding the user, a password must be set for the user at the same time (12345678 was set here); the user and the login password must exist as a pair!
2) When editing the sudo configuration file, the "NOPASSWD" prefix can be used to grant password-free permission, i.e. the user password no longer has to be entered when running sudo!
sudo -i explained

sudo: temporarily switches to superuser mode to run with superuser privileges. When prompted for a password, it is the current user's password, not the superuser's. This is time-limited; on Ubuntu the default is 15 minutes per authentication.

su: switches to a given user. When prompted for a password, it is the password of the account being switched to; the usage is "su <account name>". If no account is given, the system assumes root, and the password is the superuser's. There is no time limit.

sudo -i: use this command when you need to run privileged commands frequently without entering the password every time. The password prompted for is the current account's password. There is no time limit. After running it the prompt changes to "#" instead of "$". To return to the ordinary account, run "exit" or "logout".

There are a few other similar usages:
sudo /bin/bash:
This command also switches to root's bash, but it does not fully get root's environment variables, such as PATH, although it has root's privileges. This command is equivalent to sudo -s.

sudo -s: as above.

sudo su: this command also logs in as root, but it does not switch to root's environment variables, such as PATH.

sudo su -: this command switches purely to root's environment. Think of it as first switching to the root identity, then running su - as root; at that point it is no different from logging in as root. The result looks the same as sudo -i, but there is a difference: sudo only temporarily holds root's privileges, whereas su logs into the Linux system with the root account.
So, to summarize:

sudo su - is roughly equivalent to sudo -i
sudo -s is exactly equivalent to sudo /bin/bash, which is roughly equivalent to sudo su
sudo is ultimately capped by a "temporary privilege hat" and is not equivalent to a genuine login to the system.
Sample sudo configuration file

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
           SGI = grolsch, dandelion, black:\
           ALPHA = widget, thalamus, foobar:\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                   /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                  /usr/bin/chfn

##
# Override built-in defaults
##
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL

# jack may run anything on machines in CSNETS
jack CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
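To see how sudo resolves the user specifications above (and the "2 ALL=(ALL) /usr/bin/ls, ..." line from the session earlier), here is an added policy evaluator written for this page; it is not sudo's own parser. It handles aliases, "!" exclusions, trailing-slash directory entries, "(runas)" lists and NOPASSWD, and ignores wildcards, %groups, +netgroups and sudoedit; the SAMPLE text is a constructed fragment of the sample file, not a real host's policy.

```python
import re

# Constructed fragment of this page's sample /etc/sudoers, not a real host's policy.
SAMPLE = """Host_Alias SERVERS = master, mail, www, ns
Runas_Alias DB = oracle, sybase
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
jill SERVERS = /usr/bin/, !SU, !SHELLS
fred ALL = (DB) NOPASSWD: ALL"""
ALIAS_RE = re.compile(r"^(?:User|Host|Runas|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(.+?)\s*=\s*(?:\((.+?)\)\s*)?(NOPASSWD:)?\s*(.+)$")
split = lambda s: [x.strip() for x in s.split(",")]

def parse(text):
    """Return (aliases, rules); a rule is (user, hosts, runas_list, nopasswd, cmds)."""
    aliases, rules = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := ALIAS_RE.match(line):
            aliases[m[1]] = split(m[2])
        elif m := RULE_RE.match(line):  # blank lines match neither regex; '#' comments not handled
            u, h, r, np, c = m.groups()
            rules.append((u, split(h), split(r or "root"), bool(np), split(c)))
    return aliases, rules

def expand(item, aliases):
    """Resolve an optionally negated, possibly nested alias to (negated, leaf) pairs, in order."""
    neg, leaf = item.startswith("!"), item.lstrip("!")
    if leaf not in aliases:
        return [(neg, leaf)]
    return [(neg ^ n, l) for sub in aliases[leaf] for n, l in expand(sub, aliases)]

def verdict(items, aliases, value, match=lambda p, v: p == v):
    """sudoers semantics: the last list entry that matches decides; None if none does."""
    hits = [not neg for it in items for neg, leaf in expand(it, aliases) if leaf == "ALL" or match(leaf, value)]
    return hits[-1] if hits else None

def cmd_match(pattern, cmd):  # a rule entry without arguments matches any arguments
    path = cmd.split()[0]
    if pattern.endswith("/"):  # trailing '/' = any file directly inside that directory
        return path.startswith(pattern) and "/" not in path[len(pattern):]
    return pattern == path

def check(policy, user, host, cmd, runas="root"):
    """Return 'allow', 'allow-nopasswd' or 'deny' for user running cmd as runas on host."""
    aliases, rules = policy
    result = "deny"
    for ruser, hosts, runas_list, nopw, cmds in rules:
        if all(verdict(x, aliases, v) for x, v in (([ruser], user), (hosts, host), (runas_list, runas))):
            v = verdict(cmds, aliases, cmd, cmd_match)
            if v is not None:  # later rules override earlier ones; a matching '!' entry denies
                result = ("allow-nopasswd" if nopw else "allow") if v else "deny"
    return result
```

For example, jill on host mail gets "allow" for /usr/bin/ls but "deny" for /usr/bin/sh, because the later !SHELLS entry wins over the /usr/bin/ directory grant.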
While editing the file, you can search for a keyword with "/", and type ":set nu" (=number) to display line numbers.