The sudo command

sudo runs a command as another user; the default identity is root. The users permitted to run sudo are configured in /etc/sudoers. If an unauthorized user attempts to use sudo, a warning e-mail is sent to the administrator. A user running sudo must first enter a password, after which there is a 5-minute grace period; once it expires the password must be entered again.

Syntax: sudo (options) (arguments)
Options: (this part is for reference only)
-b: run the command in the background;
-h: display help;
-H: set the HOME environment variable to that of the new identity;
-k: end the password grace period, i.e. the next sudo invocation will require the password again;
-l: list the commands the current user may and may not run;
-p: change the password prompt;
-s: run the specified shell;
-u<user>: run as the specified user. If this option is omitted, root is used by default;
-v: extend the password grace period by 5 minutes;
-V: display version information.

sudo configuration file

sudo is configured by editing /etc/sudoers, and only the superuser may modify it. Use the visudo command to edit /etc/sudoers; it is operated the same way as vi. When granting sudo rights for several commands, separate them with a comma followed by a space. There are two reasons to use visudo: first, it prevents two users from editing the file at the same time; second, it performs a limited syntax check. So even if you are the only superuser, it is still best to let visudo check the syntax.

[root@3 ~]# visudo    (edit the sudo configuration file)
# This file MUST be edited with the 'visudo' command as root.
visudo must be run as root!

## Allow root to run any commands anywhere
root    ALL=(ALL) ALL
2       ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
Grant user 2 the commands above (save and exit once done)

[root@3 ~]# su - 2    (switch to the ordinary user)
上一次登录:三 6月 14 10:23:01 CST 2017pts/1 上
[2@3 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
(!!! i.e. the ordinary user has no permission to access root's home directory)
[2@3 ~]$ sudo /usr/bin/ls /root/    (access root's home directory via sudo)
[sudo] password for adai001:
anaconda-ks.cfg    (access succeeded!!!)
[2@3 ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg    (no password is required when sudo is used again)
[2@3 ~]$ cat /root/
cat: /root/: 权限不够
[2@3 ~]$ sudo /usr/bin/cat /root/
/usr/bin/cat: /root/: 是一个目录
Notes:
1) When adding the user, a password must be set for it at the same time (12345678 was used here); the user and its login password must exist as a pair!
2) When editing the sudo configuration file, the "NOPASSWD" prefix can be used to grant passwordless access, so that no user password needs to be entered when running sudo!

sudo -i explained

sudo: temporarily switch to superuser mode to run with superuser privileges. The password prompted for is the current user's password, not the superuser's. There is a time limit; on Ubuntu the default is 15 minutes per session.

su: switch to a given user; the password prompted for is the password of the target account, and the usage is "su username". If no account is given, the system defaults to root and the password is the superuser's. There is no time limit.

sudo -i: use this when certain superuser-only commands need to be run frequently without entering the password every time. The password prompted for is the current account's password. There is no time limit. After running it the prompt changes to "#" instead of "$". To return to the ordinary account, run "exit" or "logout".
In fact, there are several similar usages:
sudo /bin/bash:
This command also switches to root's bash and has root's privileges, but it does not fully take over root's environment variables such as PATH. This command is equivalent to sudo -s.

sudo -s: as above

sudo su: this command also logs you in as root, but does not switch to root's environment variables, such as PATH.

sudo su -: this command switches cleanly into root's environment. Think of it as first switching to the root identity and then running su - as root; at that point it is no different from logging in as root. The result appears to be the same as sudo -i, but there is a difference: sudo only holds root's privileges temporarily, whereas su logs into the Linux system with the root account.
So, to summarize again:

sudo su - is roughly equivalent to sudo -i

sudo -s is exactly equivalent to sudo /bin/bash, which is roughly equivalent to sudo su
In the end sudo is always capped by a "temporary privilege hat" and is not equivalent to a genuine login to the system.
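To make the environment differences described above concrete on your own machine, here is an added example (my own shell helper, not code from the original post): capture the environment once from the normal shell and once under the sudo form being compared, then diff the two dumps. The two dumps embedded below are constructed illustrations of a user shell and a sudo -i shell, not output captured from a real host, and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): compare two environment dumps
# to see what a given sudo form actually changes. On a real host capture:
#   env | sort > /tmp/env.user
#   sudo -s env | sort > /tmp/env.sudo_s
#   sudo -i env | sort > /tmp/env.sudo_i
# and then run: env_diff /tmp/env.user /tmp/env.sudo_i

# Print the variables that differ between two KEY=VALUE files, one per line.
env_diff() {
    awk '
        # first file: remember every variable
        FNR == NR {
            eq = index($0, "=")
            if (eq == 0) next
            before[substr($0, 1, eq - 1)] = substr($0, eq + 1)
            next
        }
        # second file: compare against the first
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (!(key in before))        print key " (only under sudo): " val
            else if (before[key] != val) print key ": " before[key] " -> " val
            delete before[key]
        }
        END { for (k in before) print k " (dropped under sudo): " before[k] }
    ' "$1" "$2" | sort
}

# Just the names of the variables that changed, sorted and space-separated.
changed_keys() {
    env_diff "$1" "$2" | cut -d' ' -f1 | tr -d ':' | sort | tr '\n' ' '
}

# Constructed sample dumps (illustrative values, not captured from a real host):
# the calling user's shell versus a root shell obtained with sudo -i.
USER_ENV=$(mktemp)
SUDO_I_ENV=$(mktemp)
cat > "$USER_ENV" <<'EOF'
HOME=/home/2
LANG=en_US.UTF-8
PATH=/home/2/bin:/usr/local/bin:/usr/bin:/bin
SHELL=/bin/bash
USER=2
EOF
cat > "$SUDO_I_ENV" <<'EOF'
HOME=/root
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SHELL=/bin/bash
SUDO_USER=2
USER=root
EOF

env_diff "$USER_ENV" "$SUDO_I_ENV"
```

On distributions whose sudoers sets Defaults env_reset and secure_path, PATH is rewritten under sudo -s as well, so which variables change depends on those settings rather than only on the form used; the helper shows what actually changed instead of relying on the rule of thumb.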

Sample sudo configuration file

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias     FULLTIMERS = millert, mikef, dowdy
User_Alias     PARTTIMERS = bostley, jwfox, crawl
User_Alias     WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias    OP = root, operator
Runas_Alias    DB = oracle, sybase

##
# Host alias specification
##
Host_Alias     SPARC = bigtime, eclipse, moet, anchor:\
               SGI = grolsch, dandelion, black:\
               ALPHA = widget, thalamus, foobar:\
               HPPA = boa, nag, python
Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias     SERVERS = master, mail, www, ns
Host_Alias     CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias     DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                       /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias     KILL = /usr/bin/kill
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias     HALT = /usr/sbin/halt
Cmnd_Alias     REBOOT = /usr/sbin/reboot
Cmnd_Alias     SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                      /usr/bin/chfn

##
# Override built-in defaults
##
Defaults               syslog=auth
Defaults>root          !set_logname
Defaults:FULLTIMERS    !lecture
Defaults:millert       !authenticate
Defaults@SERVERS       log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root           ALL = (ALL) ALL
%wheel         ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS     ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS     ALL = ALL

# jack may run anything on machines in CSNETS
jack           CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa           CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe            ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete           HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob            SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim            +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred           ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen            ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill           SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve          CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt           valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
               /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
" @" f. B- X$ w5 Q文件编辑状态下可以用“/”进行关键词查找,输入“:set nu(=number)”显示行号。 |