The sudo command

sudo is used to run commands as another identity; the default identity is root. The users permitted to run sudo are set in /etc/sudoers. If an unauthorized user attempts to use sudo, a warning e-mail is sent to the administrator. When a user runs sudo they must first enter a password; it then remains valid for 5 minutes, after which the password must be entered again.

Syntax: sudo (options) (arguments)
Options: (this part is for reference only)
-b: run the command in the background;
-h: show help;
-H: set the HOME environment variable to the HOME of the new identity;
-k: end the password validity period, so the next run of sudo asks for the password again;
-l: list the commands the current user can and cannot run;
-p: change the password prompt;
-s: run the specified shell;
-u<user>: use the specified user as the new identity. Without this option, root is the default identity;
-v: extend the password validity period by 5 minutes;
-V: show version information.

sudo configuration file

sudo is configured by editing the /etc/sudoers file, and only the superuser may modify it. Edit /etc/sudoers with the visudo command, which is operated like vi. When granting sudo rights for several commands, separate them with a comma followed by a space. There are two reasons to use visudo: it prevents two users from modifying the file at the same time, and it performs a limited syntax check. So even if you are the only superuser, it is still best to let visudo check the syntax.

[root@3 ~]# visudo        (edit the sudo configuration file)

# This file MUST be edited with the 'visudo' command as root.
visudo must be run as root!

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
(grant user 2 these commands; save and exit when done)

[root@3 ~]# su - 2        (switch to the normal user)
上一次登录:三 6月 14 10:23:01 CST 2017pts/1 上
[2@3 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
(!!! i.e. the normal user has no permission to access root's home directory)
[2@3 ~]$ sudo /usr/bin/ls /root/        (use sudo to access root's home directory)
[sudo] password for adai001:
anaconda-ks.cfg        (access successful!!!)
[2@3 ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg        (no password is needed when sudo is used again)
[2@3 ~]$ cat /root/
cat: /root/: 权限不够
[2@3 ~]$ sudo /usr/bin/cat /root/
/usr/bin/cat: /root/: 是一个目录
Note:
1) When adding the user, a password must be set for that user at the same time (12345678 was set here); the user and the login password must exist as a pair!
2) When editing the sudo configuration file, the "NOPASSWD" prefix can be used to grant passwordless use, i.e. the user's password no longer has to be entered when running sudo!

sudo -i explained

sudo: temporarily switches to superuser mode to exercise superuser privileges. The password asked for is the current user's password, not the superuser's. It is time-limited; on Ubuntu the default is 15 minutes per authentication.

su: switches to a given user; the password asked for is that of the target account. Usage is "su account-name". If no account is given, the system assumes root, and the password is the superuser's. There is no time limit.

sudo -i: use this when you need to run superuser-only commands frequently without entering the password every time. The password asked for is the current account's. There is no time limit. After running it the prompt changes from "$" to "#". To return to the normal account, run "exit" or "logout".
There are in fact several similar usages:
sudo /bin/bash:
This command also switches to root's bash, but does not take on all of root's environment variables (such as PATH); it does have root's privileges. This command is equivalent to sudo -s.

sudo -s: as above.

sudo su: this command also logs in as root, but does not switch to root's environment variables, such as PATH.
sudo su -: this command switches purely into root's environment. Think of it as first switching to the root identity and then running su - as root; at that point there is no difference from logging in as root. The result looks the same as sudo -i, but there is a difference: sudo only holds root's privileges temporarily, whereas su logs into the Linux system with the root account.
So, to summarize:

sudo su - is roughly equivalent to sudo -i

sudo -s is exactly equivalent to sudo /bin/bash, which is roughly equivalent to sudo su
sudo is always held under a "temporary privilege" hat and is not equivalent to a pure login to the system.

Sample sudo configuration file

#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase

##
# Host alias specification
##
Host_Alias SPARC = bigtime, eclipse, moet, anchor:\
           SGI = grolsch, dandelion, black:\
           ALPHA = widget, thalamus, foobar:\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                   /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                  /usr/bin/chfn

##
# Override built-in defaults
##
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS ALL = ALL

# jack may run anything on machines in CSNETS
jack CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
               sudoedit /etc/printcap, /usr/oper/bin/

# joe may su only to operator
joe ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
            /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
While editing the file you can search for a keyword with "/", and type ":set nu" (short for number) to display line numbers.
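The following is an added example, not code from the post and not part of the sudo project: a small Python evaluator for the /etc/sudoers user-specification syntax used in the walkthrough above (the "2 ALL=(ALL) /usr/bin/ls, ..." rule and the NOPASSWD tag) and in the sample file (User_Alias, Runas_Alias, Cmnd_Alias, %group, "!"-negated commands, directory specs ending in "/", wildcard arguments). It reproduces sudo's evaluation order, in which the last matching command spec decides, and reports whether a request is denied, allowed with a password, or allowed without one. It models only that subset: netgroups, #include, host negation such as "ALL, !SERVERS", the ":"-joined multi-host specs and the meaning of Defaults lines are left out, and the SAMPLE fragment, usernames and hostnames in it are constructed for the demonstration.

```python
"""Minimal sudoers rule evaluator. Added example, not code from the post or from sudo;
see the lead-in for the syntax subset it covers."""
import fnmatch
import shlex
ALIAS_KINDS = ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")

def _logical_lines(text):
    """Yield rule lines with '#' comments removed and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            yield line

def _split_list(s):
    return [item.strip() for item in s.split(",") if item.strip()]

def parse_sudoers(text):
    """Return (aliases, specs); each spec is one user-specification line as a dict."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    specs = []
    for line in _logical_lines(text):
        head = line.split(None, 1)[0]
        if head in aliases:                              # e.g. Cmnd_Alias SU = /usr/bin/su
            name, members = line[len(head):].split("=", 1)
            aliases[head][name.strip()] = _split_list(members)
        elif not head.startswith("Defaults"):            # Defaults lines grant nothing
            user, rest = line.split(None, 1)             # one user, %group or alias per rule
            hosts, cmnd_part = rest.split("=", 1)
            runas, cmnd_part = ["root"], cmnd_part.strip()   # root is sudo's default target
            if cmnd_part.startswith("("):
                inner, cmnd_part = cmnd_part[1:].split(")", 1)
                runas, cmnd_part = _split_list(inner), cmnd_part.strip()
            nopasswd = cmnd_part.startswith("NOPASSWD:")
            if cmnd_part.startswith(("NOPASSWD:", "PASSWD:")):   # tag covers the whole list
                cmnd_part = cmnd_part.split(":", 1)[1].strip()
            specs.append({"users": [user], "hosts": _split_list(hosts), "runas": runas,
                          "nopasswd": nopasswd, "commands": _split_list(cmnd_part)})
    return aliases, specs

def _expand(names, table):
    """Replace alias names by their members, recursively; '!' is pushed down to each leaf."""
    out = []
    for n in names:
        negated, name = n.startswith("!"), n.lstrip("!")
        if name not in table:
            out.append(n)
            continue
        for leaf in _expand(table[name], table):
            flip = negated != leaf.startswith("!")
            out.append(("!" if flip else "") + leaf.lstrip("!"))
    return out

def _cmnd_matches(spec, argv):
    """Match one command spec against the argv the user asked sudo to run."""
    if spec == "ALL":
        return True
    path, *args = shlex.split(spec)
    if path.endswith("/"):                               # directory spec: files directly inside
        return argv[0].startswith(path) and "/" not in argv[0][len(path):]
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    # No arguments listed means any arguments; otherwise glob over the whole argument string.
    return not args or fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(args))

def check(sudoers_text, user, groups, host, runas, argv):
    """Return 'denied', 'allowed' or 'allowed-nopasswd'. As in sudo, rules are read in file
    order and the LAST matching command spec decides, so a trailing '!cmd' overrides."""
    aliases, specs = parse_sudoers(sudoers_text)
    user_ok = lambda p: p == "ALL" or (p.startswith("%") and p[1:] in groups) or p == user
    listed = lambda allowed, x: "ALL" in allowed or x in allowed
    decision = "denied"
    for spec in specs:
        if not any(map(user_ok, _expand(spec["users"], aliases["User_Alias"]))):
            continue
        if not (listed(_expand(spec["hosts"], aliases["Host_Alias"]), host)
                and listed(_expand(spec["runas"], aliases["Runas_Alias"]), runas)):
            continue
        for cmnd in _expand(spec["commands"], aliases["Cmnd_Alias"]):
            if _cmnd_matches(cmnd.lstrip("!"), argv):
                decision = ("denied" if cmnd.startswith("!")
                            else "allowed-nopasswd" if spec["nopasswd"] else "allowed")
    return decision

# Constructed fragment modelled on the rules shown on this page (not a real system's file).
SAMPLE = """User_Alias FULLTIMERS = millert, mikef, dowdy
Runas_Alias DB = oracle, sybase
Cmnd_Alias SU = /usr/bin/su
%wheel ALL = (ALL) ALL
2 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
FULLTIMERS ALL = NOPASSWD: ALL
pete ALL = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
jill mail, www = /usr/bin/, !SU
fred ALL = (DB) NOPASSWD: ALL
"""
```

Import it and call check(SAMPLE, "2", [], "host3", "root", ["/usr/bin/ls", "/root/"]), which returns "allowed" (password required), while the same call for millert returns "allowed-nopasswd". Two points the model makes concrete: pete's rule permits "passwd alice" but denies "passwd root" only because the negated entry comes last, and user 2's rule lists bare command paths, so each is permitted with any arguments; a rule meant to be narrow should state the arguments it allows. On a live host the corresponding checks are visudo -c for syntax and sudo -l for the rules that apply to the calling user.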