Detailed explanation of sudo under Linux and the detailed configuration of its configuration file /etc/sudoers

This article mainly introduces the relevant information on the detailed configuration of sudo under Linux and its configuration file /etc/sudoers. Friends in need can refer to the following

Detailed explanation of sudo under Linux and the detailed configuration of its configuration file /etc/sudoers

1.Sudo introduction

sudo is a tool commonly used in Linux that allows ordinary users to use superuser privileges. It allows system administrators to let ordinary users execute some or all root commands, such as halt, reboot, su, etc. This not only reduces the root user's login and management time, but also improves security. Sudo is not a replacement for the shell, it is for each command.

Its main features include the following:

§ sudo can restrict users to run certain commands only on a certain host.

　§ sudo provides rich logs, recording in detail what each user has done. It can transmit logs to a central host or log server.

§ sudo uses timestamp files to perform a similar "ticket check" system. When the user calls sudo and enters their password, the user is issued a ticket with a lifespan of 5 minutes (this value can be changed at compile time).

　§ The sudo configuration file is the sudoers file, which allows system administrators to centrally manage user permissions and the hosts used. The default location where it is stored is /etc/sudoers, and the attribute must be 0411.

2. Configuration file/etc/sudoers

Its main configuration file is sudoers, which is usually in the /etc directory under Linux. If it is solaris, Sudo is not installed by default. After compiling installation it is usually in the etc directory of the installation directory. However, no matter where the sudoers file is, sudo provides a command to edit the file: visudo to modify the file. It is strongly recommended to use this command to modify sudoers, because it will help you verify whether the file configuration is correct. If it is incorrect, you will be prompted which configuration is wrong when saving exiting.

Getting back to the subject, here’s how to configure sudoers

First write the default configuration of sudoers:

############################################################# 
# sudoers file. 
# 
# This file MUST be edited with the 'visudo' command as root. 
# 
# See the sudoers man page for the details on how to write a sudoers file. 
# 

# Host alias specification 

# User alias specification 

# Cmnd alias specification 

# Defaults specification 

# User privilege specification 
root  ALL=(ALL) ALL 

# Uncomment to allow people in group wheel to run all commands 
# %wheel    ALL=(ALL)    ALL 

# Same thing without a password 
# %wheel    ALL=(ALL)    NOPASSWD: ALL 

# Samples 
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom 
# %users localhost=/sbin/shutdown -h now 
##################################################################

1. The simplest configuration allows the ordinary user support to have all the permissions of root

After executing visudo, you can see that there is only one default configuration:

root ALL=(ALL) ALL

Then you add a configuration below:

support ALL=(ALL) ALL

In this way, ordinary user support can execute root permissions All commands

After logging in as support user, execute:

sudo su -

Then enter the support user's own password to switch to the root user

2. Allow the ordinary user support to only execute certain commands that root can execute on certain servers

First of all, you need to configure some Alias, so that it will be more convenient when configuring permissions below, without having to write large sections of configuration. Alias ​​are mainly divided into 4 types

Host_Alias 
Cmnd_Alias 
User_Alias 
Runas_Alias

1) Configure Host_Alias: It is the list of hosts

Host_Alias ​​HOST_FLAG = hostname1, hostname2, hostname3

2) Configure Cmnd_Alias: It is the list of commands allowed to be executed

Cmnd_Alias ​​COMMAND_FLAG = command1, command2, command3

3) Configuration User_Alias: is the list of users with sudo permissions

User_Alias ​​USER_FLAG = user1, user2, user3

4) Configure Runas_Alias: It is a list of the user's identity (such as root, or oracle)

Runas_Alias ​​RUNAS_FLAG = operator1, operator2, operator3

5) Configure permissions

The format of configuration permissions is as follows:

##USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG

If password verification is not required, configure it in this format

USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG

Configuration example:

############################################################################
# sudoers file. 
# 
# This file MUST be edited with the 'visudo' command as root. 
# 
# See the sudoers man page for the details on how to write a sudoers file. 
# 

# Host alias specification 
Host_Alias   EPG = 192.168.1.1, 192.168.1.2 

# User alias specification 

# Cmnd alias specification 
Cmnd_Alias   SQUID = /opt/vtbin/squid_refresh, /sbin/service, /bin/rm 

# Defaults specification 

# User privilege specification 
root  ALL=(ALL) ALL 
support EPG=(ALL) NOPASSWD: SQUID 

# Uncomment to allow people in group wheel to run all commands 
# %wheel    ALL=(ALL)    ALL 

# Same thing without a password 
# %wheel    ALL=(ALL)    NOPASSWD: ALL 

# Samples 
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom 
# %users localhost=/sbin/shutdown -h now 
##################################################

The above is the detailed content of Detailed explanation of sudo under Linux and the detailed configuration of its configuration file /etc/sudoers. For more information, please follow other related articles on the PHP Chinese website!