What are the knowledge points about linux sudo command?

"Sudo" is a very useful tool on the Unix/Linux platform. It allows system administrators to assign some reasonable "rights" to ordinary users, allowing them to perform some tasks that only super users or other privileged users can complete. , for example: run some commands like mount, halt, su, or edit some system configuration files, like /etc/mtab, /etc /samba/smb.conf, etc. In this way, it not only reduces the number of root user logins and management time, but also improves system security.

1. Characteristics of sudo

The role played by sudo dictates that it must be extra cautious in terms of security, otherwise illegal users will seize root privileges. At the same time, it must also take into account ease of use so that system administrators can use it more efficiently and conveniently. The goal of sudo's designers was to give users as few permissions as possible while still allowing them to complete their work. Therefore, sudo
has the following characteristics:

# 1. sudo can restrict specified users from running certain commands on specified hosts.
# 2. sudo can provide logs, faithfully record what each user has done using sudo, and can transmit the logs to the central host or log server.
# 3. sudo provides configuration files for system administrators, allowing system administrators to centrally manage user permissions and hosts. Its default storage location is /etc/sudoers.
# 4.sudo uses timestamp files to complete a system similar to "ticket checking". When the user executes sudo and enters the password, the user obtains a "ticket" with a default survival period of 5 minutes (the default value can be changed during compilation). After the timeout, the user must re-enter the password.

2. sudo command

The sudo program itself is a binary file with the SUID bit set. We can check its permissions:

$ls -l /usr/bin/sudo
   
 ---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo

sudo configurations are recorded in the /etc/sudoers file, which we will explain in detail below. Configuration files specify which users can execute which commands. To use sudo, the user must provide a specific username and password. Note: sudo requires not the password of the target user, but the password of the user executing sudo. If a user who is not in sudoers executes a command through sudo, sudo will report this event to the administrator. Users can use sudo -v to check whether they are among sudoers. If so, it can also update the time on your "ticket"; if not, it will prompt you but not notify the administrator.

The sudo command format is as follows:

sudo -K -L -V -h -k -l -vsudo [-HPSb] [-a auth_type] [-c class-] [-p prompt] [-u username#uid] {-e file [...] -i -s command}
 
 

   下面我们再来看一下sudo其它常用的一些参数：
   
选项     含义     作用
   
sudo -h     Help     列出使用方法，退出。
   
sudo -V     Version     显示版本信息，并退出。
   
sudo -l     List     列出当前用户可以执行的命令。只有在sudoers里的用户才能使用该选项。
   
sudo -u username#uid     User     以指定用户的身份执行命令。后面的用户是除root以外的，可以是用户名，也可以是#uid。
   
sudo -k     Kill     清除“入场卷”上的时间，下次再使用sudo时要再输入密码。
   
sudo -K     Sure kill     与-k类似，但是它还要撕毁“入场卷”，也就是删除时间戳文件。
   
sudo -b command     Background     在后台执行指定的命令。
   
sudo -p prompt command     Prompt     可以更改询问密码的提示语，其中%u会代换为使用者帐号名称，%h会显示主机名称。非常人性化的设计。
   
 sudo -e file     Edit     不是执行命令，而是修改文件，相当于命令sudoedit。

There are also some uncommon parameters, which can be found in the man page sudo(8).

3. Configuring sudo

Configuring sudo must be by editing the /etc/sudoers file, and only super users can modify it, and must also be edited using visudo. There are two reasons why visudo is used. One is that it can prevent
two users from modifying it at the same time; the other is that it can also perform limited syntax checking. So, even if you are the only super user, you'd better use visudo to check the syntax.

Visudo defaults to opening the configuration file in vi and using vi to modify the file. We can modify this default item at compile time. visudo will not save configuration files with syntax errors without authorization. It will prompt you with problems and ask how to deal with them, like:

>>> sudoers file: syntax error, line 22 <<

At this time we have three options: Type "e" to re- To edit, type "x" to exit without saving, and type "Q" to exit and save. If Q is selected, sudo will not run again until the error is corrected.

Now, let’s take a look at the mysterious configuration file and learn how to write it. Let's start with a simple example: let user Foobar execute all root-executable commands through sudo. Open the configuration file with visudo as root, and you can see a few lines similar to the following:

# Runas alias specification
   
# User privilege specificationroot    ALL=(ALL)ALL

We can understand it at a glance. Root has all permissions. Just follow the existing root example. We will do it below. Add a line (it’s best to use tab as a blank):

foobar ALL=(ALL)    ALL

After saving and exiting, switch to the foobar user. We use its identity to execute the command:

[foobar@localhost ~]$ ls /root
   
ls: /root: 权限不够
   
[foobar@localhost ~]$ sudo ls /root
   
PassWord:
   
anaconda-ks.cfg Desktop install.log install.log.syslog

Okay, let’s restrict foobar’s Rights, don't let him do whatever he wants. For example, we just want him to use ls and ifconfig like root, change that line to:

foobar localhost=    /sbin/ifconfig,   /bin/ls

and then execute the command:

[foobar@localhost ~]$ sudo head -5 /etc/shadow
   
Password:
   
Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
   
[foobar@localhost ~]$ sudo /sbin/ifconfigeth0      Linkencap:Ethernet HWaddr 00:14:85:EC:E9:9B...

现在让我们来看一下那三个ALL到底是什么意思。第一个ALL是指网络中的主机，我们后面把它改成了主机名，它指明
foobar可以在此主机上执行后面的命令。第二个括号里的ALL是指目标用户，也就是以谁的身份去执行命令。最后一个
ALL当然就是指命令名了。例如，我们想让foobar用户在linux主机上以jimmy或rene的身份执行kill命令，这样编写配置文件：

foobar    linux=(jimmy,rene)    /bin/kill

但这还有个问题，foobar到底以jimmy还是rene的身份执行？这时我们应该想到了sudo -u了，它正是用在这种时候。 foobar可以使用sudo -u jimmy kill PID或者sudo -u rene kill PID，但这样挺麻烦，其实我们可以不必每次加-u，把rene或jimmy设为默认的目标用户即可。再在上面加一行：

Defaults:foobar runas_default=rene

Defaults后面如果有冒号，是对后面用户的默认，如果没有，则是对所有用户的默认。就像配置文件中自带的一行：

Defaults    env_reset

另一个问题是，很多时候，我们本来就登录了，每次使用sudo还要输入密码就显得烦琐了。我们可不可以不再输入密码呢？当然可以，我们这样修改配置文件：

foobar localhost=NOPASSWD:     /bin/cat, /bin/ls

再来sudo一下：

[foobar@localhost ~]$ sudo ls /rootanaconda-ks.cfg Desktop install.log
   
install.log.syslog

当然，你也可以说“某些命令用户foobar不可以运行”，通过使用!操作符，但这不是一个好主意。因为，用!操作符来从ALL中“剔出”一些命令一般是没什么效果的，一个用户完全可以把那个命令拷贝到别的地方，换一个名字后再来运行。

四. 日志与安全

sudo为安全考虑得很周到，不仅可以记录日志，还能在有必要时向系统管理员报告。但是，sudo的日志功能不是自动的，必须由管理员开启。这样来做：

# toUCh /var/log/sudo
   
# vi /etc/syslog.conf

在syslog.conf最后面加一行（必须用tab分割开）并保存：

local2.debug                    /var/log/sudo

重启日志守候进程，

ps aux grep syslogd

把得到的syslogd进程的PID（输出的第二列是PID）填入下面：

kill –HUP PID

这样，sudo就可以写日志了：

[foobar@localhost ~]$ sudo ls /rootanaconda-ks.cfg
   
Desktop install.log
   
install.log.syslog
   
$cat /var/log/sudoJul 28 22:52:54 localhost sudo:   foobar :
   
TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root

不过，有一个小小的“缺陷”，sudo记录日志并不是很忠实：

[foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
   
[foobar@localhost ~]$
   
cat /var/log/sudo...Jul 28 23:10:24 localhost sudo:   foobar : TTY=pts/1 ;
   
PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow

重定向没有被记录在案！为什么？因为在命令运行之前，shell把重定向的工作做完了，sudo根本就没看到重定向。这也有个好处，下面的手段不会得逞：

[foobar@localhost ~]$ sudo ls /root > /etc/shadowbash: /etc/shadow: 权限不够

sudo 有自己的方式来保护安全。以root的身份执行sudo
-V，查看一下sudo的设置。因为考虑到安全问题，一部分环境变量并没有传递给sudo后面的命令，或者被检查后再传递的，比如：PATH，HOME，
SHELL等。当然，你也可以通过sudoers来配置这些环境变量。

The above is the detailed content of What are the knowledge points about linux sudo command?. For more information, please follow other related articles on the PHP Chinese website!