sudo [-b] [-u username] command
sudo [-b] [-u username] sh -c "cmd1; cmd2; ..."
-b runs the command in the background; -u runs it as the given user instead of root. sudo applies to a single command, so to run several commands under one sudo invocation hand them to a shell with sh -c: in "sudo cmd1; cmd2" only cmd1 is run through sudo.
Example:

[root@localhost ~]# sudo -u xx touch /tmp/testfile
[root@localhost ~]# ll /tmp/testfile
-rw-r--r--. 1 xx xx 0 Oct 11 20:39 /tmp/testfile

[root@localhost ~]# sudo -u xx sh -c "cd /tmp; mkdir xx; cd xx; echo 'just test' > testfile"
[root@localhost ~]# cat /tmp/xx/testfile
just test
Use visudo to edit /etc/sudoers and add an account so that it can run all, or only some, root commands. visudo locks the file and refuses to save one with a syntax error (a sudoers broken by a hand edit can lock every user out of sudo); visudo -c checks an existing file without editing it.
root    ALL=(ALL)       ALL
xx      ALL=(ALL)       ALL
The second line adds user xx with permission to run every command root can run.
Example:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
xx      ALL=(ALL)       ALL

[xx@localhost whx]$ sudo tail -n 1 /etc/shadow
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
The four fields of such a line mean:
User: the account that may use sudo; the default entry is root.
Host: the host on which the rule applies. sudo compares this field with the hostname of the machine it is running on, which lets one sudoers file be shared by many machines; it is not the host the user logged in from. The default root entry applies on every host.
Run-as: the identity, in parentheses, that the command may be run as; root may switch to any user.
Command: the command(s) that may be run, written with absolute paths and optionally followed by arguments; root may run any command.
ALL in a field means any user, any host, any identity or any command respectively.
Adding users with visudo
Add user xx so that it can use sudo from any host, but only to become root and only to run passwd:
xx ALL=(root) /usr/bin/passwd
Add user xx so that it can use sudo from any host, only to become root, and only to change the password of users other than root:
xx ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
The order of the two entries matters: when several entries in a command list match, sudo uses the last match. Written the other way round (the !/usr/bin/passwd root exclusion first), sudo passwd root would be matched last by the wildcard grant and allowed. Two further sudoers(5) rules matter when writing such lists: an entry with no arguments (/usr/bin/passwd) matches the command with any arguments, while /usr/bin/passwd "" matches only an invocation with no arguments; and argument wildcards are matched against the whole argument string, so [A-Za-z]* also matches a multi-word string such as whx -d.
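To make the last-match rule visible without touching a real sudoers file, here is an added example (my own code, not from the original page) that simulates how sudo evaluates a command list for a requested command. It implements only the rules named above: leading ! negates, an entry without arguments matches any arguments, argument patterns are shell globs over the whole argument string, and the last matching entry wins. PAGE_ORDER is the command list with the root exclusion first; SAFE_ORDER is the corrected list. The requested commands are assumed to be given as absolute paths, as sudo resolves them.

```sh
#!/bin/sh
# Added example, not code from the original page: a small simulator of how
# sudo decides whether a requested command matches a sudoers Cmnd_List.
# Rules implemented, following sudoers(5):
#   - a leading '!' negates an entry;
#   - an entry with no arguments matches the command with any arguments;
#   - an entry with arguments matches them as one string via a shell glob;
#   - when several entries match, the LAST match decides.
# Full sudoers grammar (aliases, Defaults, digests, sudoedit) is not handled.

trim() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

# sudo_cmd_allowed CMND_LIST "PATH ARGS" prints "allow" or "deny".
sudo_cmd_allowed() {
    req_path=${2%%[[:space:]]*}
    req_args=$(trim "${2#"$req_path"}")
    # Split the list on commas and walk the entries in order. The loop runs in
    # a subshell, so the verdict is printed from inside it.
    printf '%s\n' "$1" | tr ',' '\n' | {
        verdict=deny                         # no match at all: sudo denies
        while IFS= read -r entry; do
            entry=$(trim "$entry")
            [ -n "$entry" ] || continue
            neg=0
            case $entry in '!'*) neg=1; entry=${entry#"!"} ;; esac
            entry_path=${entry%%[[:space:]]*}
            entry_args=$(trim "${entry#"$entry_path"}")
            [ "$entry_path" = "$req_path" ] || continue
            if [ -n "$entry_args" ]; then
                # sudo matches the concatenated argument string against the glob
                case $req_args in $entry_args) ;; *) continue ;; esac
            fi
            if [ "$neg" -eq 1 ]; then verdict=deny; else verdict=allow; fi
        done
        printf '%s\n' "$verdict"
    }
}

# Command list in the order the page originally used: the root exclusion
# precedes the wildcard grant, so "passwd root" is matched last by the grant.
PAGE_ORDER='!/usr/bin/passwd, !/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*'
# Corrected order: the exclusion is the last entry and therefore the final match.
SAFE_ORDER='/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'

main() {
    for cmd in '/usr/bin/passwd whx' '/usr/bin/passwd root' '/usr/bin/passwd' '/bin/cat /etc/shadow'; do
        printf '%-22s page order: %-5s corrected: %s\n' "$cmd" \
            "$(sudo_cmd_allowed "$PAGE_ORDER" "$cmd")" \
            "$(sudo_cmd_allowed "$SAFE_ORDER" "$cmd")"
    done
}
main
```

Running it shows that both orders deny a bare passwd and the unrelated cat /etc/shadow, both allow passwd whx, and only the corrected order denies passwd root. On a live system the authoritative check is sudo -l -U xx, or sudo -l /usr/bin/passwd root as the user.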
Example:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
xx      ALL=(root)      /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

[xx@localhost ~]$ sudo passwd whx
[sudo] password for xx:
Changing password for user whx.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[xx@localhost ~]$ sudo passwd
[sudo] password for xx:
Sorry, user xx is not allowed to execute '/usr/bin/passwd' as root on localhost.localdomain.
[xx@localhost ~]$ sudo cat /etc/shadow
Sorry, user xx is not allowed to execute '/bin/cat /etc/shadow' as root on localhost.localdomain.
Adding a group whose members can use sudo
Run visudo to open /etc/sudoers, find the line # %wheel ALL=(ALL) ALL, and add below it
%group_name ALL=(ALL) ALL
Save and exit, then add each user who should get sudo to that group with usermod -a -G group_name user_name. The % prefix marks a group name; uncommenting the wheel line and using the wheel group works the same way. New group membership takes effect at the user's next login.
Example:

## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%xx     ALL=(ALL)       ALL

[root@localhost whx]# usermod -a -G xx whx
[root@localhost whx]# su whx
[whx@localhost ~]$ sudo tail -n 1 /etc/shadow
[sudo] password for whx:
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
Passwordless sudo with visudo
%group_name ALL=(ALL) NOPASSWD: ALL
With the NOPASSWD tag the user is not asked for their own password. Combined with ALL this means any process running as a member of the group, including one started through a compromised service or a stolen session, can become root with no further authentication; where possible, limit NOPASSWD to the specific commands that need it.
Example:

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%xx     ALL=(ALL)       NOPASSWD: ALL

[root@localhost whx]# su whx
[whx@localhost ~]$ sudo tail -n 1 /etc/shadow
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
Adding users through aliases in visudo
User_Alias defines a user alias, Cmnd_Alias a command alias and Host_Alias a host alias. An alias name must start with an uppercase letter and may contain only uppercase letters, digits and underscores.
User_Alias ADMPW = user_name1, user_name2, user_name3, ...
Cmnd_Alias ADMPWCOM = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ADMPW ALL=(root) ADMPWCOM
The root exclusion is the last entry of ADMPWCOM because sudo uses the last matching entry; a bare !/usr/bin/passwd placed after the wildcard grant would match every invocation and deny passwd entirely.
Example:

# User_Alias ADMINS = jsmith, mikem
User_Alias TEST = xx,xxx
# Cmnd_Alias DRIVERS = /sbin/modprobe
Cmnd_Alias TEST = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TEST    ALL=(ALL)       TEST

[root@localhost whx]# su xx
[xx@localhost whx]$ cd ~
[xx@localhost ~]$ passwd whx
passwd: Only root can specify a user name.
[xx@localhost ~]$ sudo passwd whx
[sudo] password for xx:
Changing password for user whx.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[xx@localhost whx]$ su xxx
Password:
[xxx@localhost whx]$ sudo passwd xx
[sudo] password for xxx:
Changing password for user xx.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
Using sudo together with su, so that switching to root requires only the user's own password and not the root password:
visudo
User_Alias ADMINS = user_name1, user_name2, ...
ADMINS ALL=(root) /bin/su -
Users in ADMINS can then run sudo su - and get a root shell after entering their own password. This is equivalent to granting them full root (su - opens an unrestricted root shell), so it belongs only to administrators who would otherwise be trusted with the root password. A user who already has ALL gets the same login shell with sudo -i, without a separate su entry.
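Having seen the four fields of a user specification and the entries that amount to full root (ALL, NOPASSWD: ALL, /bin/su -), here is an added example (my own code, not from the original page) that parses the user-specification lines of a sudoers file into those fields and flags the entries that effectively grant a root shell. SAMPLE_SUDOERS is constructed input mirroring the lines used on this page; the list of shells treated as "interactive root shell" is my choice, and alias names in the user field are reported as written rather than expanded.

```sh
#!/bin/sh
# Added example, not code from the original page: a read-only audit of the
# user-specification lines in a sudoers file that flags entries amounting to
# full root. Lines are parsed as "user host=(runas) [NOPASSWD:|PASSWD:] cmds";
# comments, Defaults and alias definitions are skipped.

# Constructed sample input, mirroring the entries shown on this page.
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
xx      ALL=(ALL)       ALL
%xx     ALL=(ALL)       NOPASSWD: ALL
xx      ALL=(root)      /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
TEST    ALL=(root)      /bin/su -
Defaults    requiretty
User_Alias  TEST = xx,xxx'

trim() { printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

# parse_user_spec LINE sets U_USER U_HOST U_RUNAS U_TAG U_CMDS and returns 1
# when LINE is not a user specification.
parse_user_spec() {
    line=$(trim "$1")
    case $line in ''|'#'*|Defaults*|*_Alias*) return 1 ;; esac
    case $line in *=*) ;; *) return 1 ;; esac
    U_USER=${line%%[[:space:]]*}
    rest=$(trim "${line#"$U_USER"}")
    U_HOST=$(trim "${rest%%=*}")
    rest=$(trim "${rest#*=}")
    U_RUNAS=root                             # sudoers default when no (runas) is given
    case $rest in
        '('*) U_RUNAS=${rest%%\)*}; U_RUNAS=${U_RUNAS#\(}; rest=$(trim "${rest#*\)}") ;;
    esac
    U_TAG=PASSWD
    case $rest in
        NOPASSWD:*) U_TAG=NOPASSWD; rest=$(trim "${rest#NOPASSWD:}") ;;
        PASSWD:*)   rest=$(trim "${rest#PASSWD:}") ;;
    esac
    U_CMDS=$rest
}

# audit_sudoers TEXT prints one "reason<TAB>entry" line per risky entry.
audit_sudoers() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        parse_user_spec "$line" || continue
        [ "$U_USER" = root ] && continue     # root's own entry is expected
        printf '%s\n' "$U_CMDS" | tr ',' '\n' | while IFS= read -r entry; do
            entry=$(trim "$entry")
            case $entry in ''|'!'*) continue ;; esac   # negated entries grant nothing
            path=${entry%%[[:space:]]*}
            reason=''
            case $path in
                ALL)                                  reason="ALL commands as $U_RUNAS" ;;
                */su|*/sh|*/bash|*/dash|*/zsh|*/ksh)  reason='interactive root shell' ;;
            esac
            [ -n "$reason" ] || continue
            [ "$U_TAG" = NOPASSWD ] && reason="$reason, no password required"
            printf '%s\t%s\n' "$reason" "$line"
        done
    done
}

audit_sudoers "$SAMPLE_SUDOERS"
```

On the sample it reports the xx ALL line, the %xx NOPASSWD line and the TEST /bin/su - line, and leaves the restricted passwd entry alone. On a real host, run it over the output of visudo -c -f /etc/sudoers (and the files under /etc/sudoers.d) rather than over a copy, so that you audit what sudo actually parses.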
Example:

# User_Alias ADMINS = jsmith, mikem
User_Alias TEST = xx,xxx
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TEST    ALL=(root)      /bin/su -

[xx@localhost whx]$ sudo su -
[sudo] password for xx:
[root@localhost ~]#
[xxx@localhost root]$ sudo su -
[sudo] password for xxx:
[root@localhost ~]#
[root@localhost ~]# su whx
[whx@localhost root]$ sudo su -
[sudo] password for whx:
whx is not in the sudoers file.  This incident will be reported.