Linux sudo 命令使用简介

基本语法：

$ sudo [-u username] [command]

-u：将身份变成username的身份

#编辑/etc/sudoers (注意，这里使用 visudo 而不是 vi 来设置。）

# visudo

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#

# Disable "ssh hostname sudo ", because it will show the password in clear.

# You have to run "ssh -t hostname sudo ".

#

Defaults requiretty

#

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults always_set_home

Defaults env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults always_set_home

Defaults env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

## user MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

laiyu ALL=(ALL) ALL #根据上述提示，模仿root用户添加自定义用户laiyu，使其可执行sudo命令

test ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL ##这行默认是注释掉的。如果取消注释，则群组为 wheel 的人就可以进行root 的身份工作！这个 wheel 是系统预设的 group！因此，如果想要让这部主机里头的一般身份使用者具有sudo 的使用权限，那么就必需将该 user 放入支持 wheel 这个群组里头！

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL #默认是注释掉的，运行所有wheel组群的用户不实用密码

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

实验检验真理：

[root@localhost ~]# su laiyu

[laiyu@localhost root]$ pwd

/root

[laiyu@localhost root]$ mkdir test

mkdir: cannot create directory `test': Permission denied

[laiyu@localhost root]$ sudo mkdir test ##在以laiyu身份在/root目录下创建test文件

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for laiyu:

Sorry, try again.

[sudo] password for laiyu: ##注意这里输入的是用户laiyu自己的密码，而不是root的密码

[laiyu@localhost root]$ ls

ls: cannot open directory .: Permission denied

[laiyu@localhost root]$ sudo ls

anaconda-ks.cfg file install.log install.log.syslog myfile test

[laiyu@localhost root]$

[laiyu@localhost root]$ su root

Password:

[root@localhost ~]# sudo -u laiyu rm test #说明不能以root身份 sudo –u 普通身份

rm: cannot remove `test': Permission denied

[root@localhost ~]# sudo

usage: sudo -h | -K | -k | -L | -V

usage: sudo -v [-AknS] [-g groupname|#gid] [-p prompt] [-u user name|#uid]

usage: sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U user name] [-u user name|#uid] [-g groupname|#gid] [command]

usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []

usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u user name|#uid] file ...

[root@localhost ~]# su laiyu

[laiyu@localhost root]$ sudo -u root rmdir test #这样成功了

[laiyu@localhost ~]$ su - test

Password:

[test@localhost ~]$ pwd

/home/test

[test@localhost ~]$ sudo -u laiyu mkdir -p /home/laiyu/tes #成功从普通用户test切换到普通用户laiyu执行命令

[test@localhost ~]$ su - laiyu

Password:

[laiyu@localhost ~]$ ls /home/laiyu

tes

[laiyu@localhost ~]$