专栏首页授客的专栏Linux sudo 命令使用简介

Linux sudo 命令使用简介

基本语法:

$ sudo [-u username] [command]

-u:将身份变成username的身份

#编辑/etc/sudoers (注意,这里使用 visudo 而不是 vi 来设置。)

# visudo

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias FILESERVERS = fs1, fs2

# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#

# Disable "ssh hostname sudo ", because it will show the password in clear.

# You have to run "ssh -t hostname sudo ".

#

Defaults requiretty

#

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults always_set_home

Defaults env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults always_set_home

Defaults env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

## user MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

laiyu ALL=(ALL) ALL #根据上述提示,模仿root用户添加自定义用户laiyu,使其可执行sudo命令

test ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL ##这行默认是注释掉的。如果取消注释,则群组为 wheel 的人就可以进行root 的身份工作!这个 wheel 是系统预设的 group!因此,如果想要让这部主机里头的一般身份使用者具有sudo 的使用权限,那么就必需将该 user 放入支持 wheel 这个群组里头!

## Same thing without a password

# %wheel ALL=(ALL) NOPASSWD: ALL #默认是注释掉的,运行所有wheel组群的用户不实用密码

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

实验检验真理:

[root@localhost ~]# su laiyu

[laiyu@localhost root]$ pwd

/root

[laiyu@localhost root]$ mkdir test

mkdir: cannot create directory `test': Permission denied

[laiyu@localhost root]$ sudo mkdir test ##在以laiyu身份在/root目录下创建test文件

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for laiyu:

Sorry, try again.

[sudo] password for laiyu: ##注意这里输入的是用户laiyu自己的密码,而不是root的密码

[laiyu@localhost root]$ ls

ls: cannot open directory .: Permission denied

[laiyu@localhost root]$ sudo ls

anaconda-ks.cfg file install.log install.log.syslog myfile test

[laiyu@localhost root]$

[laiyu@localhost root]$ su root

Password:

[root@localhost ~]# sudo -u laiyu rm test #说明不能以root身份 sudo –u 普通身份

rm: cannot remove `test': Permission denied

[root@localhost ~]# sudo

usage: sudo -h | -K | -k | -L | -V

usage: sudo -v [-AknS] [-g groupname|#gid] [-p prompt] [-u user name|#uid]

usage: sudo -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U user name] [-u user name|#uid] [-g groupname|#gid] [command]

usage: sudo [-AbEHknPS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []

usage: sudo -e [-AknS] [-r role] [-t type] [-C fd] [-g groupname|#gid] [-p prompt] [-u user name|#uid] file ...

[root@localhost ~]# su laiyu

[laiyu@localhost root]$ sudo -u root rmdir test #这样成功了

[laiyu@localhost ~]$ su - test

Password:

[test@localhost ~]$ pwd

/home/test

[test@localhost ~]$ sudo -u laiyu mkdir -p /home/laiyu/tes #成功从普通用户test切换到普通用户laiyu执行命令

[test@localhost ~]$ su - laiyu

Password:

[laiyu@localhost ~]$ ls /home/laiyu

tes

[laiyu@localhost ~]$

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

我来说两句

0 条评论
登录 后参与评论

相关文章

  • tf.dynamic_stitch

    版权声明:本文为博主原创文章,遵循 CC 4.0 by-sa 版权协议,转载请附上原文出处链接和本声明。

    于小勇
  • ubuntu系统启用root用户远程登陆

    新创建的腾讯云ubuntu系统服务器,默认的登陆用户名为ubuntu,那很多用户都想使用超级管理员root用户来操作自己的服务器,但是root用户默认是被禁止登...

    夏日萤火
  • 推荐收藏 | 京东群体风险感知,了解风控全流程

    导读:本次分享将以群体风险感知为例,从需求挖掘、数据挖掘、建模再到最终的模型部署应用,详细介绍全流程的风控建模方案。下面将从这几个方面出发,详细的讲解具体流程中...

    Sam Gor
  • linux redis安装及多端口配置过程

    redis在linux下的安装很简单,ubuntu下apt-get就可以很方便的安装

    用户1148648
  • Flink完美的反压机制

    整体上来说的话,Flink 内部是基于 producer-consumer 模型来进行消息传递的,也正是 producer-consumer 模型的存在,Fli...

    shengjk1
  • 越疆科技dobot(magician)机械臂在ROS moveit下gazebo仿真控制和真实控制功能包 有兴趣的可以下载来玩

    Magician Robotarm ====== 本文件夹中包含了多个为Magician机械臂提供ROS支持的软件包。推荐的运行环境为 Ubuntu 16....

    zhangrelay
  • 100行Python代码控制excel表格,用代码办公不是梦

    xlrd是python中一个第三方的用于读取excle表格的模块,很多企业在没有使用计算机管理前大多使用表格来管理数据,所以导入表格还是非常常用的!

    用户6133654
  • Kubernetes 的奇技淫巧

    Kubernetes 作为云原生时代的“操作系统”,熟悉和使用它是每名用户(User)的必备技能。如果你正在 Kubernetes 上工作,你需要正确的工具和技...

    米开朗基杨
  • 黑科技抢先尝(续) - Windows terminal中WSL Linux 终端的极简美化指南

    今天这篇文章,主要介绍如何美化 Windows terminal 中 WSL 的 Linux 终端,依然是以本人最熟悉的Ubuntu为例,其他版本的 Linux...

    Enjoy233
  • Go 语言并发编程系列(六)—— 通道类型篇:单向通道及其使用

    我们介绍了管道类型的基本语法,通常,管道都是支持双向操作的:既可以往管道发送数据,也可以从管道接收数据。但在某些场景下,可能我们需要限制只能往管道发送数据,或者...

    学院君

扫码关注云+社区

领取腾讯云代金券