su, sudo and visudo commands

I. The su command

Syntax: su [-] username
The '-' is optional. When an ordinary user runs su without a username it switches to root; root can likewise su to an ordinary user. The effect of '-' is to initialize the environment variables of the user you switch to. A simple experiment shows the difference between running su with and without '-':
    [test@localhost ~]$ pwd
    /home/test
    [test@localhost ~]$ su
    密码:
    [root@localhost test]# pwd
    /home/test
    [root@localhost test]# exit
    exit
    [test@localhost ~]$ su -
    密码:
    [root@localhost ~]# pwd
    /root
Without '-', the current directory is unchanged after switching to root; with '-', the current directory becomes root's home directory, exactly as if you had logged in as root directly. When root switches to an ordinary user, no password is required, which reflects root's unrestricted authority.

II. The sudo command

sudo is a tool that lets the system administrator authorize ordinary users to run some or all root commands. This reduces root logins and improves system security.
Features of sudo:
1. It can restrict specific users to running specified commands on specific hosts.
2. It keeps very detailed logs.
3. sudo uses timestamp files to implement a ticket-like system. After a user runs sudo and enters a password, they get by default a ticket valid for 5 minutes (this value can be changed at compile time); if sudo is not used for more than 5 minutes, the password must be entered again.

su can switch user identity, but if every ordinary user can switch to root, then a single user accidentally leaking root's password leaves the system very insecure. To address this, the sudo command was created. With sudo, a command that only root can run can still be executed, but a password is required, and that password is not root's but the user's own. By default only root can use sudo; for an ordinary user to use sudo, root must set it up beforehand by editing the configuration file /etc/sudoers with the visudo command. If the visudo command is missing, install it with yum install -y sudo.
root can sudo by default because the file contains the line "root ALL=(ALL) ALL"; adding "test ALL=(ALL) ALL" below it gives the test user sudo rights. The visudo command edits /etc/sudoers and is operated the same way as the vi command described earlier: press 'i' to enter edit mode, and when done press "Esc" and type ":wq" to save.

Setup method one: with visudo, add the following line for test:

    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    test    ALL=(ALL)       ALL

Now the test account's permissions can be verified.

    [root@localhost ~]# su test
    [test@localhost root]$ ls
    ls: 无法打开目录.: 权限不够
    [test@localhost root]$ sudo ls
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    [sudo] password for test:
    123  456  789  anaconda-ks.cfg  dirb  install.log  install.log.syslog  test  test1  test2  test3

Because the current directory after switching to the test account is still /root, where test has no permissions, 'ls' reports insufficient permissions; after running sudo ls and entering test's own password, it works. The first use of sudo shows the long lecture above; later uses of sudo do not.
Adding a line for every new user is tedious. Consider the next setup instead:

Setup method two: with visudo, change the following lines:

Remove the '# ' in front of "# %wheel ALL=(ALL) ALL" so the line takes effect. It means that all users in the wheel group have sudo rights. Then add every user you want to have sudo rights to the wheel group.

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL

or

    ## Allows people in group wheel to run all commands
    #%wheel  ALL=(ALL)       ALL
    test  ALL=(ALL)       ALL

The /etc/sudoers configuration file has many options; run man sudoers for help. Below is a very practical case. The requirement is to set up a Linux server like this: only ordinary accounts may log in, and after logging in an ordinary account can sudo to root without entering a password. The configuration is:
    [root@localhost ~]# visudo
then add these lines at the end of the file:
    User_Alias USER_SU = test, test1
    Cmnd_Alias SU = /bin/su

    USER_SU ALL=(ALL) NOPASSWD: SU

or these lines:

    User_Alias USER_SU = test, test1
    #Cmnd_Alias SU = /bin/su

    USER_SU ALL=(ALL) NOPASSWD: /bin/su


After saving the file, log in to Linux with the test or test1 account and run sudo su - to switch to root and obtain all of root's rights.
    [root@localhost ~]# su - test
    [test@localhost ~]$ sudo su -
    [root@localhost ~]# whoami
    root

Preventing root from logging in directly is simple: set an extremely complex password that even you cannot remember. This has a problem though: an ordinary user can su to root and then set a simple password, after which root can log in directly, can't they?

sudo configuration notes

sudo installation (omitted): most systems have it installed by default
Configuration file /etc/sudoers:
A brief introduction to its sections follows (root edits the file with visudo)
Part one: # Host alias specification (host alias definitions, used to define multiple hosts)
Format: Host_Alias SERVER = 192.168.0.1/255.255.255.0
          Host_Alias SERVER1 = 172.17.1.1
Part two: # User alias specification (user alias definitions, used to define groups of users)
Format: User_Alias ADMIN = test,jack,tom
          User_Alias TEST = user1
Part three: # Cmnd alias specification (command alias definitions, defining the list of commands a user may run)
Format: Cmnd_Alias CAT = /bin/cat /etc/sudoers
          Cmnd_Alias Ls = /bin/ls /root
Part four: # Override built in defaults (adding logging)
    Defaults@SERVER  log_host, logfile=/var/log/sudo.log
# Adds a separate log for the hosts in the Host_Alias; if the log is to be kept for many years, use log_year so the year is recorded in each entry.

The following explains a configuration example in detail:
    [test@redflag test]$ sudo cat /etc/sudoers
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Host alias specification
Host_Alias SERVER = 172.17.196.10 # defines alias SERVER for host 172.17.196.10; Host_Alias must start at column one (no leading space)
    # User alias specification
User_Alias ADMIN = test,jack      # defines user alias ADMIN containing users test and jack
    # Cmnd alias specification
    Cmnd_Alias CT = /bin/cat /etc/sudoers,/bin/cat /etc/shadow
    Cmnd_Alias CA = /bin/ls /root
# command alias CT may run cat /etc/sudoers and cat /etc/shadow; CA may run ls /root

    # Defaults specification

    # User privilege specification
    root    ALL=(ALL) ALL
test    SERVER=CT,CA # test may run cat /etc/sudoers, cat /etc/shadow and ls /root on SERVER
# test ALL=(ALL) NOPASSWD: ALL (would let test run every root command, without a password when using sudo)

    # Override built in defaults
    Defaults@SERVER  log_host, logfile=/var/log/sudo.log
# logs to /var/log/sudo.log on host SERVER

    # Uncomment to allow people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL

    # Same thing without a password
    # %wheel        ALL=(ALL)       NOPASSWD: ALL

    # Samples
    # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users  localhost=/sbin/shutdown -h now

Log file:

An excerpt of /var/log/sudo.log:

    Mar  3 15:13:14 : test : HOST=redflag : command not allowed ; TTY=pts/0 ;
        PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
    Mar  3 15:13:18 : test : HOST=redflag : command not allowed ; TTY=pts/0 ;
        PWD=/home/test ; USER=root ; COMMAND=/bin/su -
    Mar  3 15:13:56 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ;
        COMMAND=/bin/cat /etc/sudoers
    Mar  3 15:14:10 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ;
        COMMAND=/bin/ls /root
    Mar  3 16:27:30 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ;
        COMMAND=/bin/cat /etc/sudoers
    Mar  3 16:29:47 : test : HOST=redflag : command not allowed ; TTY=pts/0 ;
        PWD=/home/test ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
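As an added example (not part of the original post), a small parser for the /var/log/sudo.log layout shown above: it rejoins the indented continuation lines, splits the fields, and pulls out the "command not allowed" entries an administrator would want to review. The sample entries are constructed from the excerpt.

```python
import re

# Constructed sample in the /var/log/sudo.log layout shown above (one entry spans
# two physical lines; the continuation line is indented).
SAMPLE_LOG = """\
Mar  3 15:13:14 : test : HOST=redflag : command not allowed ; TTY=pts/0 ;
    PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
Mar  3 15:13:56 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ;
    COMMAND=/bin/cat /etc/sudoers
Mar  3 16:29:47 : test : HOST=redflag : command not allowed ; TTY=pts/0 ;
    PWD=/home/test ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
"""

ENTRY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) : (?P<user>\S+)"
                      r" : HOST=(?P<host>\S+) : (?P<rest>.*)$")

def join_continuations(text):
    """Glue indented continuation lines onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries

def parse_entry(entry):
    """One joined entry -> dict with ts, user, host, tty, pwd, runas, command, denied."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError("unrecognised sudo log entry: " + entry)
    ev = {"ts": m.group("ts"), "user": m.group("user"), "host": m.group("host"),
          "tty": "", "pwd": "", "runas": "", "command": "", "denied": False}
    for part in m.group("rest").split(" ; "):
        part = part.strip()
        if part == "command not allowed":          # sudoers rejected the request
            ev["denied"] = True
        elif "=" in part:
            key, value = part.split("=", 1)
            # TTY/PWD/USER/COMMAND; USER is the target (runas) user, not the invoker
            ev[{"USER": "runas"}.get(key, key.lower())] = value
    return ev

def parse_sudo_log(text):
    return [parse_entry(e) for e in join_continuations(text)]

def denied_commands(text):
    """(user, command) pairs sudoers refused: the entries an admin should review."""
    return [(ev["user"], ev["command"]) for ev in parse_sudo_log(text) if ev["denied"]]
```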

Problems encountered during configuration:

1. A wrong hostname keeps sudo from running the command and from logging.

Error message: Sorry, user test is not allowed to execute '/bin/cat /etc/sudoers' as root on localhost.localdomain.

Fix: change the localhost in it to the real hostname or IP address:

test    localhost=/bin/cat /etc/sudoers
Defaults@localhost log_host, logfile=/var/log/sudo.log

2. A wrong command in the command alias list keeps sudo from running the command
Error message: [jackyu@localhost jackyu]$ sudo cat /etc/sudoers
Sorry, user jackyu is not allowed to execute '/bin/cat /etc/sudoers' as root on localhost.localdomain.

Fix: the command was written incorrectly in the Cmnd alias (Cmnd_Alias CAT = /bin/cat -n /etc/sudoers).
Run: sudo cat -n /etc/sudoers
[Note]: whether a command is specified in a Cmnd alias or under # User privilege specification, the command run with sudo must match it exactly, or it fails. For example, if the Cmnd alias only allows a user to run /bin/cat /etc/sudoers, then running sudo cat -n /etc/sudoers after login will fail.
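As an added example (not from the original post), a simplified model of how sudoers matching works for the alias-based configuration explained above and for the two problems just described: host aliases, user aliases and command aliases are resolved, and a command only matches when its path and every argument are identical. The fragment is constructed from the page's example; this is an illustration of the matching rules, not sudo's own parser (no wildcards, groups, negation, Runas or Defaults handling).

```python
import shlex

# Constructed sudoers fragment modelled on the page's example. This is a simplified
# model of sudoers matching, not sudo's parser (no wildcards, groups, negation, tags).
SUDOERS = """\
Host_Alias SERVER = 172.17.196.10
User_Alias ADMIN = test,jack
Cmnd_Alias CT = /bin/cat /etc/sudoers, /bin/cat /etc/shadow
Cmnd_Alias CA = /bin/ls /root
root    ALL=(ALL) ALL
test    SERVER=CT,CA
ADMIN   ALL=/bin/ls /root
"""

def parse_sudoers(text):
    """Return ({alias_kind: {name: [members]}}, [(user, host, [command specs])])."""
    aliases = {"Host_Alias": {}, "User_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        kind = line.split()[0]
        if kind in aliases:
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        user, spec = line.split(None, 1)
        host, cmds = (s.strip() for s in spec.split("=", 1))
        if cmds.startswith("("):                      # "(runas)" is ignored in this model
            cmds = cmds.split(")", 1)[1]
        rules.append((user, host, [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def expand(spec, table):
    """Resolve an alias name to its members; plain values (and ALL) map to themselves."""
    return table.get(spec, [spec])

def is_allowed(sudoers, user, host, command):
    """True if `user` on `host` may run `command` under this fragment."""
    aliases, rules = sudoers
    want = shlex.split(command)                       # compare argv-wise, not as raw text
    for u, h, cmds in rules:
        users = expand(u, aliases["User_Alias"])
        hosts = expand(h, aliases["Host_Alias"])
        if "ALL" not in users and user not in users:
            continue
        if "ALL" not in hosts and host not in hosts:  # the hostname problem above
            continue
        for c in cmds:
            for concrete in expand(c, aliases["Cmnd_Alias"]):
                # the note above: the path and every argument must match exactly
                if concrete == "ALL" or shlex.split(concrete) == want:
                    return True
    return False
```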


Also appended for reference: FAQ and Troubleshooting Tips collected from the web:


    Troubleshooting tips and FAQ for Sudo
    =====================================

    Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler.  This
       could be due to the lack of a license or that some component of the
       compiler suite could not be found.  Check config.log for clues as
       to why this is happening.  On many systems, compiler components live
       in /usr/ccs/bin which may not be in your PATH environment variable.

    Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
       and sudo quits.
    A) Sudo must be setuid root to do its work.  You need to do something like
       `chmod 4111 /usr/local/bin/sudo'.  Also, the file system sudo resides
       on must *not* be mounted (or exported) with the nosuid option or sudo
       will not be able to work.  Another possibility is you may have '.' in
       your $PATH before the directory containing sudo.  If you are going
       to have '.' in your path you should make sure it is at the end.

    Q) Sudo compiles but when I run it I get "seteuid(0) failed, your operating
       system may have broken POSIX saved ID support Try running configure with
       --disable-saved-ids" and sudo quits.
    A) The operating system you are running probably has broken support for
       POSIX saved IDs.  You should run configure with the "--disable-saved-ids"
       option and rebuild sudo.

    Q) Sudo never gives me a chance to enter a password using PAM, it just
       says 'Sorry, try again.' three times and exits.
A) You didn't set up PAM to work with sudo.  On Redhat Linux or Fedora
       Core this generally means installing sample.pam as /etc/pam.d/sudo.
       See the sample.pam file for hints on what to use for other Linux
       systems.

    Q) Sudo says 'Account expired or PAM config lacks an "account"
       section for sudo, contact your system administrator' and exits
       but I know my account has not expired.
    A) Your PAM config lacks an "account" specification.  On Linux this
       usually means you are missing a line like:
            account    required    pam_unix.so
       in /etc/pam.d/sudo.

    Q) Sudo is setup to log via syslog(3) but I'm not getting any log
       messages.
    A) Make sure you have an entry in your syslog.conf file to save
       the sudo messages (see the sample.syslog.conf file).  The default
       log facility is local2 (changeable via configure).  Don't forget
       to send a SIGHUP to your syslogd so that it re-reads its conf file.
       Also, remember that syslogd does *not* create log files, you need to
       create the file before syslogd will log to it (ie: touch /var/log/sudo).
       Note:  the facility ("local2.debug") must be separated from the 
              destination ("/var/adm/sudo.log" or "@loghost") by
              tabs, *not* spaces.  This is a common error.

    Q) When sudo asks me for my password it never accepts what I enter even
       though I know I entered my password correctly.
    A) If your system uses shadow passwords, it is possible that sudo
       didn't detect this.  Take a look at the generated config.h file
       and verify that the C function used for shadow password lookups
       was detected.  For instance, for SVR4-style shadow passwords,
       HAVE_GETSPNAM should be defined (you can search for the string
       "shadow passwords" in config.h with your editor).  Note that
       there is no define for 4.4BSD-based shadow passwords since that
       just uses the standard getpw* routines.

    Q) I don't want the sudoers file in /etc, how can I specify where it
       should go?
A) Use the --sysconfdir option to configure.  I.e.:
       configure --sysconfdir=/dir/you/want/sudoers/in

    Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
       copy on each machine?
    A) There is no support for making an NIS/NIS+ map/table out of
       the sudoers file at this time.  A good way to distribute the
       sudoers file is via rdist(1).  It is also possible to NFS-mount
       the sudoers file.

    Q) I don't run sendmail on my machine.  Does this mean that I cannot
       use sudo?
A) No, you just need to use the --without-sendmail argument to configure
       or add "!mailerpath" to the Defaults line in /etc/sudoers.

    Q) When I run visudo it uses vi as the editor and I hate vi.  How
       can I make it use another editor?
    A) Your best bet is to run configure with the --with-env-editor switch.
       This will make visudo use the editor specified by the user's
       EDITOR environment variable.  Alternately, you can run configure
       with the --with-editor=/path/to/another/editor.

    Q) Sudo appears to be removing some variables from my environment, why?
    A) Sudo removes the following "dangerous" environment variables
       to guard against shared library spoofing, shell voodoo, and
       kerberos server spoofing.
         IFS
         LOCALDOMAIN
         RES_OPTIONS
         HOSTALIASES
         NLSPATH
         PATH_LOCALE
         TERMINFO
         TERMINFO_DIRS
         TERMPATH
         TERMCAP
         ENV
         BASH_ENV
         LC_ (if it contains a '/' or '%')
         LANG (if it contains a '/' or '%')
         LANGUAGE (if it contains a '/' or '%')
         LD_*
         _RLD_*
         SHLIB_PATH (HP-UX only)
         LIBPATH (AIX only)
         KRB_CONF (kerb4 only)
         KRBCONFDIR (kerb4 only)
         KRBTKFILE (kerb4 only)
         KRB5_CONFIG (kerb5 only)
         VAR_ACE (SecurID only)
         USR_ACE (SecurID only)
         DLC_ACE (SecurID only)

    Q) How can I keep sudo from asking for a password?
    A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
       tag right before the command list in sudoers.  See the sudoers man page
       and sample.sudoers for details.  To disable passwords completely,
       run configure with the --without-passwd option or add "!authenticate"
       to the Defaults line in /etc/sudoers.  You can also turn off authentication
       on a per-user or per-host basis using a user or host-specific Defaults
       entry in sudoers.

    Q) When I run configure, it dies with the following error:
       "no acceptable cc found in $PATH".
    A) /usr/ucb/cc was the only C compiler that configure could find.
       You need to tell configure the path to the "real" C compiler
       via the --with-CC option.  On Solaris, the path is probably
       something like "/opt/SUNWspro/SC4.0/bin/cc".  If you have gcc
       that will also work.

    Q) When I run configure, it dies with the following error:
       Fatal Error: config.cache exists from another platform!
       Please remove it and re-run configure.
    A) configure caches the results of its tests in a file called
       config.cache to make re-running configure speedy.  However,
       if you are building sudo for a different platform the results
       in config.cache will be wrong so you need to remove config.cache.
       You can do this by "rm config.cache" or "make realclean".
       Note that "make realclean" will also remove any object files
   and configure temp files that are lying around as well.

    Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
       doesn't work on Solaris <= 2.5.1.  Why?
    A) Starting with Solaris 2.6, snprintf(3) is included in the standard
       C library.  To build a version of sudo on a >= 2.6 machine that
       will run on a <= 2.5.1 machine, edit config.h and comment out the lines:
            #define HAVE_SNPRINTF 1
            #define HAVE_VSNPRINTF 1
       and run make.

    Q) When I run "visudo" it says "sudoers file busy, try again later."
       and doesn't do anything.
    A) Someone else is currently editing the sudoers file with visudo.

    Q) When I try to use "cd" with sudo it says "cd: command not found".
    A) "cd" is a shell built-in command, you can't run it as a command
       since a child process (sudo) cannot affect the current working
       directory of the parent (your shell).

    Q) When I try to use "cd" with sudo the command completes without
       errors but nothing happens.
    A) Some SVR4-derived OS's include a /usr/bin/cd command for reasons
       unfathomable.  A "cd" command is totally useless since a child process
       cannot affect the current working directory of the parent (your shell).

Q) When I run sudo it says I am not allowed to run the command as root
       but I don't want to run it as root, I want to run it as another user.
       My sudoers file entry looks like:
        bob        ALL=(oracle) ALL
    A) The default user sudo tries to run things as is always root, even if
       the invoking user can only run commands as a single, specific user.
       This may change in the future but at the present time you have to
       work around this using the 'runas_default' option in sudoers.
       For example:
        Defaults:bob        runas_default=oracle
   would achieve the desired result for the preceding sudoers fragment.

    Q) How do you pronounce `sudo'?
    A) soo-doo (for superuser do).

II. Fixing the "xx is not in the sudoers file" problem

There are two solutions to the "xx is not in the sudoers file" problem.

The two methods differ only in the commands used; the principle is the same.

Method one:
First use the whereis command to find the sudoers configuration file (by default it is /etc/sudoers)
[root@localhost xiaofei]# whereis sudoers
sudoers: /etc/sudoers /etc/sudoers.bak /usr/share/man/man5/sudoers.5.gz
Then su - to root and change the permissions of /etc/sudoers
[root@localhost xiaofei]# chmod u+w /etc/sudoers
     
Then use the vi editor to add the user to sudoers:
    [root@localhost xiaofei]# vi /etc/sudoers
Find the line root    ALL=(ALL)       ALL and add the user below it; the result is:
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
xiaofei ALL=(ALL)       ALL              (this is the added line; xiaofei is the username)
     
Then remove the write permission from sudoers again:
    [root@localhost xiaofei]# chmod u-w /etc/sudoers
If the write permission is not removed, the system refuses to use the sudoers file and sudo reports the following error:
sudo: /etc/sudoers is mode 0640, should be 0440
At this point, after leaving the root account, the sudo command can be used to run commands with superuser privileges.
     
Method two:
First switch to root
$ su -
(Note the -: this differs from plain su, which only switches to root without loading root's environment variables, leaving the current user's environment in place; "su -" also brings root's environment across, as if root had logged in)
     
Then
$ visudo    # note: there is no space between vi and sudo
     
1. Move the cursor to the last line
2. Press a to enter append mode
3. Type
your_user_name    ALL=(ALL)    ALL
4. Press Esc
5. Type ":wq"
     
This adds you to sudoers, and you can now use the sudo command.

III. Fixing "sudo: unable to resolve host"

This is caused by the hostname in /etc/hostname not matching the one in /etc/hosts.

Make the two consistent and the error goes away.

Original article: https://www.cnblogs.com/duanxz/p/4379797.html