Linux system sudo command details

  • 2020-05-09 19:43:51
  • OfStack

sudo lets the administrator allow ordinary users to run particular commands as root, for example mount, halt or su, or to edit system configuration files such as /etc/mtab and /etc/samba/smb.conf. This reduces both the number of root logins and the time root has to spend on routine administration, and it also improves system security.

1. Features of sudo

sudo's job is to add security safeguards so that unauthorized users cannot grab root privileges, while staying easy enough to use that system administrators can work more effectively and conveniently. sudo was designed to give users as few permissions as possible while still letting them do their work. sudo therefore has the following characteristics:

1. sudo can restrict a specified user to running certain commands on a specified host.
2. sudo keeps logs that faithfully record what each user has done through sudo, and can send those logs to a central host or log server.
3. sudo gives the system administrator a configuration file in which users' permissions and hosts are managed centrally. Its default location is /etc/sudoers.
4. sudo uses a timestamp file to do something like "checking in". When the user runs sudo and enters the password, the user is given an "admission ticket" with a default lifetime of 5 minutes on the version described here (the default can be changed at compile time, and per policy with the timestamp_timeout option in sudoers). After it expires, the user must enter the password again.

2. sudo command

The sudo program itself is a binary with the SUID bit set. We can check its permissions:


$ ls -l /usr/bin/sudo
---s--x--x 2 root root 106832 02-12 17:41 /usr/bin/sudo
 

It is owned by root, so every user who executes it runs it with root's privileges: a program with SUID set gives the user running it the owner's effective UID at run time. This is also why SUID programs must be written with great care. Note, though, that setting SUID on a command's binary and running that command through sudo are different concepts serving different purposes: sudo decides per user and per command, and logs what it did.

sudo's configuration lives in the /etc/sudoers file, described in detail below. The configuration file states which users may execute which commands. To use sudo, the user must supply a user name and password. Note that sudo does not ask for the target user's password but for the password of the user running sudo. If a user who is not in sudoers runs a command through sudo, sudo reports the event to the administrator. A user can check whether they are in sudoers by running sudo -v. If they are, this also refreshes the time on the "admission ticket"; if not, it warns the user, but does not alert the administrator.

The sudo command format is as follows:


sudo -K | -L | -V | -h | -k | -l | -v
sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid] {-e file [...] | -i | -s | command}

Now let's look at some of the commonly used sudo options:

Option              Meaning      Action
-h                  Help         Print usage information and exit.
-V                  Version      Print version information and exit.
-l                  List         List the commands the current user may run. Only users listed in sudoers can use this option.
-u username|#uid    User         Run the command as the specified user rather than root (the default). The user may be given by name or as #uid.
-k                  Kill         Clear the time on the "admission ticket", so the next sudo asks for the password again.
-K                  Sure kill    Like -k, but also tears up the "admission ticket": the timestamp file is removed.
-b command          Background   Run the specified command in the background.
-p prompt command   Prompt       Change the prompt used to ask for the password; %u expands to the invoking user's account name and %h to the host name. A user-friendly touch.
-e file             Edit         Edit the file instead of running a command; equivalent to the sudoedit command.

The less common options are described in the sudo(8) man page.

3. Configuring sudo

To configure sudo you edit the /etc/sudoers file, which only the superuser may modify, and you should always edit it with visudo. There are two reasons to use visudo: it locks the file so that two users cannot modify it at the same time, and it performs a limited syntax check. So even if there is only one superuser on the system, it is still better to let visudo check the syntax.

By default visudo opens the configuration file in vi; this default editor can be changed at compile time. visudo will not save a configuration file containing a syntax error: it points out the problem and asks what to do, like this:


>>> sudoers file: syntax error, line 22 <<<

At this point there are three choices: type "e" to edit the file again, "x" to exit without saving, or "Q" to save and exit anyway. If you choose Q, sudo will refuse to run at all until the error is corrected, so "e" is almost always the right answer.

Now let's open the mysterious configuration file and learn how to write it. Start with a simple example: let the user foobar run, through sudo, every command root can run. Opening the configuration file as root with visudo, you will see something like the following:


# Runas alias specification

# User privilege specification
root	ALL=(ALL) ALL

root has all permissions, so we simply copy the existing root line and add one for foobar below it (preferably with tabs between the fields, as in the existing line):


foobar	ALL=(ALL) ALL

Save and exit, switch to the user foobar, and run a command as that user:

[foobar@localhost ~]$ ls /root
ls: /root: Permission denied
[foobar@localhost ~]$ sudo ls /root
Password:
anaconda-ks.cfg  Desktop  install.log  install.log.syslog

Now let's limit foobar's rights instead of letting him do whatever he wants. Say we only want him to run ls and ifconfig as root; change the line to:


foobar	localhost=/sbin/ifconfig, /bin/ls

Then try a command that is not on the list, and one that is:

[foobar@localhost ~]$ sudo head -5 /etc/shadow
Password:
Sorry, user foobar is not allowed to execute '/usr/bin/head -5 /etc/shadow' as root on localhost.localdomain.
[foobar@localhost ~]$ sudo /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:85:EC:E9:9B
...

Now let's look at what the three ALLs actually mean. The first ALL is the host: the same sudoers file can be distributed to several machines, and a rule only applies on a host whose name matches this field (we changed it to a host name above, so foobar's rule applies only on localhost). The ALL in parentheses is the target user, the identity the command is executed as. The last ALL is the command list; commands are written with their absolute path, as in /bin/ls above. For example, to let foobar run the kill command as jimmy or rene on the host named linux, write a rule like this:

foobar	linux=(jimmy, rene) /bin/kill

One question remains: does foobar run it as jimmy or as rene? This is where sudo -u comes in. foobar can run sudo -u jimmy kill PID or sudo -u rene kill PID; without -u, sudo would try to run the command as root, which is not in the Runas list, and refuse it. Typing -u every time is a nuisance, so instead we can make rene or jimmy the default target user. Add one more line at the top:

Defaults:foobar	runas_default=rene

A Defaults line with a colon (Defaults:user) sets the default for the named users only; without the colon it applies to all users, like the line that already ships in the configuration file:

Defaults	env_reset

Another annoyance: we are already logged in, and typing the password on every sudo is tedious. Can we skip it? Yes, by changing the rule to the following (the NOPASSWD: tag applies to the commands that follow it in the list):

foobar	localhost=NOPASSWD: /bin/cat, /bin/ls

Try sudo again:


[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog

You can also say "user foobar may not run this command" with the ! operator, but this is not a good idea: subtracting a command from ALL with ! is ineffective, because the user can simply copy the binary somewhere else and run it under a different name. Allow-listing the specific commands the user needs, as above, is the right approach.
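Pulling the rules of this section together, here is an added example (not from the original article) of how such a policy can be staged today: a POSIX shell script that writes the foobar rules as a sudoers drop-in with aliases, a real host name, explicit Runas lists and runas_default, sets the 0440 mode sudoers files need, and syntax-checks the fragment with visudo -c -f before it is installed. The alias names, the staging directory, the drop-in file name and the use of /etc/sudoers.d (which needs an #includedir line in /etc/sudoers, available from sudo 1.7.2) are assumptions, not part of the article.

```shell
#!/bin/sh
# Added example (not from the article): stage a sudoers drop-in that expresses
# the foobar policy from section 3, then syntax-check it with visudo before it
# is installed. The alias names, the staging directory and the drop-in file
# name are assumptions; /etc/sudoers.d requires an "#includedir /etc/sudoers.d"
# line in /etc/sudoers (sudo 1.7.2 and later).

# Write the policy fragment to the given path, 0440 as sudoers files must be.
# Every command is an absolute path and every rule names a host rather than
# ALL; nothing is subtracted with the ! operator.
write_sudoers_fragment() {
    _out=$1
    cat > "$_out" <<'EOF'
# Aliases keep the rule lines short and auditable (fields separated by tabs,
# as in the stock /etc/sudoers).
Host_Alias	LOCALBOX = localhost
Cmnd_Alias	READONLY = /sbin/ifconfig, /bin/ls
Cmnd_Alias	SIGNALS  = /bin/kill

# Reset the environment for every command and log through syslog facility
# local2, which section 4 routes to /var/log/sudo.
Defaults	env_reset
Defaults	syslog=local2

# foobar may look around as root on this host only, without a password.
foobar	LOCALBOX = NOPASSWD: READONLY

# foobar may signal processes as jimmy or rene; rene is the default target,
# so "sudo kill PID" works without "-u rene".
Defaults:foobar	runas_default=rene
foobar	LOCALBOX = (jimmy, rene) SIGNALS
EOF
    chmod 0440 "$_out"
}

# Parse the fragment with visudo without touching the live policy.
# "visudo -c -f FILE" checks only the named file; the check is skipped with a
# warning where visudo is not installed, e.g. on a build host.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; check $1 on the target host before installing" >&2
    fi
}

STAGE=$(mktemp -d)
write_sudoers_fragment "$STAGE/foobar"
if check_sudoers_fragment "$STAGE/foobar"; then
    echo "install with: install -o root -g root -m 0440 $STAGE/foobar /etc/sudoers.d/foobar"
else
    echo "fix the errors reported above before installing $STAGE/foobar" >&2
fi
```

The fragment is written into a staging directory and only copied into place by hand, so a typo can never take the live sudoers out of service (as the "Q" answer to visudo would). Running visudo -c -f on the staged file gives the same syntax check visudo performs interactively.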
4. Logs and security

sudo is very security conscious: it logs what it does and, when necessary, reports to the system administrator. On the system described here, however, the log messages are not written to a file automatically; the administrator has to set that up, as follows:


# touch /var/log/sudo
# vi /etc/syslog.conf

Append one line to syslog.conf (the two fields must be separated by a tab) and save:

local2.debug	/var/log/sudo

Then make the syslog daemon reread its configuration. Find its PID:

ps aux | grep syslogd

and send a HUP signal to the PID shown in the second column of the output:

kill -HUP PID

Now sudo writes to the log:


[foobar@localhost ~]$ sudo ls /root
anaconda-ks.cfg  Desktop  install.log  install.log.syslog
$ cat /var/log/sudo
Jul 28 22:52:54 localhost sudo: foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root

There is one small "flaw", however: the sudo log is not entirely faithful.


[foobar@localhost ~]$ sudo cat /etc/shadow > /dev/null
[foobar@localhost ~]$ cat /var/log/sudo
...
Jul 28 23:10:24 localhost sudo: foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow

The redirection is not recorded. Why? Because the shell sets up the redirection before the command runs, as the unprivileged user, so sudo never sees it. This has an upside: since the redirection is done with foobar's own privileges, the following attempt to overwrite a root-owned file fails:


[foobar@localhost ~]$ sudo ls /root > /etc/shadow
bash: /etc/shadow: Permission denied
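The log lines above have a fixed shape: the invoking user, then " ; "-separated TTY=, PWD=, USER= and COMMAND= fields, with a denial reason such as "command not allowed" inserted before TTY= when sudo refused the request. The script below is an added example, not part of the original article: a POSIX shell audit function that parses lines in this format and flags the entries a reviewer would want to see (denials, commands run through a shell, and root access to sensitive files). The sample log lines are constructed for the example; the third one shows that when the redirection is performed inside a root shell (sudo sh -c '...'), it does appear in COMMAND, which is also the practical answer to the blind spot described above.

```shell
#!/bin/sh
# Added example (not from the article): audit /var/log/sudo lines.
# SAMPLE_LOG is constructed for this example; "command not allowed" is the
# text sudo writes when a user in sudoers asks for a command not granted.
SAMPLE_LOG='Jul 28 22:52:54 localhost sudo: foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/ls /root
Jul 28 23:10:24 localhost sudo: foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 28 23:12:01 localhost sudo: foobar : TTY=pts/1 ; PWD=/home/foobar ; USER=root ; COMMAND=/bin/sh -c ls /root > /etc/shadow
Jul 28 23:15:40 localhost sudo: foobar : TTY=pts/2 ; PWD=/home/foobar ; USER=rene ; COMMAND=/bin/kill 4242
Jul 28 23:20:05 localhost sudo: foobar : command not allowed ; TTY=pts/2 ; PWD=/home/foobar ; USER=root ; COMMAND=/usr/bin/head -5 /etc/shadow'

# Read sudo log lines on stdin; print one tab-separated line per flagged entry:
#   user <TAB> target user <TAB> command <TAB> reason
sudo_log_audit() {
    awk '
    {
        # Locate the "sudo:" or "sudo[pid]:" tag; skip lines from other programs.
        if (!match($0, / sudo(\[[0-9]+\])?: /)) next
        tail = substr($0, RSTART + RLENGTH)
        sub(/^[ \t]+/, "", tail)
        # The invoking user is everything up to the first " : ".
        p = index(tail, " : ")
        if (p == 0) next
        user = substr(tail, 1, p - 1)
        n = split(substr(tail, p + 3), f, " ; ")
        denied = ""; runas = ""; cmd = ""
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/)         runas = substr(f[i], 6)
            else if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            else if (f[i] !~ /=/)        denied = f[i]   # free text = denial reason
        }
        reason = ""
        if (denied != "")
            reason = "denied: " denied
        else if (cmd ~ /^(\/usr)?\/bin\/(sh|bash|dash|ksh|zsh)( |$)/)
            reason = "shell spawned as " runas
        else if (runas == "root" && cmd ~ /\/etc\/(shadow|sudoers|passwd)/)
            reason = "sensitive file touched as root"
        if (reason != "")
            printf "%s\t%s\t%s\t%s\n", user, runas, cmd, reason
    }'
}

# Number of flagged entries in a log fed on stdin (handy for a daily report).
sudo_log_flag_count() {
    sudo_log_audit | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | sudo_log_audit
```

Run against the sample, the plain ls /root line and the kill-as-rene line pass silently, while the cat of /etc/shadow, the root shell and the refused head command are reported. Because the shell line carries its redirection inside COMMAND, a rule that flags sudo-spawned shells catches exactly the writes the plain log misses.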

sudo also protects itself. Run sudo -V as root to see sudo's settings. For security reasons some environment variables are not passed through to the command at all, or are passed only after being checked, for example PATH, HOME and SHELL. Which variables are reset, kept or checked can be configured in sudoers (the env_reset, env_keep, env_check and env_delete options).

As seen above, sudo is a great help in controlling and auditing access to root, letting system administrators manage the system more effectively and securely. Learning to use sudo properly is also good training for a system administrator. This article is only a first introduction; see the sudoers(5) and sudo(8) man pages for more.

