sudo [-b] [-u user] command
sudo [-b] [-u user] sh -c "cmd1; cmd2; ..."
-u runs the command as the given user (root when omitted); -b runs it in the background. Wrapping several commands in sh -c runs the whole sequence under a single sudo invocation, and the quotes keep the calling shell from splitting it at the semicolons.
Example:
[root@localhost ~]# sudo -u xx touch /tmp/testfile
[root@localhost ~]# ll /tmp/testfile
-rw-r--r--. 1 xx xx 0 Oct 11 20:39 /tmp/testfile
[root@localhost ~]# sudo -u xx sh -c "cd /tmp; mkdir xx; cd xx; echo 'just test' > testfile"
[root@localhost ~]# cat /tmp/xx/testfile
just test
Use the visudo command to add accounts to /etc/sudoers so that they can run all, or only some, root commands. Always go through visudo rather than editing /etc/sudoers directly: it locks the file and syntax-checks it before saving, and a sudoers file with a parse error disables sudo for everyone on the host.
root ALL=(ALL) ALL
xx ALL=(ALL) ALL    -- adds user xx with the right to run every root command
Example:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
xx      ALL=(ALL)       ALL
[xx@localhost whx]$ sudo tail -n 1 /etc/shadow
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
The four fields of such a line mean:
User: the account that may use sudo; the default entry names root.
Host: the hostname on which the rule applies. sudo matches this field against the name of the machine it is running on, not against the host the user logged in from; this is what lets one sudoers file be shared across several machines. The default entry lets root use the rule on any host.
Runas: the identity the command may be run as, written in parentheses; the default entry lets root become any user.
Commands: the commands that may be run, each written with its absolute path; the default entry lets root run anything.
ALL in a field means any user, any host, any identity or any command respectively.
Adding users with visudo
Add user xx so that it can use sudo from any host, but only as root, and only to run the passwd command:
xx ALL=(root) /usr/bin/passwd
Add user xx so that it can use sudo from any host, only as root, and only to use passwd to change the password of any user other than root:
xx ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
The order of the entries matters. sudo applies every matching entry in order and the last match wins, so the negated "passwd root" entry must come after the wildcard entry; written the other way round, sudo passwd root would match /usr/bin/passwd [A-Za-z]* last and be allowed. A bare sudo passwd (which would change root's own password) is denied as well, because [A-Za-z]* requires at least one argument character and no entry matches an empty argument list; forms such as passwd -d root do not match the pattern either, since sudoers matches the argument string as a whole. Note that * in an argument pattern also matches spaces, so a wildcard can admit more arguments than intended; keep argument patterns as tight as the command allows.
Example:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
xx      ALL=(root)      /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
[xx@localhost ~]$ sudo passwd whx
[sudo] password for xx:
Changing password for user whx.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[xx@localhost ~]$ sudo passwd
[sudo] password for xx:
Sorry, user xx is not allowed to execute '/usr/bin/passwd' as root on localhost.localdomain.
[xx@localhost ~]$ sudo cat /etc/shadow
Sorry, user xx is not allowed to execute '/bin/cat /etc/shadow' as root on localhost.localdomain.
Adding a group so that its members can use sudo
Open /etc/sudoers with visudo.
Find the line #%wheel ALL=(ALL) ALL and add below it:
%group_name ALL=(ALL) ALL
Save and exit the editor.
Then run usermod -a -G group_name user_name for each user that should get sudo (the -a keeps the user's existing supplementary groups; without it the user is removed from every other group). The new membership applies to sessions started after the change, not to shells already open.
Example:
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%xx     ALL=(ALL)       ALL
[root@localhost whx]# usermod -a -G xx whx
[root@localhost whx]# su whx
[whx@localhost ~]$ sudo tail -n 1 /etc/shadow
[sudo] password for whx:
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
Setting password-less sudo with visudo
%group_name ALL=(ALL) NOPASSWD: ALL
NOPASSWD: ALL for a group gives every member unauthenticated root: anyone who can run a command as one of those users (a stolen session, a compromised service account placed in the group) has root without a second factor of any kind. Prefer NOPASSWD for the specific commands that genuinely need to run unattended and keep ALL behind a password.
Example:
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%xx     ALL=(ALL)       NOPASSWD: ALL
[root@localhost whx]# su whx
[whx@localhost ~]$ sudo tail -n 1 /etc/shadow
xxx:$1$iPKqo9sC$JWaNXYN7OWVefJ.HqaReA0:17448:0:99999:7:::
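A practitioner would usually grant a group sudo through a drop-in file under /etc/sudoers.d rather than editing /etc/sudoers in place, so that a bad edit cannot take down the main file and the drop-in can be owned by configuration management. The script below is an added example, not code from the page or from the sudo project: it renders the %group line for the two sections above (with or without NOPASSWD:), writes it with the 0440 mode, syntax-checks it with visudo -cf before installing, and refuses drop-in names that sudo would silently ignore. It assumes the stock "#includedir /etc/sudoers.d" line is present in /etc/sudoers (the default on RHEL/CentOS and Debian-family systems); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): grant sudo to a group via a drop-in
# under /etc/sudoers.d. Assumes /etc/sudoers carries the stock
# "#includedir /etc/sudoers.d" line. Function names are this example's own.

# sudo_group_rule GROUP [nopasswd]
#   Print the sudoers line for GROUP; "nopasswd" adds the NOPASSWD: tag.
sudo_group_rule() {
    if [ "$2" = nopasswd ]; then
        printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    else
        printf '%%%s ALL=(ALL) ALL\n' "$1"
    fi
}

# write_sudo_dropin FILE GROUP [nopasswd]
#   Write the rule to FILE and set the 0440 mode sudo expects for
#   sudoers files; the file is never world-readable, even briefly.
write_sudo_dropin() {
    file=$1; shift
    ( umask 077 && sudo_group_rule "$@" > "$file" ) || return 1
    chmod 0440 "$file"
}

# valid_dropin_name NAME
#   sudo ignores files under sudoers.d whose name contains a dot or
#   ends in "~" (editor backups), so refuse those up front instead of
#   installing a file that never takes effect.
valid_dropin_name() {
    case $1 in
        ''|*.*|*~|*/*) return 1 ;;
    esac
    return 0
}

# install_sudo_group GROUP [nopasswd]   (must run as root)
#   Render, syntax-check with visudo, then install atomically.
#   A drop-in with a parse error would break every sudo call on the host,
#   which is why the check runs on a temporary copy first.
install_sudo_group() {
    valid_dropin_name "$1" || { echo "bad drop-in name: $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if write_sudo_dropin "$tmp" "$@" && visudo -cf "$tmp" >/dev/null \
        && install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$1"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Usage on a host, as root: install_sudo_group xx (or install_sudo_group xx nopasswd), then usermod -a -G xx whx, and confirm the effective rights with sudo -l -U whx, which prints the entries sudo will actually apply to that user.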
Adding users through aliases with visudo
User_Alias defines a user alias; Cmnd_Alias defines a command alias; Host_Alias defines a source-host alias. Alias names must start with an uppercase letter and may contain only uppercase letters, digits and underscores.
User_Alias ADMPW = user_name1, user_name2, user_name3, ...
Cmnd_Alias ADMPWCOM = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ADMPW ALL=(root) ADMPWCOM
As in the per-user rule above, the negated entry comes last inside the command alias: sudo applies matching entries in order and keeps the last match, so a wildcard placed after !/usr/bin/passwd root would re-allow sudo passwd root.
Example (the User_Alias and the Cmnd_Alias below both happen to be named TEST; they are different alias types, so this is legal, but distinct names are easier to audit):
# User_Alias ADMINS = jsmith, mikem
User_Alias TEST = xx, xxx
# Cmnd_Alias DRIVERS = /sbin/modprobe
Cmnd_Alias TEST = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TEST    ALL=(ALL)       TEST
[root@localhost whx]# su xx
[xx@localhost whx]$ cd ~
[xx@localhost ~]$ passwd whx
passwd: Only root can specify a user name.
[xx@localhost ~]$ sudo passwd whx
[sudo] password for xx:
Changing password for user whx.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[xx@localhost whx]$ su xxx
Password:
[xxx@localhost whx]$ sudo passwd xx
[sudo] password for xxx:
Changing password for user xx.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
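The ordering rule that applies to both the per-user passwd entry and the command alias above can be checked without touching a real sudoers file. The script below is an added example, not code from the page or from the sudo project: it is a small shell model of two documented sudoers(5) behaviours (an entry that lists only a path matches that program with any arguments, and among several matching entries the last one wins) and runs the page's original entry order and the corrected order against a few passwd invocations. The helper name and the rule strings are constructed for this example; on a real host, sudo -l -U user is the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the page or from sudo): a small model of how
# sudoers chooses a verdict for a command, reproducing two documented
# sudoers(5) rules: an entry that lists only a path matches that program
# with any arguments, and when several entries match, the LAST one wins.
# The rule strings below are constructed; use "sudo -l" on a real host
# for the authoritative answer.

# sudoers_verdict "RULES" CMDPATH "ARGS"
#   RULES is the comma-separated command list of one sudoers entry
#   ("!" negates an item). Prints allow or deny.
sudoers_verdict() {
    rules=$1; cmdpath=$2; cmdargs=$3
    verdict=deny                     # nothing matched yet: default deny
    oldifs=$IFS
    set -f; IFS=','; set -- $rules; set +f; IFS=$oldifs
    for entry; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        action=allow
        case $entry in
            '!'*) action=deny; entry=${entry#?} ;;
        esac
        rulepath=${entry%% *}
        if [ "$rulepath" = "$entry" ]; then
            ruleargs=''                  # path only: any arguments match
        else
            ruleargs=${entry#* }
        fi
        [ "$rulepath" = "$cmdpath" ] || continue
        if [ -z "$ruleargs" ]; then
            verdict=$action
        else
            # shell patterns behave like sudoers argument wildcards here:
            # "*" also matches spaces, and "[A-Za-z]*" needs one character.
            case "$cmdargs" in
                $ruleargs) verdict=$action ;;
            esac
        fi
    done
    printf '%s\n' "$verdict"
}

# The page's original entry order (wildcard last) and the corrected order.
PAGE_ORDER='!/usr/bin/passwd, !/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*'
FIXED_ORDER='/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'

show_verdicts() {
    for rules in "$PAGE_ORDER" "$FIXED_ORDER"; do
        echo "rules: $rules"
        for args in '' whx root '-d root'; do
            printf '  sudo passwd %-8s -> %s\n' "$args" \
                "$(sudoers_verdict "$rules" /usr/bin/passwd "$args")"
        done
    done
}
show_verdicts
```

With the page's original order, "sudo passwd root" ends up allowed because the wildcard entry is the last match; with the negation moved to the end it is denied, while "sudo passwd whx" stays allowed and both a bare "sudo passwd" and "sudo passwd -d root" are denied because no entry matches them.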
Using sudo together with su, so that switching to root needs only the user's own password and not root's.
visudo
User_Alias ADMINS = user_name1, user_name2, ...
ADMINS ALL=(root) /bin/su -
Users in ADMINS can then run sudo su - and become root after entering their own password.
Keep in mind that this rule is full root: a user who can run /bin/su - as root can do anything, so it is no more restrictive than ALL, and once the root shell starts sudo no longer sees the individual commands. Treat the ADMINS list exactly as you would a list of users with ALL.
Example:
# User_Alias ADMINS = jsmith, mikem
User_Alias TEST = xx, xxx
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
TEST    ALL=(root)      /bin/su -
[xx@localhost whx]$ sudo su -
[sudo] password for xx:
[root@localhost ~]#
[xxx@localhost root]$ sudo su -
[sudo] password for xxx:
[root@localhost ~]#
[root@localhost ~]# su whx
[whx@localhost root]$ sudo su -
[sudo] password for whx:
whx is not in the sudoers file.  This incident will be reported.