What sudo permission means: the root user grants an ordinary user the right to run commands that otherwise only the superuser may execute. The objects sudo operates on are system commands.
Since sudo is root granting ordinary users the right to run system commands, where exactly does root grant that sudo permission to an ordinary user?
Switch to the root user and type the following command:
root@ubuntu:# visudo    # note: visudo is one word, there is no space between vi and sudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:$

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
Notice that the file visudo actually edits is /etc/sudoers (the editor shows it as the temporary copy /etc/sudoers.tmp; /etc/sudoers.d is the drop-in directory it includes at the end). The key part of it is
root ALL=(ALL) ALL
For example:
test ALL=(ALL) ALL
1. test: the user to whom sudo permission is being granted;
2. The first ALL: the hosts on which the sudo command may be used; in this example, any host (this machine included);
3. The second ALL: the identity test may assume when running sudo; ALL means test may run as any user (root included);
4. The third ALL: the commands test may run through sudo.
An ordinary user cannot run the shutdown command, so we grant the test user sudo permission to reboot the system:
1. Switch to the root user:
test@ubuntu:~$ sudo su
[sudo] password for test:
root@ubuntu:/home/test#
2. Run the visudo command to open the /etc/sudoers file:
root@ubuntu:/home/test# visudo
GNU nano 2.4.2                  File: /etc/sudoers.tmp

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:$

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin  ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
3. Add the following directive at the end of the /etc/sudoers file:
test ALL=(ALL) /sbin/shutdown -r now
This grants the test user sudo permission: on ALL hosts (this machine) test may switch to ALL (any) user and run the command /sbin/shutdown -r now.
Exit root and return to the test user:
root@ubuntu:/home/test# exit
exit
Check test's sudo permissions:
test@ubuntu:~$ sudo -l
Matching Defaults entries for test on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User test may run the following commands on ubuntu:
    (ALL : ALL) ALL
    (ALL) /sbin/shutdown -r now
(ALL) /sbin/shutdown -r now
is the sudo rule we just added.
Now we can shut the machine down as the test user:
test@ubuntu:~$ sudo /sbin/shutdown -r now
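As an added example that is not part of the original post: a small Python matcher for the user-specification form explained above (user host=(runas) command), which answers offline the same question sudo -l answers, taking the three rules visible in this post's sudoers as constructed input. It assumes plain names only; aliases, wildcards, Defaults and tags such as NOPASSWD are out of scope.

```python
import re

# Sudoers user specification:  user  host=(runas_user:runas_group)  command [args]
# (hypothetical helper; aliases, wildcards, Defaults and NOPASSWD tags are not handled)
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>.+)$"
)

def parse_spec(line):
    """Split one sudoers line into who / on which host / as whom / which command."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    runas = (m.group("runas") or "root").strip()   # without "(...)" sudo runs as root
    runas_user, _, runas_group = runas.partition(":")
    words = m.group("cmd").split()                 # normalises whitespace in the command
    return {"user": m.group("user"), "host": m.group("host"),
            "runas_user": runas_user.strip(), "runas_group": runas_group.strip(),
            "cmd": words[0], "args": words[1:]}

def _field_ok(spec_value, actual):
    return spec_value == "ALL" or spec_value == actual

def may_run(specs, user, groups, host, runas_user, command):
    """True if some spec lets `user` (member of `groups`) run `command` as `runas_user` on `host`."""
    words = command.split()
    for s in specs:
        who_ok = s["user"] in (user, "ALL") or (
            s["user"].startswith("%") and s["user"][1:] in groups)
        if not (who_ok and _field_ok(s["host"], host) and _field_ok(s["runas_user"], runas_user)):
            continue
        if s["cmd"] == "ALL":
            return True
        # A command listed without arguments may be run with any arguments; one listed
        # with arguments must be invoked with exactly those arguments (so "-h now" is denied).
        if words and words[0] == s["cmd"] and (not s["args"] or s["args"] == words[1:]):
            return True
    return False

# Constructed input: the three rules visible in the sudoers shown in this post.
SAMPLE_SPECS = [parse_spec(line) for line in (
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "test ALL=(ALL) /sbin/shutdown -r now",
)]

if __name__ == "__main__":
    for cmd in ("/sbin/shutdown -r now", "/sbin/shutdown -h now", "/bin/bash"):
        print(cmd, "->", may_run(SAMPLE_SPECS, "test", [], "ubuntu", "root", cmd))
```

Because the rule lists arguments, only the exact "-r now" form is allowed; a user who is also in group sudo (as test is in the sudo -l output above) additionally matches the %sudo rule and may run anything.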