Ubuntu action-04 SUDO settings

Posted by sigkill-9 on Fri, 04 Mar 2022 12:58:06 +0100

Under linux system, ordinary users cannot directly execute the commands under the authority of root user. If you want ordinary users to execute the operation commands that only root user can execute, sudo is needed.

Before sudo was written around 1980, the general way of user management system was to use su to switch to super user. However, one of the disadvantages of using su is that you must first tell the super user's password, while sudo enables ordinary users to obtain permission without knowing the super user's password.

1 authorize ordinary users to execute the root command

To authorize an ordinary user to execute the root command, you need to configure it in the / etc/sudoers file (or directly use the visudo command, but it can only be executed under the root user):

[root@test-huanqiu ~]# visudo
# User privilege specification
pang ALL=(ALL) ALL

1.1 parameter interpretation

  1. The first field zhangj specifies the user: it can be a user name or an alias. Each user can set one line, and multiple users can set multiple lines. You can also set multiple users as an alias.
  2. The second field ALL specifies the host where the user is located: it can be ip or host name, indicating that the file after sudo setting, i.e. / etc/sudoers, is only effective on this host, and ALL indicates that it is effective on ALL hosts! The restrictions are generally local, that is, the host that restricts the use of this file; If it is specified as "", it means that this file is valid only on this host. If it is copied to another host, it will not work! Generally, it is specified as "ALL", which means that ALL hosts can be used no matter where the files are copied.
  3. The third field (ALL) also specifies the user in brackets: specify the user identity to execute sudo, that is, you can enjoy the permissions under ALL accounts after using sudo. If you want to exclude individual users, you can set it in parentheses, such as ALL=(ALL,!root,!ops). You can also set aliases
  4. The fourth field ALL specifies the commands to be executed: that is, ALL commands can be executed after using sudo. You can also set aliases. NOPASSWD: ALL indicates that the user who uses sudo does not need to enter a password. The instructions here use absolute paths

1.2 example

If we want the user pang to execute the commands / bin/chown and / bin/chmod in the root account of the host (the host name is localhost), it should be configured as follows:

[root@test-huanqiu ~]# visudo
# User privilege specification
pang localhost=(root) /bin/chown,/bin/chmod

If the user pang logs in and runs the sudo command, operations that do not meet one of the above three conditions will fail.

2. Secret free operation

Security is safe, but it is troublesome. You must enter a password every time you execute an instruction. To eliminate the password entry operation, modify the configuration file:

2.1 using root user visudo

#NOPASSWD here is a field configured to support secret free execution
pang       ALL=(root)      NOPASSWD:/usr/bin/vim            

What is set here is that the vim instruction can be executed without password!

2.2 manually modify the / etc/sudoers file

# Switch to root
sudo su - root
# Modify / etc/sudoers file permissions
chmod 744 /etc/sudoers
# Modify the / etc/sudoers file and add the following contents. ubuntu is the current user
# Save and restore permissions
chmod 440 /etc/sudoers
# Restart the system

A new terminal is started, and the test does not take effect.
Reason: nopasswd is set, but it doesn't work because it is overwritten by the following group settings. Add it to the last line of the file instead.

# User privilege specification

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command

3. Authorize to user group

[root@test-huanqiu ~]# visudo
# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move it further down)
%sudo ALL=(ALL) ALL

It is similar to authorizing a single user, except that the user name is replaced by the% group name here, and all users in the group are authorized according to this rule.

For this example, ALL users in the sudo group have the permission to execute any command (the third ALL) at any terminal (the first ALL). Check the / etc/group file to know which users belong to the sudo group.

4 operation skills

4.1 execute the root command and forget to add sudo:

After entering a long command and pressing Enter, unauthorized operation appears, because sudo is forgotten in front of the command.
Most people press ↑ to return to the previous command, add sudo before the command, and then execute the command.
In fact, this is not necessary. The clever way is:
Just enter sudo!! Yes, here!! Represents the last command. For example:

[pang@localhost ~]$ cat test
cat: test: Permission denied
[pang@localhost ~]$ sudo !!
sudo cat test

That is to get the content of the test file!

4.2 shell built-in commands cannot use sudo

shell is an interactive application program. When executing external commands, a sub process is created through fork, and then executed through the program loaded with external commands through exec.
However, if a command is a shell built-in command, it can only be run directly by the shell.
Sudo means to fork a process with the permission of other users (such as root), load the program and run it. Therefore, sudo cannot be followed by the built-in commands of the shell\

[pang@localhost ~]$ sudo cd /sys/kernel/debug/
sudo: cd: command not found

In this case:

[pang@localhost ~]$ sudo bash   //Or sudo su - or sudo -s, in fact, use the sudo command to switch from the current user to the root user
[root@localhost debug]# cd /sys/kernel/debug/
[root@localhost debug]#

Record sudo operation log

As an administrator of Linux system, you can not only let the specified user or user group run some commands as root user or other users, but also make detailed records of the commands and parameters entered by the specified user.
The log function of sudo can track the commands entered by users, which can not only improve the security of the system, but also be used for troubleshooting.

  • Create sudo log file
[pang@localhost ~]$ sudo touch /var/log/sudo.log
  • Modify / etc / rsyslog Conf configuration file (the file name of some versions of the system is / etc/syslog.conf), and add the following line to the file
[pang@localhost ~]$ sudo vim /etc/rsyslog.conf
local2.debug /var/log/sudo.log //White space cannot be used, but tab must be used
  • Modify / etc/sudoers configuration file
[pang@localhost ~]$ sudo vim /etc/sudoers
Defaults logfile=/var/log/sudo.log
  • Restart syslog service
[pang@localhost ~]$ sudo service rsyslog restart
  • verification
    After the above configuration, all successful and unsuccessful sudo commands of sudo are recorded in the file / var / log / sudo Log.

4.4 assign different groups to multiple users:

In the case of root user, edit the / etc/group file, which controls the group of the system and the group to which the user belongs.

groupadd sudo                 #Because no gid is specified, it is pushed back according to the gid in the file
sudo:x:504:                    #After adding, this field appears in the file.

Amend to read:

sudo:x:504:batman,test            #At this time, sudo is the affiliated group of user batman and test

Then visudo

%sudo   ALL=(root)      NOPASSWD:/usr/bin/vim
%sudo   ALL=(root)      NOPASSWD:/bin/cat

Save and exit. You can use: visudo -c to check the syntax and return OK. There is no problem.

-rw-------. 1 root root 1595 Jul 24 05:00 rsyncd.conf
-rw-------. 1 root root    8 Jul 24 05:00 rsyncd.pass
-rw-------. 1 root root   14 Jul 24 05:00 rsyncd.pwd

For these three files, only root has operation permission. Now

[pang@localhost]$ sudo vim rsyncd.conf

The discovery is ok.

5 sudo problem record

When modifying / etc/sudoers manually, if you don't pay attention to the operation, it will lead to some problems, which is hereby recorded.

5.1 error recovery after modifying the user of / etc/sudoers

When modifying the setting of sudo password free, after unintentionally changing chmod 440 /etc/sudoers to chown 440 /etc/sudoers, sudo command cannot be used after system restart.


(1) Restart the computer and enter ubuntu Recovery mode Grub(Keep pressing esc or shift)
(2) stay Grub Select from the menu root
(3) Re enter the command chown root /etc/sudoers
(4) reboot

Topics: Linux network server