May 23, 2021 That's what Linux should learn
Readers rarely encounter security issues in the lab environment, and in order to avoid the configuration service failure due to permissions factors, it is recommended to use root administrator to learn this book, but in the production environment still need to be in awe of security, do not use root administrator to do everything. B ecause once the wrong command is executed, it may lead directly to the system crash, so that not only customer criticism, leadership criticism, err on the bonus will also be chicken eggs. But turn around, although Linux systems make many system commands and services available only to root administrators for security reasons, it also leaves the average user with more permissions, resulting in a delay in completing specific tasks.
The su command solves the need to switch user identities, allowing current users to switch smoothly to other users without logging out, such as from root administrators to regular users:
root@linuxprobe jan 4 01:17:25 EST 2017 on pts/0 (root@linuxprobe linuxprobe@linuxprobe) s$100 0 (linuxprobe) gid-1000 (linuxprobe) groups=1000 (linuxprobe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Careful readers will surely find that there is a minus sign (-) between the su command above and the user name, which means a complete switch to a new user, T hat is, the environment variable information is also changed to the corresponding information of the new user, rather than retaining the original information. It is highly recommended to add this minus sign (-) when switching user identities.
In addition, password verification is not required when switching from root administrator to regular user, and password verification is required to switch from regular user to root administrator;
(linuxprobe@linuxprobe root)$ su root Password: s root@linuxprobe s s - linuxprobe Last login: Mon Aug 24 19:27:09 CST 2017 on pts/0 (linuxprobe@linuxprobe Although the average user can root@linuxprobe completely switch to root administrator status to do the job after using the su command like the one above, this will expose the root administrator's password, which increases the chance that the system password will be obtained by hackers;
Mr. Liu will next show you how to use the sudo command to give the specified user permission to execute a particular command, so that the average user can do a specific job or avoid revealing the root administrator password. A ll we have to do is configure the sudo service properly to take into account the security of the system and the convenience of the user. The configuration principle for sudo services is also simple - give as little additional permissions as possible to ensure that the average user does the right thing.
The sudo command is used to give ordinary users additional permissions to complete tasks that would otherwise have been accomplished by the root administrator, in the format "sudo (parameter) command name". The parameters available in the sudo service and their corresponding effects are shown in Table 5-7.
The parameters and effects available in the Table 5-7 sudo service
Parameter Role -h Lists help information -l Lists commands that the current user can execute -u username or UID value Execute commands as specified users - k The effective time of emptying passwords, password verification is required again the next time sudo is executed -b The specified commands are executed in the background -p Change the prompts to ask for passwords Summary, the sudo command has the following functions:
Restrict the user from executing the specified command:
Record every command executed by the user;
Profiles (/etc/sudoers) provide centralized parameters such as user management, permissions, and hosts;
There is no need for the user to verify the password again within 5 minutes of verifying it (the default).
Of course, if you are concerned about problems modifying profiles directly, you can configure user rights using the visudo command provided by the sudo command. This command prevents multiple users from modifying the sudoers profile at the same time when configuring user permissions, and also checks the parameters within the profile syntax and reports errors when they are found to be incorrect.
Only root administrators can edit the profile of the sudo service using the visudo command.
visudo: >>> /etc/sudoers: syntax error near line 111 <<< What now? O ptions are: (e) dit sudoers file again (x) it has save changes to sudoers file (Q) uit and save changes to sudoers file (DANGER!) when using the visudo command to configure the profile of the sudo command, which operates in the same way as the method used in the Vim editor, so remember to save and exit in last-line mode after writing. In the profile of the sudo command, fill in the information specified on line 99 (approximately) in the following format:
A list of executable commands that can be executed by using the allowed hosts
(root@linuxprobe) visudo 96 s.97 s. To save and then exit, and then switch to the specified normal user identity, you can now view all executable commands with the sudo-l command (in the following command, the password of the normal user is verified, not the password of the root administrator, please do not confuse the reader):
(root@linuxprobe) su - linuxprobe Login: Thu Sep 3 15:12:57 CST 2017 on pts/1 .linuxprobe@linuxprobe s$ sudo -l s.sudo. password for linuxprobe: enter the password of the Linprouxprobe user matching Defaults entries for linuxprobe on this: requiretty, !visiblepw, always_set_home, env_reset, env_keep "COLORS HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep "MAIL PS1 PS2." Q TDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User linuxprobe may run the following commands on this host: (ALL) ALL T hen there's the moment to witness a miracle! As an ordinary user, you can't certainly see the file information in root administrator's home directory (/root), but just add the sudo command before the command you want to execute:
"linuxprobe@linuxprobe s/ root ls: can open directory /root: Permission denied (linuxprobe@linuxprobe s) sudo ls /root anaconda-ks.cfg Documents initial-setup-ks.cfg Pictures Templates Desktops Music Public Videos effect is immediate! H owever, the ALL parameter is somewhat inappropriate considering that an ordinary user is not allowed to have the highest enforcement power for all commands throughout the system in a production environment (which is not in line with the previously mentioned principle of granting permissions, i.e., as little permission as possible). T herefore, only ordinary users can be given specific commands to meet the needs of the job, which is also subject to the necessary permission constraints. I f you need to have a user execute a specified command only as a root administrator, remember to give the absolute path to the command, otherwise the system will not recognize it. We can first use the whereis command to find the save path for the command, and then modify the user rights parameters on line 99 of the profile to the corresponding path:
(linuxprobe@linuxprobe.) $exit logout ([email protected]. ..gz . the root@linuxprobe s/visudo 96 s 97 s.97 s.97 s.97 s.97 s.97 s.97 s.98.98 root ALL(ALL) ALL 99 linuxprobe ALL?(ALL) /usr/bin/cat is still saved before exiting after editing. S witch again to the specified normal user, and then try to view the contents of a file normally, at which point you are prompted that there are no permissions. Then use the sudo command to smoothly view the contents of the file:
[root@linuxprobe ~]# su - linuxprobe Last login: Thu Sep 3 15:51:01 CST 2017 on pts/1 [linuxprobe@linuxprobe ~]$ cat /etc/shadow cat: /etc/shadow: Permission denied [linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow root:$6$GV3UVtX4ZGg6ygA6$J9pBuPGUSgZslj83jyoI7ThJla9ZAULku3BcncAYF00Uwk6Sqc4E36MnD1hLtlG9QadCpQCNVJs/5awHd0/pi1:16626:0:99999:7::: bin: : 16141:0:99999:7::: daemon: :16141:0:99999:7::: adm: :16141:0:99999:7::: lp: :16141:0:99999:7::: sync: :16141:0:99999:7::: shutdown: :16141:0:99999:7::: halt: :16141:0:99999:7::: mail: :16141:0:99999:7::: operator: :16141:0:99999:7::: games: :16141:0:99999:7::: ftp: :16141:0:99999:7::: nobody: /b15>:16141:0:99999:7::: .................. O mit part of the file content... D on't think it's over here, Miss Liu Wei has a baby at the bottom of the box. I don't know if you'll find out that you'll ask for a password every time you execute a sudo command. Although this password is the current login user's password, but each time the sudo command to enter a password is actually very troublesome, then you can add NOPASSWD parameters, so that the user to execute the sudo command no longer need password verification:
linuxprobe@linuxprobe root@linuxprobe s/sbin/poweroff/usr/share/man/man8/poweroff.8.gz root@linuxprobe Root to run any commandsanywhere 98 root ALL-all 99 linuxprobe ALL-NOPASSWD: /usr/sbin/poweroff So that when you switch to a normal user and then execute commands, you don't have to verify passwords frequently, and we're happy in our daily work.
[root@linuxprobe ~]# su - linuxprobe Last login: Thu Sep 3 15:58:31 CST 2017 on pts/1 [linuxprobe@linuxprobe ~]$ poweroff User root is logged in on seat0. P lease retry operation after closing inhibitors and logging out other users. A lternatively, ignore inhibitors and users with 'systemctl poweroff -i'. [linuxprobe@linuxprobe ~]$ sudo poweroff
Next chapter: Https://www.linuxprobe.com/chapter-06.html