sudo: delegating privileges

1、 Why sudo?

When a host is shared by many users and everyone uses su to switch to root, everyone has to know the root password. With that many people knowing it, the password can easily leak, which is very unsafe. What should we do? Use sudo.

With sudo you only need your own password to run a command. sudo lets you execute commands as another user (usually root). Not everyone can run sudo: only the users listed in /etc/sudoers are allowed to execute it.

2、sudo command usage

sudo lets a user execute a specified command under another identity; the default identity is root. The users allowed to run sudo are configured in /etc/sudoers. If an unauthorized user tries to use sudo, a warning e-mail is sent to the administrator. When using sudo, the user must first enter their own password, which then stays valid for 5 minutes; after that the password must be entered again.

Syntax:

sudo [-bhHpV] [-s] [-u <user>] [command]  or  sudo [-klv]

Parameters:

-b  Execute the command in the background

-H  Set the HOME environment variable to the home directory of the new identity

-k  End the password validity period, i.e. the next time you run sudo you must enter the password again

-K  Same as -k

-l  List the commands the current user can and cannot execute

-p  Change the prompt shown when asking for the password

-s  Execute the specified shell

-u  Use the specified user as the new identity; if this parameter is not given, the default new identity is root

-v  Extend the password validity period by 5 minutes

-V  Display version information

3、sudo workflow

1) When a user runs sudo, the system searches /etc/sudoers to see whether that user has permission to run sudo;

2) If the user has sudo permission, they are asked to enter their own password to confirm their identity;

3) If the password is correct, the command given after sudo is executed (when root runs sudo, no password is required);

4) If the identity to switch to is the same as the executing user, no password is required either.

4、visudo single-user authorization

visudo edits the /etc/sudoers file directly. We could also run vi /etc/sudoers, but the advantage of the visudo command is that when you exit the /etc/sudoers file, the system checks whether its syntax is correct.

[root@host ~]# visudo

....(lines above omitted)....

root    ALL=(ALL)       ALL   #<== find this line, around line 80

yang1   ALL=(ALL)       ALL   #<== new line: the yang1 user gets all privileges through sudo

....(remaining lines omitted)....

Syntax explanation:

Each line has three fields:

[user account]    [source host of the login]=([switchable identities])    [commands that may be run]

In detail:

User account

Which user is given sudo permission

Source host name

The host from which the trusted user logs in; check the source host of the user account with the w command

Switchable identities

The user roles that can be switched to, used together with sudo -u; the default is to switch to root.

Commands that may be run

The permission setting; a ! prefix marks a command that may not be run

Example:

[root@host ~]# visudo

yang2 ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# allow the yang2 user to change the passwords of all other users through sudo, but not the root password


5、visudo group authorization

[root@host ~]# visudo

....(lines above omitted)....

%test ALL=(ALL) ALL

# A % at the far left means the name that follows is a group; the rest of the format is the same as single-user authorization

[root@host ~]# usermod -a -G test test #<== add the user test to the test group

Any user who joins the test group can use sudo to switch to any identity and run any command


Using sudo without a password

[root@host ~]# visudo

....(lines above omitted)....

%test ALL=(ALL) NOPASSWD:ALL

# Put NOPASSWD: in front of the command field, i.e. NOPASSWD:ALL, and that is all


6、visudo alias authorization

A company has many departments, for example development, operations and technical support, each with many people. Different departments need different command permissions, while people in the same department share the same permissions. Writing an entry for every person is tedious, and maintaining them later is even worse. To make management easier you can use aliases.

How to use aliases:

The following examples can be found in man sudoers. Each alias type stands for one field of a rule:

User_Alias   user account

Host_Alias   source host name of the login

Runas_Alias  switchable identities

Cmnd_Alias   commands that may be run

User_Alias FULLTIMERS = millert, mikef, dowdy

Host_Alias CSNETS =,,

Runas_Alias OP = root, operator

Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm

Example:

[root@host ~]# visudo

User_Alias ADMPW = pro1, pro2, pro3, myuser1, myuser2   # define the user alias ADMPW

Cmnd_Alias ADMPWCOM = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# define the command alias ADMPWCOM

ADMPW ALL=(root) ADMPWCOM   # the members of the user alias get the permissions in the command alias
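To see how the rule forms from sections 4, 5 and 6 combine, here is an added example (not code from the page and not sudo's own parser): a small Python model of sudoers evaluation covering user, %group and User_Alias entries, the (runas) field, NOPASSWD:, command lists with ! negation, and Cmnd_Alias/Runas_Alias expansion. It assumes the host field is always ALL and applies the sudoers rule that the last matching command entry decides; the sudoers text inside it is constructed from the example rules above.

```python
"""Simplified model of how sudoers rules are evaluated (added example, not sudo's parser).

Handles the forms used in this tutorial: user / %group / User_Alias entries,
host=(runas), NOPASSWD:, command lists with ! negation, and Cmnd_Alias /
Runas_Alias definitions.  Assumptions: the host field is ignored (treated as
ALL) and, as in sudoers, the last matching command entry decides.
"""
import fnmatch

# Constructed sudoers text, assembled from the example rules on this page.
SUDOERS = """
User_Alias ADMPW = pro1, pro2, pro3, myuser1, myuser2
Cmnd_Alias ADMPWCOM = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
root    ALL=(ALL) ALL
yang1   ALL=(ALL) ALL
yang2   ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%test   ALL=(ALL) NOPASSWD:ALL
ADMPW   ALL=(root) ADMPWCOM
"""


def parse_sudoers(text):
    """Return (aliases, rules); aliases maps alias kind -> name -> member list."""
    aliases = {"User_Alias": {}, "Runas_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        kind = line.split()[0]
        if kind in aliases:                           # e.g. Cmnd_Alias NAME = a, b
            name, _, body = line[len(kind):].partition("=")
            aliases[kind][name.strip()] = [m.strip() for m in body.split(",")]
            continue
        who, rest = line.split(None, 1)               # user, %group or User_Alias
        host, _, rest = rest.partition("=")
        rest, runas = rest.strip(), "ALL"
        if rest.startswith("("):                      # optional (runas list)
            runas, _, rest = rest[1:].partition(")")
        rest, nopasswd = rest.strip(), False
        if rest.startswith("NOPASSWD:"):
            rest, nopasswd = rest[len("NOPASSWD:"):].strip(), True
        rules.append({"who": who, "host": host.strip(), "runas": runas.strip(),
                      "nopasswd": nopasswd, "cmds": [c.strip() for c in rest.split(",")]})
    return aliases, rules


def _expand_cmds(items, cmnd_aliases):
    """Replace Cmnd_Alias names by their members; '!ALIAS' negates each member."""
    out = []
    for item in items:
        neg, name = item.startswith("!"), item.lstrip("!")
        if name in cmnd_aliases:
            for member in _expand_cmds(cmnd_aliases[name], cmnd_aliases):
                mneg, mname = member.startswith("!"), member.lstrip("!")
                out.append(("!" if neg != mneg else "") + mname)
        else:
            out.append(item)
    return out


def _cmd_matches(pattern, command):
    """Same path, and the argument string fnmatch'ed against the pattern's
    arguments; a pattern without arguments matches any arguments."""
    if pattern == "ALL":
        return True
    ppath, _, pargs = pattern.partition(" ")
    cpath, _, cargs = command.partition(" ")
    return ppath == cpath and (pargs == "" or fnmatch.fnmatchcase(cargs, pargs))


def _user_matches(who, user, groups, user_aliases):
    if who.startswith("%"):                           # %group entry
        return who[1:] in groups
    return who in ("ALL", user) or user in user_aliases.get(who, [])


def _runas_matches(spec, runas, runas_aliases):
    for item in (s.strip() for s in spec.split(",")):
        if item in ("ALL", runas) or runas in runas_aliases.get(item, []):
            return True
    return False


def check(policy, user, groups, command, runas="root"):
    """Decide whether `user` (member of `groups`) may run `command` as `runas`.
    Returns ("allow", password_not_needed) or ("deny", None)."""
    aliases, rules = policy
    decision = ("deny", None)
    for rule in rules:
        if not _user_matches(rule["who"], user, groups, aliases["User_Alias"]):
            continue
        if not _runas_matches(rule["runas"], runas, aliases["Runas_Alias"]):
            continue
        for cmd in _expand_cmds(rule["cmds"], aliases["Cmnd_Alias"]):
            neg, pat = cmd.startswith("!"), cmd.lstrip("!")
            if _cmd_matches(pat, command):            # last matching entry wins
                decision = ("deny", None) if neg else ("allow", rule["nopasswd"])
    return decision


POLICY = parse_sudoers(SUDOERS)
```

Calling check(POLICY, "yang2", [], "/usr/bin/passwd root") yields a denial while "/usr/bin/passwd alice" is allowed; the leading !/usr/bin/passwd in ADMPWCOM matters because a bare passwd run as root with no argument would otherwise change root's password, and the [A-Za-z]* pattern does not match an empty argument string.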


7、sudo and environment variables

1) Symptom: the test1 user already has all permissions through sudo, but cannot view the NIC information.

[test1@host ~]$ sudo -l

... omitted ...

User test1 may run the following commands on this host:


# sudo already has all permissions

[test1@host ~]$ sudo ifconfig eth0

sudo: ifconfig: command not found

It does not work! The prompt says the command cannot be found. Why? This is caused by the system environment variables.


2) Compare root's environment variables with an ordinary user's

The test1 user cannot find where the command is with which, but root can.

[test1@host ~]$ which ifconfig

/usr/bin/which: no ifconfig in (/application/mysql/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/test1/bin)

[test1@host ~]$ su - root


[root@host ~]# which ifconfig



3) Compare the PATH variables of test1 and root

[root@host ~]# echo $PATH


[root@host ~]# su - test1

[test1@host ~]$ echo $PATH


The ordinary user's PATH does not contain the sbin directories, and many commands live in those directories.


4) Add the above paths to the ordinary user's variable file: cd ~ && vi .bash_profile

Append :/sbin:/usr/sbin:/usr/local/sbin to the PATH line

[test1@host ~]$ cat .bash_profile | grep PATH


[test1@host ~]$ source .bash_profile # make the modified variable file take effect

# after modifying the variable, view the NIC information again

[test1@host ~]$ sudo ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:0C:29:3B:DA:97

inet addr: Bcast: Mask:

Now it runs normally!


5) There are two ways to prevent the "command not found" problem for ordinary users

5.1) Add the above paths to the environment variable: either in the ~/.bash_profile file (ordinary users can edit it) or in the global /etc/profile file (must be edited as root)

5.2) Run the command with its absolute path, e.g. /sbin/ifconfig eth0

Note: CentOS 6.4 does not have this problem


8、Configure sudo log file tracking

Operation steps:

1) Find the location of the sample.sudoers file

[root@host ~]# rpm -ql sudo



2) Look at the log-related configuration in sample.sudoers

sample.syslog.conf is the official configuration note for sudo logging

[root@host ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.sudoers | grep "log"

Defaults syslog=auth

Defaults>root !set_logname

Defaults@SERVER log_year, logfile=/var/log/sudo.log

3) Create the log file

touch /var/log/sudo.log

4) Add the sudo log file to the system log

Append the following line to the end of /etc/syslog.conf

local2.debug	/var/log/sudo.log

Note: the blank between the two fields must be a tab, not spaces

On CentOS 6.4 the log service is rsyslog

5) Add the log path in /etc/sudoers (can also be edited with visudo)

Append to the end of /etc/sudoers:

echo 'Defaults logfile=/var/log/sudo.log' >> /etc/sudoers

6) Test

[root@host ~]# cat /var/log/sudo.log # before the test sudo.log is empty

[root@host ~]# su - yang1 # switch to an ordinary user (authorized in advance)

[yang1@host ~]$ sudo -l # view the commands the current user may run with sudo

[sudo] password for yang1:

Matching Defaults entries for yang1 on this host:


Runas and Command-specific defaults for yang1:


User yang1 may run the following commands on this host:

(ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/userdel, (ALL) /bin/touch # cannot create or delete users, but can create files

[yang1@host ~]$ sudo touch yangrong # create a file with sudo

[yang1@host ~]$ cat /var/log/sudo.log # look at sudo.log: the records are there, the test succeeded

Sep  5 12:37:46 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ; COMMAND=list

Sep  5 12:38:05 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ;
    COMMAND=/bin/touch yangrong

Test successful!

The above is a simple audit. For something more elaborate you can store the logs centrally; beyond that you can replay user behaviour, filter and analyse the records, and so on.
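The filtering and analysis mentioned above starts with parsing the log. As an added example (not code from the page), the Python script below reads records in the format sudo writes to the logfile configured in step 5, rejoins the wrapped continuation line seen in the test output, counts commands per invoking user and picks out refused attempts. The log lines inside it are constructed samples modelled on the page's output; that sudo marks a refused command with "command not allowed" between the user name and the TTY field is an assumption about sudo's log format, not something shown on the page.

```python
"""Parse the sudo log written by 'Defaults logfile=/var/log/sudo.log'.

Added example, not code from the page.  sudo wraps long records onto an
indented continuation line, so records are rejoined first.  A refused
command is assumed to be logged as 'command not allowed' between the
user name and the TTY field.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the records shown in the test above.
SAMPLE_LOG = """\
Sep  5 12:37:46 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ; COMMAND=list
Sep  5 12:38:05 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ;
    COMMAND=/bin/touch yangrong
Sep  5 12:40:12 : yang1 : command not allowed ; TTY=pts/2 ; PWD=/home/yang1 ;
    USER=root ; COMMAND=/usr/sbin/useradd bob
Sep  5 12:41:30 : yang2 : TTY=pts/3 ; PWD=/home/yang2 ; USER=root ;
    COMMAND=/usr/bin/passwd alice
"""

# "Sep  5 12:37:46 : yang1 : <fields separated by ' ; '>"
RECORD_RE = re.compile(r"^(?P<time>\S+\s+\d+\s+[\d:]+) : (?P<user>\S+) : (?P<rest>.*)$")


def join_continuations(text):
    """Glue indented continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records


def parse_record(record):
    """Turn one record into a dict: time, user, tty, pwd, runas, command, denied."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    entry = {"time": m.group("time"), "user": m.group("user"), "denied": False}
    for field in (f.strip() for f in m.group("rest").split(" ; ")):
        if field == "command not allowed":
            entry["denied"] = True
        elif "=" in field:
            key, _, value = field.partition("=")
            # USER= is the target identity; keep it apart from the invoking user
            entry["runas" if key == "USER" else key.lower()] = value
    return entry


def summarize(text):
    """Return (commands run per invoking user, list of (user, command) refused)."""
    entries = [e for e in map(parse_record, join_continuations(text)) if e]
    allowed = Counter(e["user"] for e in entries if not e["denied"])
    denied = [(e["user"], e["command"]) for e in entries if e["denied"]]
    return dict(allowed), denied


if __name__ == "__main__":
    counts, refused = summarize(SAMPLE_LOG)
    print("commands per user:", counts)
    for user, cmd in refused:
        print(f"refused: {user} tried {cmd}")
```

Refused attempts are the records worth alerting on first: a user repeatedly hitting commands their sudoers entry forbids is a stronger signal than the volume of allowed commands.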