`

举例如何配置sudoers

阅读更多

 

本文为转帖,是在学习的时候搜索到的,现在收藏下,但是来源必须得标示出来:

http://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html

 

The sudoers file located at: /etc/sudoers, contains the rules that users must follow when using the sudo command.

If you have ever used used Ubuntu, you know that the root account is disabled. This is because the root password is not set in Ubuntu, you can assign one and use it as with every other Linux distribution. That anyway is another story. On normal Ubuntu Linux computers you need to use sudo to act as root.

I like using sudo, I’m not using Ubuntu anymore. The first thing I do when I install a new Linux is to use visudo to edit the sudoers file. And I always give my account root rights, then I can run commands as root without switching users.

The best way to understand the sudo command, and the rules in sudoers file, the funny way is by this comics.

sudo make me a sandwich sudoers file

credit to: XKCD

As you can see from this funny picture, using sudo command, makes the system obey any given order.

The two best advantages about using sudo command are:

  • Restricted privileges
  • Logs of the actions taken by users

I’m sure you are now fully aware of the advantages of using sudo command in a daily basis, how to use it?

In order to use sudo you first need to configure the sudoers file. The sudoers file is located at /etc/sudoers. And you should not edit it directly, you need to use the visudo command.

Once you enter visudo command, you will see something like this:

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

Almost all lines are commented out, the one that matters in this sudoers file example is:

root ALL=(ALL) ALL

This line means: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.

The first part is the user, the second is the terminal from where the user can use sudo command, the third part is which users he may act as, and the last one, is which commands he may run when using sudo.

sudoers examples

operator ALL= /sbin/poweroff

The above command, makes the user operator can from any terminal, run the command power off.

You can also create aliases for: users -> User_Alias, run commands as other users -> Runas_Alias, host -> Host_Alias and command -> Cmnd_Alias

User_Alias OPERATORS = joe, mike, jude Runas_Alias OP = root, operator Host_Alias OFNET = 10.1.2.0/255.255.255.0 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm

As you can see the alias OPERATORS includes the users joe, mike and jude, the alias OP includes the users root and operator, alias OFNET includes the network 10.1.2.0 (all the C class), and the command alias PRINTING includes the commands lpc and lprm.

So, a typical sudoers file may look like this:

 User_Alias     OPERATORS = joe, mike, jude
 Runas_Alias    OP = root, operator
 Host_Alias     OFNET = 10.1.2.0/255.255.255.0
 Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm

OPERATORS ALL=ALL

#The users in the OPERATORS group can run any command from
 any terminal.

linus ALL=(OP) ALL

# The user linus can run any command from any terminal as any 
user in the OP group (root or operator).

user2 OFNET=(ALL) ALL

# user user2 may run any command from any machine in the 
OFNET network, as any user.

user3 ALL= PRINTING

# user user3 may run lpc and lprm from any machine.

go2linux ALL=(ALL) ALL

# user go2linux may run any command from any machine acting
 as any user. (like Ubuntu)

If you want not to be asked for a password use this form:

go2linux ALL=(ALL) NOPASSWD: ALL

You may want to read sudoers man page

Considering that you are still reading here a bonus:

visudo command uses vi as the editor here some tips to use it:

  1. Switch to root, (su root), then run visudo, (as above).
  2. Find where it says “root ALL=(ALL) ALL”.
  3. Type “o” to insert a new line below it.
  4. Now type what you want to insert, eg “username ALL=(ALL) ALL”.
  5. Hit esc to exit insert-mode.
  6. Type “:x” to save and exit.

Can I change the default visudo editor?

Yes, changing the default visudo editor is easy.

And just because of your dedication, and still reading until here, I’ll show you how to set nano or vim to use with visudo command as default editor.

Using vim with visudo

export VISUAL=vim; visudo

Using nano with visudo

export VISUAL=nano; visudo

 

分享到:
评论

相关推荐

    ubuntu系统中有关sudoers文件访问错误的解决方法

    在Ubuntu系统中,`sudoers`文件是管理sudo权限的核心配置文件,位于`/etc/sudoers`。这个文件定义了哪些用户可以使用sudo命令,以及他们可以执行哪些操作。当`sudoers`文件出现问题,比如权限错误或者内容格式不正确...

    sudoers文件编辑和使用

    sudoers 文件编辑和使用 sudoers 文件是 Unix 系统中一个非常重要的文件,它控制着用户对 root 权限的访问。今天,我们将深入探讨 sudoers 文件的编辑和使用。 一、sudo 简介 sudo 是 Unix 系统中一个非常重要的...

    详解Linux下的sudo及其配置文件/etc/sudoers的详细配置

    本文将深入讲解`sudo`以及其配置文件`/etc/sudoers`的详细配置。 ### 1. `sudo`简介 `sudo`的主要功能是让用户在不需要知道root密码的情况下,临时获取超级用户权限。它不是替代shell,而是对每个命令单独授权。`...

    ansible-sudoers:在类似Debian的系统中管理sudoers和sudoers.d的角色

    sudoers_sudoers.defaults :[默认:请参见defaults/main.yml ]:默认配置选项 sudoers_sudoers.host_aliases :[默认值: [] ]: Host_Alias类型的别名列表 sudoers_sudoers.host_aliases.name :别名的名称 ...

    ansible-sudoers:控制默认etcsudoers文件和包含的文件目录的配置

    `ansible-sudoers` 是一个 Ansible 角色,专门用于管理和配置 `/etc/sudoers` 文件以及与之相关的目录。这个角色提供了便捷的方式来控制 sudo 访问权限和策略,这对于保持系统的安全性和合规性至关重要。 `/etc/...

    xxx is not in the sudoers file解决方法

    用sudo时提示"xxx is not in the sudoers file. This incident will be reported.其中XXX是你的用户名,也就是你的用户名没有权限使用sudo,我们只要修改一下/etc/sudoers文件就行了。

    Ansible-ansible-sudoers.zip

    Ansible-ansible-sudoers.zip,控制默认/etc/sudoers文件和包含的文件/目录的配置。,ansible是一个简单而强大的自动化引擎。它用于帮助配置管理、应用程序部署和任务自动化。

    Mac sudoers.dmg

    最新Mac OS --sudo 工具,安装以后,Mac 可以执行sudo命令

    linux不能使用sudo命令解决方案

    解决 "username is not in the sudoers file" 的问题需要将当前用户添加到 sudoers 文件中,步骤包括查找 sudoers 配置文件、更改权限、编辑 sudoers 文件、保存并退出编辑器、恢复权限等。通过掌握 sudo 命令的使用...

    030101配置用户使用sudo无需密码

    #1.root执行sudo时不需要输入密码(eudoers文件中有配置root ALL=(ALL) ALL这样一条规则) #2.欲切换的身份与执行者的身份相同,不需要输入密码 3./etc/sudoers文件设置为允许用户在不输入该用户的密码的情况下使用...

    linux系统使用sudo命令报xxx is not in the sudoers file.This incident will be reported.的解决方法.pdf

    This incident will be reported."的错误信息,这意味着你的用户名没有在sudoers配置文件中被授权使用sudo权限。以下是如何解决这个问题的详细步骤: 1. **切换到root用户**:首先,你需要获取root用户的权限来...

    Linux系统如何添加普通用户到 sudoers 文件

    在Linux系统中,sudoers文件是一个至关重要的安全配置文件,它定义了哪些非root用户可以使用sudo命令来执行需要管理员权限的操作。sudo命令允许普通用户以超级用户(root)的身份运行特定命令,而无需实际切换到root...

    树莓派sudoers文件

    树莓派使用的sudoers文件,当调用管理员权限出问题时,很有可能是该文件出现了问题,一个可行的方法就是使用另一个Linux系统替换该文件。

    Linux用户配置sudo权限(visudo)的方法

    总结来说,配置`sudo`权限是通过`visudo`编辑`/etc/sudoers`文件,设置用户、用户组和命令的规则。正确地配置`sudoers`文件可以有效地控制系统的访问权限,同时保持系统的安全。务必谨慎操作,因为错误的配置可能...

    解决 用户不在 sudoers 文件中 的问题

    当尝试使用`sudo`时收到“用户不在 sudoers 文件中”的错误提示,这意味着当前的用户没有在系统授权文件 `/etc/sudoers` 中被赋予使用`sudo`的权限。以下将详细解释如何解决这个问题,并介绍一些相关的Linux用户管理...

    sudo软件的安装与配置

    sudoers文件是sudo软件的配置文件,用于定义用户权限和命令。该文件必须使用visudo命令编辑,以避免语法错误。 文件的结构包括: * Host alias specification:定义主机别名。 * User alias specification:定义...

    ansible-user:为基于SSH密钥的登录名和无密码sudo创建和配置用户

    接下来是sudoers配置。sudo允许非root用户执行特定的命令,具有管理员权限。通过无密码sudo,我们可以减少用户交互,提高自动化任务的效率。在Ansible中,我们可以使用`sudoers`模块或`lineinfile`模块来编辑`/etc/...

    DBA实战配置Linux sudo

    `sudo`的主要配置文件位于`/etc/sudoers`。这是一个非常敏感且重要的文件,因为它直接决定了哪些用户或用户组可以在不暴露root密码的情况下拥有执行某些命令的权限。 ##### 2. 使用visudo编辑sudoers文件 由于`/...

    mac10.15 sudoers

    sudo修复

    CentOS 7中sudo权限配置

    在CentOS 7系统中,sudo的配置通常通过编辑/etc/sudoers文件来实现,但编辑这个文件时需要非常谨慎,因为一个错误的配置可能导致系统安全问题或者系统无法使用。因此,在修改/etc/sudoers文件之前,建议使用visudo...

Global site tag (gtag.js) - Google Analytics