Difference between revisions of "Quick HOWTO : Ch09 : Linux Users and Sudo"

From Ubuntu中文

(Do not translate this page directly!)
第1行: 第1行:
{{From|http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo}}
+
{{From|http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo}} {{Languages|Quick HOWTO : Ch09 : Linux Users and Sudo}}
{{Languages|Quick HOWTO : Ch09 : Linux Users and Sudo}}
+
= '''序言''' =
+
  
在我们开始之前,最好先讲一些基本的用户管理系统,这在以后的章节中是非常有用的。添加用户在管理linux盒子中非常重要的一项操作。在这里你会看到几个为以后章节准备简单的例子。你不一定能够完全理解它,but is a good memory refresher(此句不会翻译)。你可以用这个命令man useradd来获得关于用useradd命令添加用户的帮助,或者用命令man usermod来进一步熟悉关于用usermod命令来修改用户的帮助信息。
+
= Introduction =
  
= 谁是超级用户? =
+
Before we proceed, it would be best to cover some basic user administration topics that will be very useful in later chapters. Adding Users
  
 +
One of the most important activities in administering a Linux box is the addition of users. Here you'll find some simple examples to provide a foundation for future chapters. It is not intended to be comprehensive, but is a good memory refresher. You can use the command man useradd to get the help pages on adding users with the useradd command or the man usermod to become more familiar with modifying users with the usermod command.
  
超级用户被命名为root,在linux中超级用户可以不受任何限制地访问
+
<br>
  
 +
= Who Is the Super User? =
  
所有的系统资源和文件。超级用户有一个用户ID,为0,它被linux应用软件普遍的确定为所属于具有最高权限的用户(翻译不好,原文:This user has a user ID, of 0 which is universally identified by Linux applications as belonging to a user with supreme privileges)。你需要以root用户登录来为你的linux服务器添加一个新的用户。
+
The super user with unrestricted access to all system resources and files in Linux is the user named root. This user has a user ID, of 0 which is universally identified by Linux applications as belonging to a user with supreme privileges. You will need to log in as user root to add new users to your Linux server.
  
'''注意:'''''''''当你安装Ubuntu linux系统的时候,系统提示你创建的用户并不是root用户。root会自动建立但是没有密码,所以最初你不能以root用户登录。用sudo su命令,第一个用户可以变成root用户,这在以后会论述。''
+
'''Debian Note:''' When installing Ubuntu Linux systems, you are prompted to create a primary user that is not <code>root</code>. A <code>root</code> user is created but no password is set, so you initially cannot log in as this user. The primary user can become the root user using the <code>sudo su -</code> command that will be discussed later.
  
= 怎样添加用户 =
+
= How To Add Users =
  
添加用户需要一些计划,在你开始之前先浏览一下下面这几步:
+
Adding users takes some planning; read through these steps below before starting:
  
<br>1)按功能排列你要添加的用户所加入的组。在这个例子中有三个群组“parents”,“children"和“soho”。
+
1) Arrange your list of users into groups by function. In this example there are three groups "parents", "children" and "soho".
  
 
  Parents Children Soho
 
  Parents Children Soho
Paul   Accounts Derek
+
 
Jane   Alice
+
Paul Alice Accounts
 +
Jane Derek Sales
  
&nbsp;
+
2) Add the Linux groups to your server:
 
+
<br>2)在你的服务器中添加linux群组:
+
  
 
  [[email protected] tmp]# groupadd parents
 
  [[email protected] tmp]# groupadd parents
 +
[[email protected] tmp]# groupadd children
 +
[[email protected] tmp]# groupadd soho
  
[[email protected] tmp]# groupadd children [[email protected] tmp]# groupadd soho
+
3) Add the Linux users and assign them to their respective groups
  
3)添加linux用户并且分配他们到他们各自的群组
+
[[email protected] tmp]# useradd -g parents paul
 +
[[email protected] tmp]# useradd -g parents jane
 +
[[email protected] tmp]# useradd -g children derek
 +
[[email protected] tmp]# useradd -g children alice
 +
[[email protected] tmp]# useradd -g soho accounts
 +
[[email protected] tmp]# useradd -g soho sales
 +
 
 +
If you don't specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as the user you just created; this is also known as the User Private Group Scheme. When each new user first logs in, they are prompted for their new permanent password.
 +
 
 +
4) Each user's personal directory is placed in the /home directory. The directory name will be the same as their user name.
 +
 
 +
[[email protected] tmp]# ll /home
 +
drwxr-xr-x 2 root root 12288 Jul 24 20:04 lost+found
 +
drwx------ 2 accounts soho 1024 Jul 24 20:33 accounts
 +
drwx------ 2 alice children 1024 Jul 24 20:33 alice
 +
drwx------ 2 derek children 1024 Jul 24 20:33 derek
 +
drwx------ 2 jane parents 1024 Jul 24 20:33 jane
 +
drwx------ 2 paul parents 1024 Jul 24 20:33 paul
 +
drwx------ 2 sales soho 1024 Jul 24 20:33 sales
 +
  
 
<br>
 
<br>
  
[[email protected] tmp]# useradd -g parents paul
+
= How to Change Passwords =
[[email protected] tmp]# useradd -g parents jane
+
[[email protected] tmp]# useradd -g children derek
+
[[email protected] tmp]# useradd -g children alice
+
[[email protected] tmp]# useradd -g soho accounts
+
[[email protected] tmp]# useradd -g soho sales
+
  
<br>&nbsp;如果你不用-g指定群组,RedHat/Fedora Linux会自动建立一个和你所添加的用户名字一样的群组;也就是用户私有组方案。每一个新用户在第一次登录的时候,都会被提示设置他们新的永久密码。
+
You need to create passwords for each account. This is done with the passwd command. You are prompted once for your old password and twice for the new one.
  
4)每一个用户的个人目录都被设定在/home目录下。目录的名字就是他们的用户名。
+
* User root changing the password for user paul.
  
<br>
+
[[email protected] root]# passwd paul
 +
Changing password for user paul.
 +
New password:
 +
Retype new password:
 +
passwd: all authentication tokens updated successfully.
 +
  
[[email protected] tmp]# ll /home
+
* Users might wish to change their passwords at a future date. Here is how unprivileged user paul would change his own password.
drwxr-xr-x 2 root root 12288 Jul 24 20:04 lost+found
+
drwx------ 2 accounts soho 1024 Jul 24 20:33 accounts
+
drwx------ 2 alice children 1024 Jul 24 20:33 alice
+
drwx------ 2 derek children 1024 Jul 24 20:33 derek
+
drwx------ 2 jane parents 1024 Jul 24 20:33 jane
+
drwx------ 2 paul parents 1024 Jul 24 20:33 paul
+
drwx------ 2 sales soho 1024 Jul 24 20:33 sales
+
[[email protected] tmp]# <span id="fck_dom_range_temp_1200546147140_202"></span>
+
+
+
  
<br>&nbsp;
+
[[email protected] paul]$ passwd
 +
Changing password for paul
 +
Old password: your current password
 +
Enter the new password (minimum of 5, maximum of 8 characters)
 +
Please use a combination of upper and lower case letters and numbers.
 +
New password: your new password
 +
Re-enter new password: your new password
 +
Password changed.
 +
  
 +
<br>
  
 +
== How to Delete Users ==
  
 +
The userdel command is used to remove the user's record from the /etc/passwd and /etc/shadow used in the login process. The command has a single argument, the username.
  
 +
[[email protected] tmp]# userdel paul
  
== 怎样更改密码 ==
+
There is also an optional -r switch that additionally removes all the contents of the user's home directory. Use this option with care. The data in a user's directory can often be important even after the person has left your company.
  
====== 你需要为第一个帐户创建一个密码。这可以用passwd命令来完成。 系统会提示输入你的旧密码一次,输入你的新密码两次。 ======
+
[[email protected] tmp]# userdel -r paul
  
用root用户更改用户paul的密码
+
<br>
<pre>[[email protected] root]# passwd paul
+
Changing password for user paul. New password:
+
Retype new password: passwd:
+
all authentication tokens updated successfully.
+
[[email protected] root]#</pre>
+
  
===== 用户以後可能会改他们自己的密码。这个例子说明用户paul改自己的密码没有特权。 =====
+
== How to Tell the Groups to Which a User Belongs ==
<pre>[[email protected] paul]$ passwd
+
Changing password for paul Old password: your current password
+
Enter the new password (minimum of 5, maximum of 8 characters)
+
Please use a combination of upper and lower case letters and numbers.
+
New password: your new password
+
Re-enter new password: your new password
+
Password changed.
+
[[email protected] paul]$</pre>
+
  
== 怎样删除用户 ==
+
Use the groups command with the username as the argument.
  
==== userdel命令可以用来把用户记录从目录/etc/passwd和登录进程所用到的目录/etc/shadow中删除。这个命令只有一个参数,就是你要删的用户名 ====
+
[[email protected] root]# groups paul
 +
paul&nbsp;: parents
 +
  
该命令也有一个选项 -r用来将该用户在/home目录下所有的内容一起删除。用这个选项要小心。用户目录下的数据可能非常重要即使该用户已经离开你的公司。
+
<br>
<pre>&lt;pre&gt;[[email protected] tmp]# userdel paul
+
[[email protected] tmp]# userdel -r paul &nbsp;</pre>
+
  
=== 怎样让群组知道用户属于哪个群组 ===
+
== How to Change the Ownership of a File ==
  
==== Use the groups command with the username as the argument.用用户名作groups命令的参数 ====
+
You can change the ownership of a file with the chown command. The first argument is the desired username and group ownership for the file separated by a colon (:) followed by the filename. In the next example we change the ownership of the file named text.txt from being owned by user root and group root to being owned by user testuser in the group users:
<pre>[root@bigboy root]# groups paul paul&nbsp;: parents
+
[[email protected] root]#</pre>
+
  
=== 怎样更改文件的所有权 ===
+
[[email protected] tmp]# ll test.txt
 +
-rw-r--r-- 1 root root 0 Nov 17 22:14 test.txt
 +
[[email protected] tmp]# chown testuser:users test.txt
 +
[[email protected] tmp]# ll test.txt
 +
-rw-r--r-- 1 testuser users 0 Nov 17 22:14 test.txt
 +
  
==== 你可以用chown命令来更改文件的所有权。第一个对象是该文件 期望的用户名和群组所有权被一个冒号(:)分开,後面是文件名。在下面的例子中,我们改变了名为text.txt的文件的所有权,从root用户和root群组拥有改为testuser用户和users群组拥有: ====
+
You can also use the chown command with the -r switch for it to doe recursive searches down into directories to change permissions.
<pre>[[email protected] tmp]# ll test.txt
+
-rw-r--r-- 1 root root 0 Nov 17 22:14 test.txt
+
[[email protected] tmp]# chown testuser:users test.txt
+
[[email protected] tmp]# ll test.txt
+
-rw-r--r-- 1 testuser users 0 Nov 17 22:14 test.txt
+
[[email protected] tmp]#</pre>
+
您也可以使用chown命令後加上- R的参数,它能递归搜索目录并改变其权限。
+
  
= 用sudo命令 =
+
<br>
  
如果一台聒噪需要同时由几个人来管理,最好不要让他们都用root帐号。因为如果每个人都用一样的权限,很难确定是谁什么时间什么位置做了什么。sudo命令就是用来解决这个难题的。
+
= Using sudo =
  
 +
If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.
  
 +
The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.
  
sudo命令允许在/etc/sudoers配置文件中所定义的用户拥有临时的权限来运行一些在正常情况下根据文件访问权限他们不能运行的命令。这些命令可以以root用户或者其他在/etc/sudoers配置文件中所定义的用户所运行。
+
The privileged command you want to run must first begin with the word sudo followed by the command's regular syntax. When running the command with the sudo prefix, you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password. All commands run as sudo are logged in the log file /var/log/messages.
  
如果你想运行有特权的命令你必须在这个命令前加上sudo。当运行带有sudo作前缀的命令时,系统在执行该命令之前,会提醒你输入你的密码。在五分钟内你也可以运行其他有特权的命令而不需要输入密码。所有的以sudo执行的命令都会被记录在日志文件/var/log/messages中。<br>
+
<br>
  
== 简单的sudo例子 ==
+
== Simple Sudo Examples ==
  
以下是几个运用sudo的简单的实例。
+
Using sudo is relatively simple as we can see from these examples.
  
=== 临时获得root用户权限 ===
+
=== Temporarily Gaining root Privileges ===
  
在这个例子中,用户bob试图浏览文件/etc/sudoers中的目录,而那是需要特权才能访问的。因为没有用sudo,该命令失败:
+
In this example, user bob attempts to view the contents of the /etc/sudoers file, which is an action that normally requires privileged access. Without sudo, the command fails:
  
 
  [[email protected] bob]$ more /etc/sudoers
 
  [[email protected] bob]$ more /etc/sudoers
/etc/sudoers: Permission denied
+
/etc/sudoers: Permission denied
+
  
这一次Bob用了sudo命令并且输入了他自己的密码,他成功了:
+
Bob tries again using sudo and his regular user password and is successful:
  
 
  [[email protected] bob]$ sudo more /etc/sudoers
 
  [[email protected] bob]$ sudo more /etc/sudoers
Password:
+
Password:
...
+
...
...
+
...
+
  
以后的章节会讲到安装配置sudo命令的细节。
+
The details of configuring and installing sudo are covered in later sections.
  
=== 完全以root用户登录 ===
+
=== Becoming root for a Complete Login Session ===
  
su命令允许一个般的用户转变成root用户,只要他知道root用户的密码。而一个用户以sudo权限运行su命令时也可以变成root用户,不过这时他们只需要知道他们自己的密码,而不是root用户的密码,就像你在这里看到的。
+
The <code>su</code> command allows a regular user to become the system's <code>root</code> user if they know the <code>root</code> password. A user with <code>sudo</code> rights to use the <code>su</code> command can become <code>root</code>, but they only need to know their own password, not that of <code>root</code> as seen here.
  
 
  [email protected]:~$ sudo su -
 
  [email protected]:~$ sudo su -
Password:
+
Password:
+
  
一些系统管理员允许用sudo命令来获得root权限操作他们自己的帐户而不需要输入密码。
+
Some systems administrators will use <code>sudo</code> to grant <code>root</code> privileges to their own personal user account without the need to provide a password.
  
 +
Later sections describe how to disable <code>sudo su</code> ability and also how to use <code>sudo</code> without password prompts.
  
 +
== Downloading and Installing the sudo Package ==
  
以后的章节会讲到怎样使sudo su命令失效以及怎样用sudo命令而不需要输入密码。
+
Fortunately the package is installed by default by RedHat/Fedora which eliminates the need to anything more in this regard. The visudo Command
  
== 下载安装sudo命令包 ==
+
The visudo command is a text editor that mimics the vi editor that is used to edit the /etc/sudoers configuration file. It is not recommended that you use any other editor to modify your sudo parameters because the sudoers file isn't located in the same directory on all versions of Linux. visudo uses the same commands as the vi text editor. The visudo command must run as user root and should have no arguments:
 
+
很幸运在RedHat/Fedora中sudo命令包是被默认安装的,也就不需要再安装了。
+
 
+
<br>visudo命令是一个模仿vi编辑器的文字编辑器,vi编辑器是用来编辑配置文件/etc/sudoers的。我们不建议你们其它文字编辑器来修改sudo参数,因为sudoers文件在不同版本的Linux有不有同的目录。visudo用的命令和vi编辑器一样,visudo命令毫无疑问必须以root用户运行:
+
  
 
  [[email protected] tmp]# visudo
 
  [[email protected] tmp]# visudo
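Review bot: the sentence "You can also use the chown command with the -r switch for it to doe recursive searches" in the chown section carries two errors that the Chinese line next to it ("後加上- R的参数") already avoids: chown's recursive option is the uppercase -R (lowercase -r is not a chown option), and "doe" should be "do". Separately, the Chinese translations of the passwd, userdel, groups and chown paragraphs are wrapped in "====== ... ======", "===== ... =====" and "==== ... ====" heading markup, which turns whole paragraphs into level-4 to level-6 headings; they should be plain paragraphs like the English text beside them. The userdel block also contains a literal "&lt;pre&gt;" inside the <pre> element, so a stray "<pre>" is rendered in front of "[[email protected] tmp]# userdel paul"; remove it.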
第170行: 第175行:
 
<br>
 
<br>
  
==  
+
== The /etc/sudoers File ==
== &nbsp; ==
+
文件/etc/sudoers ==
+
 
+
 
+
文件/etc/sudoers包含所有的运行
+
 
+
 
+
sudo需要的配置和许可参数。在用visudo编辑该文件时有很多建议需要遵循。
+
 
+
 
+
&nbsp;
+
  
 +
The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work. There are a number of guidelines that need to be followed when editing it with visudo. General /etc/sudoers Guidelines
  
表9-1所示的是文件/etc/sudodrs的大概格式:
+
The /etc/sudoers file has the general format shown in Table 9-1.
  
 
<br>
 
<br>
  
=== 表9-1 文件/etc/sudoers的格式 ===
+
=== Table 9-1 Format of the /etc/sudoers File ===
 
<div align="center">
 
<div align="center">
{| class="MsoTableGrid" cellspacing="0" cellpadding="0" border="1"
+
{| cellspacing="0" cellpadding="0" border="1" style="border: medium none ; border-collapse: collapse;" class="MsoTableGrid"
 
|-
 
|-
| valign="top" width="738" |  
+
| width="738" valign="top" style="border: 1pt solid windowtext; padding: 0.05in; background: green none repeat scroll 0%; width: 6.15in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;" |  
'''<span>General sudoers File Record Format</span>'''
+
'''<span style="color: white;">General sudoers File Record Format</span>'''
  
 
|-
 
|-
| valign="top" width="738" |  
+
| width="738" valign="top" style="border-style: none solid solid; border-color: -moz-use-text-color windowtext windowtext; border-width: medium 1pt 1pt; padding: 0.05in; width: 6.15in;" |  
 
<tt>'''usernames/group&nbsp;servername = (usernames command can be run as) command'''</tt>
 
<tt>'''usernames/group&nbsp;servername = (usernames command can be run as) command'''</tt>
  
 
|}
 
|}
</div>
+
</div>  
几条编辑该文件的建议:
+
There are some general guidelines when editing this file:
  
 
* Groups are the same as user groups and are differentiated from regular users by a % at the beginning. The Linux user group "users" would be represented by %users.
 
* Groups are the same as user groups and are differentiated from regular users by a % at the beginning. The Linux user group "users" would be represented by %users.
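Review bot: the Chinese heading for the /etc/sudoers section is split across three lines ("==", "== &nbsp; ==" and "文件/etc/sudoers =="), which renders as an empty heading followed by body text; it should be the single line "== 文件/etc/sudoers ==", mirroring "== The /etc/sudoers File ==". The sentence "文件/etc/sudoers包含所有的运行 ... sudo需要的配置和许可参数" is likewise broken into two paragraphs by the blank lines between its halves and should be rejoined on one line.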
第213行: 第208行:
 
<br>
 
<br>
  
== 简单的/etc/sudoers例子 ==
+
== Simple /etc/sudoers Examples ==
  
 
This section presents some simple examples of how to do many commonly required tasks using the sudo utility.
 
This section presents some simple examples of how to do many commonly required tasks using the sudo utility.
  
 +
=== Granting All Access to Specific Users ===
  
本章介绍关于怎样用sudo作用来做
+
You can grant users bob and bunny full access to all privileged commands, with this sudoers entry.
 
+
 
+
一些经常需要的的工作。
+
 
+
===
+
=== Granting All Access to Specific Users 允许 ===
+
 
+
===  ===
+
 
+
特殊用户拥有所有权限 ===
+
 
+
你可以通过添加以下来使用户bob,bunny能够通过sudo命令来获得运行所有命令的权力
+
  
 
  bob, bunny ALL=(ALL) ALL
 
  bob, bunny ALL=(ALL) ALL
  
 
This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this prob
 
This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this prob
 
这通常来说不是个好办法,因为这会让用户bob和bunny能通过用sudo su命令
 
 
而让他们永久地成为root权限从而体现不出使用sudo命令的特点。下面的例子说明了怎样用sudoers文件中的别名来避免这种可能。<br>
 
  
 
=== Granting Access To Specific Users To Specific Files ===
 
=== Granting Access To Specific Users To Specific Files ===
 
= '''让特定的用户获得特定的文件访问权''' =
 
  
 
This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:
 
This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:
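Review bot: the Chinese heading for "Granting All Access to Specific Users" is split into "=== Granting All Access to Specific Users 允许 ===", an empty "=== ===" and "特殊用户拥有所有权限 ===", which yields an empty heading and leaves "特殊用户拥有所有权限" as body text; collapse them into one "=== ... ===" line. "本章介绍关于怎样用sudo作用来做" and "一些经常需要的的工作。" are halves of one sentence separated by blank lines (and "的的" is a doubled character). "= '''让特定的用户获得特定的文件访问权''' =" uses a level-1 heading for what is a level-3 subsection, "=== Granting Access To Specific Users To Specific Files ===".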
第249行: 第227行:
  
 
Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.
 
Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.
 
下面的输入会让用户peter和所有组的管理员获得所有位于/sbin及/usr/sbin目录下的文件访问权,还有运行位于/usr/local/apps/check.pl的命令,注意“/”在
 
 
指定目录位置时的用法
 
  
 
=== Granting Access to Specific Files as Another User ===
 
=== Granting Access to Specific Files as Another User ===
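Review bot: the translation "所有组的管理员" ("administrators of all groups") does not match "all the members of the group operator" in the English paragraph beside it; it should say the members of the group named operator (组operator的所有成员), since that is what "%operator" in the sudoers entry means. The same sentence is also split into two paragraphs at "注意“/”在 / 指定目录位置时的用法" and ends without punctuation.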
第281行: 第255行:
  
 
  Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
 
  Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
/usr/bin/ksh, /usr/local/bin/tcsh, \
+
  /usr/bin/ksh, /usr/local/bin/tcsh, \
/usr/bin/rsh, /usr/local/bin/zsh
+
  /usr/bin/rsh, /usr/local/bin/zsh
 
+
 
 
+
 
 
+
User_Alias ADMINS = peter, bob, bunny, %operator
User_Alias ADMINS = peter, bob, bunny, %operator ADMINS ALL =&nbsp;!/usr/bin/su,&nbsp;!SHELLS
+
ADMINS ALL =&nbsp;!/usr/bin/su,&nbsp;!SHELLS
  
 
This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
 
This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
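Review bot: splitting "User_Alias ADMINS = peter, bob, bunny, %operator" and "ADMINS ALL = !/usr/bin/su, !SHELLS" onto separate lines is the right correction, since an alias definition and the user specification that uses it are two distinct sudoers entries. The "&nbsp;" entities before each "!" should still be plain spaces, or the two lines placed in a <pre> block like the Cmnd_Alias lines above them, otherwise copy-pasting the rendered text into visudo carries non-breaking-space characters that sudoers does not read as ordinary whitespace.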
第301行: 第275行:
  
 
  [[email protected] tmp]# grep sudo /var/log/messages
 
  [[email protected] tmp]# grep sudo /var/log/messages
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=bob uid=0 euid=0 tty=pts/0 ruser= rhost= user=bob
+
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=bob uid=0 euid=0 tty=pts/0 ruser= rhost= user=bob
Nov 18 22:51:25 bigboy sudo: bob&nbsp;: TTY=pts/0&nbsp;; PWD=/etc&nbsp;; USER=root&nbsp;; COMMAND=/bin/more sudoers
+
Nov 18 22:51:25 bigboy sudo: bob&nbsp;: TTY=pts/0&nbsp;; PWD=/etc&nbsp;; USER=root&nbsp;; COMMAND=/bin/more sudoers
+
 +
 
 +
<br>
 +
 
 +
= Conclusion =
  
= 总结 =
+
It is important to know how to add users, not just so they can log in to our system. Most server based applications usually run via a dedicated unprivileged user account, for example the MySQL database application runs as user mysql and the Apache Web server application runs as user apache. These accounts aren't always created automatically, especially if the software is installed using TAR files.
  
知道怎样添加用户非常重要,不仅仅是他们可以登录我们的系统。大部分基于应用软件的服务器都是通过没有特权的用户帐号运行,例如MySQL数据库以用户mysql的身份运行,服务器应用程序Apache Web以用户apache的身份运行。这些帐号一般不会被自动建立,特别是当然这些软件是通过TAR文件安装的时候。<br>最後,sudo实际上提供了一种分散责任,系统管理多用户化的方法,。你甚至可以根据一些用户在组织中的角色让这些群体的用户的拥有局部的访问特权命令,这使得sudo成为任何公司的服务器管理和安全政策中非常有用的一部分。
+
Finally, the sudo utility provides a means of dispersing the responsibility of systems management to multiple users. You can even give some groups of users only partial access to privileged commands depending on their roles in the organization. This makes sudo a valuable part of any company's server administration and security policy.
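Review bot: in the Chinese conclusion, "大部分基于应用软件的服务器" reverses "Most server based applications" (server-side applications, not servers based on applications), "当然这些软件是通过TAR文件安装的时候" should read "当这些软件是通过TAR文件安装的时候", and "方法,。" has a stray comma. The log lines "Nov 18 22:51:25 bigboy sudo: bob&nbsp;: TTY=pts/0&nbsp;; ..." keep "&nbsp;" entities in both versions; as with the sudoers lines, a <pre> block with plain spaces would preserve the real format of /var/log/messages for readers who grep it.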

Revision as of 15:00, 23 February 2008 (Saturday)


Introduction

Before we proceed, it would be best to cover some basic user administration topics that will be very useful in later chapters.

Adding Users

One of the most important activities in administering a Linux box is the addition of users. Here you'll find some simple examples to provide a foundation for future chapters. It is not intended to be comprehensive, but is a good memory refresher. You can use the command man useradd to get the help pages on adding users with the useradd command or the man usermod to become more familiar with modifying users with the usermod command.


Who Is the Super User?

The super user with unrestricted access to all system resources and files in Linux is the user named root. This user has a user ID, of 0 which is universally identified by Linux applications as belonging to a user with supreme privileges. You will need to log in as user root to add new users to your Linux server.

Debian Note: When installing Ubuntu Linux systems, you are prompted to create a primary user that is not root. A root user is created but no password is set, so you initially cannot log in as this user. The primary user can become the root user using the sudo su - command that will be discussed later.

How To Add Users

Adding users takes some planning; read through these steps below before starting:

1) Arrange your list of users into groups by function. In this example there are three groups "parents", "children" and "soho".

Parents Children Soho
 
Paul Alice Accounts
Jane Derek Sales

2) Add the Linux groups to your server:

[root@bigboy tmp]# groupadd parents
[root@bigboy tmp]# groupadd children
[root@bigboy tmp]# groupadd soho

3) Add the Linux users and assign them to their respective groups

[root@bigboy tmp]# useradd -g parents paul
[root@bigboy tmp]# useradd -g parents jane
[root@bigboy tmp]# useradd -g children derek
[root@bigboy tmp]# useradd -g children alice
[root@bigboy tmp]# useradd -g soho accounts
[root@bigboy tmp]# useradd -g soho sales

If you don't specify the group with the -g, RedHat/Fedora Linux creates a group with the same name as the user you just created; this is also known as the User Private Group Scheme. When each new user first logs in, they are prompted for their new permanent password.

4) Each user's personal directory is placed in the /home directory. The directory name will be the same as their user name.

[root@bigboy tmp]# ll /home
drwxr-xr-x 2 root root 12288 Jul 24 20:04 lost+found
drwx------ 2 accounts soho 1024 Jul 24 20:33 accounts
drwx------ 2 alice children 1024 Jul 24 20:33 alice
drwx------ 2 derek children 1024 Jul 24 20:33 derek
drwx------ 2 jane parents 1024 Jul 24 20:33 jane
drwx------ 2 paul parents 1024 Jul 24 20:33 paul
drwx------ 2 sales soho 1024 Jul 24 20:33 sales
[root@bigboy tmp]#
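An added example, not part of the HOWTO or of the linuxhomenetworking wiki, that serves two points above: the super-user section (privilege follows UID 0, not the name root, and a root account with no password set cannot log in) and steps 1 to 4 of the add-user procedure (each user's GID field should point at the group chosen in step 1). The passwd, shadow and group records below are constructed for this example with arbitrary UIDs and GIDs; the field layout is the standard one for /etc/passwd, /etc/shadow and /etc/group, and on a real host you would feed the files in as root instead.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit passwd/shadow/group-style records.
# All sample data below is constructed; UIDs/GIDs are arbitrary.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
paul:x:500:500::/home/paul:/bin/bash
jane:x:501:500::/home/jane:/bin/bash
derek:x:502:501::/home/derek:/bin/bash
alice:x:503:501::/home/alice:/bin/bash
accounts:x:504:502::/home/accounts:/bin/bash
sales:x:505:502::/home/sales:/bin/bash'

SAMPLE_GROUP='root:x:0:
parents:x:500:
children:x:501:
soho:x:502:'

# Password field: "*" or a leading "!" means no password login is possible,
# an empty field means login with no password at all (constructed hashes).
SAMPLE_SHADOW='root:*:14000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:14000:0:99999:7:::
paul::14000:0:99999:7:::
jane:$6$saltsalt$hashhashhash:14000:0:99999:7:::'

# The plan from step 1, as "user group" lines.
SAMPLE_PLAN='paul parents
jane parents
derek children
alice children
accounts soho
sales soho'

# uid0_accounts PASSWD -> every login name whose UID field (3rd) is 0. It is
# the UID, not the name "root", that applications treat as the super user.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# extra_uid0 PASSWD -> UID-0 accounts other than root; a defender wants none.
extra_uid0() {
    uid0_accounts "$1" | grep -vx root || true
}

# password_state SHADOW NAME -> "empty", "locked" or "set". "locked" is the
# state of root on a fresh Ubuntu install, as the Debian note describes.
password_state() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u {
        if ($2 == "") print "empty"
        else if ($2 == "*" || $2 ~ /^!/) print "locked"
        else print "set"
    }'
}

# primary_group PASSWD GROUP NAME -> group name for NAME's GID field, i.e.
# the group that "useradd -g <group> NAME" recorded.
primary_group() {
    gid=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print $4 }')
    printf '%s\n' "$2" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# verify_plan PASSWD GROUP PLAN -> one line per user whose primary group
# differs from the plan; no output means step 3 produced what step 1 intended.
verify_plan() {
    printf '%s\n' "$3" | while read -r user want; do
        got=$(primary_group "$1" "$2" "$user")
        [ "$got" = "$want" ] || echo "$user: expected $want, got ${got:-none}"
    done
}

echo "UID 0 accounts besides root: $(extra_uid0 "$SAMPLE_PASSWD")"
echo "root password state: $(password_state "$SAMPLE_SHADOW" root)"
echo "paul password state: $(password_state "$SAMPLE_SHADOW" paul)"
echo "plan check (silence is good):"
verify_plan "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_PLAN"
```

In the constructed data the audit flags two things the chapter's text warns about in passing: a second UID-0 account (toor) that is as powerful as root whatever its name, and an account (paul) whose shadow entry is empty because nobody ran passwd for it after useradd.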


How to Change Passwords

You need to create passwords for each account. This is done with the passwd command. You are prompted once for your old password and twice for the new one.

  • User root changing the password for user paul.
[root@bigboy root]# passwd paul
Changing password for user paul.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@bigboy root]#
  • Users might wish to change their passwords at a future date. Here is how unprivileged user paul would change his own password.
[paul@bigboy paul]$ passwd
Changing password for paul
Old password: your current password
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
New password: your new password
Re-enter new password: your new password
Password changed.
[paul@bigboy paul]$


How to Delete Users

The userdel command is used to remove the user's record from the /etc/passwd and /etc/shadow used in the login process. The command has a single argument, the username.

[root@bigboy tmp]# userdel paul

There is also an optional -r switch that additionally removes all the contents of the user's home directory. Use this option with care. The data in a user's directory can often be important even after the person has left your company.

[root@bigboy tmp]# userdel -r paul


How to Tell the Groups to Which a User Belongs

Use the groups command with the username as the argument.

[root@bigboy root]# groups paul
paul : parents
[root@bigboy root]#


How to Change the Ownership of a File

You can change the ownership of a file with the chown command. The first argument is the desired username and group ownership for the file separated by a colon (:) followed by the filename. In the next example we change the ownership of the file named text.txt from being owned by user root and group root to being owned by user testuser in the group users:

[root@bigboy tmp]# ll test.txt
-rw-r--r-- 1 root root 0 Nov 17 22:14 test.txt
[root@bigboy tmp]# chown testuser:users test.txt
[root@bigboy tmp]# ll test.txt
-rw-r--r-- 1 testuser users 0 Nov 17 22:14 test.txt
[root@bigboy tmp]#

You can also use the chown command with the -R switch for it to do recursive searches down into directories to change permissions.


Using sudo

If a server needs to be administered by a number of people it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands they would not normally be able to due to file permission restrictions. The commands can be run as user "root" or as any other user defined in the /etc/sudoers configuration file.

The privileged command you want to run must first begin with the word sudo followed by the command's regular syntax. When running the command with the sudo prefix, you will be prompted for your regular password before it is executed. You may run other privileged commands using sudo within a five-minute period without being re-prompted for a password. All commands run as sudo are logged in the log file /var/log/messages.
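The paragraph above says every sudo command is logged to /var/log/messages. As an added example (not from the HOWTO), the script below pulls those records back out: who ran what as whom, how many password prompts each user failed, and which commands were su or a shell, after which sudo's own logging no longer sees what happens. The log lines are constructed in the two formats the chapter shows, a pam_unix "authentication failure" line and a "sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." line; the host name bigboy and the user names are the chapter's.

```shell
#!/bin/sh
# Added example (not from the HOWTO): extract sudo records from syslog-style
# lines. SAMPLE_LOG is constructed in the format the chapter shows.

SAMPLE_LOG='Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=bob uid=0 euid=0 tty=pts/0 ruser= rhost= user=bob
Nov 18 22:51:25 bigboy sudo: bob : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
Nov 18 22:53:02 bigboy sudo(pam_unix)[26840]: authentication failure; logname=bunny uid=0 euid=0 tty=pts/1 ruser= rhost= user=bunny
Nov 18 22:53:10 bigboy sudo(pam_unix)[26840]: authentication failure; logname=bunny uid=0 euid=0 tty=pts/1 ruser= rhost= user=bunny
Nov 18 22:55:41 bigboy sudo: bunny : TTY=pts/1 ; PWD=/home/bunny ; USER=root ; COMMAND=/bin/su -
Nov 18 23:01:07 bigboy sudo: peter : TTY=pts/2 ; PWD=/home/peter ; USER=accounts ; COMMAND=/usr/bin/pkill monthend'

# sudo_commands LOG -> "invoking_user target_user command" per command run.
sudo_commands() {
    printf '%s\n' "$1" | awk '
        / sudo: / {
            user = $6; target = ""; cmd = ""     # $6 is the word after "sudo:"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^USER=/) target = substr($i, 6)
                if ($i ~ /^COMMAND=/) {          # the command runs to end of line
                    cmd = substr($i, 9)
                    for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                    break
                }
            }
            print user, target, cmd
        }'
}

# sudo_auth_failures LOG -> "user count" of failed password prompts, sorted.
# Several failures in a row for one account is worth a look: either a
# forgotten password or someone guessing it.
sudo_auth_failures() {
    printf '%s\n' "$1" | awk '
        /sudo\(pam_unix\)/ && /authentication failure/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) n[substr($i, 6)]++
        }
        END { for (u in n) print u, n[u] }' | sort
}

# sudo_shell_escapes LOG -> commands that were su or an interactive shell.
# Everything typed inside that session is invisible to sudo logging, which is
# why the chapter later denies su and a SHELLS alias to its ADMINS.
sudo_shell_escapes() {
    sudo_commands "$1" | awk '
        { n = split($3, p, "/"); base = p[n] }
        base == "su" || base ~ /^(sh|bash|csh|ksh|tcsh|zsh|rsh)$/ { print }'
}

echo "commands run through sudo:";   sudo_commands "$SAMPLE_LOG"
echo "failed password prompts:";     sudo_auth_failures "$SAMPLE_LOG"
echo "su / shell escapes:";          sudo_shell_escapes "$SAMPLE_LOG"
```

On a live system the same functions take "$(grep sudo /var/log/messages)" as their argument, the grep the chapter itself shows at the end.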


Simple Sudo Examples

Using sudo is relatively simple as we can see from these examples.

Temporarily Gaining root Privileges

In this example, user bob attempts to view the contents of the /etc/sudoers file, which is an action that normally requires privileged access. Without sudo, the command fails:

[bob@bigboy bob]$ more /etc/sudoers
/etc/sudoers: Permission denied
[bob@bigboy bob]$

Bob tries again using sudo and his regular user password and is successful:

[bob@bigboy bob]$ sudo more /etc/sudoers
Password:
...
...
[bob@bigboy bob]$

The details of configuring and installing sudo are covered in later sections.

Becoming root for a Complete Login Session

The su command allows a regular user to become the system's root user if they know the root password. A user with sudo rights to use the su command can become root, but they only need to know their own password, not that of root as seen here.

[email protected]:~$ sudo su -
Password:
[email protected]:~#

Some systems administrators will use sudo to grant root privileges to their own personal user account without the need to provide a password.

Later sections describe how to disable sudo su ability and also how to use sudo without password prompts.

Downloading and Installing the sudo Package

Fortunately the package is installed by default by RedHat/Fedora which eliminates the need to do anything more in this regard.

The visudo Command

The visudo command is a text editor that mimics the vi editor that is used to edit the /etc/sudoers configuration file. It is not recommended that you use any other editor to modify your sudo parameters because the sudoers file isn't located in the same directory on all versions of Linux. visudo uses the same commands as the vi text editor. The visudo command must run as user root and should have no arguments:

[root@bigboy tmp]# visudo


The /etc/sudoers File

The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work. There are a number of guidelines that need to be followed when editing it with visudo.

General /etc/sudoers Guidelines

The /etc/sudoers file has the general format shown in Table 9-1.


Table 9-1 Format of the /etc/sudoers File

General sudoers File Record Format

usernames/group servername = (usernames command can be run as) command

There are some general guidelines when editing this file:

  • Groups are the same as user groups and are differentiated from regular users by a % at the beginning. The Linux user group "users" would be represented by %users.
  • You can have multiple usernames per line separated by commas.
  • Multiple commands also can be separated by commas. Spaces are considered part of the command.
  • The keyword ALL can mean all usernames, groups, commands and servers.
  • If you run out of space on a line, you can end it with a back slash (\) and continue on the next line.
  • sudo assumes that the sudoers file will be used network wide, and therefore offers the option to specify the names of servers which will be using it in the servername position in Table 9-1. In most cases, the file is used by only one server and the keyword ALL suffices for the server name.
  • The NOPASSWD keyword provides access without prompting for your password.


Simple /etc/sudoers Examples

This section presents some simple examples of how to do many commonly required tasks using the sudo utility.

Granting All Access to Specific Users

You can grant users bob and bunny full access to all privileged commands, with this sudoers entry.

bob, bunny ALL=(ALL) ALL

This is generally not a good idea because this allows bob and bunny to use the su command to grant themselves permanent root privileges thereby bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows how to eliminate this prob

Granting Access To Specific Users To Specific Files

This entry allows user peter and all the members of the group operator to gain access to all the program files in the /sbin and /usr/sbin directories, plus the privilege of running the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to specify a directory location:

peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl

Notice also that the lack of any username entries within parentheses () after the = sign prevents the users from running the commands automatically masquerading as another user. This is explained further in the next example.

Granting Access to Specific Files as Another User

The sudo -u option allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.

This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring "peter" to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands but only as user "accounts". The sudoers entry would look like this:

peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill

User peter is allowed to stop the monthend process with this command:

[peter@bigboy peter]$ sudo -u accounts pkill monthend


Granting Access Without Needing Passwords

This example allows all users in the group operator to execute all the commands in the /sbin directory without the need for entering a password. This has the added advantage of being more convenient to the user:

%operator ALL= NOPASSWD: /sbin/

Using Aliases in the sudoers File

Sometimes you'll need to give very similar sets of privileges to loose groupings of users from various departments. The sudoers file lets you group users according to function and assign the grouping a nickname, or alias, which is then used throughout the rest of the file. Groupings of commands can be given aliases too.

In the next example, users peter, bob and bunny and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users ADMINS are then denied the option of running any SHELLS commands and su:

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/bin/ksh, /usr/local/bin/tcsh, \
                    /usr/bin/rsh, /usr/local/bin/zsh

User_Alias ADMINS = peter, bob, bunny, %operator
ADMINS ALL = !/usr/bin/su, !SHELLS

This attempts to ensure that users don't permanently su to become root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the files to other locations to be run. The advantage of this is that it helps to create an audit trail, but the restrictions can be enforced only as part of the company's overall security policy.
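The entry format of Table 9-1, the guidelines, and the examples in this section can be exercised with a small evaluator. The following Python model is an added example, not the chapter's own material and not sudo's parser. The sudoers text it loads is constructed from the chapter's entries (with trailing slashes on both directories and a comma between the kill commands), and the host name bigboy is borrowed from the chapter's log output. It implements last-match-wins ordering, ALL, %group, User_Alias and Cmnd_Alias, NOPASSWD:, "!" negation, directory specs ending in "/", the root-only default when an entry has no (runas) list, comments, and backslash line continuation. Host_Alias, Runas_Alias, Defaults, wildcards, command arguments and includes are deliberately out of scope.

```python
"""Toy evaluator for the /etc/sudoers entry forms used in this chapter.

Added teaching model, not sudo's own parser.  Supported: User_Alias,
Cmnd_Alias, %group, ALL, NOPASSWD:, "!" negation, optional (runas) list,
"dir/" specs, "#" comments and backslash continuation.  Not supported:
Host_Alias, Runas_Alias, Defaults, arguments, wildcards, includes.
"""
import re
from posixpath import dirname

# Constructed sudoers text that strings the chapter's examples together.
SAMPLE_SUDOERS = r"""
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \
                    /usr/bin/ksh, /usr/local/bin/tcsh, \
                    /usr/bin/rsh, /usr/local/bin/zsh
User_Alias ADMINS = peter, bob, bunny, %operator

bob, bunny ALL=(ALL) ALL
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
%operator ALL= NOPASSWD: /sbin/
ADMINS ALL = !/usr/bin/su, !SHELLS
"""

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
ENTRY_RE = re.compile(
    r"^(?P<users>.+?)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def _logical_lines(text):
    """Strip comments and blanks; join lines that end in a backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        out.append((pending + line).strip())
        pending = ""
    return out


def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def _path_matches(spec, cmd):
    """ALL matches anything; "dir/" matches files directly in dir, not below it."""
    if spec == "ALL":
        return True
    if spec.endswith("/"):
        return dirname(cmd) + "/" == spec
    return spec == cmd


class Sudoers:
    def __init__(self, text):
        self.user_aliases, self.cmnd_aliases, self.entries = {}, {}, []
        for line in _logical_lines(text):
            m = ALIAS_RE.match(line)
            if m:
                kind, name, members = m.groups()
                table = self.user_aliases if kind == "User_Alias" else self.cmnd_aliases
                table[name] = _csv(members)
                continue
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("unparsable sudoers line: %r" % line)
            cmds = m.group("cmds").strip()
            nopasswd = cmds.startswith("NOPASSWD:")
            if nopasswd:
                cmds = cmds[len("NOPASSWD:"):]
            self.entries.append({
                "users": _csv(m.group("users")),
                "hosts": _csv(m.group("hosts")),
                # No "(...)" after "=" means the commands may only be run as root.
                "runas": _csv(m.group("runas")) if m.group("runas") else ["root"],
                "nopasswd": nopasswd,
                "cmds": _csv(cmds),
            })

    def _user_ok(self, spec, user, groups):
        if spec == "ALL":
            return True
        if spec.startswith("%"):
            return spec[1:] in groups
        if spec in self.user_aliases:
            return any(self._user_ok(s, user, groups) for s in self.user_aliases[spec])
        return spec == user

    def _cmd_verdict(self, spec, cmd):
        """True = permit, False = deny (a "!" match), None = spec does not cover cmd."""
        negate = False
        while spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        members = self.cmnd_aliases.get(spec, [spec])
        hit = any(_path_matches(s, cmd) for s in members)
        return (not negate) if hit else None

    def check(self, user, groups, host, cmd, runas="root"):
        """Return (allowed, password_required); the last matching spec wins, as in sudo."""
        allowed, password = False, True
        for e in self.entries:
            if not any(self._user_ok(s, user, groups) for s in e["users"]):
                continue
            if not any(h in ("ALL", host) for h in e["hosts"]):
                continue
            if not any(r in ("ALL", runas) for r in e["runas"]):
                continue
            for spec in e["cmds"]:
                verdict = self._cmd_verdict(spec, cmd)
                if verdict is not None:
                    allowed, password = verdict, not e["nopasswd"]
        return allowed, password
```

Two results from this model are worth noticing when reviewing a real sudoers file. A shell that the SHELLS alias does not name (here /bin/bash) is still permitted by the earlier (ALL) ALL grant, and because the ADMINS entry has no (runas) list its negations apply only when the target user is root, so the same grant still permits a listed shell under sudo -u for another account. A deny list catches only what it names; the durable control is to grant only the specific commands a role needs, as the "Granting Access To Specific Users To Specific Files" example does.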

Other Examples

You can view a comprehensive list of /etc/sudoers file options by issuing the command man sudoers.

Using syslog To Track All sudo Commands

All sudo commands are logged in the log file /var/log/messages, which can be very helpful in determining how user error may have contributed to a problem. All the sudo log entries have the word sudo in them, so you can easily extract the trail of commands a user ran by filtering the file with the grep command.

Here is sample output from a user bob failing to enter their correct sudo password when issuing a command, immediately followed by the successful execution of the command /bin/more sudoers.

[root@bigboy tmp]# grep sudo /var/log/messages
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=bob uid=0 euid=0 tty=pts/0 ruser= rhost= user=bob
Nov 18 22:51:25 bigboy sudo: bob : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
[root@bigboy tmp]#
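To turn those log entries into something a reviewer can act on, here is an added Python example (not from the chapter) that parses sudo's syslog records into structured fields, counts authentication failures, refusals and successful commands per user, and flags successful sudo invocations of su or a shell, the pattern the alias section tries to prevent. The sample lines are constructed: the first two are the ones shown above, and the rest add a run-as-another-user call, a refused command (sudo's own "command not allowed" wording), a shell started through sudo, and an unrelated sshd line to show non-sudo noise being skipped. The function names parse_sudo_log, summarize and flag_shell_escapes are chosen here.

```python
"""Parse sudo's syslog records and pull out detection-relevant facts.

Added example, not from the chapter.  Sample lines are constructed: the
first two match the chapter's output, the rest were added for coverage.
"""
import re
from collections import Counter, defaultdict
from posixpath import basename

SAMPLE_LOG = """\
Nov 18 22:50:30 bigboy sudo(pam_unix)[26812]: authentication failure; logname=bob uid=0 euid=0 tty=pts/0 ruser= rhost= user=bob
Nov 18 22:51:25 bigboy sudo: bob : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/more sudoers
Nov 18 22:53:02 bigboy sudo: peter : TTY=pts/1 ; PWD=/home/peter ; USER=accounts ; COMMAND=/usr/bin/pkill monthend
Nov 18 22:54:11 bigboy sudo: bunny : command not allowed ; TTY=pts/2 ; PWD=/home/bunny ; USER=root ; COMMAND=/usr/bin/su
Nov 18 22:55:40 bigboy sudo: bunny : TTY=pts/2 ; PWD=/home/bunny ; USER=root ; COMMAND=/bin/bash
Nov 18 22:56:01 bigboy sshd[26900]: Accepted password for bob from 192.168.1.50 port 51122 ssh2
"""

# syslog prefix, then either "sudo(pam_unix)[pid]:" or plain "sudo:"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo(?:\(pam_unix\))?(?:\[\d+\])?: (?P<rest>.*)$")
# PAM failure record; the final user= field is the account that failed
PAM_FAIL_RE = re.compile(r"^authentication failure;.*\buser=(?P<user>\S+)")
# sudo's own accounting record, with an optional refusal reason before TTY=
COMMAND_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# Programs whose successful use through sudo deserves a second look.
SHELL_ESCAPES = {"su", "sh", "bash", "csh", "ksh", "tcsh", "zsh", "rsh"}


def parse_sudo_line(line):
    """Return a record dict for a sudo syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "user": None,
           "runas": None, "cmd": None, "reason": None}
    rest = m.group("rest")
    pm = PAM_FAIL_RE.match(rest)
    if pm:
        rec.update(kind="auth_failure", user=pm.group("user"))
        return rec
    cm = COMMAND_RE.match(rest)
    if cm:
        rec.update(kind="denied" if cm.group("reason") else "command",
                   user=cm.group("user"), runas=cm.group("runas"),
                   cmd=cm.group("cmd"), reason=cm.group("reason"))
        return rec
    rec.update(kind="other", reason=rest)
    return rec


def parse_sudo_log(lines):
    """Parse an iterable of log lines, skipping everything that is not sudo."""
    return [r for r in (parse_sudo_line(l) for l in lines) if r is not None]


def summarize(records):
    """Per-user counts of auth_failure / denied / command / other records."""
    per_user = defaultdict(Counter)
    for r in records:
        per_user[r["user"] or "?"][r["kind"]] += 1
    return dict(per_user)


def flag_shell_escapes(records):
    """(timestamp, user, command) for successful sudo runs of su or a shell."""
    hits = []
    for r in records:
        if r["kind"] != "command":
            continue
        program = basename(r["cmd"].split()[0])
        if program in SHELL_ESCAPES:
            hits.append((r["ts"], r["user"], r["cmd"]))
    return hits
```

Only successful records are flagged, because a refused su (the "command not allowed" line) is already evidence that the sudoers policy worked; the successful /bin/bash line is what ends the audit trail and is the one to review. Distributions differ in which file carries these records, so point the parser at whichever file your syslog configuration sends the sudo facility to.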


Conclusion

It is important to know how to add users, and not just so they can log in to our system. Most server-based applications run via a dedicated unprivileged user account; for example, the MySQL database application runs as user mysql and the Apache Web server application runs as user apache. These accounts aren't always created automatically, especially if the software is installed from tar files.

Finally, the sudo utility provides a means of dispersing the responsibility of systems management to multiple users. You can even give some groups of users only partial access to privileged commands depending on their roles in the organization. This makes sudo a valuable part of any company's server administration and security policy.