Last updated: 2021-08-04
Contents
- su
- sudo
- sudo config
- Alias
- Host & Host_Alias
- Environment
- Running several commands under sudo
- Switching to the apache user
- runuser
- Troubleshoot
su
su Run a command as another user (Defaults to root).
If no command is specified, a new shell is started.
If the initial hyphen is included, then the user's login environment is duplicated.
Version
su --version
su from util-linux 2.23.2
Syntax
su [opts] [-] [user [args...]]
opts
-c command # Pass command to the shell with the -c option
-s shell # Runs the specified shell instead of the default.
# (/bin/sh if a shell could not be found by /etc/passwd)
-, -l, --login # Starts the shell as login shell (similar to a real login)
e.g.
su -c "id" datahunter
uid=1100(datahunter) gid=1100(datahunter) groups=1100(datahunter),1064(sshusers)
sudo
Usage:
sudo [options] command
Opts:
-u user # Run the command as the specified user (rather than root).
-c # pass a single COMMAND to the shell with -c (if that user's shell is /sbin/nologin the command will not run)
-l # List allowed commands for the current user and host
Matching Defaults entries for root on NAS:
    syslog=authpriv

User root may run the following commands on NAS:
    (ALL) ALL
-s SHELL # run SHELL
sudo configuration file:
/etc/sudoers
visudo:
sudo package provides the visudo command for editing and validating the configuration file
Usage example:
sudo -u operator -g operator /bin/ls
opts:
-u
Run the command as a user other than root
-g
primary group set to group instead of the primary group specified by the target user's password database entry.
-l
If no command is specified, list the allowed commands for the invoking user on the current host.
If a command is specified and is permitted by the security policy,
the fully-qualified path to the command is displayed along with any command line arguments.
sudo config
config file:
/etc/sudoers
/etc/sudoers.d/* # Include user-defined sudoers
edit cmd:
visudo
aliases:
- User_Alias
- Runas_Alias
- Host_Alias
- Cmnd_Alias
Format:
#### Alias List ####
# Alias_Type Name = List
User_Alias FULLTIMERS = millert, mikef, dowdy
Host_Alias SPARC = bigtime, eclipse, moet, anchor
Host_Alias SGI = grolsch, dandelion
Cmnd_Alias KILL = /usr/bin/kill
Runas_Alias OP = root, operator

#### Rule ####
# User Host AsUser CMD
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
# user bob has different permissions on different hosts; separate each host with ":"
bob SPARC = (OP) ALL : SGI = (OP) ALL
# use "," to separate the permission for each command
waf-web ALL = (www) ALL, (root) /usr/bin/su www

#### Not ####
jen ALL, !SPARC = ALL

#### Spec Tag ####
# By default, sudo requires that a user authenticate herself
FULLTIMERS ALL = NOPASSWD: ALL
# NOEXEC tag can be used to prevent a dynamically-linked executable
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
Notes:
ALL Reserved keyword that expands to all of the given types
! Logical NOT operator.
":" put several alias definitions of the same type on a single line, joined by a colon (':').
e.g.
Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5
* When multiple entries match for a user => last match is used
Default Setting
Defaults requiretty
Defaults !visiblepw
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
    _XKB_CHARSET XAUTHORITY"
To exempt one particular user from the tty requirement:
error log: sudo: sorry, you must have a tty to run sudo
Defaults:username !requiretty
Alias
Alias_Type NAME = item1, item2, ...
Alias_Type: User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias
NAME: uppercase letters, numbers, and underscore characters (‘_’)
* It is a syntax error to redefine an existing alias. It is possible to use the same name for aliases of different types.
User_Alias
user IDs (prefixed with '#')
system group names (prefixed with '%')
Host & Host_Alias
Host
# User Host AsUser CMD
root ALL = (ALL) ALL
The host specification just tells sudo on which hosts that user is allowed to run those commands.
'which hosts' here is special: it does not mean a remote host, it means the host on which this sudoers file lives.
Host_Alias
A host alias is a list of hostname, ip addresses, networks
e.g.
Host_Alias OfficeServer = 192.168.123.149, 192.168.123.150
Host_Alias HomeNet = 192.168.123.0/255.255.255.0, 192.168.234.0/24
* When no netmask is given, the netmask of the matching NIC is used
* the host name “localhost” will only match if that is the actual hostname
* sudo only inspects actual network interfaces => IP address 127.0.0.1 (localhost) will never match
Runas_Spec
Written in parentheses:
(user[:group])
e.g.
(user)
(:group)
(user:group)
(root,bin:operator,system)
User specification
User_Spec
- User_List Host_List = Cmnd_Spec_List
- User_List Host_List = Cmnd_Spec_List : Host_List = Cmnd_Spec_List ...
Cmnd_Spec_List
- Cmnd_Spec
- Cmnd_Spec_1 , Cmnd_Spec_2
Cmnd_Spec
- Cmnd
- Tag_Spec Cmnd
Tag_Spec
- NOEXEC:
- NOEXEC:NOPASSWD:..
Environment
By default, the env_reset option is enabled: the command runs with a minimal environment (TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and USERNAME, plus any variables listed in env_keep)
-i [command]
-i simulates an initial login; with -i, sudoers will initialize the environment regardless of the value of env_reset
If a command is specified => it is passed to the shell for execution via the shell's "-c" option
Login files such as ".profile" or ".login" will be read by the shell.
(Only these variables are switched to the target user's values: HOME, MAIL, SHELL, USER, and LOGNAME)
-s [command]
runs the shell specified by the SHELL environment variable if it is set or
the shell as specified in the password database.
If a command is specified => execution via the shell's "-c" option
EBNF Definition
The sudoers file grammar will be described below in Extended Backus-Naur Form (EBNF)
* When multiple entries match for a user => last match is used
Format:
symbol ::= definition | alternate1 | alternate2
Supported wildcards and special characters:
* Matches any character or no character.
? Matches only one character.
[range, range...] Matches any character in the specified range.
[!range, !range...] Matches any character not in the specified range.
\ Escape character: Function is the same as in the shell.
"" Null string: Used to prevent a command from accepting flags or arguments.
# Comment: Sudo will ignore all characters on the same line as this character.
% Specifies a Linux group.
+ Specifies a netgroup.
sudo - Allowed CLI Arguments
Scenario:
# allow a user to run
/usr/bin/pacman -S -u
# without allowing him to run
/usr/bin/pacman -S -u some_package
Configuration:
[1] Basic
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
[2] Advanced
myuser ALL=NOPASSWD:/bin/chmod [0-7][0-5][0-5] /var/www/html/*,/bin/chown myuser:mygroup /var/www/html/*
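The matching rules used in this section (an argument list in sudoers must match exactly, wildcards such as [0-7][0-5][0-5] and * apply to the arguments, "!" negates, "" means "no arguments", and the last matching entry wins) can be exercised offline with the model below. It is an added example, not part of the original notes and not sudo's own code: it parses a small subset of the sudoers grammar (Cmnd_Alias definitions plus "user ALL = [TAG:] cmd, cmd" rules; the host list is assumed to be ALL, Runas specs and tag semantics are not modelled) over a constructed fragment built from the two rules above.

```python
import fnmatch
import shlex

# Constructed sudoers fragment (small grammar subset, see lead-in).
SUDOERS = """
# alias from the notes above: exact "-S -u" only, never with a package name
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
alice  ALL = PACMAN
myuser ALL = NOPASSWD: /bin/chmod [0-7][0-5][0-5] /var/www/html/*, /bin/chown myuser:mygroup /var/www/html/*
bob    ALL = /usr/bin/systemctl restart nginx, /usr/bin/journalctl ""
"""


def split_list(text):
    """Split a comma-separated sudoers list (commands here contain no commas)."""
    return [item.strip() for item in text.split(",") if item.strip()]


def strip_tags(item):
    """Drop leading NOPASSWD:/NOEXEC:/SETENV: style tags; their effect is not modelled."""
    head, _, rest = item.partition(" ")
    while head.endswith(":") and head[:-1].isupper():
        item = rest.strip()
        head, _, rest = item.partition(" ")
    return item


def expand(item, aliases):
    """Resolve '!' negation and Cmnd_Alias names into (negated, command) pairs."""
    negated = False
    while item.startswith("!"):
        negated = not negated
        item = item[1:].lstrip()
    if item in aliases:
        return [(negated ^ neg, cmd)
                for sub in aliases[item]
                for neg, cmd in expand(sub, aliases)]
    return [(negated, item)]


def parse_sudoers(text):
    """Return a list of (user, [(negated, command), ...]) in file order."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in this subset
        if not line:
            continue
        lhs, rhs = line.split("=", 1)
        lhs = lhs.split()
        if lhs[0] == "Cmnd_Alias":
            aliases[lhs[1]] = split_list(rhs)
            continue
        specs = []
        for item in split_list(rhs):
            specs.extend(expand(strip_tags(item), aliases))
        rules.append((lhs[0], specs))
    return rules


def cmd_matches(pattern, argv):
    """sudoers-style command matching: the path must match exactly, then the
    arguments are compared as one space-joined string against fnmatch wildcards."""
    if pattern == "ALL":
        return True
    tokens = shlex.split(pattern)
    if tokens[0] != argv[0]:
        return False
    if len(tokens) == 1:           # no arguments listed: any arguments accepted
        return True
    if tokens[1:] == [""]:         # "" listed: only the bare command is accepted
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(tokens[1:]))


def check(rules, user, argv):
    """Return 'allow' or 'deny'; the last matching entry wins and no match denies."""
    verdict = "deny"
    for rule_user, specs in rules:
        if rule_user != user:
            continue
        for negated, cmd in specs:
            if cmd_matches(cmd, argv):
                verdict = "deny" if negated else "allow"
    return verdict


POLICY = parse_sudoers(SUDOERS)

if __name__ == "__main__":
    for user, argv in [("alice", ["/usr/bin/pacman", "-S", "-u"]),
                       ("alice", ["/usr/bin/pacman", "-S", "-u", "some_package"]),
                       ("myuser", ["/bin/chmod", "644", "/var/www/html/index.html"]),
                       ("myuser", ["/bin/chmod", "777", "/var/www/html/index.html"])]:
        print(user, " ".join(argv), "->", check(POLICY, user, argv))
```

Because sudo compares the arguments as a single space-separated string, a wildcard in an argument can span more than one argument; keep patterns in the advanced form as narrow as the chmod mode pattern above and verify the real file with visudo -c.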
sudo in cron
"sudo: sorry, you must have a tty to run sudo"
Option 1:
You have to run your ssh command as follows to avoid this error:
ssh -t hostname sudo command
Option 2:
Comment out the following line in /etc/sudoers:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#Defaults requiretty
sudo - stdout to file
# The problem is that the command gets run under sudo, but the redirection gets run under your user.
Fix: run a new shell
sudo sh -c "ls -hal /root/ > /root/test.out"
SETENV and NOSETENV
These tags override the value of the setenv option on a per-command basis.
SETENV: the user may disable the env_reset option from the command line via the -E option.
Environment variables set on the command line (VAR=value) are not subject to the restrictions imposed by env_check, env_delete, or env_keep.
If the command matched is ALL, the SETENV tag is implied for that command.
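Added example for the Environment section and the SETENV/NOSETENV section above (not from the original notes and not sudo's own code): a simplified Python model of how env_reset, env_keep, -i and SETENV/-E decide which variables reach the command. The caller, target user and environment dicts are constructed; env_check and env_delete are not modelled, and the mail spool path is an assumption.

```python
# Variables that survive env_reset by default, as listed in the notes above.
BASE_KEEP = ("TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME")


def sudo_environment(caller_env, caller, target, *, env_reset=True, env_keep=(),
                     preserve_env=False, setenv_allowed=False, login=False):
    """Simplified model of how sudoers builds the command's environment.

    caller_env     dict: the invoking user's environment
    caller/target  dicts with name, uid, gid, home, shell (constructed below)
    env_reset      the sudoers Defaults env_reset option
    env_keep       extra variables preserved across env_reset
    preserve_env   the -E flag
    setenv_allowed SETENV tag or setenv option for the matched command
    login          the -i flag: the environment is always initialized
    env_check and env_delete are not modelled.
    """
    if preserve_env and not setenv_allowed:
        # sudo refuses -E unless SETENV / setenv permits it
        raise PermissionError("sorry, you are not allowed to preserve the environment")
    reset = login or (env_reset and not preserve_env)
    if reset:
        env = {k: v for k, v in caller_env.items() if k in BASE_KEEP or k in env_keep}
        # HOME, MAIL, SHELL, USER and LOGNAME are switched to the target user
        env.update(HOME=target["home"], SHELL=target["shell"], USER=target["name"],
                   LOGNAME=target["name"],
                   MAIL="/var/mail/" + target["name"])   # spool path is an assumption
    else:
        env = dict(caller_env)
    # SUDO_* variables always describe the invoking user
    env.update(SUDO_USER=caller["name"], SUDO_UID=str(caller["uid"]),
               SUDO_GID=str(caller["gid"]))
    return env


def try_preserve(caller_env, caller, target, setenv_allowed):
    """Environment for 'sudo -E', or None when sudoers refuses to preserve it."""
    try:
        return sudo_environment(caller_env, caller, target,
                                preserve_env=True, setenv_allowed=setenv_allowed)
    except PermissionError:
        return None


# Constructed sample: an ordinary user becoming root
CALLER = {"name": "datahunter", "uid": 1100, "gid": 1100,
          "home": "/home/datahunter", "shell": "/bin/bash"}
ROOT = {"name": "root", "uid": 0, "gid": 0, "home": "/root", "shell": "/bin/bash"}
CALLER_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin", "HOME": "/home/datahunter",
    "USER": "datahunter", "LOGNAME": "datahunter", "SHELL": "/bin/bash",
    "TERM": "xterm-256color", "LANG": "en_US.UTF-8", "EDITOR": "vim",
    "http_proxy": "http://proxy.example:3128",
}

if __name__ == "__main__":
    print("default env_reset:", sorted(sudo_environment(CALLER_ENV, CALLER, ROOT)))
    print("with env_keep LANG:", sorted(sudo_environment(CALLER_ENV, CALLER, ROOT,
                                                          env_keep=("LANG",))))
    print("-E without SETENV:", try_preserve(CALLER_ENV, CALLER, ROOT, False))
```

The model shows the two effects seen in practice: with the default env_reset, variables such as http_proxy or EDITOR silently disappear unless listed in env_keep, and -E only brings them back when the matched rule carries SETENV (or the setenv option is on); -i initializes the environment and switches HOME and friends to the target user in every case.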
Running several commands under sudo
sudo -s <<EOF
whoami
hostname
EOF
Switching to the apache user
su apache
This account is currently not available.
su apache /bin/bash
This account is currently not available.
su -s /bin/bash apache
Remark
sudo -u apache -s /bin/bash
runuser
- -, -l, --login make the shell a login shell
- -u, --user <user>
- -c, --command <command> pass a single command to the shell with -c
- -P, --pty create a new pseudo-terminal
- -s, --shell <shell> run <shell> if /etc/shells allows it
Troubleshoot
Problem 1:
sudo: sorry, you must have a tty to run sudo
edit /etc/sudoers to comment out the "requiretty" stuff
Otherwise just use “ssh -t”, which allocates a sudo tty on the remote machine.