su and sudo

Last updated: 2016-10-06


su


su: run a command as another user (defaults to root).

If no command is specified, a new shell is started.

If the initial hyphen is included ("su -"), the target user's login environment is duplicated.

-l

 make it run your shell as a login shell

su into a nologin account

use the -s option with the shell of your choice as its argument (su falls back to /bin/sh if no shell could be found in /etc/passwd)



sudo


usage:

sudo [options] command

su [-] [-u user] [-c "command"]

options:

-u user            # Run the command as the specified user (rather than root).

-c                    # pass a single COMMAND to the shell with -c (if that user's shell is /sbin/nologin, the command will not run)

-l                     # List allowed commands for the current user and host

Matching Defaults entries for root on NAS:
    syslog=authpriv

User root may run the following commands on NAS:
    (ALL) ALL

-s SHELL          # run SHELL

Configuration file:

/etc/sudoers

Package:

The sudo package provides the visudo command for editing and validating the configuration file.



sudo and tty


config file:

/etc/sudoers

edit cmd:

visudo

aliases:

  • User_Alias
  • Runas_Alias
  • Host_Alias
  • Cmnd_Alias

format:

#### Alias List
# Type Name = List

User_Alias   FULLTIMERS = millert, mikef, dowdy
Host_Alias        SPARC = bigtime, eclipse, moet, anchor
Host_Alias          SGI = grolsch, dandelion
Cmnd_Alias         KILL = /usr/bin/kill
Runas_Alias          OP = root, operator


#### Rule
# <user list> <host list> = <operator list> <tag list> <command list>

#    User      Host  AsUser   CMD
root           ALL = (ALL)    ALL
%wheel         ALL = (ALL)    ALL

####             Permission_1 : Permission_2
bob          SPARC = (OP) ALL : SGI = (OP) ALL

WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

#### not
jen    ALL, !SPARC = ALL


#### Spec Tag
# By default, sudo requires that a user authenticate herself; NOPASSWD turns that off for the entry
# The NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself
FULLTIMERS     ALL = NOPASSWD: ALL

Notes:

ALL     Reserved keyword that expands to all of the given types

!          Logical NOT operator.

":"      put several alias definitions of the same type on a single line, joined by a colon (':').

e.g.

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

Usage:

sudo -u operator -g operator /bin/ls

opts:

-l

Matching Defaults entries for ansible on this host:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ansible may run the following commands on this host:
    (root) /sbin/iptables

-u

run as a user other than root

Default settings

Defaults    requiretty
Defaults   !visiblepw

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

To let one particular user run sudo without a tty:

log: sudo: sorry, you must have a tty to run sudo

Defaults:username !requiretty



hosts


The host field specifies the host names this line is valid for.

sudo doesn't do any network authentication: the host list is there so that you can deploy a single sudoers file on multiple machines and give users different permissions on different machines.



Environment


By default, the env_reset option is enabled: the command runs in a minimal environment containing TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and USERNAME.

# sudoers will initialize the environment regardless of the value of env_reset

-i [command]

The -i option simulates an initial login.

If a command is specified, it is passed to the shell for execution via the shell's -c option.

The shell's login files (.profile or .login) will be read by the shell.

(only these variables change: HOME, MAIL, SHELL, USER, and LOGNAME)

-s [command]

runs the shell specified by the SHELL environment variable if it is set, or else the shell specified in the password database.

If a command is specified, it is passed to the shell for execution via the shell's -c option.



EBNF definition:


Format:

symbol ::= definition | alternate1 | alternate2

Supported wildcards and special characters:

*     Matches any character or no character.
?     Matches only one character.
[range, range...]     Matches any character in the specified range.
[!range, !range...]     Matches any character not in the specified range.
\     Escape character: Function is the same as in the shell.
""     Null string: Used to prevent a command from accepting flags or arguments.
#     Comment: Sudo will ignore all characters on the same line as this character.
%     Specifies a Linux group.
+     Specifies a netgroup.



Allowed command-line arguments

Scenario

# allow a user to run

/usr/bin/pacman -S -u

# without allowing him to run

/usr/bin/pacman -S -u some_package

Configuration

<1> Basic

Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package

<2> Advanced

myuser  ALL=NOPASSWD:/bin/chmod [0-7][0-5][0-5] /var/www/html/*,/bin/chown myuser:mygroup /var/www/html/*
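To see how sudo evaluates such argument patterns, here is an added example (not from the original page or the sudo project): a POSIX sh emulation of sudoers command matching, checked against the two rules above. It assumes the simplified matching rules described in its comments; real sudoers(5) matching also covers digests, wildcards in the path and more, so treat it as a study aid.

```shell
#!/bin/sh
# Added example, not from the original page or the sudo project: an
# emulation of how sudoers decides whether a requested command line
# matches a Cmnd list such as
#   /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
# sudo joins the requested arguments into one string and glob-matches
# it against the rule's argument string (* ? [..] [!..] wildcards).
# No arguments in a rule allows any, "" allows none, and when several
# entries match the last one decides (a "!" entry denies). This is an
# approximation for study; real sudoers(5) matching is richer.

# rule_matches 'RULE' 'REQUEST' -> 0 if REQUEST matches the single RULE
rule_matches() {
    rule=$1 req=$2
    [ "${rule%% *}" = "${req%% *}" ] || return 1   # binary path must be identical
    case $rule in
        *' '*) rule_args=${rule#* } ;;              # rule carries an argument pattern
        *)     return 0 ;;                          # no pattern: any arguments allowed
    esac
    case $req in *' '*) req_args=${req#* } ;; *) req_args= ;; esac
    if [ "$rule_args" = '""' ]; then                # "" means: no arguments at all
        [ -z "$req_args" ] && return 0
        return 1
    fi
    # Unquoted $rule_args keeps wildcards active with no word splitting,
    # so spaces in the pattern stay literal (as sudo does).
    case $req_args in
        $rule_args) return 0 ;;
    esac
    return 1
}

# cmnd_list_allows 'SPEC, !SPEC, ...' 'REQUEST' -> 0 if the list allows it
cmnd_list_allows() {
    list=$1 req=$2 verdict=1
    set -f                                          # keep * in specs from globbing files
    old_ifs=$IFS; IFS=,
    for spec in $list; do
        IFS=$old_ifs
        set -- $spec; spec=$*                       # trim and squeeze blanks to single spaces
        case $spec in
            '!'*) neg=1; spec=${spec#!}; spec=${spec# } ;;   # "! cmd" or "!cmd"
            *)    neg=0 ;;
        esac
        rule_matches "$spec" "$req" && verdict=$neg # last matching entry wins
    done
    IFS=$old_ifs; set +f
    return $verdict
}
```

Note that the chmod pattern above also accepts a request whose last argument contains a space, because sudo matches wildcards across word boundaries as sudoers(5) warns; visudo -c checks only syntax, so argument patterns deserve a manual review.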



IP addresses in Host_Alias

# Although sshgw and 127.0.0.1 resolve to the same host

ping sshgw

PING sshgw (127.0.0.1)

# The following line does NOT work !!

Host_Alias      OFFICE = 127.0.0.1

# Use this instead

Host_Alias      OFFICE = sshgw



use sudo in cron

"sudo: sorry, you must have a tty to run sudo"

Option 1:

You have to run your ssh command as follows to avoid this error:

ssh -t hostname sudo command

Option 2:

Comment out the following line in /etc/sudoers

#Defaults requiretty



sudo stdout to file

# The problem is that the command gets run under sudo, but the redirection gets run under your user.

Solution: run a new shell under sudo, so the redirection is performed by that shell

sudo sh -c "ls -hal /root/ > /root/test.out"



Troubleshoot

Problem 1:

sudo: sorry, you must have a tty to run sudo

edit /etc/sudoers to comment out the "requiretty" stuff.

Otherwise just use "ssh -t", which allocates a tty on the remote machine so that sudo can run.