Last updated: 2016-10-06
Contents
su
su: run a command as another user (defaults to root).
If no command is specified, a new shell is started.
If the initial hyphen is included, then the user's login environment is duplicated.
-l
make it run your shell as a login shell
su to a nologin account
use the -s parameter with the shell of your choice as its argument (/bin/sh if a shell could not be found in /etc/passwd)
sudo
Usage:
sudo [options] command
su [-] [-u user] [-c "command"]
Opts:
-u user # Run the command as the specified user (rather than root).
-c # pass a single COMMAND to the shell with -c (if that user's shell is /sbin/nologin, the command cannot be run)
-l # List allowed commands for the current user and host
Matching Defaults entries for root on NAS:
    syslog=authpriv
User root may run the following commands on NAS:
    (ALL) ALL
-s SHELL # run SHELL
sudo configuration file:
/etc/sudoers
visudo:
sudo package provides the visudo command for editing and validating the configuration file
sudo config
config file:
/etc/sudoers
/etc/sudoers.d/* # Include user-defined sudoers
edit cmd:
visudo
aliases:
- User_Alias
- Runas_Alias
- Host_Alias
- Cmnd_Alias
format:
#### Alias List ####
# Type        Name = List
User_Alias    FULLTIMERS = millert, mikef, dowdy
Host_Alias    SPARC = bigtime, eclipse, moet, anchor
Host_Alias    SGI = grolsch, dandelion
Cmnd_Alias    KILL = /usr/bin/kill
Runas_Alias   OP = root, operator
#### Rule ####
# User       Host = (AsUser) CMD
root         ALL = (ALL) ALL
%wheel       ALL = (ALL) ALL
#### Separate permissions with ":" and "," - Permission 1 : Permission 2
bob          SPARC = (OP) ALL : SGI = (OP) ALL
WEBMASTERS   www = (www) ALL, (root) /usr/bin/su www
#### Not ####
jen          ALL, !SPARC = ALL
#### Spec Tag ####
# By default, sudo requires that a user authenticate herself
FULLTIMERS   ALL = NOPASSWD: ALL
# NOEXEC tag can be used to prevent a dynamically-linked executable
aaron        shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
Notes:
ALL Reserved keyword that expands to all of the given types
! Logical NOT operator.
":" put several alias definitions of the same type on a single line, joined by a colon (':').
e.g.
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
* When multiple entries match for a user => last match is used
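As an added example that is not part of the original notes, here is the workflow a practitioner would follow to add a rule file under /etc/sudoers.d in the alias/rule format above: stage the file outside /etc, check it with visudo -c -f, and install it with the mode sudo expects. The alias, user and host names (WEBADMINS, WEBSERVERS, alice, bob, web1, web2) and the systemctl commands are constructed for illustration; the name check reflects sudo's rule that files in sudoers.d whose names contain a '.' or end in '~' are skipped.

```shell
#!/bin/sh
# Added example, not from the original page: stage, validate and install a
# sudoers.d fragment. Names and commands below are constructed.

# sudoersd_name_ok NAME: 0 if sudo would read a file of this name from
# /etc/sudoers.d (names containing '.' or ending in '~' are silently skipped,
# which is a common reason a "working" rule file has no effect)
sudoersd_name_ok() {
    case $1 in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# write_fragment OUTFILE: write the staged rule file with mode 0440
write_fragment() {
    cat > "$1" <<'EOF'
#### Alias List ####
# Type        Name       = List
User_Alias    WEBADMINS  = alice, bob
Host_Alias    WEBSERVERS = web1, web2
Cmnd_Alias    WEBCTL     = /bin/systemctl restart nginx, /bin/systemctl reload nginx
#### Rules ####
# User        Host       = (AsUser) Tag: CMD
WEBADMINS     WEBSERVERS = (root) NOPASSWD: WEBCTL
EOF
    chmod 0440 "$1"
}

# check_fragment FILE: 0 if the mode is 0440 and, when visudo is installed,
# "visudo -c -f FILE" (check only, alternate file) accepts the syntax
check_fragment() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "440" ] || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null || return 1
    fi
    return 0
}

# install_fragment FILE NAME: copy the checked file into /etc/sudoers.d.
# Needs root; shown here, not run in the demo below.
install_fragment() {
    sudoersd_name_ok "$2" || { echo "bad name: $2 (would be ignored by sudo)" >&2; return 1; }
    check_fragment "$1" || { echo "fragment rejected: $1" >&2; return 1; }
    install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

tmp=$(mktemp)
write_fragment "$tmp"
check_fragment "$tmp" && echo "staged fragment OK: $tmp"
sudoersd_name_ok 10-webadmins && echo "name 10-webadmins OK"
sudoersd_name_ok webadmins.conf || echo "name webadmins.conf rejected: sudo skips names with '.'"
```

The staged file is deliberately written with mode 0440 before validation, because sudo refuses or ignores sudoers.d files with looser permissions, and the install step copies rather than moves so the staging copy can be kept for review.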
Usage
sudo -u operator -g operator /bin/ls
opts:
-u
run as a user other than root
-g
set the primary group to group instead of the primary group specified by the target user's password database entry.
-l
If no command is specified, list the allowed commands for the invoking user on the current host.
If a command is specified and is permitted by the security policy,
the fully-qualified path to the command is displayed along with any command line arguments.
Default Setting
Defaults    requiretty
Defaults    !visiblepw
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"
e.g. to allow one particular user to run sudo without a tty
(fixes the error "sudo: sorry, you must have a tty to run sudo"):
Defaults:username !requiretty
Alias
Alias_Type NAME = item1, item2, ...
Alias_Type: User_Alias, Runas_Alias, Host_Alias, or Cmnd_Alias
NAME: uppercase letters, numbers, and underscore characters (‘_’)
* It is a syntax error to redefine an existing alias. It is possible to use the same name for aliases of different types.
Runas_Spec
Defined in parentheses (the group part is optional):
(user[:group])
e.g.
(user)
(:group)
(user:group)
(root,bin:operator,system)
User specification
User_Spec ::= User_List Host_List = Cmnd_Spec_List |
              User_List Host_List = Cmnd_Spec_List : Host_List = Cmnd_Spec_List ...
Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec , Cmnd_Spec_List
Cmnd_Spec ::= Cmnd | Tag_Spec Cmnd
Tag_Spec ::= NOEXEC: | NOEXEC:NOPASSWD: | ...
User_Alias
user IDs (prefixed with '#')
system group names (prefixed with '%')
Host & Host_Alias
Host
The host specification just tells sudo on which hosts that user is allowed to run those commands.
The 'which hosts' here is special: it does not mean a remote host, but the host on which the sudoers file lives.
Host_Alias
A host alias is a list of hostnames, IP addresses or networks
e.g.
Host_Alias OfficeServer = 192.168.123.149, 192.168.123.150
# IP address notation / CIDR
Host_Alias HomeNet = 192.168.123.0/255.255.255.0, 192.168.234.0/24
* When no netmask is given, the netmask of the corresponding NIC is used
* the host name “localhost” will only match if that is the actual hostname
* sudo only inspects actual network interfaces => IP address 127.0.0.1 (localhost) will never match
Environment
By default, the env_reset option is enabled (the environment is reset to a minimal set: TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and USERNAME)
=> with -i (below), sudoers will initialize the environment regardless of the value of env_reset
-i [command]
-i simulates an initial login
If a command is specified => it is passed to the shell for execution via the shell's "-c" option
".profile" or ".login" will be read by the shell.
(Only these variables are changed: HOME, MAIL, SHELL, USER, and LOGNAME)
-s [command]
runs the shell specified by the SHELL environment variable if it is set or
the shell as specified in the password database.
If a command is specified => execution via the shell's "-c" option
EBNF Definition
The sudoers file grammar will be described below in Extended Backus-Naur Form (EBNF)
* When multiple entries match for a user => last match is used
Format:
symbol ::= definition | alternate1 | alternate2
Supported special characters:
* Matches any character or no character.
? Matches only one character.
[range, range...] Matches any character in the specified range.
[!range, !range...] Matches any character not in the specified range.
\ Escape character: Function is the same as in the shell.
"" Null string: Used to prevent a command from accepting flags or arguments.
# Comment: Sudo will ignore all characters on the same line as this character.
% Specifies a Linux group.
+ Specifies a netgroup.
sudo - Allowed CLI Arguments
Scenario
# allow a user to run
/usr/bin/pacman -S -u
# without allowing him to run
/usr/bin/pacman -S -u some_package
Configuration
<1> Basic
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
<2> Advanced
myuser ALL=NOPASSWD:/bin/chmod [0-7][0-5][0-5] /var/www/html/*,/bin/chown myuser:mygroup /var/www/html/*
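The following is an added example (not from the original page and not sudo's own code) that emulates how sudoers matches command-line arguments against a rule, covering the pacman and chmod rules above and the "" null-string entry from the special-characters list: sudoers joins the requested arguments into one space-separated string and compares it with the rule's argument text using shell-style wildcards, which a POSIX case pattern reproduces. The last call shows the caveat from the sudoers manual that a wildcard also spans spaces, so a rule like the chmod one accepts extra paths beyond the intended directory; a wrapper script that takes no free arguments is the usual way to tighten such a rule.

```shell
#!/bin/sh
# Added example (not sudo's own code): emulate how sudoers compares the
# arguments of a requested command with the argument pattern in a rule.
# sudoers joins all arguments into ONE space-separated string and matches it
# with shell-style wildcards; a POSIX `case` pattern reproduces that.

# sudoers_args_match PATTERN [ARG...]
#   PATTERN is the text that follows the command path in the rule:
#     ''    rule names the bare command  -> any arguments are accepted
#     '""'  rule ends with ""            -> no arguments are accepted
#     else  the joined arguments must match PATTERN as a glob
#   Returns 0 when the arguments would be accepted, 1 when denied.
sudoers_args_match() {
    pattern=$1
    shift
    args=$*
    case "$pattern" in
        '')   return 0 ;;
        '""') [ -z "$args" ] ;;
        *)    case "$args" in
                  $pattern) return 0 ;;   # unquoted so wildcards stay active
                  *)        return 1 ;;
              esac ;;
    esac
}

# show PATTERN [ARG...]: print the decision for one request; always exits 0
show() {
    p=$1
    shift
    if sudoers_args_match "$p" "$@"; then r=accepted; else r=denied; fi
    printf 'rule args: %-34s request args: %-44s %s\n' "$p" "$*" "$r"
}

# Rule "/usr/bin/pacman -S -u" matches that exact argument string only
show '-S -u' -S -u
show '-S -u' -S -u some_package
# Rule '/usr/bin/pacman ""' accepts no arguments at all
show '""'
show '""' -S -u
# Wildcard rule from the chmod example above
rule='[0-7][0-5][0-5] /var/www/html/*'
show "$rule" 755 /var/www/html/index.html
show "$rule" 777 /var/www/html/index.html
# Caveat: '*' also spans spaces, so a second path outside /var/www/html
# still matches; /some/unrelated/file is a constructed placeholder
show "$rule" 755 /var/www/html/index.html /some/unrelated/file
```

Because a rule without wildcards is a literal comparison of the whole argument string, the pacman rule in <1> already excludes "-S -u some_package" on its own; the negated entry only restates that. When auditing a sudoers file, any argument pattern containing * or ? deserves the extra-path check shown in the last call.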
sudo in cron
"sudo: sorry, you must have a tty to run sudo"
Solution 1:
You have to run your ssh command as follows to avoid this error:
ssh -t hostname sudo command
Solution 2:
Comment out the following line in /etc/sudoers:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#Defaults requiretty
sudo - stdout to file
# The problem is that the command gets run under sudo, but the redirection gets run under your user.
Solution: run a new shell
sudo sh -c "ls -hal /root/ > /root/test.out"
Tag_Spec
SETENV and NOSETENV
These tags override the value of the setenv option on a per-command basis.
SETENV: the user may disable the env_reset option from the command line via the -E option
Environment variables set on the command line are then not subject to the restrictions imposed by env_check, env_delete, or env_keep
If the command matched is ALL, the SETENV tag is implied for that command
Example
Troubleshoot
Problem 1:
sudo: sorry, you must have a tty to run sudo
edit /etc/sudoers to comment out the "requiretty" stuff
Otherwise just use "ssh -t", which allocates a tty on the remote machine so that sudo is satisfied.