What sudo permission means: the root user grants an ordinary user the right to run commands that otherwise only the superuser may execute. What sudo operates on is system commands.
Since sudo is root granting an ordinary user permission to run system commands, where exactly does root grant that sudo permission?
Switch to the root user, then type the following command:
root@ubuntu:# visudo # note that visudo is written as one word: there is no space between vi and sudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:$
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Note that what visudo actually edits is /etc/sudoers (its header comment recommends placing local additions in /etc/sudoers.d/ instead of modifying the file directly); the key part of it is
root ALL=(ALL) ALL
An example:
test ALL=(ALL) ALL
1. test: the user to whom sudo permission is being granted;
2. first ALL: the hosts on which this rule applies; in this example that is just this machine;
3. second ALL: the identities test may assume when running a command through sudo; ALL means test may run as any user (including root);
4. third ALL: the commands test may run through sudo.
Ordinary users cannot run the shutdown command, so we grant the test user sudo permission to reboot the system:
1. Switch to the root user:
test@ubuntu:~$ sudo su
[sudo] password for test:
root@ubuntu:/home/test#
2. Run visudo to open /etc/sudoers:
root@ubuntu:/home/test# visudo
GNU nano 2.4.2 File: /etc/sudoers.tmp
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:$
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
3. Add the following rule at the end of /etc/sudoers:
test ALL=(ALL) /sbin/shutdown -r now
This grants the test user sudo permission: on ALL hosts (this machine), test may switch to ALL (any) user to run the command /sbin/shutdown -r now.
Leave root and return to the test user:
root@ubuntu:/home/test# exit
exit
Check test's sudo permissions:
test@ubuntu:~$ sudo -l
Matching Defaults entries for test on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User test may run the following commands on ubuntu:
(ALL : ALL) ALL
(ALL) /sbin/shutdown -r now
The line (ALL) /sbin/shutdown -r now is the sudo rule we just added.
Now we can reboot the machine as the test user:
test@ubuntu:~$ sudo /sbin/shutdown -r now
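As an added worked example (my own code, not from the article or from the sudo project), the following Python parses the four-field rules explained above (user, host list, runas spec, command list) and works out which rules apply to a given user, directly or through a %group it belongs to, which is roughly the list that the `sudo -l` step prints. The sudoers content is constructed inline from the rules shown in the article; aliases, tags such as NOPASSWD: and @include/#includedir directives are assumed to be out of scope. Run over that sample, the audit also explains why `sudo -l` for test lists `(ALL : ALL) ALL` next to the shutdown rule: that entry matches the %sudo rule, so test is a member of the sudo group and the narrower rule grants nothing that test did not already have.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sudoers content for this example (not the article's real file):
# the root and %sudo rules shown in the article plus the rule added for test.
SAMPLE_SUDOERS = """\
Defaults env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
test    ALL=(ALL) /sbin/shutdown -r now
"""

# user_or_%group  host_list = (runas_user[:runas_group])  command_list
# Aliases, tags such as NOPASSWD:, and @include/#includedir directives are
# outside the scope of this example.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+"               # user name, or %group
    r"(?P<hosts>[^=\s]+)\s*=\s*"      # host list (the first ALL in the article)
    r"(?:\((?P<runas>[^)]*)\))?\s*"   # optional runas spec (the second ALL)
    r"(?P<cmds>.+)$"                  # comma-separated commands (the third ALL)
)


@dataclass
class SudoRule:
    who: str
    hosts: str
    runas_user: str
    runas_group: Optional[str]
    commands: List[str]

    @property
    def is_group(self) -> bool:
        return self.who.startswith("%")

    @property
    def grants_any_command(self) -> bool:
        return "ALL" in self.commands

    def __str__(self) -> str:
        runas = self.runas_user + (f":{self.runas_group}" if self.runas_group else "")
        return f"{self.who} {self.hosts}=({runas}) {', '.join(self.commands)}"


def parse_rule(line: str) -> Optional[SudoRule]:
    """Parse one sudoers line; returns None for blank, comment and Defaults lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sudoers rule: {line!r}")
    runas = m.group("runas")
    if runas is None:
        # sudoers(5): with no runas spec the command may only be run as root
        runas_user, runas_group = "root", None
    elif ":" in runas:
        runas_user, runas_group = (p.strip() for p in runas.split(":", 1))
    else:
        runas_user, runas_group = runas.strip(), None
    commands = [c.strip() for c in m.group("cmds").split(",")]
    return SudoRule(m.group("who"), m.group("hosts"), runas_user, runas_group, commands)


def parse_sudoers(text: str) -> List[SudoRule]:
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r is not None]


def effective_rules(rules: List[SudoRule], user: str, groups: Set[str]) -> List[SudoRule]:
    """Rules that apply to `user` directly or through a %group it belongs to,
    which is roughly the list that `sudo -l` prints for that user."""
    return [r for r in rules if r.who == user or (r.is_group and r.who[1:] in groups)]


def audit(rules: List[SudoRule], user: str, groups: Set[str]) -> List[SudoRule]:
    """Rules that give `user` unrestricted (ALL) command access; any narrower
    rule for the same user is redundant while one of these is in effect."""
    return [r for r in effective_rules(rules, user, groups) if r.grants_any_command]


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for r in effective_rules(rules, "test", {"sudo"}):
        print("applies to test:", r)
    for r in audit(rules, "test", {"sudo"}):
        print("WARNING: unrestricted access via rule:", r)
```

The group set is passed in explicitly so the check can be run offline against a copied sudoers file; on the live system it would come from the `groups` command or `os.getgrouplist`.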