![sudo su on Linux](https://img-blog.csdnimg.cn/img_convert/856aab23b196c7c9132b4856ede7701b.png)
sudo su on Linux
![A Linux terminal window on a Ubuntu-style desktop.](https://img-blog.csdnimg.cn/img_convert/4810fce54ed491e93f7f56beff98e9c5.png)
The `sudo` command lets you run commands on Linux as though you were someone else, such as `root`. `sudo` also lets you control who can access `root`’s capabilities, with granularity. Give users full access or let them use a small subset of commands. We show you how.
sudo and Root Permissions
We’ve all heard (the oversimplification) that everything in Linux is a file. In truth, virtually everything in the operating system, from processes, files, directories, sockets, and pipes, talks to the kernel through a file descriptor. So although everything isn’t a file, most operating system objects are handled as though they were. Where possible, the design of Linux and Unix-like operating systems adheres to this principle.

The concept of “everything is a file” is far-reaching in Linux. It’s easy to see, then, how file permissions in Linux became one of the mainstays of user privileges and rights. If you own a file or directory (a special kind of file), you can do what you like with it, including editing, renaming, moving, and deleting it. You can also set the permissions on the file so that other users or groups of users can read, modify, or execute the file. Everyone is governed by these permissions.
Everyone, that is, apart from the superuser, known as `root`. The `root` account is a specially privileged account. It is not bound by the permissions on any of the objects in the operating system. The root user can do anything to anything and, pretty much, at any time.
Of course, anyone with access to `root`’s password can do the same. They could wreak havoc either maliciously or accidentally. In fact, the `root` user can wreak havoc by making a mistake too. No one is infallible. It’s dangerous stuff.
This is why it is now considered best practice not to log in as `root` at all. Log in with a regular user account and use `sudo` to elevate your privileges for the short duration you need them. Often that is just to issue a single command.
The sudoers List
`sudo` was already installed on the Ubuntu 18.04.3, Manjaro 18.1.0, and Fedora 31 computers used to research this article. This is not a surprise. `sudo` has been around since the early 1980s and has become the standard means of superuser operation for almost all distributions.
When you install a modern distro, the user you create during the install is added to a list of users called sudoers. These are the users who can use the `sudo` command. Because you have `sudo` powers, you can use them to add other users to the list of sudoers.
Of course, it is reckless to hand out full superuser status willy-nilly, or to anyone who has only a partial or specific need. The sudoers list allows you to specify which commands the various users are allowed to use `sudo` with. That way, you don’t give them the keys to the kingdom, but they can still accomplish what they need to do.
Running a Command as Another User
Originally, it was called “superuser do”, because you could do things as the superuser. Its scope has been widened now, and you can use `sudo` to execute a command as though you were any user. It has been renamed to reflect that new functionality. It is now called “substitute user do.”
To use `sudo` to run a command as another user, we need to use the `-u` (user) option. Here, we’re going to run the `whoami` command as the user `mary`. If you use the `sudo` command without the `-u` option, you’ll run the command as `root`.
And of course, because you’re using `sudo`, you’ll be prompted for your password.

```
sudo -u mary whoami
```
![sudo -u whoami in a terminal window](https://img-blog.csdnimg.cn/img_convert/6b0ac241f8888caba1936eefbdfe5cdd.png)
The response from `whoami` tells us that the user account running the command is `mary`.
You can use the `sudo` command to log in as another user without knowing their password. You’ll be prompted for your own password. We need to use the `-i` (login) option.

```
sudo -i -u mary
pwd
whoami
ls -hl
exit
```
![sudo -i -u mary in a terminal window](https://img-blog.csdnimg.cn/img_convert/a54a06eb8f9d40727a514a4f80e2df18.png)
You are logged in as `mary`. The “.bashrc”, “.bash_aliases”, and “.profile” files for the `mary` user account are processed exactly as if the owner of the `mary` user account had logged in themselves.

- The command prompt changes to reflect that this is a session for the user account `mary`.
- The `pwd` command reports that you are now in `mary`’s home directory.
- `whoami` tells us you are using the user account `mary`.
- The files in the directory belong to the `mary` user account.
- The `exit` command returns you to your normal user account session.
Editing the sudoers File
To add users to the list of people who can use `sudo`, you need to edit the `sudoers` file. It is vitally important that you only ever do so using the `visudo` command. The `visudo` command prevents multiple people from trying to edit the sudoers file at once. It also performs syntax checking and parsing on the file contents as you save them.
If your edits don’t pass the tests, the file isn’t blindly saved. You get options. You can cancel and abandon the changes, go back and edit the changes again, or force the incorrect edits to be saved. The last option is a seriously bad idea. Don’t be tempted to do that. You can find yourself in a situation where everyone is accidentally locked out of using `sudo`.
Although you start the editing process using the `visudo` command, `visudo` isn’t an editor. It calls one of your existing editors to perform the file edits. On Manjaro and Ubuntu, the `visudo` command launched the simple editor `nano`. On Fedora, `visudo` launched the more capable—but less intuitive—`vim`.
If you’d prefer to use `nano` on Fedora, you can do so easily. First, install `nano`:

```
sudo dnf install nano
```
![sudo dnf install nano in a terminal window](https://img-blog.csdnimg.cn/img_convert/708d8786525f8012d12059d678894510.png)
And then `visudo` had to be invoked with this command:

```
sudo EDITOR=nano visudo
```
![sudo EDITOR=nano visudo in a terminal window](https://img-blog.csdnimg.cn/2022010621331436164.png)
That looks like a good candidate for an alias. The `nano` editor is opened with the sudoers file loaded in it.
![nano editor with sudoers file loaded in it](https://img-blog.csdnimg.cn/img_convert/5bf4d1cdc45607ff5cb63dd291f86bbc.png)
Adding Users to the sudo Group
Use `visudo` to open the sudoers file. Either use this command or the one described above to specify the editor of your choice:

```
sudo visudo
```
![sudo visudo in a terminal window](https://img-blog.csdnimg.cn/img_convert/245217910328f988d4a049bef321494e.png)
Scroll through the sudoers file until you see the definition of the `%sudo` entry.
![The sudoers file with the %sudo line highlighted](https://img-blog.csdnimg.cn/img_convert/5dfc5f15a98b7dee6e3d3631f36c3738.png)
The percentage sign indicates that this is a group definition and not a user definition. On some distributions, the `%sudo` line has a hash `#` at the start of the line. This makes the line a comment. If this is the case, remove the hash and save the file.
The `%sudo` line, `%sudo ALL=(ALL:ALL) ALL`, breaks down like this:

- `%sudo`: The name of the group.
- `ALL=`: This rule applies to all hosts on this network.
- `(ALL:ALL)`: Members of this group can run commands as all users and all groups.
- `ALL`: Members of this group can run all commands.

To reword that slightly, members of this group can run any command, as any user or any group, on this computer or on any other host in this network. So a simple way to give someone root privileges and the ability to use `sudo` is to add them to the `sudo` group.
We’ve got two users, Tom and Mary, with user accounts `tom` and `mary` respectively. We’ll add user account `tom` to the `sudo` group with the `usermod` command. The `-G` (groups) option specifies the group we’re going to add the `tom` account to. The `-a` (append) option adds this group to the list of groups the user account `tom` is already in. Without this option, the user account `tom` would be placed in the new group but removed from any other groups.

```
sudo usermod -a -G sudo tom
```
![sudo usermod -a -G sudo tom in a terminal window](https://img-blog.csdnimg.cn/img_convert/5d38913eba8e9d52ff983e396568a097.png)
Let’s check which groups Mary is in:

```
groups
```
![groups in a terminal window](https://img-blog.csdnimg.cn/img_convert/c3437b9f139646d727adf7b068f2667c.png)
The user account `mary` is only in the `mary` group.
Let’s check with Tom:

```
groups
```
![groups in a terminal window](https://img-blog.csdnimg.cn/img_convert/44af436acbc677e7b216aaaf1055a804.png)
The `tom` user account—and therefore, Tom—is in the groups `tom` and `sudo`.
Let’s try to get Mary to do something that requires `sudo` privileges.

```
sudo less /etc/shadow
```
![sudo less /etc/shadow in a terminal window](https://img-blog.csdnimg.cn/img_convert/8e7938e1703f5b577a613029830e3aa1.png)
Mary cannot look inside the restricted file “/etc/shadow.” She gets a mild telling off for trying to use `sudo` without permission. Let’s see how Tom fares:

```
sudo less /etc/shadow
```
![sudo less /etc/shadow in a terminal window](https://img-blog.csdnimg.cn/img_convert/2045feb56b175aa794dfc34f553fb439.png)
As soon as Tom enters his password, he is shown the /etc/shadow file.
![the /etc/shadow file in less in a terminal window](https://img-blog.csdnimg.cn/img_convert/1ed7c7c5d9577a22806a50d91ade1495.png)
Just by adding him to the `sudo` group, he’s been elevated to the elite ranks of those who can use `sudo`. Completely unrestricted.
Giving Users Restricted sudo Rights
Tom has been given full `sudo` rights. He can do anything that `root`—or anyone else in the `sudo` group—can do. That might grant him more power than you’re happy to hand over. Sometimes there’s a requirement for a user to perform a function that requires `root` privileges, but there isn’t a justifiable case for them to have full `sudo` access. You can achieve that balance by adding them to the sudoers file and listing the commands they can use.
Let’s meet Harry, owner of the user account `harry`. He isn’t in the `sudo` group, and he has no `sudo` privileges.

```
groups
```
![groups in a terminal window](https://img-blog.csdnimg.cn/img_convert/1714331546c655bd2852b510e7bbe0e6.png)
It is useful for Harry to be able to install software, but we don’t want him to have full `sudo` rights. OK, no problem. Let’s fire up `visudo`:

```
sudo visudo
```
![sudo visudo in a terminal window](https://img-blog.csdnimg.cn/img_convert/245217910328f988d4a049bef321494e.png)
Scroll down through the file until you get past the group definitions. We’re going to add a line in for Harry. Because this is a user definition and not a group definition, we don’t need to start the line with a percentage sign.
![sudoer file entry for harry](https://img-blog.csdnimg.cn/img_convert/8f287c1052ba4e83028ed386786a773c.png)
The entry for the user account `harry` is:

```
harry ALL=/usr/bin/apt-get
```

Note that there is a tab between “harry” and the “ALL=.”
This reads as: user account `harry` can use the listed commands on all hosts connected to this network. There is one command listed, which is “/usr/bin/apt-get.” We can grant Harry access to more than one command by adding them to the command list, separated by commas.
Add the line to the sudoers file, and save the file. If you want to double-check that the line is syntactically correct, we can ask `visudo` to scan the file and check the syntax for us, by using the `-c` (check only) option:

```
sudo visudo -c
```
![sudo visudo -c in a terminal window](https://img-blog.csdnimg.cn/img_convert/36d75f871e4ce45b0f370799ef68ecd7.png)
The checks take place and `visudo` reports that all is well. Harry should now be able to use `apt-get` to install software but should be refused if he tries to use any other command requiring `sudo`.

```
sudo apt-get install finger
```
![sudo apt-get install finger in a terminal window](https://img-blog.csdnimg.cn/img_convert/e7287876a3849b66f3097a9336baa3af.png)
The appropriate `sudo` rights have been granted to Harry, and he is able to install the software.
What happens if Harry tries to use a different command that requires `sudo`?

```
sudo shutdown now
```
![sudo shutdown now in a terminal window](https://img-blog.csdnimg.cn/img_convert/4956a4be11dd0ab16f5afea30ce2b013.png)
Harry is prevented from running the command. We have successfully granted him specific, restricted access. He can use the nominated command and nothing else.
Using sudoers User Aliases
If we want to give Mary the same privileges, we could add a line in the sudoers file for the user account `mary` in exactly the same way as we did with Harry. Another, neater, way to achieve the same thing is to use a `User_Alias`.
In the sudoers file, a `User_Alias` contains a list of user account names. The name of the `User_Alias` can then be used in a definition to represent all of those user accounts. If you want to change the privileges for those user accounts, you only have one line to edit.
Let’s create a `User_Alias` and use it in our sudoers file.

```
sudo visudo
```
![sudo visudo in a terminal window](https://img-blog.csdnimg.cn/img_convert/245217910328f988d4a049bef321494e.png)
Scroll down in the file until you come to the `User_Alias` specification line. Add the `User_Alias` by typing:

```
User_Alias INSTALLERS = harry, mary
```
Each element is separated by a space, not a tab. The logic breaks down as:

- `User_Alias`: This tells `visudo` this is going to be a `User_Alias`.
- `INSTALLERS`: This is an arbitrary name for this alias.
- `= harry, mary`: The list of users to include in this alias.
Now we’ll edit the line that we added previously for the user account `harry`:

```
harry ALL=/usr/bin/apt-get
```

Change it so that it reads:

```
INSTALLERS ALL=/usr/bin/apt-get
```
This says that all user accounts contained in the definition of the “INSTALLERS” `User_Alias` can run the `apt-get` command. We can test this with Mary, who should now be able to install software.
```
sudo apt-get install colordiff
```
![sudo apt-get install colordiff in a terminal window](https://img-blog.csdnimg.cn/img_convert/bf60349a5a49cb102419f1af419a4a17.png)
Mary is able to install the software because she is in the “INSTALLERS” `User_Alias`, and that `User_Alias` has been awarded those rights.
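To make the rules in this section concrete, here is an added example (not code from the article) that parses the three kinds of entry discussed above, the `%sudo` group line, Harry’s per-user line and the `INSTALLERS` `User_Alias`, and answers the audit question “can this user run this command as that user?”. The sudoers excerpt and the group membership are constructed; Host_Alias, Cmnd_Alias, wildcards and tags such as NOPASSWD are assumed absent, and the hosts field is treated as ALL.

```python
"""Evaluate sudoers rules of the kinds this article uses (added example):
user and %group entries, User_Alias, an optional (runas) field, command lists.
Assumed absent: Host_Alias, Cmnd_Alias, wildcards, NOPASSWD; hosts = ALL."""
import re

# Constructed sudoers excerpt mirroring the article's entries.
SUDOERS = """
# Allow members of group sudo to execute any command
%sudo\tALL=(ALL:ALL) ALL
User_Alias INSTALLERS = harry, mary
INSTALLERS\tALL=/usr/bin/apt-get
"""

# Constructed group membership; tom was added with `usermod -a -G sudo tom`.
GROUPS = {"tom": {"tom", "sudo"}, "mary": {"mary"}, "harry": {"harry"}}

# <who> <hosts>=[(<runas_user>[:<runas_group>])] <command list>
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Return (user_aliases, rules); comments and blank lines are skipped."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {raw!r}")
        who, hosts, runas, cmds = m.groups()
        # No (runas) field means the commands may only be run as root.
        rules.append({"who": who, "hosts": hosts,
                      "runas": (runas or "root").split(":")[0],
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules


def can_run(aliases, rules, groups, user, command, runas="root"):
    """True if some rule lets `user` run `command` as `runas` through sudo."""
    for r in rules:
        who = r["who"]
        if who.startswith("%"):          # %group: check group membership
            matched = who[1:] in groups.get(user, set())
        elif who in aliases:             # User_Alias name
            matched = user in aliases[who]
        else:                            # plain user name
            matched = who == user
        if (matched and r["runas"] in ("ALL", runas)
                and ("ALL" in r["cmds"] or command in r["cmds"])):
            return True
    return False


if __name__ == "__main__":
    al, ru = parse_sudoers(SUDOERS)
    for u in GROUPS:
        for c in ("/usr/bin/apt-get", "/usr/bin/less", "/sbin/shutdown"):
            print(f"{u:6} {c:18} as root: {can_run(al, ru, GROUPS, u, c)}")
```

Running it prints a small matrix: Tom can run everything, Harry and Mary only `/usr/bin/apt-get`, which is the state the article reaches after the `INSTALLERS` edit.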
Three Quick sudo Tricks
When you forget to add `sudo` to a command, type:

```
sudo !!
```

And the last command will be repeated with `sudo` added to the start of the line.
Once you’ve used `sudo` and authenticated with your password, you won’t have to use your password with further `sudo` commands for 15 minutes. If you want to have your authentication forgotten straight away, use:

```
sudo -k
```
Ever wonder where you can see failed `sudo` command attempts? They go to the “/var/log/auth.log” file. You can view it with:

```
less /var/log/auth.log
```
![The /var/log/auth.log file in a terminal window](https://img-blog.csdnimg.cn/img_convert/9e285807d8e1c62a0f914ba035b12208.png)
We can see the entry for the user account `mary`, who was logged in at TTY pts/1 when she tried to run the `shutdown` command as user “root.”
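Reading that file by eye does not scale, so here is an added example (not from the article) that parses auth.log lines and keeps only the refusals. The sample lines are constructed in sudo’s syslog format and assume the entry shapes sudo writes when it denies a request (“user NOT in sudoers”, “command not allowed”, “N incorrect password attempts”); allowed runs carry no reason field.

```python
"""Pull denied sudo attempts out of auth.log-style lines (added example).
Assumes sudo's syslog line shape: '<user> : [<reason> ; ]TTY=.. ; PWD=.. ;
USER=<runas> ; COMMAND=..'; a reason is present only when sudo refused."""
import re
from collections import Counter

# Constructed sample log: one allowed run (tom), three refusals, one sshd line.
SAMPLE_LOG = """\
Jan  6 21:30:12 ubuntu sudo:     mary : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/sbin/shutdown now
Jan  6 21:31:02 ubuntu sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/less /etc/shadow
Jan  6 21:32:40 ubuntu sudo:    harry : command not allowed ; TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/sbin/shutdown now
Jan  6 21:33:15 ubuntu sudo:    harry : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/usr/bin/apt-get install finger
Jan  6 21:34:00 ubuntu sshd[1234]: Accepted publickey for tom from 10.0.0.5 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"(?:(?P<reason>.+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_auth_log(text):
    """Parse sudo entries; lines from other daemons (sshd, cron) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def failed_attempts(events):
    """Keep refusals only: 'user NOT in sudoers', 'command not allowed',
    'N incorrect password attempts'. Allowed runs carry no reason."""
    return [e for e in events if e["reason"]]


def count_by_user(events):
    """Number of events per invoking user, e.g. for alert thresholds."""
    return dict(Counter(e["user"] for e in events))


if __name__ == "__main__":
    denied = failed_attempts(parse_auth_log(SAMPLE_LOG))
    for e in denied:
        print(f"{e['ts']} {e['user']}@{e['tty']} -> {e['runas']}: "
              f"{e['cmd']} ({e['reason']})")
    print(count_by_user(denied))
```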
With Great Power…
…comes the ability to delegate portions of it to others. Now you know how to empower other users selectively.
Translated from: https://www.howtogeek.com/447906/how-to-control-sudo-access-on-linux/