How to Control sudo Access on Linux


A Linux terminal window on a Ubuntu-style desktop. Fatmawati Achmad Zaenuri/Shutterstock

The sudo command lets you run commands on Linux as though you were someone else, such as root. sudo also lets you control who can access root's capabilities, with granularity. Give users full access or let them use a small subset of commands. We show you how.


sudo and Root Permissions

We’ve all heard (the oversimplification) that everything in Linux is a file. In truth, virtually everything in the operating system, from processes, files, directories, sockets, and pipes, talks to the kernel through a file descriptor. So although everything isn’t a file, most operating system objects are handled as though they were. Where possible, the design of Linux and Unix-like operating systems adheres to this principle.


The concept of “everything is a file” is far-reaching in Linux. It’s easy to see then, how file permissions in Linux became one of the mainstays of user privileges and rights. If you own a file or directory (a special kind of file), you can do what you like with it, including editing, renaming, moving, and deleting it. You can also set the permissions on the file so that other users or groups of users can read, modify, or execute the file. Everyone is governed by these permissions.


Everyone that is, apart from the superuser, known as root. The root account is a specially privileged account. It is not bound by the permissions on any of the objects in the operating system. The root user can do anything to anything and, pretty much, at any time.


Of course, anyone with access to root's password can do the same. They could wreak havoc either maliciously or accidentally. In fact, the root user can wreak havoc by making a mistake too. No one is infallible. It’s dangerous stuff.


This is why it is now considered best practice to not log in as root at all. Log in with a regular user account and use sudo to elevate your privileges for the short duration you need them. Often that is just to issue a single command.


The sudoers List

sudo was already installed on the Ubuntu 18.04.3, Manjaro 18.1.0, and Fedora 31 computers used to research this article. This is not a surprise. sudo has been around since the early 1980s and has become the standard means of superuser operation for almost all distributions.


When you install a modern distro, the user you create during the install is added to a list of users called sudoers. These are the users who can use the sudo command. Because you have sudo powers, you can use them to add other users to the list of sudoers.


Of course, it is reckless to hand out full superuser status willy-nilly, or to anyone who has only a partial or specific need. The sudoers list allows you to specify which commands the various users are allowed to use sudo with. That way, you don’t give them the keys to the kingdom, but they can still accomplish what they need to do.


Running a Command as Another User

Originally, it was called “superuser do”, because you could do things as the superuser. Its scope has been widened now, and you can use sudo to execute a command as though you were any user. It has been renamed to reflect that new functionality. It is now called “substitute user do.”


To use sudo to run a command as another user, we need to use the -u (user) option. Here, we’re going to run the whoami command as the user mary. If you use the sudo command without the -u option, you’ll run the command as root.


And of course, because you’re using sudo you’ll be prompted for your password.


sudo -u mary whoami
sudo -u whoami in a terminal window

The response from whoami tells us that the user account running the command is mary.


You can use the sudo command to log in as another user without knowing their password. You’ll be prompted for your own password. We need to use the -i (login) option.


sudo -i -u mary
pwd
whoami
ls -hl
exit
sudo -i -u mary in a terminal window

You are logged in as mary. The “.bashrc”, “.bash_aliases”, and “.profile” files for the mary user account are processed exactly as if the owner of the mary user account had logged in themselves.


  • The command prompt changes to reflect that this is a session for user account mary.

  • The pwd command reports that you are now in mary's home directory.

  • whoami tells us you are using user account mary.

  • The files in the directory belong to the mary user account.

  • The exit command returns you to your normal user account session.

Editing the sudoers File

To add users to the list of people who can use sudo, you need to edit the sudoers file. It is vitally important that you only ever do so using the visudo command. The visudo command prevents multiple people from trying to edit the sudoers file at once. It also performs syntax checking and parsing on the file contents as you save them.


If your edits don’t pass the tests, the file isn’t blindly saved. You get options. You can cancel and abandon the changes, go back and edit the changes again, or force the incorrect edits to be saved. The last option is a seriously bad idea. Don’t be tempted to do that. You can find yourself in a situation where everyone is accidentally locked out of using sudo.


Although you start the editing process using the visudo command, visudo isn’t an editor. It calls one of your existing editors to perform the file edits. On Manjaro and Ubuntu, the visudo command launched the simple editor nano. On Fedora, visudo launched the more capable, but less intuitive, vim.


If you’d prefer to use nano on Fedora, you can do so easily. First, install nano:


sudo dnf install nano


sudo dnf install nano in a terminal window

Then invoke visudo with this command, so that it uses nano instead of vim:


sudo EDITOR=nano visudo
sudo EDITOR=nano visudo in a terminal window

That looks like a good candidate for an alias. The nano editor is opened with the sudoers file loaded in it.


nano editor with sudoers file loaded in it

Adding Users to the sudo Group

Use visudo to open the sudoers file. Either use this command or the one described above to specify the editor of your choice:


sudo visudo
sudo visudo in a terminal window

Scroll through the sudoers file until you see the definition of the %sudo entry.


The sudoers file with the %sudo line highlighted

The percentage sign indicates that this is a group definition and not a user definition. On some distributions, the %sudo line has a hash # at the start of the line. This makes the line a comment. If this is the case, remove the hash and save the file.


The %sudo line breaks down like this:


  • %sudo: The name of the group.

  • ALL=: This rule applies to all hosts on this network.

  • (ALL:ALL): Members of this group can run commands as all users and all groups.

  • ALL: Members of this group can run all commands.

To reword that slightly, members of this group can run any command, as any user or any group, on this computer or on any other host in this network. So a simple way to give someone root privileges and the ability to use sudo, is to add them to the sudo group.


We’ve got two users, Tom and Mary, with user accounts tom and mary respectively. We’ll add user account tom to the sudo group with the usermod command. The -G (groups) option specifies the group we’re going to add the tom account to. The -a (append) option adds this group to the list of groups the user account tom is already in. Without this option, the user account tom would be placed in the new group but removed from any other groups.


sudo usermod -a -G sudo tom
sudo usermod -a -G sudo tom in a terminal window

Let’s check which groups Mary is in:


groups
groups in a terminal window

The user account mary is only in the mary group.


Let’s check with Tom:


groups
groups in a terminal window

The tom user account—and therefore, Tom—is in the groups tom and sudo.


Let’s try to get Mary to do something that requires sudo privileges.


sudo less /etc/shadow
sudo less /etc/shadow in a terminal window

Mary cannot look inside the restricted file “/etc/shadow.” She gets a mild telling off for trying to use sudo without permission. Let’s see how Tom fares:


sudo less /etc/shadow
sudo less /etc/shadow in a terminal window

As soon as Tom enters his password, he is shown the /etc/shadow file.


The /etc/shadow file in less in a terminal window

Just by adding him to the sudo group, he’s been elevated to the elite ranks of those who can use sudo. Completely unrestricted.


Giving Users Restricted sudo Rights

Tom has been given full sudo rights. He can do anything that root—or anyone else in the sudo group—can do. That might grant him more power than you’re happy to hand over. Sometimes there’s a requirement for a user to perform a function that requires root privileges, but there isn’t a justifiable case for them to have full sudo access. You can achieve that balance by adding them to the sudoers file and listing the commands they can use.


Let’s meet Harry, owner of the user account harry. He isn’t in the sudo group, and he has no sudo privileges.


groups
groups in a terminal window

It is useful for Harry to be able to install software, but we don’t want him to have full sudo rights. OK, no problem. Let’s fire up visudo:


sudo visudo
sudo visudo in a terminal window

Scroll down through the file until you get past the group definitions. We’re going to add a line in for Harry. Because this is a user definition and not a group definition, we don’t need to start the line with a percentage sign.


sudoer file entry for harry

The entry for the user account harry is:


harry    ALL=/usr/bin/apt-get

Note that there is a tab between “harry” and the “ALL=.”


This reads as user account harry can use the listed commands on all hosts connected to this network. There is one command listed, which is “/usr/bin/apt-get.” We can grant Harry access to more than one command by adding them to the command list, separated by commas.


Add the line to the sudoers file, and save the file. If you want to double-check that the line is syntactically correct, you can ask visudo to scan the file and check the syntax by using the -c (check only) option:


sudo visudo -c
sudo visudo -c in a terminal window

The checks take place and visudo reports that all is well. Harry should now be able to use apt-get to install software but should be refused if he tries to use any other command requiring sudo.


sudo apt-get install finger
sudo apt-get install finger in a terminal window

The appropriate sudo rights have been granted to Harry, and he is able to install the software.


What happens if Harry tries to use a different command that requires sudo?


sudo shutdown now
sudo shutdown now in a terminal window

Harry is prevented from running the command. We have successfully granted him specific, restricted access. He can use the nominated command and nothing else.


Using sudoers User Aliases

If we want to give Mary the same privileges, we could add a line in the sudoers file for the user account mary in exactly the same way as we did with Harry. Another, neater, way to achieve the same thing is to use a User_Alias.


In the sudoers file, a User_Alias contains a list of user account names. The name of the User_Alias can then be used in a definition to represent all of those user accounts. If you want to change the privileges for those user accounts, you only have one line to edit.


Let’s create a User_Alias and use it in our sudoers file.


sudo visudo
sudo visudo in a terminal window
Scroll down in the file until you come to the User_Alias specification line.

sudoers file with User_Alias added

Add the User_Alias by typing:


User_Alias INSTALLERS = harry, mary

Each element is separated by a space, not a tab. The logic breaks down as:


  • User_Alias: This tells visudo this is going to be a User_Alias.

  • INSTALLERS: This is an arbitrary name for this alias.

  • = harry, mary: The list of users to include in this alias.

Now we’ll edit the line that we added previously for the user account harry:


harry    ALL=/usr/bin/apt-get

Change it so that it reads:


INSTALLERS    ALL=/usr/bin/apt-get

This says that all user accounts contained in the definition of the “INSTALLERS” User_Alias can run the apt-get command. We can test this with Mary, who should now be able to install software.


sudo apt-get install colordiff
sudo apt-get install colordiff in a terminal window

Mary is able to install the software because she is in the “INSTALLERS” User_Alias, and that User_Alias has been awarded those rights.
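To see how sudo decides between the harry entry, the %sudo group line and the INSTALLERS alias used above, here is an added evaluator for just the subset of sudoers syntax this article uses (User_Alias lines, %group and user specs, comma-separated command lists). It is example code written for this page, not sudo's own parser; the policy text and group memberships below are constructed to mirror the tom, harry and INSTALLERS entries.

```python
import re

# Constructed sudoers fragment mirroring the article's entries (not a system file).
SUDOERS = """
# sample policy (constructed)
User_Alias INSTALLERS = harry, mary
%sudo\tALL=(ALL:ALL) ALL
INSTALLERS\tALL=/usr/bin/apt-get
"""

# Constructed group membership, as the article's `groups` output showed.
GROUPS = {"tom": {"tom", "sudo"}, "mary": {"mary"}, "harry": {"harry"}}

# who  host=(runas) commands   -- the (runas) part is optional
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\(([^)]*)\))?\s*(.+)$")


def parse_sudoers(text):
    """Return (user_aliases, specs) for the subset of syntax this article uses."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        m = SPEC_RE.match(line)
        if m:
            who, host, runas, cmds = m.groups()
            specs.append((who, host, runas or "root",
                          [c.strip() for c in cmds.split(",")]))
    return aliases, specs


def spec_applies_to(who, user, aliases, groups):
    """Does the spec's first field (user, %group, alias or ALL) cover `user`?"""
    if who == "ALL":
        return True
    if who.startswith("%"):                      # group definition, as with %sudo
        return who[1:] in groups.get(user, set())
    if who in aliases:                           # User_Alias such as INSTALLERS
        return user in aliases[who]
    return who == user


def may_run(user, command, text=SUDOERS, groups=GROUPS):
    """True if `user` may run `command` (full path) on this host under the policy."""
    aliases, specs = parse_sudoers(text)
    for who, host, _runas, cmds in specs:
        if host != "ALL":                        # the article only uses ALL for hosts
            continue
        if spec_applies_to(who, user, aliases, groups) and ("ALL" in cmds or command in cmds):
            return True
    return False
```

Note that the real sudo matches by full path, so granting /usr/bin/apt-get says nothing about a differently named copy of the binary; that is why the article's entries spell out absolute paths.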


Three Quick sudo Tricks

When you forget to add sudo to a command, type


sudo !!

And the last command will be repeated with sudo added to the start of the line.


Once you’ve used sudo and authenticated with your password, you won’t have to use your password with further sudo commands for 15 minutes. If you want to have your authentication forgotten straight away, use:


sudo -k

Ever wonder where you can see failed sudo command attempts? They go to the “/var/log/auth.log” file. You can view it with:


less /var/log/auth.log
The /var/log/auth.log file in a terminal window

We can see the entry for user account mary, who was logged in at TTY pts/1, when she tried to run the shutdown command as user “root.”
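Rather than just reading those lines in less, a defender usually wants to pull the refusals out automatically. This added example (not part of the original article) parses auth.log-style text in sudo's own "user : reason ; TTY=... ; COMMAND=..." layout and keeps only the entries logged with a refusal reason; the log lines are constructed, with an invented host name and timestamps.

```python
import re

# Constructed auth.log lines in the layout sudo uses (host name and times invented).
AUTH_LOG = """\
Nov 12 10:14:23 box sudo:     mary : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mary ; USER=root ; COMMAND=/usr/sbin/shutdown now
Nov 12 10:15:01 box sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/less /etc/shadow
Nov 12 10:16:45 box sudo:    harry : command not allowed ; TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/usr/sbin/shutdown now
Nov 12 10:17:02 box sudo:    harry : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/harry ; USER=root ; COMMAND=/usr/bin/apt-get install finger
Nov 12 10:18:30 box sshd[812]: Accepted password for tom from 192.0.2.10 port 51234 ssh2
"""

# A permitted use has no "reason" field between the user name and TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(text):
    """Return one dict per sudo line; `reason` is None for a permitted, successful use."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:                                   # non-sudo lines (sshd etc.) are skipped
            events.append(m.groupdict())
    return events


def failed_attempts(text):
    """Only the entries sudo logged with a refusal reason: not in sudoers,
    command not allowed by the sudoers rule, or a bad password."""
    return [e for e in parse_sudo_events(text) if e["reason"]]


def refusals_by_user(text):
    """Count refusals per user, a simple signal that someone keeps hitting sudo's limits."""
    counts = {}
    for e in failed_attempts(text):
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in failed_attempts(AUTH_LOG):
        print(f'{e["ts"]} {e["user"]} on {e["tty"]}: {e["reason"]} -> {e["cmd"]}')
```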


With Great Power…

…comes the ability to delegate portions of it to others. Now you know how to empower other users selectively.


Translated from: https://www.howtogeek.com/447906/how-to-control-sudo-access-on-linux/
