Preface
- In day-to-day server work, it is often necessary to give an ordinary user root permission, that is, super administrator permission
- Here is a record of how to grant administrator permissions to ordinary users in Linux
PS: There are three methods for granting administrator permissions. Only the two commonly used ones are recorded here
PS2: Both methods basically amount to adding the user's secondary group to the management group. The difference is that in the first, the wheel group exists by default, while in the second the entry has to be added by ourselves. The result is the same whichever is used; the first is more convenient and faster
Method 1
- Create a normal user and set wheel as its secondary group
[[email protected] mysql]# visudo
// If "#" precedes %wheel, delete it, then save and exit
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
[[email protected] mysql]# useradd -G wheel suhai // Add a new user and set its secondary group to the management group wheel
[[email protected] mysql]# passwd suhai
// At this point, the user suhai has administrator privileges and can run commands as sudo <command>
- View the administrators under the group
[[email protected] mysql]# cat /etc/group |grep wheel
wheel:x:10:suhai
- Delete administrator privileges for a user
[[email protected] mysql]# gpasswd -d suhai wheel
Removing user 'suhai' from 'wheel' group
[[email protected] mysql]# cat /etc/group |grep wheel
wheel:x:10:
// After deleting the permission, if you want to add it back, use the command gpasswd -a suhai wheel
Method 2
- Create an ordinary user suhai and assign a password
[[email protected] ~]# useradd suhai
[[email protected] ~]# passwd suhai
Change the password of the user.
New password:***
Invalid password: password is less than 8 characters
重新输入New password:***
Passwd: all authentication tokens have been successfully updated.
- Switch to the suhai user and access /etc/shadow (password mapping file) with and without the sudo command [permission test step, can be skipped]
[[email protected] ~]# su - suhai // Switch to suhai account environment
[[email protected] ~]$ ll /etc/shadow
// Here you can see that the permissions on the shadow file are 000, so only the root account can access it
----------. 1 root 940 January 5 21:59 /etc/shadow
// An ordinary account cannot read it without root permission
[[email protected] ~]$ cat /etc/shadow
cat: /etc/shadow: insufficient permissions
[[email protected] ~]$ sudo cat /etc/shadow
[sudo] suhai's password:
suhai is not in the sudoers file. The matter will be reported.
- Switch to the root account and use the visudo command to modify the /etc/sudoers configuration file and grant administrator privileges
[[email protected] ~]$ su - // Switch to root account environment
[[email protected] ~]# visudo
// Find the following lines, add a copy of the root line beneath it with the user name changed to suhai, then save and exit
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
suhai ALL=(ALL) ALL
- After the modification, switch to the suhai user and view the /etc/shadow file
[[email protected] ~]# su - suhai
Last login: at 22:03:56 CST 2021pts / 1 on January 5, 2002
[[email protected] ~]$ cat /etc/shadow
cat: /etc/shadow: insufficient permissions
[[email protected] ~]$ sudo cat /etc/shadow // When using administrator privileges, be sure to add sudo before the command
[sudo] suhai's password:
root:$6$bOvtr3SEDmKnR1sP$eL98pSpNMPakWsk9QsjqnU/XSZZMeU5YwDr4U9l4eoC9u/Ard6N..UtT5pdcO5xroLKvOpe6OcUKWp2WdUDug/::0:99999:7:::
bin:*:18397:0:99999:7:::
...... (omitted) ......
suhai:$6$Vh9/o5kehkhaw8MT$q/5XSOa5zt45kP5e2zZcQGDgDa4uQgxwjcaG5blkJkOFy/64AF0MsKhpr415ck6VOhJRlXf5tcTH25wLjuGB61:18632:0:99999:7:::
- Although the user now has administrator permission, the user password must be entered every time. You can modify the sudoers configuration file to skip password authentication
// This time the file can be edited directly from the suhai account with sudo, without switching to root
[[email protected] ~]$ sudo visudo
// Find the following lines, add a copy of the %wheel line beneath it with the name changed to suhai, then save and exit
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
suhai ALL=(ALL) NOPASSWD: ALL
// Now the command sudo cat /etc/shadow shows the content directly under the suhai account, without asking for a password
- With this method, to check which users are administrators you only need to view the sudoers file with visudo. To remove the permission, delete the line you added there
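The two "who is an administrator" checks described above (the wheel group members in Method 1, the per-user sudoers lines in Method 2) can be combined into one audit that also shows which accounts skip the password prompt. This is an added example, not part of the original article; the users alice and bob and the sample files are constructed, and only simple rules of the form shown in the article are handled.

```shell
#!/bin/sh
# Added example (not from the original article): list who holds full sudo rights.
# Assumption: only simple "<who> ALL=(ALL) [NOPASSWD:] ALL" rules are handled;
# aliases and included files such as /etc/sudoers.d/* are not resolved.

# Print the members of group $1 from the group(5)-format file $2, one per line.
group_members() {
  awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# Print "<who> PASSWD|NOPASSWD" for every active full-access rule in sudoers file $1.
# Lines starting with "#" are skipped, so the stock commented-out NOPASSWD line is ignored.
sudoers_grants() {
  awk '/^[ \t]*(#|$)/ { next }
       $2 ~ /^ALL=/ && $NF == "ALL" { print $1, ($0 ~ /NOPASSWD:/ ? "NOPASSWD" : "PASSWD") }' "$1"
}

# Expand %group rules into users. Usage: list_admins GROUPFILE SUDOERSFILE
list_admins() {
  sudoers_grants "$2" | while read -r who mode; do
    case "$who" in
      %*) for u in $(group_members "${who#?}" "$1"); do echo "$u $mode via $who"; done ;;
      *)  echo "$who $mode direct" ;;
    esac
  done | LC_ALL=C sort -u
}

# Constructed sample files mirroring the article's two methods (alice and bob are made up).
write_sample() {
  printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' 'mysql:x:27:' > "$1/group"
  cat > "$1/sudoers" <<'EOF'
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
suhai ALL=(ALL) NOPASSWD: ALL
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
list_admins "$demo_dir/group" "$demo_dir/sudoers"
rm -rf "$demo_dir"
```

On a live host, run `list_admins /etc/group /etc/sudoers` as root; `sudo -l -U suhai` shows the effective rules for a single user.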