The method of configuring sudo permission for Linux users

Time:2021-2-14

The working process of sudo is as follows:

1. When a user executes sudo, the system looks up the /etc/sudoers file to determine whether the user has permission to execute sudo

2. After confirming that the user has permission to execute sudo, the user is asked to enter his own password to confirm

3. If the password is entered successfully, the command that follows sudo is executed

4. When root executes sudo, it does not need to enter a password (the sudoers file contains the rule root ALL=(ALL) ALL)

5. If the identity to be switched to is the same as that of the executor, no password is required

visudo opens the /etc/sudoers file in vi, but when you save and exit, visudo checks the file's syntax so that an invalid entry typed by the user is not written to it

visudo requires root permission

[[email protected] ~]$ visudo
visudo: /etc/sudoers: Permission denied

Use the visudo command to open the sudo configuration file:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##This file allows a specific user to use a variety of commands just like the root user without the password of the root user
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## At the bottom of the file there are many examples of related commands, which can be delegated to specific users or user groups
##
## This file must be edited with the 'visudo' command.
##The file must be edited with the "visudo" command

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
## For a group of servers, you may prefer to use host names (possibly with a wildcard for a whole domain) or IP addresses
# Host_Alias   FILESERVERS = fs1, fs2
# Host_Alias   MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
##This is not very common because you can use groups instead of aliases for a group of users
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...
## Specifies an alias for a series of related commands (it can of course be a single command).
## You can use sudo to call all the commands contained in the alias. Here are some examples

## Network operation related command alias
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

##Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Service management related command alias
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

##Updating the local database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage and disk operation related command alias
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Command alias for delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

##Process related command aliases
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Driver related command alias
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
#     You have to run "ssh -t hostname sudo <cmd>".
# For the configuration of some environment variables, see man sudoers
Defaults  requiretty

Defaults  env_reset
Defaults  env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults  env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults  env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults  env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults  env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults  secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Rule configuration follows: which users can execute which commands on which servers (the sudoers file can be shared between multiple systems)
## Syntax:
##
## user MACHINE=COMMANDS, that is: user, the host the user logs in on = (identity that can be switched to) commands that can be executed
##
## The COMMANDS section may have other options added to it.
##The command section can come with some other options
##
## Allow root to run any commands anywhere 
## Allow root to execute any command anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
## Allows users in the sys group to use the commands configured in all of the aliases, such as NETWORKING
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
##Allow users in the wheel user group to execute all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
##Allows users in the wheel user group to use all commands without entering the user's password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
## Users in the users group are allowed to mount and unmount the cdrom just like the root user
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
##Allow users in the users group to shut down the localhost server
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## Read the files placed in /etc/sudoers.d/ (the # here does not mean that this is a comment)
#includedir /etc/sudoers.d

Note in particular that alias names must be written in uppercase
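
A read-only review of rules in the `user MACHINE=(runas) COMMANDS` form listed above, flagging `ALL` and `NOPASSWD:` grants for anyone other than root. This is an added example, not part of the original article; `parse_rules`, `findings`, the `%ops` and `alice` entries and the sample text are constructed for illustration, and it assumes single-line rules with no alias expansion.

```python
import re

# Constructed sample in the layout of the file above (not taken from a real host).
SAMPLE = """\
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
Defaults  requiretty
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   NOPASSWD: ALL
%users  localhost=/sbin/shutdown -h now
%ops    ALL = NOPASSWD: /sbin/service, /sbin/chkconfig
alice   ALL=(root)  SERVICES
#includedir /etc/sudoers.d
"""

# user HOST=(RUNAS) COMMANDS; the (RUNAS) part is optional.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
NOT_RULES = ("#", "Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_rules(text):
    # Return one dict per user specification line; everything else is skipped.
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = None if line.startswith(NOT_RULES) else SPEC.match(line)
        if not m:
            continue
        cmds = m["cmds"].strip()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):]
        rules.append({"who": m["who"], "host": m["host"],
                      "runas": m["runas"] or "root",  # sudo runs as root by default
                      "nopasswd": nopasswd,
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return rules

def findings(rules):
    # Flag grants a reviewer should justify: ALL commands and NOPASSWD.
    out = []
    for r in rules:
        if r["who"] == "root":
            continue
        if "ALL" in r["cmds"]:
            out.append((r["who"], "any command" + (", no password" if r["nopasswd"] else "")))
        elif r["nopasswd"]:
            out.append((r["who"], "no password: " + ", ".join(r["cmds"])))
    return out
```

The script only reads text; syntax checking of the real file remains the job of visudo when it saves.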
