Common Linux commands - sudo

Command

sudo

Description

execute a command as another user
Run a command with administrator (root) privileges

Usage

sudo -h | -K | -k | -V
sudo -v [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-u user]
sudo -l [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
sudo [-AbEHnPS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-r role]
[-t type] [-T timeout] [-u user] [VAR=value] [-i | -s] [command]
sudoedit [-AknS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-T timeout] [-u user] file ...

Options

Options:
-l  List the commands the invoking user may run via sudo; combined with -U, list them for the specified user
-u  Run the command as the specified user
-g  Run the command as the specified group
-T  Set a timeout for the command

Note

sudo operations are logged to /var/log/secure

Examples

# Note the file permissions: all root-owned and not world-readable
$ ll -d /etc/sudo*
-rw-r-----. 1 root root 1786 Sep 30 21:18 /etc/sudo.conf
-r--r-----. 1 root root 4356 Jan 7 22:50 /etc/sudoers
drwxr-x---. 2 root root 6 Oct 1 01:42 /etc/sudoers.d/
-rw-r-----. 1 root root 3181 Sep 30 21:18 /etc/sudo-ldap.conf

# How a user privilege line in /etc/sudoers is read
# Column 1: the user name (root) or group name (%wheel); group names carry a % prefix
# Column 2: the host list left of "=" names the hosts on which the user may run sudo under this rule; the user list in parentheses right of "=" names the users the command may be run as
# Column 3: the commands that may be run; a NOPASSWD: prefix means no password is asked for
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
usera ALL=(root) /sbin/nginx

# Edit /etc/sudoers with visudo to add or change a user's sudo privileges
# The line below allows usera to run /sbin/nginx (and its sub-commands) as root
$ visudo
...
usera ALL=(root) /sbin/nginx
# Switch to usera; by default usera has no permission to run nginx
$ su - usera
$ nginx -t
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2021/03/16 20:55:34 [warn] 13088#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:5
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2021/03/16 20:55:34 [emerg] 13088#0: open() "/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
# With sudo in front the command runs; note that usera's own password is required
$ sudo nginx -t
[sudo] password for usera:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# The line below lets userb run any command as root without a password, i.e. it makes userb an administrator
$ visudo
...
userb ALL=(ALL) NOPASSWD: ALL
# Switch to userb
$ su - userb
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# userb can switch to root and then run any command without sudo
$ sudo su - root
$ whoami
root
$ touch /root/userb
$ ll /root/userb
-rw-r--r-- 1 root root 0 Mar 16 21:01 /root/userb

# Check the sudo privileges of usera and userb
$ sudo -l -U usera
Matching Defaults entries for usera on centos7:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User usera may run the following commands on centos7:
(root) /sbin/nginx
$ sudo -l -U userb
...
User userb may run the following commands on centos7:
(ALL) NOPASSWD: ALL

# Note the difference between su and sudo usage, and how the owner and group of the created files differ
$ su - userb -c 'touch /tmp/userb1'
$ su - userb -c 'sudo touch /tmp/userb2'
$ sudo -u userb touch /tmp/userb3
$ ll /tmp/user*
-rw-rw-r-- 1 userb userb 0 Mar 16 21:38 /tmp/userb1
-rw-r--r-- 1 root root 0 Mar 16 21:38 /tmp/userb2
-rw-r--r-- 1 userb userb 0 Mar 16 21:38 /tmp/userb3
$ su - userb
$ sudo -u usera touch /tmp/usera
$ ll /tmp/usera
-rw-r--r-- 1 usera usera 0 Mar 16 21:43 /tmp/usera
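The sudoers column description and the `sudo -l` output above both come down to reading user specification lines; the following is an added example, not part of the original post, that parses such lines in plain POSIX sh and rates each rule by how much it grants (the rules it reads are constructed in the script, not taken from any host).

```sh
#!/bin/sh
# Added example, not from the original post: audit rules written in /etc/sudoers
# syntax and rate how much each one grants. The sample rules below are constructed
# here; nothing is read from the live host.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
usera   ALL=(root) /sbin/nginx
userb   ALL=(ALL) NOPASSWD: ALL
userc   ALL=/usr/bin/systemctl restart nginx'

trim() {  # print $1 without leading/trailing whitespace
  s=${1#"${1%%[![:space:]]*}"}
  printf '%s' "${s%"${s##*[![:space:]]}"}"
}

# rule_risk TAG COMMANDS: HIGH = any command with no password (a root shell on
# demand), MEDIUM = any command but a password is required, LOW = restricted list
rule_risk() {
  if [ "$2" = ALL ]; then
    if [ "$1" = NOPASSWD: ]; then echo HIGH; else echo MEDIUM; fi
  else
    echo LOW
  fi
}

# audit_sudoers: rules on stdin -> "user hosts runas tag commands risk" per rule.
# Comments, Defaults and alias lines are skipped; a missing "(runas)" means root.
audit_sudoers() {
  while IFS= read -r line; do
    case "$line" in ''|\#*|Defaults*|*_Alias*) continue ;; esac
    user=${line%%[[:space:]]*}            # column 1: user or %group
    rest=$(trim "${line#"$user"}")
    hosts=$(trim "${rest%%=*}")           # column 2, left of "=": host list
    rest=$(trim "${rest#*=}")
    case "$rest" in                       # column 2, right of "=": run-as user
      \(*) runas=${rest#\(}; runas=${runas%%\)*}; rest=$(trim "${rest#*\)}") ;;
      *)   runas=root ;;
    esac
    tag=PASSWD:                           # column 3: optional tag, then commands
    case "$rest" in
      NOPASSWD:*) tag=NOPASSWD:; rest=$(trim "${rest#NOPASSWD:}") ;;
      PASSWD:*)   rest=$(trim "${rest#PASSWD:}") ;;
    esac
    printf '%s %s %s %s %s %s\n' "$user" "$hosts" "$runas" "$tag" "$rest" "$(rule_risk "$tag" "$rest")"
  done
}

audit_sample() { printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers; }
```

Running `audit_sample` flags the %wheel and userb rules as HIGH, the same rules the `sudo -l -U userb` output above shows as `(ALL) NOPASSWD: ALL`.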