Linux_sudo权限

一、sudo权限(只能由管理员操作)

　　1. 操作对象 --> 命令(命令也是文件)

　　2. 命令存放路径/sbin与/bin --> 只由root管理员用户操作

　　3. 实际工作中,是不允许你使用root用户大量操作系统的,在使用到一些特殊命令需要使用root权限,

　　　 这时sudo就发挥了其存在的作用

　　　 也就是root管理员将部分命令授权于普通用户的过程

[root@hadoop09-linux bin]# su - eRrsr　　# 使用普通用户去操作关机命令时
[eRrsr@hadoop09-linux ~]$ shutdown -r now
shutdown: Need to be root

　　4. 使用root赋予普通用户权限

[eRrsr@hadoop09-linux ~]$ visudo　　# 用户赋予权限(root用户操作),其实visudo命令操作的是/etc/sudoers文件
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
[eRrsr@hadoop09-linux ~]$ su -
Password:
[root@hadoop09-linux ~]# visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
...

　　

...
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL　　　　# 赋予权限,可以看到root用户具有所有权限,通过下面的查看赋值格式来分析：
　　　　　　　　　　　　　　　　　　　 # root 用户
　　　　　　　　　　　　　　　　　　　 # All(第一个)   就相当于Lisa用户的 各网段IP
　　　　　　　　　　　　　　　　　　　 #(All)(第二个)  用户的身份,(ALL)也就代表管理员身份,可写可不写
　　　　　　　　　　　　　　　　　　　 # ALL(最后一个) 具体的命令 (绝对路径:查看命令位置whereis或which)
...

　　查看赋值格式

[root@hadoop09-linux ~]# man visudo  # 这里只是查看到visudo命令的相关信息
...
SEE ALSO
     vi(1), sudoers(5), sudo(8), vipw(8)  # sudoers(5) 5 代表配置文件,我们要查看的是这个5
---

　　

[root@hadoop09-linux ~]# man 5 sudoers
...
    jack            CSNETS = ALL   # CENTES 是网段的别名 ,就是说该条命令表示jack在这个网段下可以使用所有命令

     The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network.  For the other networks in CSNETS,
     the local machine’s netmask will be used during matching.

     lisa           CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).

...

...
 　　jack            CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of those
     networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network.  For the other networks in CSNETS,
     the local machine’s netmask will be used during matching.

     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0  #!
     Host_Alias      SERVERS = master, mail, www, ns
     Host_Alias      CDROM = orion, perseus, hercules
...

　　刚才普通用户eRrsr重启系统命令显示root用户操作,那么来给eRrsr授权吧

[eRrsr@hadoop09-linux ~]$ su -
Password:
[root@hadoop09-linux ~]# visudo
...
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
eRrsr   ALL=            /sbin/shutdown -r now
...

[root@hadoop09-linux ~]# su - eRrsr
[eRrsr@hadoop09-linux ~]$ sudo shutdown -r now

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for eRrsr: 

Broadcast message from root@hadoop09-linux.ibeifeng.com
	(/dev/pts/1) at 5:53 ...

The system is going down for reboot NOW!

　　发现每次普通用户使用sudo时还要输入密码,那在赋予其不必输入密码权限

eRrsr   ALL=(root)      NOPASSWD:ALL

　　查看当前用户被赋予了那些权限

[root@hadoop09-linux ~]# sudo -l
Matching Defaults entries for root on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL
[root@hadoop09-linux ~]# su - eRrsr
[eRrsr@hadoop09-linux ~]$ sudo -l
Matching Defaults entries for eRrsr on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User eRrsr may run the following commands on this host:
    (root) /sbin/shutdown -r now
    (root) NOPASSWD: ALL