The sudo command lets a user run commands with another user's privileges without switching to that user (the usual case is granting an ordinary user the identity of root for specific commands).
[root@hf-01 ~]# su - hanfeng
上一次登录:四 11月 2 03:52:44 CST 2017pts/0 上
[hanfeng@hf-01 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[hanfeng@hf-01 ~]$ sudo /usr/bin/ls /root/    After running this command, you are prompted for hanfeng's own password
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for hanfeng:
11.txt 234 33.txt ha.txt
[hanfeng@hf-01 ~]$ ls /root/    Run directly as hanfeng, the /root/ directory cannot be opened
ls: 无法打开目录/root/: 权限不够
[hanfeng@hf-01 ~]$ sudo /usr/bin/ls /root/
11.txt 234 33.txt ha.txt
[hanfeng@hf-01 ~]$ mv /root/ha.txt /root/haha.txt
mv: 无法打开目录/root/: 权限不够
[hanfeng@hf-01 ~]$ sudo /usr/bin/mv /root/ha.txt /root/haha.txt
[hanfeng@hf-01 ~]$ 登出
[root@hf-01 ~]#
[root@hf-01 ~]# visudo
[root@hf-01 ~]# su - user2
上一次登录:四 11月 2 07:17:04 CST 2017pts/0 上
[user2@hf-01 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[user2@hf-01 ~]$ sudo ls /root/
11.txt 234 33.txt haha.txt
[user2@hf-01 ~]$ sudo /usr/bin/ls /root/
11.txt 234 33.txt haha.txt
[user2@hf-01 ~]$ 登出
[root@hf-01 ~]#
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient , /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig , /sbin/mii-tool
Example:
[root@hf-01 ~]# visudo    enters the configuration editor
Then go to the end of the ## Networking section and add a command alias (the Cmnd_Alias keyword is required, as in the commented NETWORKING line):
Cmnd_Alias HANFENG_CMD = /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
Then, on the hanfeng line, remove the absolute-path commands that follow the username and replace them with HANFENG_CMD; save and exit:
root ALL=(ALL) ALL
hanfeng ALL=(ALL) HANFENG_CMD
[root@hf-01 ~]# su - hanfeng
上一次登录:四 11月 2 05:46:40 CST 2017pts/0 上
[hanfeng@hf-01 ~]$ sudo ls /root/    Here you will find that the files under /root/ can now be listed
[sudo] password for hanfeng:
11.txt 234 33.txt haha.txt
[hanfeng@hf-01 ~]$ sudo ls /root/
11.txt 234 33.txt haha.txt
[hanfeng@hf-01 ~]$ sudo cat /root/haha.txt
[hanfeng@hf-01 ~]$ 登出
[root@hf-01 ~]#
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
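To reason about which of the rules above actually permit a given invocation, the following added example (not part of the original tutorial, and not sudo's own code) implements a small evaluator for the subset of sudoers syntax used on this page: Cmnd_Alias definitions, per-user and %group specs with a (RUNAS) list, and the ALL keyword. It mirrors the final state of the tutorial's sudoers file, including the HANFENG_CMD alias and the %wheel rule, and resolves bare command names like ls against an assumed secure_path over a constructed set of installed binaries. The SECURE_PATH, INSTALLED, and sample sudoers text are constructed for the example; real sudo handles far more syntax (Defaults, NOPASSWD tags, host aliases, negation, wildcards, command arguments), so this is a reasoning aid, not a substitute for visudo -c.

```python
import re

# Constructed sudoers content mirroring the tutorial's final configuration.
SAMPLE_SUDOERS = """
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig
Cmnd_Alias HANFENG_CMD = /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
root ALL=(ALL) ALL
hanfeng ALL=(ALL) HANFENG_CMD
%wheel ALL=(ALL) ALL
"""

# Assumed secure_path used to turn "ls" into "/usr/bin/ls" (constructed).
SECURE_PATH = ["/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"]
# Constructed stand-in for the filesystem; real sudo stats the actual binaries.
INSTALLED = {"/usr/bin/ls", "/usr/bin/mv", "/usr/bin/cat", "/usr/bin/vim", "/bin/ls"}

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# who HOST=(RUNAS) cmd1, cmd2 ...   (the RUNAS group is optional, defaulting to root)
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def _split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Parse the supported subset into command aliases and user specs."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, blank lines and Defaults entries are outside this subset.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        who, host, runas, cmds = m.groups()
        specs.append({"who": who, "host": host,
                      "runas": _split_list(runas) if runas else ["root"],
                      "cmds": _split_list(cmds)})
    return {"aliases": aliases, "specs": specs}


def expand_commands(rules, cmds):
    """Replace alias names with their members (aliases may nest)."""
    out = []
    for c in cmds:
        if c in rules["aliases"]:
            out.extend(expand_commands(rules, rules["aliases"][c]))
        else:
            out.append(c)
    return out


def resolve_command(command):
    """Absolute path of the command's first word, or None if not installed."""
    name = command.split()[0]
    if name.startswith("/"):
        return name if name in INSTALLED else None
    for directory in SECURE_PATH:
        candidate = f"{directory}/{name}"
        if candidate in INSTALLED:
            return candidate
    return None


def can_run(rules, user, groups, command, runas="root"):
    """True if some spec lets `user` (member of `groups`) run `command` as `runas`.

    Host matching is ignored (all specs on the page use ALL) and commands are
    compared by their literal resolved path, so "/bin/ls" does not satisfy an
    entry that lists "/usr/bin/ls".
    """
    path = resolve_command(command)
    if path is None:
        return False
    for spec in rules["specs"]:
        who = spec["who"]
        applies = who == user or (who.startswith("%") and who[1:] in groups)
        if not applies:
            continue
        if "ALL" not in spec["runas"] and runas not in spec["runas"]:
            continue
        allowed = expand_commands(rules, spec["cmds"])
        if "ALL" in allowed or path in allowed:
            return True
    return False


def grants_all(rules):
    """Defender's check: principals whose spec allows every command."""
    return [s["who"] for s in rules["specs"]
            if "ALL" in expand_commands(rules, s["cmds"])]


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, groups, cmd in [("hanfeng", set(), "ls /root/"),
                              ("hanfeng", set(), "vim /root/haha.txt"),
                              ("user2", {"wheel"}, "ls /root/")]:
        verdict = "allowed" if can_run(rules, user, groups, cmd) else "denied"
        print(f"{user}: sudo {cmd} -> {verdict}")
    print("specs granting ALL:", grants_all(rules))
```

The grants_all helper is the check worth running over a real sudoers file after an edit like the one above: a narrowly scoped alias such as HANFENG_CMD only limits the user it is attached to, and any %wheel membership the user also holds still grants everything.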