This article is the day 7 entry of the Linux コマンド 全部オレ Advent Calendar 2017.
```
NAME
       su - run a command with substitute user and group ID

SYNOPSIS
       su [options...] [-] [user [args...]]

DESCRIPTION
       su allows to run commands with substitute user and group ID.

       When called without arguments su defaults to running an interactive shell as root.

       For backward compatibility su defaults to not change the current directory and to only set the
       environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). It is
       recommended to always use the --login option (instead its shortcut -) to avoid side effects caused
       by mixing environments.

       This version of su uses PAM for authentication, account and session management. Some
       configuration options found in other su implementations such as e.g. support of a wheel group have
       to be configured via PAM.
```
## Edit /etc/pam.d/su to prohibit su -

```
[root@localhost ~]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# ↓ uncomment the line below (it is commented out by default)
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
```

## Put the users who are allowed to run su - in the wheel group

```
[root@localhost ~]# usermod -G wheel sinsengumi
```
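As an added example (not from the original article), the following shell script checks whether a pam.d/su file actually enforces the pam_wheel restriction configured above, flags the weaker "trust" variant, and lists the wheel members. The pam.d files and the group(5) file it reads are constructed samples in a temporary directory, not the real system files.

```shell
#!/bin/sh
# Added example: audit pam_wheel enforcement in a pam.d/su file.
# All inputs below are constructed samples; pass /etc/pam.d/su and
# /etc/group yourself to check a real host.

# pam_wheel_enforced FILE -> 0 if an active (uncommented) line
#   auth required|requisite pam_wheel.so ... use_uid
# exists. Only this form blocks non-wheel users.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so([[:space:]]|$).*use_uid' "$1"
}

# pam_wheel_trust_active FILE -> 0 if the "sufficient ... trust" line is
# active. That line lets wheel members skip the password; it blocks nobody,
# so seeing it without the required line above is worth flagging.
pam_wheel_trust_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)' "$1"
}

# wheel_members GROUPFILE -> prints the wheel member list from a group(5)
# file; empty output means nobody can su - once pam_wheel is required.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# --- constructed sample data (CentOS 7 style pam.d/su) -------------------
tmp=$(mktemp -d)
cat > "$tmp/su.default" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
cat > "$tmp/su.hardened" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
printf 'root:x:0:\nwheel:x:10:sinsengumi\n' > "$tmp/group"

for f in su.default su.hardened; do
    if pam_wheel_enforced "$tmp/$f"; then echo "$f: su - limited to wheel"; else echo "$f: su - NOT limited"; fi
    pam_wheel_trust_active "$tmp/$f" && echo "$f: wheel members skip the password"
done
echo "wheel members: $(wheel_members "$tmp/group")"
```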
```
NAME
       sudo, sudoedit — execute a command as another user

SYNOPSIS
       sudo -h | -K | -k | -V
       sudo -v [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-u user]
       sudo -l [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
       sudo [-AbEHnPS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-r role] [-t type]
            [-u user] [VAR=value] [-i | -s] [command]
       sudoedit [-AknS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-u user] file ...

DESCRIPTION
       sudo allows a permitted user to execute a command as the superuser or another user, as specified by
       the security policy. The invoking user's real (not effective) user ID is used to determine the user
       name with which to query the security policy.

       sudo supports a plugin architecture for security policies and input/output logging. Third parties
       can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo
       front end. The default security policy is sudoers, which is configured via the file /etc/sudoers,
       or via LDAP. See the Plugins section for more information.

       The security policy determines what privileges, if any, a user has to run sudo. The policy may
       require that users authenticate themselves with a password or another authentication mechanism. If
       authentication is required, sudo will exit if the user's password is not entered within a
       configurable time limit. This limit is policy-specific; the default password prompt timeout for the
       sudoers security policy is 5 minutes.

       Security policies may support credential caching to allow the user to run sudo again for a period
       of time without requiring authentication. The sudoers policy caches credentials for 5 minutes,
       unless overridden in sudoers(5). By running sudo with the -v option, a user can update the cached
       credentials without running a command.

       When invoked as sudoedit, the -e option (described below), is implied.

       Security policies may log successful and failed attempts to use sudo. If an I/O plugin is
       configured, the running command's input and output may be logged as well.
```
The name apparently stands for "superuser do", but it is a command for running commands as another user, not only as root.
```
# visudo
sinsengumi ALL=(ALL) NOPASSWD: /bin/systemctl * crond
```

```
[sinsengumi ~]$ sudo -l
Matching Defaults entries for sinsengumi on localhost:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sinsengumi may run the following commands on localhost:
    (ALL) NOPASSWD: /bin/systemctl * crond
[sinsengumi ~]$ sudo systemctl restart crond
[sinsengumi ~]$ sudo systemctl restart sshd
[sudo] password for sinsengumi:
Sorry, user sinsengumi is not allowed to execute '/bin/systemctl restart sshd' as root on localhost.localdomain.
```