This article is the day-7 entry of the Linux コマンド 全部オレ Advent Calendar 2017.
su
NAME
su - run a command with substitute user and group ID
SYNOPSIS
su [options...] [-] [user [args...]]
DESCRIPTION
su allows to run commands with substitute user and group ID.
When called without arguments su defaults to running an interactive shell as root.
For backward compatibility su defaults to not change the current directory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). It is recommended to always use the --login option (instead it's shortcut -) to avoid side effects caused by mixing environments.
This version of su uses PAM for authentication, account and session management. Some configuration options found in other su implementations such as e.g. support of a wheel group have to be configured via PAM.
Switch User (the man page's own wording is "substitute user").
su - (restricting who can become root)
## Edit /etc/pam.d/su so that su - is refused for everyone outside the wheel group. Because the pam_wheel line is "required" rather than "sufficient", a user who is not in wheel is refused even if they know the root password, and wheel members still have to enter the root password.
[root@localhost ~]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# ↓ uncomment the line below (it ships commented out)
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
## Put the users who are allowed to run su - into the wheel group.
[root@localhost ~]# usermod -G wheel sinsengumi
Note that usermod -G replaces the user's whole list of supplementary groups with the ones given. To add wheel without dropping the groups the user already has, use usermod -aG wheel sinsengumi instead.
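To check the effect of the change without logging in as each user, the following added script (not part of the original article) audits a copy of /etc/pam.d/su and /etc/group: it reports whether a non-commented "auth required pam_wheel.so" line is present, whether the passwordless "trust" variant is enabled, and which users could therefore reach root with su -. The sample files it writes are constructed for the demonstration and mirror the before/after state of the file shown above; on a real host point the functions at /etc/pam.d/su and /etc/group.

```sh
#!/bin/sh
# Added example, not from the original article: audit whether `su -` to root
# is restricted to the wheel group. Works on copies of /etc/pam.d/su and
# /etc/group so it runs without root; the sample files written by
# write_sample_files are constructed for this demonstration.

set -eu

# A non-commented "auth required|requisite pam_wheel.so ..." line makes wheel
# membership mandatory for su (use_uid checks the real uid of the caller).
pam_wheel_enforced() {   # $1 = pam file
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# "auth sufficient pam_wheel.so ... trust" lets wheel members su without any
# password, which turns wheel into a passwordless root group: worth flagging.
pam_wheel_trusted() {    # $1 = pam file
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so([[:space:]]+[^[:space:]]+)*[[:space:]]+trust([[:space:]]|$)' "$1"
}

# Members of a group listed in a group(5)-format file, one per line.
group_members() {        # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Exit 0 if the user could reach root via `su -` under this policy (with the
# root password, or with none at all when the trust option is on).
can_su_root() {          # $1 = pam file, $2 = group file, $3 = user name
    if pam_wheel_enforced "$1"; then
        group_members "$2" wheel | grep -qx -- "$3"
    else
        return 0         # no group restriction: the root password is the only gate
    fi
}

# Constructed sample data: /etc/pam.d/su before and after the edit, plus a
# group file in which only sinsengumi is in wheel.
write_sample_files() {   # $1 = directory
    cat > "$1/su.before" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
#auth required pam_wheel.so use_uid
auth substack system-auth
EOF
    cat > "$1/su.after" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
auth substack system-auth
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:sinsengumi
users:x:100:sinsengumi,bob
EOF
}

# Stand-alone demo: who can su - to root under each version of the file.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
for pam in su.before su.after; do
    if pam_wheel_trusted "$demo_dir/$pam"; then
        echo "WARNING: $pam lets wheel members become root without a password"
    fi
    for user in sinsengumi bob; do
        if can_su_root "$demo_dir/$pam" "$demo_dir/group" "$user"; then verdict=allowed; else verdict=denied; fi
        printf '%-10s %-11s su - root: %s\n' "$pam" "$user" "$verdict"
    done
done
rm -rf "$demo_dir"
```

With su.before both users are reported as allowed (the root password is the only barrier); with su.after only sinsengumi, the wheel member, remains allowed.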
sudo
NAME
sudo, sudoedit — execute a command as another user
SYNOPSIS
sudo -h | -K | -k | -V
sudo -v [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-u user]
sudo -l [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
sudo [-AbEHnPS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-r role] [-t type] [-u user] [VAR=value] [-i | -s] [command]
sudoedit [-AknS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-u user] file ...
DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.
sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP. See the Plugins section for more information.
The security policy determines what privileges, if any, a user has to run sudo. The policy may require that users authenticate themselves with a password or another authentication mechanism. If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit. This limit is policy-specific; the default password prompt timeout for the sudoers security policy is 5 minutes.
Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authentication. The sudoers policy caches credentials for 5 minutes, unless overridden in sudoers(5). By running sudo with the -v option, a user can update the cached credentials without running a command.
When invoked as sudoedit, the -e option (described below), is implied.
Security policies may log successful and failed attempts to use sudo. If an I/O plugin is configured, the running command's input and output may be logged as well.
The name is said to come from "superuser do", but sudo is a command for running commands as another user, not only as root.
visudo
Which users may use sudo, and which commands they may run, is configured in /etc/sudoers. Editing /etc/sudoers directly is dangerous because a syntax error can lock everyone out of sudo, so edit it with visudo, which locks the file and checks the syntax before it saves.
# visudo
sinsengumi ALL=(ALL) NOPASSWD: /bin/systemctl * crond
This entry lets sinsengumi run /bin/systemctl as root, without a password, with any arguments that end in crond. One thing to be careful about: sudoers matches the arguments as a single string, so the * also matches spaces. sudo systemctl restart sshd crond is accepted by this entry (and systemctl restarts both units), and so is every systemctl subcommand ending in crond, including systemctl status crond, which hands its output to a pager running as root. Listing the exact commands, e.g. /bin/systemctl restart crond, /bin/systemctl status crond, is the safer form.
[sinsengumi ~]$ sudo -l
Matching Defaults entries for sinsengumi on localhost:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User sinsengumi may run the following commands on localhost:
(ALL) NOPASSWD: /bin/systemctl * crond
[sinsengumi ~]$ sudo systemctl restart crond
[sinsengumi ~]$ sudo systemctl restart sshd
[sudo] password for sinsengumi:
Sorry, user sinsengumi is not allowed to execute '/bin/systemctl restart sshd' as root on localhost.localdomain.
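The session above shows that restart sshd is refused, but it does not show what the wildcard accepts. The following added example, not part of the original article, emulates how sudoers matches the arguments of a command specification: sudoers(5) compares the typed arguments as one concatenated string, so * crosses word boundaries. The emulation uses the shell's own case-pattern matching and is an approximation (it assumes argument globbing is all that needs modelling; path lookup, ! negation, digests and the other sudoers features are ignored). It contrasts the article's wildcard entry with an explicit command list.

```sh
#!/bin/sh
# Added example, not from the original article: emulate sudoers argument
# matching to show that "*" in a command spec matches across spaces.
# Approximation only: sudoers path resolution, "!" negation, digests and
# similar features are deliberately left out.

set -euf   # -f: keep the shell from expanding spec wildcards as filenames

# $1: sudoers command list, comma separated, e.g. '/bin/systemctl * crond'
# $2: the command as sudo resolves it, full path plus arguments
# Returns 0 when some entry in the list matches the whole command line.
sudoers_allows() {
    spec=$1
    cmdline=$2
    old_ifs=$IFS
    IFS=,
    set -- $spec            # split the list on commas only (IFS) ...
    IFS=$old_ifs
    for entry in "$@"; do
        entry=${entry# }    # ... and drop the space that follows each comma
        case "$cmdline" in
            $entry) return 0 ;;   # unquoted: $entry acts as a glob pattern
        esac
    done
    return 1
}

# Stand-alone demo: the article's wildcard entry versus an explicit list.
wildcard='/bin/systemctl * crond'
explicit='/bin/systemctl restart crond, /bin/systemctl status crond'
for cmd in '/bin/systemctl restart crond' \
           '/bin/systemctl restart sshd' \
           '/bin/systemctl restart sshd crond'; do
    for spec in "$wildcard" "$explicit"; do
        if sudoers_allows "$spec" "$cmd"; then v=ALLOW; else v=DENY; fi
        printf '%-5s  [%s]  <=  %s\n' "$v" "$spec" "$cmd"
    done
done
```

The wildcard entry denies restart sshd, matching the session above, but allows restart sshd crond because * swallows "restart sshd"; the explicit list allows only the two commands it names.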