Qiita Teams that are logged in
You are not logged in to any team

Log in to Qiita Team
Community
OrganizationEventAdvent CalendarQiitadon (β)
Service
Qiita JobsQiita ZineQiita Blog
0
Help us understand the problem. What are the problem?

More than 3 years have passed since last update.

posted at

su, sudo コマンド

この記事は Linux コマンド 全部オレ Advent Calendar 2017 の7日目の記事です。

su

NAME
       su - run a command with substitute user and group ID

SYNOPSIS
       su [options...] [-] [user [args...]]

DESCRIPTION
       su allows to run commands with substitute user and group ID.

       When called without arguments su defaults to running an interactive shell as root.

       For backward compatibility su defaults to not change the current directory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is
       not root).  It is recommended to always use the --login option (instead it's shortcut -) to avoid side effects caused by mixing environments.

       This version of su uses PAM for authentication, account and session management.  Some configuration options found in other su implementations such as e.g. support  of  a  wheel
       group have to be configured via PAM.

Switch User.

su - (root になるのを禁止する)

## /etc/pam.d/su を編集して su - を禁止する
[root@localhost ~]# cat /etc/pam.d/su
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# ↓ のコメントアウトされてる箇所をアンコメントする
auth        required    pam_wheel.so use_uid
auth        substack    system-auth
auth        include     postlogin
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
password    include     system-auth
session     include     system-auth
session     include     postlogin
session     optional    pam_xauth.so

## su - を許可するユーザを wheel グループに属させる。
[root@localhost ~]# usermod -G wheel sinsengumi

sudo

NAME
     sudo, sudoedit — execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -V
     sudo -v [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-u user]
     sudo -l [-AknS] [-a type] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
     sudo [-AbEHnPS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-r role] [-t type] [-u user] [VAR=value] [-i | -s] [command]
     sudoedit [-AknS] [-a type] [-C num] [-c class] [-g group] [-h host] [-p prompt] [-u user] file ...

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.  The invoking user's real (not effective) user ID
     is used to determine the user name with which to query the security policy.

     sudo supports a plugin architecture for security policies and input/output logging.  Third parties can develop and distribute their own policy and I/O logging plugins to
     work seamlessly with the sudo front end.  The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.  See the Plugins section for
     more information.

     The security policy determines what privileges, if any, a user has to run sudo.  The policy may require that users authenticate themselves with a password or another
     authentication mechanism.  If authentication is required, sudo will exit if the user's password is not entered within a configurable time limit.  This limit is policy-spe‐
     cific; the default password prompt timeout for the sudoers security policy is 5 minutes.

     Security policies may support credential caching to allow the user to run sudo again for a period of time without requiring authentication.  The sudoers policy caches cre‐
     dentials for 5 minutes, unless overridden in sudoers(5).  By running sudo with the -v option, a user can update the cached credentials without running a command.

     When invoked as sudoedit, the -e option (described below), is implied.

     Security policies may log successful and failed attempts to use sudo.  If an I/O plugin is configured, the running command's input and output may be logged as well.

superuser do らしいが、root にかぎらず別のユーザーとしてコマンドを実行できるようにするためのコマンド。

visudo

sudo できるユーザやコマンドは /etc/sudoers を編集して設定する。
ただ、直接 /etc/sudoers を触ると間違えた時に危険なので、この visudo で編集する。

# visudo
sinsengumi      ALL=(ALL)       NOPASSWD: /bin/systemctl * crond

[sinsengumi ~]$ sudo -l
Matching Defaults entries for sinsengumi on localhost:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sinsengumi may run the following commands on localhost:
    (ALL) NOPASSWD: /bin/systemctl * crond


[sinsengumi ~]$ sudo systemctl restart crond
[sinsengumi ~]$ sudo systemctl restart sshd
[sudo] password for sinsengumi:
Sorry, user sinsengumi is not allowed to execute '/bin/systemctl restart sshd' as root on localhost.localdomain.
Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
0
Help us understand the problem. What are the problem?