命令行大全

visudo

瑞兹 发表于 2020-12-16 09:14浏览次数:

在类似Unix的操作系统上,visudo命令编辑sudoers文件,该文件由sudo命令使用。要更改允许哪些用户和组运行sudo,请运行visudo。

查看英文版

目录:

1 visudo 运行系统环境

2 visudo 描述

3 visudo 语法

4 visudo 例子

visudo 运行系统环境

Unix&Linux

visudo 描述

visudo编辑sudoers文件,该文件定义具有管理员权限的用户和组。

Visudo以安全的方式编辑sudoers文件,类似于vipw安全地编辑passwd文件的方式。Visudo锁定sudoers文件以防止同时进行多次编辑,提供基本的完整性检查并检查解析错误。如果当前正在由其他人或您在另一个会话中编辑sudoers文件,您将收到一条消息,稍后再试。

在编译时设置了visudo使用的一个或多个编辑器的硬编码列表。默认值为vi

注意

默认情况下,visudo不支持许多程序用来确定默认文本编辑器的VISUALEDITOR 环境变量。但是,如果使用--with-env-editor选项配置visudo或在sudoers文件中设置了env_editor Default变量,则visudo使用VISUALEDITOR定义的任何编辑。但是,这样做会使您的系统容易受到安全漏洞的攻击,因为它允许用户通过设置VISUALEDITOR来执行他们想要的任何程序。

编辑后,Visudo会解析sudoers文件,如果存在语法错误,Visudo将不会保存更改。发现错误后,visudo打印一条消息,指出发生错误的行号,并且用户将收到“现在如何?”。提示。在提示符下,键入e重新编辑sudoers文件,键入x退出而不保存更改,或者键入Q退出并保存更改。应该非常小心地使用“ Q”选项,因为如果visudo发现一个解析错误,那么sudo也会出现,并且没有人可以运行sudo再次,直到错误得到解决。如果在检测到解析错误后键入“ e”以编辑sudoers文件,则如果编辑器支持此功能,则光标将放置在发生错误的行上。

visudo edits the sudoers file, which defines the users and groups with administrator rights.

Visudo edits the sudoers file in a safe fashion, similar to the way that vipw safely edits the passwd file. Visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited by someone else, or by you in another session, you will receive a message to try again later.

There is a hard-coded list of one or more editors that visudo uses, set at compile-time. The default is vi.

Note

By default, visudo doesn't honor the VISUAL or EDITOR environment variables, used by many programs to determine the default text editor. However, if visudo is configured with the --with-env-editor option or the env_editor Default variable is set in the sudoers file, visudo uses any of the editors defined by VISUAL or EDITOR. Doing so can make your system vulnerable to a security breech, however, because it allows the user to execute any program they want by setting VISUAL or EDITOR.

Visudo parses the sudoers file after the edit, and will not save the changes if there is a syntax error. Upon finding an error, visudo prints a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At the prompt, type e to re-edit the sudoers file, x to exit without saving the changes, or Q to quit and save changes. The "Q" option should be used with extreme care, because if visudo finds a parse error, so will sudo, and no one can run sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error is detected, the cursor will be placed on the line where the error occurred, if the editor supports this feature.

查看英文版

查看中文版

visudo 语法

visudo [-c] [-h] [-q] [-s] [-V] [-f sudoers]

选件

-C 启用仅检查模式。现有的sudoers文件将被检查语法错误,所有者和模式。除非指定了-q选项,否则一条消息将被打印到标准输出中,以描述sudoers的状态。如果检查成功完成,visudo将以0值退出。如果遇到错误,visudo将以1的值退出。
-f sudoers 指定备用sudoers文件位置。使用此选项,visudo将编辑(或检查)您选择的sudoers文件,而不是默认的/ etc / sudoers。所使用的锁定文件是附加了“ .tmp”的指定sudoers文件。仅在仅检查方式下,-f的参数可能是-,指示将从标准输入读取sudoers
-H -h(帮助)选项导致visudo命令打印一个简短的帮助信息到标准输出并退出。
-q 启用安静模式。在此模式下,不打印有关语法错误的详细信息。仅当与-c选项结合使用时,此选项才有用。
-s 启用对sudoers文件的严格检查。如果在定义别名之前使用了别名,则visudo会将其视为解析错误。请注意,无法区分别名和仅由大写字母,数字和下划线(_)组成的主机名或用户名。
-V -V(版本)选项导致visudo命令打印其版本号并退出。

sudoers文件

一个典型的sudoers文件如下所示:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults  env_reset
Defaults  mail_badpass
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root  ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

在这里,“ root ALL =(ALL:ALL)ALL ”表明登录到任何主机名的用户root可以作为任何用户或组作为任何命令运行。该指令的一般形式为:

user hostname=(runas-user:runas-group) command

特殊词ALL可以用于这些值中的任何一个,并且表示允许任何一个。

如果user开头,则将其解释为组的名称,该指令适用于该组中的所有用户。因此,“ %admin ALL =(ALL)ALL ”行允许属于组admin的任何用户以任何用户或组的身份运行任何命令。在三行之后,为组sudo的成员定义了相同的权限。

因此,使用此配置,如果您希望用户具有sudo权限,则可以将其添加到adminsudo组中,而根本不需要编辑sudoer。在这种情况下,命令:

usermod -aG sudo hope

将向用户希望下次登录时授予sudo权限。有关如何使用usermod更改用户的组成员身份的更多信息,请参见usermod命令。

如果您不想拥有专用的sudo组,则可以通过在文件中的任意位置添加一行来直接在sudoers中为用户定义sudo权限。例如,要给用户希望完全的sudo访问权限,请添加:

hope ALL=(ALL:ALL) ALL

然后保存文件并退出visudo启动的文本编辑器。

重要档案

/ etc / sudoers sudo命令的权限配置。
/etc/sudoers.tmp 锁定文件,可防止同时对sudoers进行多次编辑。
visudo [-c] [-h] [-q] [-s] [-V] [-f sudoers]

Options

-c Enable check-only mode. The existing sudoers file will be checked for syntax errors, owner and mode. A message will be printed to the standard output describing the status of sudoers unless the -q option was specified. If the check completes successfully, visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1.
-f sudoers Specify an alternate sudoers file location. With this option, visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be -, indicating that sudoers will be read from the standard input.
-h The -h (help) option causes visudo to print a short help message to the standard output and exit.
-q Enable quiet mode. In this mode details about syntax errors are not printed. This option is only useful when combined with the -c option.
-s Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse error. Note that it is not possible to differentiate between an alias and a hostname or username that consists solely of uppercase letters, digits, and the underscore (‘_’) character.
-V The -V (version) option causes visudo to print its version number and exit.

The sudoers file

A typical sudoers file looks like this:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults  env_reset
Defaults  mail_badpass
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root  ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Here, "root ALL=(ALL:ALL) ALL" states that the user root, logged in to any hostname, may run, as any user or group, any command. The general form of this directive is:

user hostname=(runas-user:runas-group) command

The special word ALL may be used for any of these values, and means that any are allowed.

If user begins with a %, it's interpreted as the name of a group, and the directive applies to all users in that group. So the line "%admin ALL=(ALL) ALL" allows any user belonging to the group admin to run any command as any user or group. The same permissions are defined for members of group sudo, three lines later.

So, with this configuration, if you want a user to have sudo rights, you can add them to the admin or sudo group, and don't need to edit sudoers at all. In this case, the command:

usermod -aG sudo hope

Would grant sudo rights to the user hope next time they log in. For more information about how to use usermod to change a user's group membership, see the usermod command.

If you don't want to have a dedicated sudo group, you can define sudo rights for a user directly in sudoers, by adding a line anywhere in the file. To give user hope full sudo access, for instance, add:

hope ALL=(ALL:ALL) ALL

Then save the file and exit the text editor launched by visudo.

Important files

/etc/sudoers Permissions configuration for the sudo command.
/etc/sudoers.tmp The lock file, which prevents multiple simultaneous edits to sudoers.

查看英文版

查看中文版

visudo 例子

要编辑sudoers文件,请以root用户身份运行visudo。使用su将用户切换为root (需要root密码,该密码与您的用户密码不同):

su
Password:

然后运行visudo

visudo

或者,如果您已经拥有sudo权限,请使用sudo运行visudo

sudo visudo
[sudo] password for user:

Sudoer指令

以下是运行visudo时添加到sudoers的行的示例:

hope ALL=(ALL:ALL) ALL

用户hope可以以任何用户或组的身份运行所有命令,并登录到此配置适用的任何主机。

%hope ALL=(ALL:ALL) ALL

与上述相同,不同之处在于该许可适用于组hope的任何成员(可能包括或可能不包括用户hope)。

hope myhost=(mysqluser:mysqlusers) mysqldump

用户hope登录到主机myhost后,可以以用户mysqlusermysqlusers组的成员身份运行mysqldump命令。例如,此伪指令将允许用户hope运行以下命令:

sudo -u mysqluser -g mysqlusers mysqldump

To edit the sudoers file, run visudo as root. Switch user to root with su (requires the root password, which is different than your user password):

su
Password:

Then run visudo:

visudo

Or if you already have sudo rights, run visudo with sudo:

sudo visudo
[sudo] password for user:

Sudoer directives

The following are examples of lines added to sudoers when you run visudo:

hope ALL=(ALL:ALL) ALL

User hope can run all commands as any user or group, logged in to any host that this configuration applies.

%hope ALL=(ALL:ALL) ALL

Same as above, except the permission apply to any member of the group hope (which may or may not include user hope).

hope myhost=(mysqluser:mysqlusers) mysqldump

User hope, when logged in to host myhost, may run the command mysqldump as user mysqluser or a member of group mysqlusers. For example, this directive would allow user hope to run this command:

sudo -u mysqluser -g mysqlusers mysqldump

查看英文版

查看中文版

发表评论
评论列表
共0条
点击加载更多