Application of Super Privilege Control in Linux Operating System

In the Linux operating system, root has the highest authority and is also known as the owner of super authority. Operations that ordinary users cannot perform can be completed by the root user, so root is also called the super administrative user.

In the system, every file, directory and process belongs to some user, and other ordinary users cannot operate on it without that user's permission; root is the exception. The privilege of the root user also shows in that root can read, modify or delete the files and directories of any user or user group (within the normal permission range of the system); can execute and terminate executable programs; can add, create and remove hardware devices, files and directories; and can modify the ownership and permissions of files and directories to suit the needs of system management (because root is the most privileged user in the system).

Understanding of super users and ordinary users

What is a super user;

In all Linux systems, the system distinguishes user privilege levels by UID, and by convention the user with UID 0 has super authority. The super user holds the highest authority the system grants and can operate over the full range of the system, so the super user can complete every system management task. We can check through /etc/passwd that the user with UID 0 is root, and that only root has UID 0; from this point of view, the root user has an irreplaceable supremacy and unlimited permissions in the system. The root user is the system's super user.

Understand the correspondence between UID and user

When the system is installed by default, system users and UIDs are in a one-to-one relationship, which means that one UID corresponds to one user. We know that user identity is confirmed by UID. In the explanation of UID in "Detailed Explanation of User and Group Configuration Files", we said: "UID is the identifier that confirms a user's rights. When a user logs in to the system, their role is determined by the UID, not by the user name; it is dangerous for several users to share one UID. For example, if we change the UID of an ordinary user to 0 so that it shares the same UID as root, this in fact causes confusion in the system's management authority. If we want to use root authority, we can do it through su or sudo; we must not let a user share the same UID as root at will."

In the system, can UID and user have a one-to-many relationship? Yes; for example, we can assign UID 0 to several users for common use. This is the one-to-many relationship between UID and users. But it is dangerous: users with the same UID have the same identity and permissions. For example, after we change the UID of the ordinary user beinan to 0, that ordinary user in fact has super authority, and his abilities and permissions are the same as the root user's; every operation of the user beinan will be recorded as a root operation, because the UID of beinan is 0, and the user with UID 0 is root. Is that not troubling? It can also be understood this way: the user whose UID is 0 is root, and the UID of the root user is 0.

The one-to-one correspondence between UID and user is simply a rule that administrators must adhere to when managing a system, because system security still comes first. Therefore the best choice is to reserve super authority for the single user root.

If we do not share UID 0 with other users, root is the only user with UID=0, and the root user is the only super user.

Ordinary users and disguised users

The opposite of the super user are ordinary users and virtual users (also called disguised users). Both ordinary and disguised users are restricted users; but to complete specific tasks, ordinary users and disguised users are also necessary. Linux is a multi-user, multi-tasking operating system; the multi-user aspect is mainly reflected in the diversity of user roles, with different users assigned different permissions. This is the essence of why a Linux system is more secure than a Windows system; even the latest version, Windows 2003, could not erase the mark of its single-user heritage.

The role of super user (authority) in system management

What role does the super user (the user with UID 0) play in system management? It is mainly shown in the following two points.

Operating on any file, directory or process;

It is worth noting that this operation stays within the highest range the system permits; some operations cannot be completed even by root with super authority.

For example, the /proc directory: /proc reflects the real-time status of the running system, so even root can do nothing about it. Its permissions are as follows:

[root@localhost ~]# pwd
/root
[root@localhost ~]# cd /
[root@localhost /]# ls -ld /proc/
dr-xr-xr-x 134 root root 0 2025-10-27 /proc/

This directory only has read and execute permissions, and absolutely no write permission; even if we grant write permission on the /proc directory to root, the root user still cannot perform write operations there:

[root@localhost /]# chmod 755 /proc
[root@localhost /]# ls -ld /proc/
drwxr-xr-x 134 root root 0 2025-10-27 /proc/
[root@localhost /]# cd /proc/
[root@localhost proc]# mkdir testdir
mkdir: cannot create directory 'testdir': No such file or directory

System management involving the system as a whole;

Hardware management, file system maintenance, user management, the global configuration of the system, and so on. If you execute a command or tool and are told you have no authority, most such tasks require super authority to complete.

For example, adding users with adduser can only be done by a user with super privileges.

The irreplaceability of super authority;

Because of the indispensable and important role of super authority in system management, we must use super authority to complete system management tasks. In general, for system security, ordinary applications should not be run as root; the root user is only used to manage and maintain the system, such as viewing and cleaning system logs, adding and deleting users, and so on.

In an environment that does not involve system management work, an ordinary user can do the job, such as writing a file, listening to music, or processing a picture with gimp. Most ordinary application tasks can be done by ordinary users.

When we log in to the system as a user with ordinary authority, some system configuration and management tasks must still be completed by a super-authority user, such as managing system logs or adding and deleting users. How can we avoid logging in directly as root, and instead switch from an ordinary user to the root user to perform the system management work required? This is the issue of super authority management.

The process of obtaining super authority is the process of switching from an ordinary user identity to the super user identity; this is mainly solved by su and sudo.

Use the su command to temporarily switch the user identity

Applicable conditions and power of su

The su command is a tool for switching users. How should we understand it? For example, we log in as the ordinary user beinan, but we want to add a user by running useradd; the beinan user does not have this permission, which is owned by root. There are two solutions. One is to log out of the beinan user and log in again as root, but this is not the best method; the second is to stay logged in as beinan and use su to switch to root to do the user-adding work, then exit root after the task is completed. Clearly, switching through su is the better way.

Through su you can switch between users. If the super-privileged user root switches to an ordinary or virtual user, no password is required. That is power! Ordinary users, on the other hand, need password authentication to switch to any other user.

The usage of su:

su [OPTION] [user]
  • -, -l, --login: log in as the target user and switch to that user's environment;
  • -c, --command=COMMAND: execute a command as the target user, then exit the switched user environment;

For more details, please refer to man su;

Examples of su:

su without any parameters switches to the root user by default, but does not change to the root user's home directory; that is, although we have switched to root, we have not taken on root's login environment. A user's default login environment can be found in /etc/passwd, including the home directory, the shell, and so on.

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

su followed by the parameter - switches to the root user by default and also changes to the root user's environment:

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -

su - username

[beinan@localhost ~]$ su - root

Note: this has the same effect as su -;

[root@localhost ~]# pwd
/root

This switches to the linuxsir user:

[beinan@localhost ~]$ su - linuxsir

Check the user's current location:

[linuxsir@localhost ~]$ pwd

Check the user's UID and GID information, mainly to confirm that the switch happened:

[linuxsir@localhost ~]$ id
uid=505(linuxsir) gid=502(linuxsir) groups=0(root),500(beinan),502(linuxsir)
[linuxsir@localhost ~]$

[beinan@localhost ~]$ su - -c ls

This is a parameter combination of su: switch to the root user and change to root's environment, list the files in root's home directory, then exit the root user.

The advantages and disadvantages of su;

su really does bring convenience to management. By switching to root, every system management tool becomes available; as long as the root password is given to an ordinary user, he can switch to root and complete all system management tasks.

But switching to root through su also brings insecurity. For example, suppose the system has 10 users who all take part in management. If these 10 users need super authority, then as the administrator, if you want them to switch to root through su, you must tell all 10 of them the root password; and once all 10 users have root privileges, each of them can do anything root can do, which to a certain extent creates a threat to the security of the system. Think of Windows: it is a nightmare.

"There is no unsafe system, only unsafe people." We absolutely cannot guarantee that these 10 users will manage the system according to the normal operating procedure. Any major mistake in operating the system may cause a system crash or data loss.

Therefore, the su tool is not the best choice for multi-person system management. su is only suitable for systems managed by one or two people; after all, su cannot restrict what an ordinary user does once switched.

The super user root's password should be in the hands of only a few users; this is beyond doubt. So centralized control of super authority still makes sense.

Using sudo: an authorized, restricted su

Applicable conditions of sudo;

Since su places no restrictions on the permissions obtained after switching to the super-privileged user root, su cannot serve a system managed by multiple administrators. If su is used to switch to the super user to manage the system, it is not clear which work was performed by which administrator. Especially when many people take part in managing a server, it is best to decentralize authority in a targeted way according to each administrator's technical expertise and scope of management, and agree on which tools each uses to complete the work related to it. This is where sudo is needed.

Through sudo, we can hand out parts of super authority in a targeted way without requiring ordinary users to know the root password, so compared with su, whose permissions are unlimited, sudo is relatively safe; sudo can therefore be called a restricted su. In addition, sudo requires authorization, so it is also called an authorized su.

The process of sudo executing a command is: the current user switches to root (or another user designated as the switch target), executes the command as root (or that designated user), and after execution completes returns directly to the current user. The premise is that authorization has been granted through the sudo configuration file /etc/sudoers.
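One practical consequence of the accountability point above is that sudo records every attempt, allowed or refused, in the system log, naming the invoking user, the target user and the command. The following shell example (added here, not from the original article) summarises such records; the log lines are constructed for the demonstration in the format sudo writes to syslog, and the host name localhost and the user names beinan and lanhaitun are taken from the article's own examples.

```shell
#!/bin/sh
# Added example, not from the original article: summarise sudo's syslog records.
# Each function takes a log file path (e.g. /var/log/auth.log or /var/log/secure).

# Constructed sample lines in sudo's syslog format: three allowed commands,
# one command refused by sudoers, and one failed password check.
SAMPLE_LOG='Oct 27 10:09:01 localhost sudo:   beinan : TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/bin/chown beinan:beinan /opt
Oct 27 10:09:30 localhost sudo:   beinan : TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/usr/bin/passwd linuxsir
Oct 27 10:10:02 localhost sudo:   beinan : command not allowed ; TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/sbin/fdisk -l
Oct 27 10:11:15 localhost sudo: lanhaitun : TTY=pts/1 ; PWD=/home/lanhaitun ; USER=root ; COMMAND=/sbin/parted /dev/sda print
Oct 27 10:12:40 localhost sudo:   beinan : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/beinan ; USER=root ; COMMAND=/bin/chmod 755 /opt'

# Internal: mode=allowed prints "user target command" for executed commands;
# mode=denied prints "user reason command" for attempts sudo refused.
_sudo_events() {
    awk -v mode="$1" '
    /sudo:/ {
        sub(/^.*sudo: */, "")                 # drop timestamp, host and the "sudo:" tag
        n = split($0, f, / ; /)               # sudo separates its fields with " ; "
        user = f[1]; sub(/ : .*/, "", user)
        status = f[1]; sub(/^[^:]*: /, "", status)   # "TTY=..." on success, else the reason
        target = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        if (mode == "allowed" && status ~ /^TTY=/) print user, target, cmd
        if (mode == "denied"  && status !~ /^TTY=/) print user, status, cmd
    }' "$2"
}

sudo_allowed()  { _sudo_events allowed "$1"; }
sudo_denied()   { _sudo_events denied  "$1"; }

# Number of executed sudo commands per invoking user, sorted by user name.
sudo_per_user() {
    sudo_allowed "$1" | awk '{ c[$1]++ } END { for (u in c) print u, c[u] }' | sort
}

main() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "Executed via sudo (user target command):"; sudo_allowed "$f"
    echo "Refused attempts (user reason command):";  sudo_denied "$f"
    echo "Commands per user:";                        sudo_per_user "$f"
    rm -f "$f"
}
main
```

With su, the same work would appear in the log only as actions of root; here the invoking user is preserved on every line, and the refused attempts are exactly the cases an administrator reviewing a shared server wants to see first.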

Start by writing the sudo configuration file /etc/sudoers;

The configuration file of sudo is /etc/sudoers, which we edit with its dedicated tool visudo. The advantage of this tool is that when a rule is written incorrectly, it prompts us with an error message on save and exit. After configuring, you can switch to the authorized user and use sudo -l to see which commands are allowed or prohibited.

Each line in /etc/sudoers counts as one rule; a line beginning with # is a comment and is not executed. If a rule is very long and does not fit on one line, you can use \ to continue it, so one rule can span several lines.

The rules in /etc/sudoers fall into two categories: alias definitions and authorization rules. Alias definitions are optional, but authorization rules are required.

Alias rules in the /etc/sudoers configuration file

The format of the alias rule definition is as follows:

Alias_Type NAME = item1, item2,…

or

Alias_Type NAME = item1, item2, item3: NAME = item4, item5

Alias type (Alias_Type): there are four alias types

  • Host_Alias defines a host alias;
  • User_Alias defines a user alias; members can be users or user groups (preceded by %);
  • Runas_Alias defines a runas alias; this alias specifies the "destination user", that is, the user that sudo allows switching to;
  • Cmnd_Alias defines a command alias;

NAME is the alias. NAME consists of capital letters, underscores and digits, and must start with a capital letter. For example, SYNADM, SYN_ADM or SYNAD0 are legal, but sYNAMDA or 1SYNAD are illegal.

Item, translated literally, is an entry; here we can call it a member. If there are several members under one alias, they are separated by half-width commas. Members must be valid and must actually exist. What counts as valid? For a host name, you can see the host name (or IP address) a user logged in from through w; if you are only operating on the local machine, the hostname command is enough. A user name must exist in the system, that is, in /etc/passwd. For a command alias, the member must be a file that actually exists in the system, given by its absolute path.

Item members are constrained by the alias type Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias: the type of alias being defined determines what kind of member it accepts. When we use Host_Alias to define a host alias, the members must be host-related, such as a host name (including the host name of a remote login), an IP address (a single address or a whole segment), a netmask, and so on; when a user is logged in, the w command shows the host information of logged-in users. When using User_Alias and Runas_Alias, members must be system users. When using Cmnd_Alias to define an alias for commands, members must be files that exist in the system; the file name may use wildcards, and an absolute path is required when configuring a Cmnd_Alias.

Runas_Alias and User_Alias are somewhat similar, but they are definitely not the same concept. Runas_Alias defines the users that a system user may switch identity to through sudo; we will explain this with examples in the authorization rules.

An alias rule occupies one line. If an alias rule does not fit on one line, you can use \ to continue it; several aliases of the same type can also be defined at once, separated by :

Host_Alias HT01=localhost,st05,st04,10.0.0.4,255.255.255.0,192.168.1.0/24

Note: this defines the host alias HT01 and lists its members.

Host_Alias HT02=st09,st10

Note: host alias HT02, with two members.

Host_Alias HT01=localhost,st05,st04,10.0.0.4,255.255.255.0,192.168.1.0/24:HT02=st09,st10

The above two host definitions can be written as one line, with the aliases separated by :

Note: When we define a host alias through Host_Alias, an item can be a host name, a single IP address (a whole address segment is also possible), or a netmask. If it is a host name, the machine must be on a network of several machines, and these machines must be able to reach each other by host name for the rule to be effective. What counts as reaching each other by host name? For example, pinging the host name, or remotely accessing the host by its name. In our local area network, if computers are to reach each other by host name, /etc/hosts and /etc/resolv.conf must be set up, and there must be a DNS for resolution; otherwise they cannot be reached by host name. When one of the items in a host alias is a host name, you can use the hostname command to see the local host's name, and the w command to see the host each login came from (the FROM column), confirming the host name or IP address of the other clients. The definition of host aliases looks a bit complicated, but it is actually very simple.

If you do not understand what Host_Alias is, you can simply use ALL in the authorization rules to match every possible host, without setting any host alias. If you understand host matters well, it is worth learning more.

User_Alias SYSAD=beinan,linuxsir,bnnnb,lanhaitun

Defines a user alias with four members; they must exist in the system.

User_Alias NETAD=beinan,bnnb

Defines the user alias NETAD; I want the users under this alias to manage the network, hence the name NETAD.

User_Alias WEBMASTER=linuxsir

Defines the user alias WEBMASTER; I want the user under this alias to manage the web site.

User_Alias SYSAD=beinan,linuxsir,bnnnb,lanhaitun:NETAD=beinan,bnnb:WEBMASTER=linuxsir

The three alias definitions above can be written as this single line. Compare it with the earlier description; is it consistent?

Cmnd_Alias USERMAG=/usr/sbin/adduser,/usr/sbin/userdel,/usr/bin/passwd [A-Za-z]*,/bin/chown,/bin/chmod

The members under a command alias must be absolute paths of files or directories.

Cmnd_Alias DISKMAG=/sbin/fdisk,/sbin/parted
Cmnd_Alias NETMAG=/sbin/ifconfig,/etc/init.d/network
Cmnd_Alias KILL=/usr/bin/kill
Cmnd_Alias PWMAG=/usr/sbin/reboot,/usr/sbin/halt
Cmnd_Alias SHELLS=/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh

This command alias definition is a bit long, so the line is broken with \;

Cmnd_Alias SU=/usr/bin/su,/bin,/sbin,/usr/sbin,/usr/bin

In the example above there are command alias definitions for KILL and PWMAG; we can merge them into one line, which is equivalent:

Cmnd_Alias KILL=/usr/bin/kill:PWMAG=/usr/sbin/reboot,/usr/sbin/halt

This line defines the command aliases KILL and PWMAG; combining the two alias definitions in one line is also allowed.

Runas_Alias OP=root, operator
Runas_Alias DBADM=mysql:OP=root, operator

The second line is equivalent to the two separate definitions; as for how to understand Runas_Alias, we must look at the examples in the authorization rules.

Authorization rules in /etc/sudoers:

Authorization rules are the rules that actually assign permissions. The alias definitions discussed earlier mainly exist so that authorization rules can refer to them conveniently; if there are only a few users in the system and the permissions being handed out are limited, you need not define aliases and can authorize system users directly, so aliases are not necessary in authorization rules.

Authorization rules are not written arbitrarily. We only cover the basics and the simpler forms; if you want to learn more about authorization rules, refer to man sudoers. The basic form is:

authorized user host=command action

These three elements are indispensable, but you can also specify, before the command action, which user to switch to; that user is enclosed in (). If the command is to run without asking for a password, add the NOPASSWD: tag. Both of these can be omitted. Some examples:

Example 1:

beinan ALL=/bin/chown,/bin/chmod

If we add this line to /etc/sudoers, it means that beinan, on any host with any possible host name, can switch to the root user to execute the /bin/chown and /bin/chmod commands; sudo -l shows the commands beinan is allowed and prohibited to run on this host.

It is worth noting that for the /bin/chown and /bin/chmod commands the user to switch to is omitted here; when omitted, the default is to switch to root. Likewise, whether beinan must enter a password is omitted; when omitted, the default is that the password is required.

To explain this in more detail, we can write out a more complete form:

authorized user host=[(user or group to switch to)] [whether a password is required] command 1,[(user or group to switch to)] [whether a password is required] [command 2],[(user or group to switch to)] [whether a password is required] [command 3]...

Anything in [] can be omitted; commands are separated by commas. Through the examples in this article you can compare which parts are omitted and where spaces are needed.

In [(user or group to switch to)], if omitted, the default is root; if it is ALL, any user can be switched to. Note that the destination user must be enclosed in (), such as (ALL) or (beinan).
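Because visudo only reports mistakes at the moment of saving, it helps to check a fragment before it goes anywhere near /etc/sudoers. The shell example below (added here, not from the original article) applies the rules stated above, alias names must start with a capital letter and use only capitals, digits and underscores, command members must be absolute paths, a rule needs "user host" before the =, to a fragment written in a temporary file, and then hands the file to sudo's own parser with visudo -c -f when visudo is installed. The sample fragments are constructed from the article's own aliases and users; the lint is deliberately simple and does not handle colons inside alias members.

```shell
#!/bin/sh
# Added example, not from the original article: lint a sudoers fragment before
# installing it, then let visudo -c -f parse it with sudo's own grammar.

# Constructed fragment that follows the rules described in the text.
GOOD_FRAGMENT='User_Alias SYSADER=beinan,linuxsir,%beinan
Runas_Alias OP=root
Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,\
    /usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk
SYSADER ALL=SYDCMD,DSKCMD
lanhaitun ALL=(OP) NOPASSWD: DSKCMD
%beinan ALL=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk'

# Constructed fragment with three mistakes: lower-case alias name, a command
# member given without its absolute path, and a bare command in a rule.
BAD_FRAGMENT='User_Alias sysad=beinan
Cmnd_Alias NET=ifconfig,/etc/init.d/network
beinan ALL=chown'

# Print one message per problem; exit 1 if any problem was found.
lint_sudoers() {
    awk '
    function err(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; errors++ }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }        # "\" continues the rule
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ || line ~ /^Defaults/ { next }   # comments, blanks, Defaults
    line ~ /^(Host|User|Runas|Cmnd)_Alias[ \t]/ {
        type = line; sub(/_Alias.*/, "", type)
        rest = line; sub(/^[A-Za-z]+_Alias[ \t]+/, "", rest)
        n = split(rest, defs, /[ \t]*:[ \t]*/)            # NAME=... : NAME=...
        for (i = 1; i <= n; i++) {
            eq = index(defs[i], "=")
            if (eq == 0) { err("alias definition without =: " defs[i]); continue }
            name = substr(defs[i], 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name !~ /^[A-Z][A-Z0-9_]*$/) err("invalid alias name: " name)
            if (type != "Cmnd") continue
            m = split(substr(defs[i], eq + 1), items, /,/)
            for (j = 1; j <= m; j++) {
                it = items[j]; sub(/^[ \t]*/, "", it); sub(/^!/, "", it); sub(/[ \t]+$/, "", it)
                if (it !~ /^\// && it != "ALL" && it !~ /^[A-Z][A-Z0-9_]*$/)
                    err("command member is not an absolute path: " it)
            }
        }
        next
    }
    {   # everything else must be an authorization rule: user host=[(runas)] [TAG:] cmd,...
        eq = index(line, "=")
        if (eq == 0) { err("rule without =: " line); next }
        lhs = substr(line, 1, eq - 1); sub(/^[ \t]+/, "", lhs); sub(/[ \t]+$/, "", lhs)
        if (split(lhs, t, /[ \t]+/) != 2) err("expected \"user host\" before =: " lhs)
        m = split(substr(line, eq + 1), cmds, /,/)
        for (j = 1; j <= m; j++) {
            c = cmds[j]; sub(/^[ \t]*/, "", c)
            sub(/^\([^)]*\)[ \t]*/, "", c)                            # strip (target user)
            while (c ~ /^[A-Z]+:[ \t]*/) sub(/^[A-Z]+:[ \t]*/, "", c)  # strip NOPASSWD: etc.
            sub(/^!/, "", c); sub(/[ \t]+$/, "", c)
            if (c !~ /^\// && c != "ALL" && c !~ /^[A-Z][A-Z0-9_]*$/)
                err("command is neither an absolute path nor an alias: " c)
        }
    }
    END { exit (errors > 0) }
    ' "$1"
}

# Lint first; if that passes and visudo is available, run the authoritative check.
check_sudoers_fragment() {
    lint_sudoers "$1" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; only the lint ran"
    fi
}

main() {
    good=$(mktemp); bad=$(mktemp)
    printf '%s\n' "$GOOD_FRAGMENT" > "$good"
    printf '%s\n' "$BAD_FRAGMENT" > "$bad"
    echo "== well-formed fragment =="; check_sudoers_fragment "$good" && echo "accepted"
    echo "== broken fragment ==";      check_sudoers_fragment "$bad" || echo "rejected"
    rm -f "$good" "$bad"
}
main
```

Only visudo knows sudo's full grammar, so the lint is a fast first filter, not a replacement; its value is that it catches the most common slips named in the text before a file is handed to visudo at all.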

Example 2:

beinan ALL=(root) /bin/chown, /bin/chmod

If we remove the line from the first example and replace it with this line, it means that beinan, on any host with any possible host name, can switch to root to execute /bin/chown, and can switch to any user to execute the /bin/chmod command; sudo -l shows the commands beinan is allowed and forbidden to run on this host.

Example 3:

beinan ALL=(root) NOPASSWD: /bin/chown,/bin/chmod

What if we change it to this example? It means that beinan, on any host with any possible host name, can switch to root to execute /bin/chown without entering beinan's own password; and can switch to any user to execute the /bin/chmod command, but when executing chmod, beinan must enter his own password. sudo -l shows the commands beinan is allowed and prohibited to run on this host.

Regarding whether a command action requires a password: by default the system requires the user's password, unless it is explicitly stated that the user need not enter it, which is done by adding the NOPASSWD: tag before the command.

Some readers may not know the system management commands or their usage, which affects their understanding of the sudoers definitions. Let us give another example, one of the simplest and most useful;

Example four:

For example, when we want to view the contents of the /etc/shadow file with more as the ordinary user beinan, the following happens:

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Permission denied

At this point we could use sudo more /etc/shadow to read the file, but beinan must first be authorized in /etc/sudoers.

So we first su to the root user and change /etc/sudoers through visudo (suppose we are logged in as beinan):

[beinan@localhost ~]$ su
[root@localhost beinan]# visudo

Add the following line, then save and exit; visudo uses the vi editor, and I will not say much about the usage of vi here:

beinan ALL=/bin/more

This means beinan can switch to root and execute more to view files.

Return to the user beinan with the exit command:

[root@localhost beinan]# exit
exit
[beinan@localhost ~]$

Check which commands beinan can execute through sudo.

Finally, let us see whether the user beinan can now see the contents of /etc/shadow:

[beinan@localhost ~]$ sudo more /etc/shadow

beinan can not only see the contents of /etc/shadow but also the contents of any other file that only root can read, for example:

[beinan@localhost ~]$ sudo more /etc/gshadow

If I do not want beinan to read every system file, but only the contents of /etc/shadow, I can use the following line instead:

beinan ALL=/bin/more /etc/shadow

Digression: some readers will say that by switching to root via su they can see everything they want anyway. Yes, but are we not discussing the usage of sudo? If a host has several users who do not know the root password but need to view some files they cannot otherwise see, then the administrator's authorization is required; this is the benefit of sudo.

Example 5: Practice user group writing in /etc/sudoers;

If a user group appears in /etc/sudoers, add a % sign in front of it, such as %beinan, with no space.

%beinan ALL=/usr/sbin/*,/sbin/*

If we add the above line to /etc/sudoers, it means that all members of the beinan user group, on all possible hosts, can switch to the root user to run every command in the /usr/sbin and /sbin directories.

Example 6: Practice excluding certain programs;

To exclude a certain program, add a ! sign in front of the command; this example also uses the wildcard character *.

beinan ALL=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk

Add this rule to /etc/sudoers; the user group beinan must exist, and beinan is also a member of this group.

This rule means that the beinan user can run all programs under /usr/sbin and /sbin on all possible hosts, except the fdisk program:

[beinan@localhost ~]$ sudo -l
(root) /usr/sbin/*
(root) /sbin/*
(root) !/sbin/fdisk
[beinan@localhost ~]$ sudo /sbin/fdisk -l
Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

Example 7: Practice using aliases;

Suppose we have a host named localhost (as shown by hostname); we will not define a host alias here, and use ALL to match all possible host names. There are the users beinan, linuxsir and lanhaitun. Small examples give a better understanding: although sudo is simple and easy to use, the description alone is hard to follow; the best way is to look at more examples and at man sudoers.

User_Alias SYSADER=beinan,linuxsir,%beinan
User_Alias DISKADER=lanhaitun
Runas_Alias OP=root
Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk

SYSADER ALL= SYDCMD,DSKCMD
DISKADER ALL=(OP) DSKCMD

The first line defines the user alias SYSADER, whose members are beinan, linuxsir and the beinan user group; a user group must be preceded by the % sign.

The second line defines the user alias DISKADER, whose member is lanhaitun. The third line defines the Runas alias, that is, the target user alias OP, whose member is root.

The fourth line defines the command alias SYDCMD; its members are separated by commas, and the last member, !/usr/bin/passwd root, means that passwd cannot be used to change the root password.

The fifth line defines the command alias DSKCMD, whose members are parted and fdisk.

The sixth line means that all members of SYSADER are authorized, on all possible hosts, to run the commands defined under SYDCMD and DSKCMD, with the exclusions those aliases contain. More specifically, beinan, linuxsir and the members of the beinan user group can run chown, chmod, adduser and passwd as root, but cannot change the root password; they can also run parted and fdisk as root.

The seventh line means that all members of DISKADER are authorized to run DSKCMD as the OP user; more specifically, lanhaitun can run the parted and fdisk commands as root. The equivalent rule is:

lanhaitun ALL=(root) /sbin/parted,/sbin/fdisk

Some may ask: I want to switch to root and run the commands under SYDCMD and DSKCMD without entering my own password; where should NOPASSWD: go? The following example shows it:

SYSADER ALL=NOPASSWD: SYDCMD, NOPASSWD: DSKCMD

Other items in /etc/sudoers not covered here;

The authorization rules also have the NOEXEC: and EXEC: tags; check man sudoers yourself to understand them. The use of wildcards in rules is also worth knowing. We will not say more about these, since this is only an introductory document. The sudoers configuration file is as simple or as difficult as your application makes it.

The usage of sudo

The ultimate purpose of the /etc/sudoers rules discussed above is to let a user invoke sudo, which reads the configuration file, matches the rules and grants the authorization, so that the user can execute commands under another identity and complete tasks that his own authority cannot.

We only cover the simplest usage; for more details, refer to man sudo.

sudo [options] command
  • -l lists the commands the user is allowed and forbidden to run on this host; generally, after configuring /etc/sudoers, use this to check and test whether the configuration is correct;
  • -v validates and refreshes the user's timestamp; once a user has run sudo and entered his password, he can run further sudo commands for a short time without entering the password again; -v extends that period;
  • -u runs the command as the specified user;
  • -K removes the timestamp, so the next sudo command requires the user to provide a password again;

For example, first we use visudo to modify the /etc/sudoers file and add the following line:

beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

Then list the commands the beinan user is allowed and forbidden to run through sudo on this host:

[beinan@localhost ~]$ sudo -l

This lists the allowed and prohibited commands, with the user they run as, for the current user on this host:

  • User beinan may run the following commands on this host:
  • (root) /bin/chown: can switch to root and use the chown command;
  • (root) /bin/chmod: can switch to root and use the chmod command;
  • (root) /usr/sbin/adduser: can switch to root and use the adduser command;
  • (root) /usr/bin/passwd [A-Za-z]*: can switch to root and use the passwd command;
  • (root) !/usr/bin/passwd root: can switch to root, but cannot execute passwd root to change the root password;
  • (root) /sbin/parted: can switch to root and execute parted;
  • (root) /sbin/fdisk: can switch to root and execute fdisk;

After listing the available commands with sudo -l, I want to change the owner of the /opt directory to beinan with the chown command.

Check the owner of /opt:

[beinan@localhost ~]$ ls -ld /opt
drwxr-xr-x 26 root root 4096 October 27 10:09 /opt

Change the owner and group to beinan through chown:

[beinan@localhost ~]$ sudo chown beinan:beinan /opt
[beinan@localhost ~]$ ls -ld /opt
drwxr-xr-x 26 beinan beinan 4096 October 27 10:09 /opt

We saw above that the beinan user can switch to root and execute the passwd command to change user passwords, but the sudo -l output also says that the root password cannot be changed; that is, apart from root's password, beinan can change the passwords of other users. Let us test this.

An ordinary user can change only his own password, not the passwords of other users; but by switching to root to execute the command, the passwords of other users can be changed.

For example, there is a user linuxsir in the system, and we try to change that user's password. Running passwd directly, without sudo, to change the linuxsir user's password:

[beinan@localhost ~]$ passwd linuxsir
passwd: Only root can specify a user name.

It fails; the prompt says only root can do this.

[beinan@localhost ~]$ sudo passwd linuxsir

Through the definition in /etc/sudoers, beinan switches to root and executes the passwd command to change linuxsir's password.

whoami
Stefan Pejcic