20180921 su and sudo commands, restrict root user to log in remotely through ssh

su command

User switching.

su  # Switch to root
su username   # Switch to username user
# With a hyphen (su -) a login shell is started, so the target user's environment (HOME, PATH, profile) is loaded instead of keeping the current user's
su - username

# Run a single command as a specified user
su - -c "touch /tmp/testfile02.txt" test06   # Creates /tmp/testfile02.txt as user test06

[root@centos01 ~]# su - -c "touch /tmp/testfile02.txt" test06
[root@centos01 ~]# ls -lt /tmp
total 124
-rw-rw-r--. 1 test06 test06      0 Sep 21 09:04 testfile02.txt

# When the user to be switched to has no home directory
[root@centos01 ~]# useradd -M test08  # Create user test08 without a home directory
[root@centos01 ~]# su - test08  # Switching to test08 now produces the following warning
su: warning: cannot change directory to /home/test08: No such file or directory
-bash-4.2$ pwd
/root
-bash-4.2$ logout
[root@centos01 ~]# id test08
uid=1006(test08) gid=1007(test08) groups=1007(test08)
[root@centos01 ~]# mkdir /home/test08  # Create home directory for test08
[root@centos01 ~]# chown 1006:1007 /home/test08  # Set the owner and group of the home directory
[root@centos01 ~]# ls -l /home/test08 -d
drwxr-xr-x. 2 test08 test08 6 Sep 21 09:14 /home/test08
[root@centos01 ~]# su - test08 # Switch again; the prompt is still the fallback -bash-4.2$ because the shell configuration files are missing
Last login: Fri Sep 21 09:13:05 CST 2018 on pts/0
-bash-4.2$ pwd
/home/test08
-bash-4.2$ ls
-bash-4.2$ ls -a
.  ..
[root@centos01 ~]# ls /etc/skel/ -la  # The system's skeleton (template) shell configuration files
total 24
drwxr-xr-x.  2 root root   59 Sep  7 09:48 .
drwxr-xr-x. 73 root root 8192 Sep 21 09:22 ..
-rw-r--r--.  1 root root   18 Jun 10  2014 .bash_logout
-rw-r--r--.  1 root root  193 Jun 10  2014 .bash_profile
-rw-r--r--.  1 root root  231 Jun 10  2014 .bashrc
[root@centos01 ~]# cp /etc/skel/.bash* /home/test08/  # Copy the template to test08 directory
[root@centos01 ~]# id test08
uid=1006(test08) gid=1007(test08) groups=1007(test08)
[root@centos01 ~]# chown test08:test08 -R /home/test08/  # Make test08 the owner of the copied profile files
[root@centos01 ~]# su - test08  # Switch again, OK
Last login: Fri Sep 21 09:16:37 CST 2018 on pts/0
[test08@centos01 ~]$   # The prompt of an ordinary user ends with $, root's ends with #

sudo command

When you use su to switch to root, you have to enter the root user's password, which means sharing it with every person who needs root; that is not safe, so there is the sudo command. sudo lets an ordinary user run a command temporarily as a specified user after authenticating with their own password.
Open sudo's configuration file (/etc/sudoers) with visudo. Do not open it directly with vi: visudo checks the syntax before saving, whereas a syntax error written with vi is not caught and breaks sudo for everyone.
Open the configuration file and find the line root ALL=(ALL) ALL

root is the user the rule grants sudo permission to. The first ALL (left of =) is the hosts on which the rule applies; the (ALL) in parentheses is the set of users whose identity the command may be run as.
The third field is the list of commands that may be run with sudo; ALL means all commands.

Add a similar line for another user below it to give that user sudo permission, restricted to the listed commands:
test08 ALL=(ALL) /usr/bin/ls, /usr/bin/cat

[root@centos01 ~]# visudo # Add test08 ALL=(ALL) /usr/bin/ls, /usr/bin/cat
[root@centos01 ~]# su - test08 # Switch to test08
Last login: Sat Sep 22 05:27:12 CST 2018 on pts/1
[test08@centos01 ~]$ ls /root/  # No authority
ls: cannot open directory /root/: Permission denied
[test08@centos01 ~]$ sudo ls /root/  

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for test08:  # When using sudo for the first time after login, you need to enter your own password
anaconda-ks.cfg  a.txt  d0917  link_test  s_link0.log  test.txt
[test08@centos01 ~]$ sudo ls /root/  # Within sudo's credential timeout no password is asked again
anaconda-ks.cfg  a.txt  d0917  link_test  s_link0.log  test.txt

To allow sudo without a password prompt, add the NOPASSWD: tag before the command list: test07 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/cat

[root@centos01 ~]# visudo # Add test07 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/cat
[root@centos01 ~]# su - test07
[test07@centos01 ~]$ sudo ls /root
anaconda-ks.cfg  a.txt  d0917  link_test  s_link0.log  test.txt

Restrict the root user to log in remotely through ssh:

The corresponding configuration file is /etc/ssh/sshd_config. Change the line PermitRootLogin yes to PermitRootLogin no in that file, and then restart the ssh service with systemctl restart sshd.service
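The two edits above (a sudoers rule and the PermitRootLogin change) are usually scripted on more than one host, so here is an added example, not part of the original post, that does them safely in plain sh: it sets PermitRootLogin no idempotently (sshd honours the first active line, so all copies are replaced by one), and it audits sudoers-style lines for NOPASSWD: ALL grants, which are root-equivalent without a password. The file paths, sample contents and function names are constructed for the example; on a real host point it at /etc/ssh/sshd_config and run sshd -t before the restart.

```shell
#!/bin/sh
# Added example (not from the original post). Runs against constructed files,
# so no root is needed; on a real host use /etc/ssh/sshd_config and validate
# with `sshd -t` before `systemctl restart sshd.service`.
set -eu

# Print the effective value of a directive: sshd uses the first active line.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Replace every active or commented line for the key with one "key value"
# line, or append it when absent. Writes via a temp file (no sed -i, portable).
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        tolower(f[1]) == tolower(key) { if (!done) print key, value; done = 1; next }
        { print }
        END { if (!done) print key, value }' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# List users whose sudoers line grants NOPASSWD: ALL (passwordless, any command).
# Expected line shape is the one used above: user host=(runas) [NOPASSWD:] cmds
nopasswd_all_users() {
    awk '!/^[ \t]*(#|$)/ && /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }' "$1"
}

# Demo on constructed sample files (not copied from any real host).
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin yes\nPermitRootLogin yes\nPort 22\n' > "$d/sshd_config"
    printf 'root ALL=(ALL) ALL\ntest08 ALL=(ALL) /usr/bin/ls, /usr/bin/cat\n' > "$d/sudoers"
    printf 'test07 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/cat\n' >> "$d/sudoers"
    printf 'ops ALL=(ALL) NOPASSWD: ALL\n' >> "$d/sudoers"
    set_sshd_option "$d/sshd_config" PermitRootLogin no
    echo "PermitRootLogin is now: $(get_sshd_option "$d/sshd_config" PermitRootLogin)"
    echo "NOPASSWD: ALL granted to: $(nopasswd_all_users "$d/sudoers")"
    rm -rf "$d"
}
demo
```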

Added by fluteflute on Fri, 27 Dec 2019 22:47:54 +0200