Merge pull request #30637 from wxy/20231205-7-Sudo-Tips-and-Tweaks-for-Linux-Users

ATRP:published/20231205 7 Sudo Tips and Tweaks for Linux Users.md
Xingyu.Wang 2023-12-15 14:08:53 +08:00 committed by GitHub
commit 8086b512d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 265 additions and 302 deletions


@ -0,0 +1,265 @@
[#]: subject: "7 Sudo Tips and Tweaks for Linux Users"
[#]: via: "https://itsfoss.com/sudo-tips/"
[#]: author: "Abhishek Prakash https://itsfoss.com/author/abhishek/"
[#]: collector: "lujun9972/lctt-scripts-1700446145"
[#]: translator: "ChatGPT"
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-16472-1.html"
Linux 用户的 7 个 Sudo 技巧和改进
======
![][0]
> 用这些技巧释放 sudo 的力量 💪
你应该熟悉 sudo 吧?肯定有过使用的经验。
对多数 Linux 用户来说,`sudo` 就像一个神器,赋予了他们作为 root 用户执行任意命令或切换到 root 用户身份的能力。
其实这只掌握了一半的真相。`sudo` 绝非仅仅只是一条命令,**`sudo` 是一款你可以根据需求和偏好去定制的工具**。
Ubuntu、Debian 以及其他的发行版在默认的配置下,赋予了 `sudo` 以 root 用户的身份执行任意命令的权限。这让很多用户误以为 `sudo` 就像一个魔法开关,瞬间可以获取到 root 权限。
**比如说,系统管理员可以设置成只有属于特定的 `dev` 组的部分用户才能用 `sudo` 来执行 `nginx` 命令。这些用户将无法用 `sudo` 执行任何其他命令或切换到 root 用户。**
如果你对此感到惊讶,那很可能是你一直在使用 `sudo`,但对其底层的工作原理并没有太多了解。
在这个教程中,我并不会解释 `sudo` 是如何运作的,这个主题我会在另一天讲解。
在这篇文章中,你将看到 `sudo` 的不同特性可以如何被调试和改进。有些可能真的很有用,有些可能完全没什么帮助,但是挺有趣。
> 🚧 请不要随意去尝试所有提到的改进。如果处理不慎,你可能会遭遇无法运行 `sudo` 的混乱状态。在大多数情况下,平静阅读并知道这些就好。如果你决定尝试一些改进步骤,[请先备份你的系统设置][1],这样在需要的时候能把事情恢复到正常。
### 1、编辑 sudo 配置时,请始终使用 visudo
`sudo` 命令是通过 `/etc/sudoers` 文件进行配置的。
虽然你可以用你最喜欢的 [终端文本编辑器][2] 编辑这个文件,比如 Micro、NeoVim 等,但你**千万不要**这么做。
为什么这么说呢?因为该文件中的任何语法错误都会让你的系统出问题,导致 `sudo` 无法工作。这可能会使得你的 Linux 系统无法正常使用。
你只需要这样使用即可:
```
sudo visudo
```
传统上,`visudo` 命令会在 Vi 编辑器中打开 `/etc/sudoers` 文件。如果你用的是 Ubuntu那么会在 Nano 中打开。
![][3]
这么做的好处在于,**visudo 会在你试图保存更改时执行语法检查**。这能确保你不会因为语法错误而误改 `sudo` 配置。
![visudo 在保存到 sudoers 文件的变更前检查语法][4]
好了!现在你可以看看 `sudo` 配置的一些改变。
> 💡 我建议你备份 `/etc/sudoers` 文件(`sudo cp /etc/sudoers /etc/sudoers.bak`)。这样,如果你不确定你做了哪些更改,或者你想恢复到默认的 sudo 配置,那你可以从备份文件中复制。
### 2、输入 sudo 密码时显示星号
我们的这种输入行为是从 UNIX 系统中继承下来的。当你在终端输入 `sudo` 密码时,屏幕上不会有任何显示。这种缺乏反馈的现象,往往让新的 Linux 用户怀疑自己的系统已经卡住了。
人们常说,这是一项安全功能。或许在上个世纪是这样,但我个人觉得我们没有必要继续这样下去。
不过,一些发行版,如 Linux Mint已经对 `sudo` 进行了优化,当你输入密码时会显示星号。
这样的方式更符合我们的日常经验。
如果想让 `sudo` 输入密码时显示星号,运行 `sudo visudo` 并找到以下行:
```
Defaults env_reset
```
然后将其更改为:
```
Defaults env_reset,pwfeedback
```
![][5]
> 💡 在某些发行版中,比如 Arch你可能找不到 `Defaults env_reset` 这一行。如果这样的话,只需新增一行 `Defaults env_reset, pwfeedback` 就可以了。
现在,当 `sudo` 需要你输入密码时,你会看到输入的密码变成了星号。
![][6]
> ✋ 如果你注意到即使密码正确也无法通过一些图形化应用,如软件中心,那就该撤销这项更改。一些较旧的论坛帖子曾提到过此类问题,虽然我自己还未遇到过。
### 3、增加 sudo 密码超时时限
当你首次使用 `sudo` 时,它会要求输入密码。但在随后相当一段时间里,你使用 `sudo` 执行命令就无需再次输入密码。
我们将这个时间间隔称为 `sudo` 密码超时 (暂且称为 SPT这是我刚刚编的说法请不要真的这样称呼 😁)。
不同的发行版有不同的超时时间。可能是 5 分钟,也可能是 15 分钟。
你可以根据自己的喜好来改变这个设置,设定一个新的 `sudo` 密码超时时限。
像你之前看到的,编辑 `sudoers` 文件,找到含有 `Defaults env_reset` 的行,并在此行添加 `timestamp_timeout=XX`,使其变成如下形式:
```
Defaults env_reset, timestamp_timeout=XX
```
其中 `XX` 是以分钟为单位的超时时长。
如果你还有其他参数,例如你在上一节中看到的星号反馈,它们都可以在一行中组合起来:
```
Defaults env_reset, timestamp_timeout=XX, pwfeedback
```
> 💡 同样地,你还可以控制密码重试的次数上限。使用 `passwd_tries=N` 来修改用户可以输入错误密码的次数。
### 4、在不输入密码的情况下使用 sudo
行!你已经增加了 `sudo` 密码超时时限(或者称之为 SPT。哇塞你还在坚持这个叫法 😛)。
这样很好。我的意思是,毕竟没人愿意每几分钟就输入一次密码。
扩大超时时限是一方面,另一方面则是尽可能不去使用它。
是的,你没听错。你就是可以在无需输入密码的情况下使用 `sudo`
从安全角度来看,这听起来似乎很冒险,对吧?的确如此,但在某些实际情况下,你确实会更青睐无密码的 `sudo`
例如,如果你需要远程管理多台 Linux 服务器,并为了避免总是使用 root你在这些服务器上创建了一些 `sudo` 用户。辛酸的是,你会有太多的密码。而你又不想对所有的服务器使用同一的 `sudo` 密码。
在这种情况下,你可以仅设置基于密钥的 SSH 访问方式,并允许使用无需密码的 `sudo`。这样,只有获得授权的用户才能访问远程服务器,也不用再记住 `sudo` 密码。
我在 [DigitalOcean][7] 上部署的测试服务器上就采用了这种方法,用来测试开源工具和服务。
好处是这可以按用户进行设置。使用以下命令打开 `/etc/sudoers` 文件进行编辑:
```
sudo visudo
```
然后添加如下行:
```
user_name ALL=(ALL) NOPASSWD:ALL
```
当然,你需要将上面行中的 `user_name` 替换为实际的用户名。
保存文件后,你就可以享受无密码的 `sudo` 生活了。
### 5、配置独立的 sudo 日志文件
查阅 syslog 或 journal 日志,我们可以找到关于 `sudo` 的所有条目,但若需要单独针对 `sudo` 的记录,可以专门创建一个自定义的日志文件。例如,选择 `/var/sudo.log` 文件来存储日志。这个新的日志文件无需手动创建,如果不存在,系统会自动生成。
编辑 `/etc/sudoers` 文件,采用 `visudo` 命令,并在其中添加以下内容:
```
Defaults logfile="/var/log/sudo.log"
```
保存该文件后,便可以在其中查看哪些命令在何时、由哪位用户通过 `sudo` 运行了。
![][8]
### 6、限制特定用户组使用 sudo 执行特定命令
这是一种高级解决方案,系统管理员在需要跨部门共享服务器的多用户环境中会使用。
开发者可能会需要以 root 权限运行 Web 服务器或其他程序,但全权给予他们 `sudo` 权限会带来安全风险。我建议在群组级别进行此项操作。例如,创建命名为 `coders` 的群组,并允许它们运行在 `/var/www``/opt/bin/coders` 目录下的命令(或可执行文件),以及 [inxi 命令][9](路径是 `/usr/bin/inxi` 的二进制文件)。这是一个假想情景,实际操作请谨慎对待。
接下来,用 `sudo visudo` 编辑 sudoer 文件,再添加以下行:
```
%coders ALL=(ALL:ALL) /var/www,/opt/bin/coders,/usr/bin/inxi
```
如有需要,可以添加 `NOPASSWD` 参数,这样允许使用 `sudo` 运行的命令就不再需要密码了。
关于 `ALL=(ALL:ALL)` 的详细解读,我们将会在其他文章中进行讲解,毕竟这篇文章已经解释的内容足够多了。
### 7、检查用户的 sudo 权限
好吧,这是个小提示,而不是系统调优技巧。
如何确认一个用户是否具有 `sudo` 权限呢?可能有人会说,查看他们是否是 `sudo` 组的成员。但这并不一定准确,因为有些发行版用的是 `wheel` 代替 `sudo` 分组。
更佳的方法是利用 `sudo` 内建的功能,看看用户具有哪种 `sudo` 权限:
```
sudo -l -U user_name
```
这将显示出用户具有执行部分命令或所有命令的 `sudo` 权限。
![][10]
如你所见,我拥有自定义日志文件、密码反馈以及执行所有命令的 `sudo` 权限。
如果一个用户完全没有 `sudo` 权限,你将看到如下提示:
```
User prakash is not allowed to run sudo on this-that-server.
```
### 🎁 附加内容:输错 sudo 密码时,让系统“侮辱”你
这是个我在文章开头提到的“无用”小调整。
我想你在使用 `sudo` 时肯定曾误输过密码,对吧?
这个小技巧就是,在你每次输错密码时,[让 sudo 抛出随机的“侮辱”][11]。
`sudo visudo` 修改 `sudo` 配置文件,然后添加以下行:
```
Defaults insults
```
修改后,你可以故意输错密码,测试新的设置。
![][12]
你可能在想,谁会喜欢被侮辱呢?**只有粉丝**可以以直白的方式告诉你 😇
### 你是如何运用 sudo 的?
![][13]
我知道定制化的可能性无穷无尽,但其实,一般的 Linux 用户并不会去自定义 `sudo`
尽管如此,我还是热衷于与你分享这些因为你可能会发现一些新奇且实用的东西。
💬 那么,你有发现什么新的东西吗?请在评论区告诉我。你有一些秘密的 `sudo` 技巧欢迎和大家分享!
*题图DA/a12900e5-e197-455e-adfc-0b52e4305b91*
--------------------------------------------------------------------------------
via: https://itsfoss.com/sudo-tips/
作者:[Abhishek Prakash][a]
选题:[lujun9972][b]
译者:[ChatGPT](https://linux.cn/lctt/ChatGPT)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/abhishek/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/backup-restore-linux-timeshift/
[2]: https://itsfoss.com/command-line-text-editors-linux/
[3]: https://itsfoss.com/content/images/2023/02/save-file-in-nano-editor.png
[4]: https://itsfoss.com/content/images/2023/12/visudo-syntax-validation.png
[5]: https://itsfoss.com/content/images/2023/12/sudo-password-feedback.png
[6]: https://itsfoss.com/content/images/2023/12/sudo-password-with-asterisk-display.png
[7]: https://digitalocean.pxf.io/JzK74r
[8]: https://itsfoss.com/content/images/2023/12/sudo-log-file.png
[9]: https://itsfoss.com/inxi-system-info-linux/
[10]: https://itsfoss.com/content/images/2023/12/check-sudo-access.png
[11]: https://itsfoss.com/sudo-insult-linux/
[12]: https://itsfoss.com/content/images/2023/12/sudo-insults.png
[13]: https://itsfoss.com/content/images/2023/12/sudo-meme.png
[0]: https://img.linux.net.cn/data/attachment/album/202312/14/232352wzxtu2pp6dxg4ou4.jpg
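Review bot: The prose and the config disagree on the log path in section 5: the text says 选择 `/var/sudo.log` 文件来存储日志, while the `Defaults logfile="/var/log/sudo.log"` line right below it writes to `/var/log/sudo.log`; the mismatch is inherited from the English source, but the translation should name `/var/log/sudo.log` in the prose so readers look in the right place (and under `/var/log` is where a root-owned audit log belongs). Two smaller points in section 6: the two code spans `/var/www``/opt/bin/coders` are run together with no conjunction between them, so they render as one path; insert `和` between them. In the same section the prose describes the entries as directories, but in sudoers(5) only a path ending in `/` matches every file in a directory, so `/var/www,/opt/bin/coders` as written names two files rather than two directories; since the line is reproduced verbatim from upstream, a short 译注 is preferable to a silent change. Finally, check whether the full-width comma after Latin words was dropped in a few places (e.g. `Ubuntu那么会在`, `Linux Mint已经`, `root你在`).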


@ -1,302 +0,0 @@
[#]: subject: "7 Sudo Tips and Tweaks for Linux Users"
[#]: via: "https://itsfoss.com/sudo-tips/"
[#]: author: "Abhishek Prakash https://itsfoss.com/author/abhishek/"
[#]: collector: "lujun9972/lctt-scripts-1700446145"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
7 Sudo Tips and Tweaks for Linux Users
======
You know sudo, right? You must have used it at some point in the time.
For most Linux users, it is the magical tool that gives you the ability to run any command as root or switch to the root user.
But that's only half-truth. See, sudo is not an absolute command. **sudo is a tool that can be configured to your need and liking**.
Ubuntu, Debian and other distros come preconfigured with sudo in a way that allows to them to run any command as root. That makes many users believe that sudo is some kind of magical switch that instantly gives you the root access.
**For example, a sysadmin can configure it in a way that users that are part of a certain 'dev' group can run only nginx command with sudo. Those users won't be able to run any other command with sudo or switch to root.**
If that surprises you, it's because you might have used sudo forever but never gave much thought about its underlying mechanism.
I am not going to explain how sudo works in this tutorial. I'll keep that for some other day.
In this article, you'll see how different aspects of sudo can be tweaked. Some are useful and some are pretty useless but fun.
🚧
Please do not start following all the mentioned tweaks blindly. You do it wrong and you may end up with a messed up system that cannot run sudo. For most part, just read and enjoy. And if you decide to try some of the tweaks, [make a system settings backup][1] so that you can restore things back to normal.
### 1\. Always use visudo for editing sudo config
The sudo command is configured through the `/etc/sudoers` file.
While you may edit this file with your [favorite terminal-based text editor][2] like Micro, NeoVim etc, you **MUST NOT** do that.
Why? Because any incorrect syntax in this file will leave you with a screwed up system where sudo won't work. Which may render your Linux system useless.
Just use it like this:
```
sudo visudo
```
The `visudo` command traditionally opens the `/etc/sudoers` file in the Vi editor. Ubuntu will open it in Nano.
![][3]
The advantage here is that **visudo performs a syntax check when you try to save your changes**. This ensures that you don't mess up the sudo configuration due to incorrect syntax.
![visudo checks the syntax before saving the changes to the sudoers file][4]
Alright! Now you can see some sudo configuration changes.
💡
I would recommend making a backup of the /etc/sudoers file. So that if you are unsure what changes you made or if you want to revert to the default sudo configuration, you copy it from the backup.
sudo cp /etc/sudoers /etc/sudoers.bak
### 2\. Show asterisks while entering password with sudo
We have this behavior inherited from UNIX. When you enter your password for sudo in the terminal, it doesn't display anything. This lack of visual feedback makes new Linux users think that their system hanged.
Elders say that this is a security feature. This might have been the case in the last century but I don't think we should continue with it anymore. That's just my opinion.
Anyway, some distributions, like Linux Mint, have sudo tweaked in a way that it displays asterisks when you enter the password.
Now that's more in line with the behavior we see everywhere.
To show asterisks with sudo, run `sudo visudo` and look for the line:
```
Defaults env_reset
```
Change it to:
```
Defaults env_reset,pwfeedback
```
![][5]
💡
You may not find the Defaults env_reset line in some distributions like Arch. If that's the case, just add a new line with text Defaults env_reset, pwfeedback
Now, if you try using sudo and it asks for a password, you should see asterisks when you enter the password.
![][6]
If you notice any issues with password not being accepted even when correct with graphical applications like software center, revert this change. Some old forum posts mentioned it. I haven't encountered it though.
### 3\. Increase sudo password timeout
So, you use sudo for the first time and it asks for the password. But for the subsequent commands with sudo, you don't have to enter the password for a certain time.
Let's call it sudo password timeout (or SPT, I just made it up. Don't call it that 😁).
Different distributions have different timeout. It could be 5 minutes or 15 minutes.
You can change the behavior and set a sudo password timeout of your choice.
Edit the sudoer file as you have seen above and look for the line with `Defaults env_reset` and add `timestamp_timeout=XX` to the line so that it becomes this:
```
Defaults env_reset, timestamp_timeout=XX
```
Where XX is the timeout in minutes.
If you had other parameters like the asterisk feedback you saw in the previous section, they all can be combined:
```
Defaults env_reset, timestamp_timeout=XX, pwfeedback
```
💡
Similarly, you can control the password retries limit. Use the passwd_tries=N to change the number of times a user can enter incorrect passwords.
### 4\. Use sudo without password
Alright! So you increased the sudo password timeout (or the SPT. Wow! you are still calling it that 😛).
That's fine. I mean who likes to enter the password every few minutes.
Increasing the timeout is one thing. The other thing is to not use it all.
Yes, you read that right. You can use sudo without entering the password.
That sounds risky from security point of view, right? Well it is but there are genuine cases where you are (productively) better off using sudo without password.
For example, if you manage several Linux servers remotely and you have created sudo users on them to avoid using root all the time. The trouble is that you'll have too many passwords. You don't want to use the same sudo password for all the servers.
In such a case, you can set up only key-based SSH access to the servers and allow using sudo with password. This way, only the authorized user access the remote server and sudo password doesn't need to be remembered.
I do this on the test servers I deploy on [DigitalOcean][7] for testing open source tools and services.
The good thing is that this can be allowed per user basis. Open the `/etc/sudoer` file for editing with:
```
sudo visudo
```
And then add a line like this:
```
user_name ALL=(ALL) NOPASSWD:ALL
```
Of course, you need to replace the `user_name` with actual user name in the above line.
Save the file and enjoy sudo life without passwords.
### 5\. Create separate sudo log files
You can always read the syslog or the journal logs for sudo related entries.
However, if you want a separate entry for sudo, you can create a custom log file dedicated to sudo.
Let's say, you want to use `/var/sudo.log` file for this purpose. You don't need to create the new log file before hand. It will be created for you if it does not exist.
Edit the /etc/sudoers file using visudo and add the following line to it:
```
Defaults logfile="/var/log/sudo.log"
```
Save it and you can start seeing which commands were run by sudo at what time and by what user in this file:
![][8]
### 6\. Only allow a certain commands with sudo to a specific group of users
This is more of an advanced solution that sysadmin use in a multi-user environment where people across departments are working on the same server.
A developer may need to run web server or some other program with root permission but giving them complete sudo access will be a security issue.
While this can be done at user level, I recommend doing it at group level. Let's say you create a group called `coders` and you allow them to run the commands (or binaries) from the `/var/www` and `/opt/bin/coders` directories and the [inxi command][9] (binary `/usr/bin/inxi`).
This is a hypothetical scenario. Please don't take it verbatim.
Now, edit the sudoer file with `sudo visudo` (yeah, you know it by now). Add the following line to it:
```
%coders ALL=(ALL:ALL) /var/www,/opt/bin/coders,/usr/bin/inxi
```
You can add the NOPASSWD parameter if you want so that sudo for the above allowed commands can be run with sudo but without password.
More on ALL ALL ALL in some other article as this one is getting longer than usual anyway.
### 7\. Check the sudo access for a user
Alright! This one is more of a tip than a tweak.
How do you know if a user has sudo access? Check if they are member of the sudo group, you say. But that's not a guarantee. Some distros use wheel group name instead of sudo.
A better way is to use the built-in functionality of sudo and see what kind of sudo access a user has:
```
sudo -l -U user_name
```
It will show if the user has sudo access for some commands or for all commands.
![][10]
As you can see above, it shows that I have a custom log file and password feedback on apart from sudo access for all commands.
If the user doesn't have sudo access at all, you'll see an output like this:
```
User prakash is not allowed to run sudo on this-that-server.
```
### 🎁 Bonus: Let sudo insult you for incorrect password attempts
This one is the 'useless' tweak I mentioned at the beginning of this article.
I guess you must have mistyped the password while using sudo some time in the past, right?
This little [tweak let sudo throw a random insult at you][11] for entering incorrect passwords.
Use `sudo visudo` to edit the sudo config file and add the following line to it:
```
Defaults insults
```
And then you can test the changes by entering incorrect passwords:
![][12]
You may wonder who likes to be insulted? OnlyFans can answer that in a graphic manner 😇
### How do you sudo?
![][13]
I know there is no end to customization. Although, sudo is not something a regular Linux user customizes.
Still, I like to share such things with you because you may discover something new and useful.
💬 _So, did you discover something new? Tell me in the comments, please. And do you have some secret sudo trick up your sleeve? Why not share it with the rest of us?_
--------------------------------------------------------------------------------
via: https://itsfoss.com/sudo-tips/
作者:[Abhishek Prakash][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/abhishek/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/backup-restore-linux-timeshift/
[2]: https://itsfoss.com/command-line-text-editors-linux/
[3]: https://itsfoss.com/content/images/2023/02/save-file-in-nano-editor.png
[4]: https://itsfoss.com/content/images/2023/12/visudo-syntax-validation.png
[5]: https://itsfoss.com/content/images/2023/12/sudo-password-feedback.png
[6]: https://itsfoss.com/content/images/2023/12/sudo-password-with-asterisk-display.png
[7]: https://digitalocean.pxf.io/JzK74r
[8]: https://itsfoss.com/content/images/2023/12/sudo-log-file.png
[9]: https://itsfoss.com/inxi-system-info-linux/
[10]: https://itsfoss.com/content/images/2023/12/check-sudo-access.png
[11]: https://itsfoss.com/sudo-insult-linux/
[12]: https://itsfoss.com/content/images/2023/12/sudo-insults.png
[13]: https://itsfoss.com/content/images/2023/12/sudo-meme.png
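Review bot: Deleting the untranslated copy is the expected half of this move and nothing in this hunk needs changing, but two defects in the removed text are worth recording so they are not reintroduced later: `allow using sudo with password` in section 4 is a typo for `without` (the translation's 无需密码 is the intended reading and should be kept as is), and section 5 names `/var/sudo.log` in the prose but `/var/log/sudo.log` in the `Defaults logfile=` line, an inconsistency the translation inherited.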