Sudo/ko

The sudo command provides a simple and secure way to configure privilege escalation, e.g. letting normal users to execute certain (or all) commands as root or some different user, possibly without giving a password.

When you want some people to perform certain administrative steps on your system without granting them total root access, using sudo is your best option. With sudo you can control who can do what. This guide offers you a small introduction to this wonderful tool.

권한 부여
The  package allows the system administrator to grant permission to other users to execute one or more applications they would normally have no right to. Unlike using the setuid bit on these applications  gives a more fine-grained control on who can execute a certain command and when.

With  you can make a clear list who can execute a certain application. If you would set the setuid bit, any user would be able to run this application (or any user of a certain group, depending on the permissions used). You can (and probably even should) require the user to provide a password when he wants to execute the application.

활동 기록
One additional advantage of  is that it can log any attempt (successful or not) to run an application. This is very useful if you want to track who made that one fatal mistake that took you 10 hours to fix :)

sudo 설정
The  configuration is managed by the  file. This file should never be edited through  or   or any other editor you might like. When you want to alter this file, you should use.

This tool makes sure that no two system administrators are editing this file at the same time, preserves the permissions on the file and performs some syntax checking to make sure you make no fatal mistakes in the file.

안내서 정보
This guide is meant as a quick introduction. The  package is a lot more powerful than what is described in this guide. It has special features for editing files as a different user, running from within a script (so it can background, read the password from standard in instead of the keyboard, ...), etc.

Please read the  and   manual pages for more information.

기본 문법
The most difficult part of  is the  syntax. The basic syntax is like so:

This syntax tells  that the user, identified by user and logged in on the system host can execute any of the commands listed in commands as the root user. A more real-life example might make this more clear: allow the user swift to execute  if he is logged in on localhost:

The user name can also be substituted with a group name - in this case you should start the group name with a  sign. For instance, to allow any one in the  group to execute   :

You can extend the line to allow for several commands (instead of making a single entry for each command). For instance, to allow the same user to not only run  but also   and   as root:

You can also specify a precise command and not only the tool itself. This is useful to restrict the use of a certain tool to a specified set of command options. The  tool allows shell-style wildcards (AKA meta or glob characters) to be used in pathnames as well as command line arguments in the sudoers file. Note that these are not regular expressions.

시험을 위해 다음 명령을 입력해보겠습니다:

The password that  requires is the user's own password. This is to make sure that no terminal that you accidentally left open to others is abused for malicious purposes.

You should know that  does not alter the   variable: any command you place after   is treated from your environment. If you want the user to run a tool in for instance he should provide the full path to  , like so:

LDAP 기본 문법
The following use flag is needed for the LDAP support.

When using sudo with LDAP, sudo will read configuration from LDAP Server as well. So you will need to edit two files.

{{FileBox|filename=/etc/ldap.conf.sudo|title=Please chmod 400 when done|1= host ldap.example.com port 389 base dc=example,dc=com uri ldap://ldap.example.com/ ldap_version 3 sudoers_base ou=SUDOers,dc=example,dc=com bind_policy soft }}
 * 1) See ldap.conf(5) and README.LDAP for details
 * 2) This file should only be readable by root
 * 1) supported directives: host, port, ssl, ldap_version
 * 2) uri, binddn, bindpw, sudoers_base, sudoers_debug
 * 3) tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
 * 1) uri ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock
 * 1) ssl start_tls
 * 1) sudoers_debug 2

또한 sudo 에 다음 LDAP 항목을 추가해야 합니다.

sudoer LDAP 설정은 다른 설정을 하는 파일과 비슷합니다. 아래 링크에 있는 sudo LDAP 글을 더 읽어보십시오.

alias (to make a good distinction between aliases and non-aliases it is recommended to use capital letters for aliases). As you might undoubtedly have guessed, the  alias is an alias to all possible settings.

A sample use of the  alias to allow any user to execute the   command if he is logged on locally is:

Another example is to allow the user  to execute the   command as root, regardless of where he is logged in from:

More interesting is to define a set of users who can run software administrative applications (such as  and   ) on the system and a group of administrators who can change the password of any user, except root!

비 루트 실행
It is also possible to have a user run an application as a different, non-root user. This can be very interesting if you run applications as a different user (for instance  for the web server) and want to allow certain users to perform administrative steps as that user (like killing zombie processes).

Inside you list the user(s) in between   and   before the command listing:

For instance, to allow  to run the   tool as the   or   user:

With this set, the user can run  to select the user he wants to run the application as:

You can set an alias for the user to run an application as using the  directive. Its use is identical to the other  directives we have seen before.

암호 및 기본 설정
By default,  asks the user to identify himself using his own password. Once a password is entered,  remembers it for 5 minutes, allowing the user to focus on his tasks and not repeatedly re-entering his password.

Of course, this behavior can be changed: you can set the  directive in  to change the default behavior for a user.

기본 5분값을 0(기억하지 않음)으로 바꾸려면:

A setting of  would remember the password indefinitely (until the system reboots).

A different setting would be to require the password of the user that the command should be run as and not the users' personal password. This is accomplished using. In the following example we also set the number of retries (how many times the user can re-enter a password before  fails) to   instead of the default 3:

Another interesting feature is to keep the  variable set so that you can execute graphical tools:

You can change dozens of default settings using the  directive. Fire up the  manual page and search for.

If you however want to allow a user to run a certain set of commands without providing any password whatsoever, you need to start the commands with , like so:

권한 확인
자신의 권한을 알아보려면 를 실행하십시오:

If you have any command in that does not require you to enter a password, it will not require a password to list the entries either. Otherwise you might be asked for your password if it isn't remembered.

암호 입력 시간 초과 미리 기록
기본적으로 사용자가 로 자신의 암호로 진입하면 5초간 기억합니다. 사용자가 이 기간보다 더 길게 세션을 유지하길 바란다면 에서 암호를 다시 묻기 전에   명령을 실행하여 타임 스탬프를 다시 설정하고, 5분을 다시 세도록 할 수 있습니다.

반대로,  명령으로 타임스탬프를 없앨 수 있습니다.

Bash 명령 완성
sudo에 bash 명령 완성 기능을 사용하려는 사용자는 다음 명령을 한번 실행하십시오.

Z쉘 명령 완성
sudo에 zsh 명령 완성 기능을 사용하려는 사용자는 와 에 각각 다음 내용을 설정할 수 있습니다

위 내용으로 바꾸면,, , 위치에 있는 값은 'sudo' 다음에 놓은 명령에 대한 명령 완성 기능을 쉘에서 사용할 수 있습니다.