A user switch the privilege escalation
Most Linux servers do not recommend users to log in directly as the root user. On the one hand can greatly reduce the damage due to mistaken operations, it also reduces the risk of privileged passwords in an insecure network is compromised. For these reasons, it is necessary to provide a common identity for the user to switch or privilege escalation mechanisms to perform administrative tasks when necessary.
Linux system provides us with su, sudo two kinds of commands, which is mainly used the su command to switch users, while the sudo command to elevate privileges to perform, respectively, are described below.
By default, any user is allowed to use the su command, so that other users have the opportunity to try again and again (as root) login password, which brings security risks. In order to strengthen the su command using the control, by means pam_wheel
authentication modules, only very few users su command switch. Implementation process is as follows: the user authorized to use the su command to add to the wheel group, modify /etc/pam.d/su authentication configuration to enable pam_wheel certification.
2.PAM safety certification
PAM (Pluggable Authentication Modules), the system is Linux Pluggable Authentication Module, is a highly efficient and flexible and convenient user-level authentication, it is also the current authentication methods commonly used Linux servers.
PAM provides a central mechanism for authentication for all services for login, remote login (telnet, rlogin, fsh, ftp ), su and other applications. Certified System Administrator to develop different strategies for different applications by PAM configuration file.
Our PAM authentication profile there is our command SU
vim /etc/pam.d/su safety certification su Configuration
Lisi add users to the wheel group
Three .sudo mention the right
It can be very easily through the su command to switch to another user, but only if you must know the target user's
login password. For example, to switch from jerry user to root user, you must know the root password. For raw
production environments Linux servers, each one more person aware of privileged passwords, security risks will increase one point.
Is there a compromise, only allows ordinary users to have part of the management authority, and does not need to use the root
tell him what the user's password? The answer is yes, you can use the sudo command to elevate privileges to perform. However, the need by the tubes
were pre-authorized administrator to specify which users are allowed to superuser (or other ordinary users) identity which commands to execute
orders.
Cmnd_Alias alias command
User_Alias user aliases
Host_Alias host alias
vim / etc / sudoers