Switch the user privilege escalation

On a Linux server, logging in directly as root is not recommended: root has unrestricted privileges, so a single mistake can cause enormous damage. For the same reason, ordinary users should not be able to switch to root casually. What is needed is a controlled mechanism that lets an ordinary user switch identity or escalate privileges only when the work requires it. Linux provides two commands for this: su and sudo.
1. su command
Before any restriction is configured, every user can switch freely to any other account, including root, as long as they know that account's password.

This means any user can run su and repeatedly try another user's login password, including root's, which is a serious security risk. To tighten this, the pam_wheel authentication module can be used to restrict su so that only members of the wheel group are allowed to use it.

Open the file /etc/pam.d/su in a text editor and enable the pam_wheel authentication module by uncommenting its line.

Run vim /etc/group to inspect the existing groups. The wheel group already exists, and the user fan has already been added to it.

From the group membership we can see that fan belongs to the wheel group and lisi does not. Having both users try su, the result shows that only the user in the wheel group can switch with su; the other is refused.
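As an added example (not from the original post), the following shell functions check, from copies of /etc/pam.d/su and /etc/group, whether pam_wheel is actually enforced and whether a given user may therefore still use su. The two sample pam files (with and without the commented-out pam_wheel line, which carries the use_uid option), the sample group file, and the users fan and lisi are constructed inputs for this example, not the real system files.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a user may run su
# once pam_wheel is enabled. Inputs are constructed copies of /etc/pam.d/su and
# /etc/group, not the real files; users fan and lisi are taken from the post.

# Constructed /etc/pam.d/su with the pam_wheel line uncommented (enforced).
PAM_SU_ENFORCED='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth'

# Same file with the pam_wheel line still commented out (not enforced).
PAM_SU_DEFAULT='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth'

# Constructed /etc/group: fan is a member of wheel, lisi is not.
GROUP_FILE='root:x:0:
wheel:x:10:fan
fan:x:1000:
lisi:x:1001:'

# pam_wheel_enforced PAM_SU_CONTENT -> yes/no.
# Only an uncommented "auth required|requisite pam_wheel.so" line counts; a
# leading '#' leaves su open to anyone who knows the target account's password.
pam_wheel_enforced() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' \
      && echo yes || echo no
}

# in_wheel GROUP_CONTENT USER -> yes/no.
# USER must appear in the comma-separated member field of the wheel line
# (pam_wheel's default group; its group= option can name another one).
in_wheel() {
    printf '%s\n' "$1" \
      | grep -Eq "^wheel:[^:]*:[^:]*:(.*,)?$2(,.*)?\$" \
      && echo yes || echo no
}

# can_use_su PAM_SU_CONTENT GROUP_CONTENT USER -> yes/no.
# Without pam_wheel any user may try su; with it, only wheel members may.
can_use_su() {
    [ "$(pam_wheel_enforced "$1")" = yes ] || { echo yes; return; }
    in_wheel "$2" "$3"
}
```

Running can_use_su with the enforced pam file answers yes for fan and no for lisi, matching the experiment in the post; with the default (commented) file it answers yes for both, which is the unrestricted state described at the start of this section.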

2. sudo command
List the users logged in on terminals; among them, fan belongs to the wheel group. Then open the file /etc/sudoers: it shows that users in the wheel group are granted privileges similar to root, that is, all permissions.

The user lisi does not belong to the wheel group. If we use lisi to try to modify the system's IP address, we find that lisi cannot do so.

After switching to fan, who belongs to the wheel group, and trying the same change, we find that fan has permission to modify the IP address and the change succeeds.

If a user who does not belong to the wheel group still needs some administrator privileges for required work, use the visudo command to open the sudoers file and configure that user's permission manually.

After that, lisi has permission to modify the IP address.

Origin blog.51cto.com/14449528/2432956