If a user's login shell is /sbin/nologin, would su, sudo or ssh honor it? Let's find out.

On a typical CentOS 7 installation, the login shell of user adm is /sbin/nologin (see /etc/passwd):

adm:x:3:4:adm:/var/adm:/sbin/nologin

su apparently honors entries in /etc/passwd. If we try to use su to run a command as adm, it fails, as expected:

~]# su -c id adm
This account is currently not available.

However, we can override the login shell from the password database by supplying a shell (e.g., -s /bin/bash) on the command line. For example:

~]# su -s /bin/bash -c pwd adm
~]# su -s /bin/bash -c id adm
uid=3(adm) gid=4(adm)

By contrast, sudo doesn't honor /sbin/nologin in /etc/passwd:

~]# sudo -u adm id
uid=3(adm) gid=4(adm)

However, if we use the -i option to simulate an initial login, sudo runs the shell specified by the password database entry of the target user as a login shell, in this case /sbin/nologin:

~]# sudo -u adm -i id

If we give adm a password, we can even su to adm from an unprivileged user:

~]$ su -s /bin/bash -c pwd adm

As expected, ssh does honor /sbin/nologin in the password database. If we change user dong's login shell to /sbin/nologin, ssh will fail:

$ ssh -l dong hydra
Last login: Fri Sep 22 22:07:45 2017 from .

A related question is the difference between sudo -su user and sudo su user. sudo -su user is short for sudo -s -u user. These options are documented under man sudo. The -u user option means to run the command as the specified user rather than root. The -s option means to run the shell specified in the environment variable SHELL if this has been set, or else the user's login shell. sudo su user, on the other hand, uses sudo to run the command su user as the root user. The su user command could be run without sudo, but by running it as root it will not require the password of the target user. su then invokes the login shell of the specified user. So the two commands look similar (largely coincidentally) and have a somewhat similar effect when the target user has the same login shell as the invoking user. However, when the SHELL environment variable is set in the invoking user's environment (which it usually is, and it is typically /bin/bash) and the target user has a login shell which differs from this (such as /usr/sbin/nologin), there is a difference in which shell gets executed by the two commands, and this is what accounts for the different behavior.

The man pages describe the two commands as follows. sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user-ID is used to determine the user name with which to query the security policy. sudo supports a plugin architecture for security policies, auditing, and input/output logging. su allows commands to be run with a substitute user and group ID; when called with no user specified, su defaults to running an interactive shell as root.

Both su and sudo elevate the privileges assigned to the current user; sometimes one user must assume the identity of another. The main difference between the two is the password they require: su requires the password of the target account (the root password when switching to root), while sudo requires the password of the current user. In the Linux system, su will therefore force you to share your root password with another user, so it is much safer to use sudo, since it doesn't involve exchanging sensitive information. Sudo (su do) allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as the superuser or another user. If a binary is allowed to run as the superuser by sudo and it does not drop the elevated privileges, it may be used to access the file system.
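As an added example (not code from the original post), the following POSIX shell script encodes the rules observed above so you can predict, from a passwd entry, which shell su, sudo -s, sudo -i and ssh will consult for a target user, and whether a nologin shell will actually refuse the access. The passwd entries, user names and function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: predict which shell su, sudo and
# ssh will end up consulting for a target user, following the rules above.
# The passwd entries and user names here are constructed sample data.

# Constructed passwd(5) sample (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='adm:x:3:4:adm:/var/adm:/sbin/nologin
dong:x:1000:1000:dong:/home/dong:/bin/bash'

# login_shell NAME: print the login shell of NAME; fail if no such entry.
login_shell() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }'
}

# is_nologin SHELL: true when SHELL refuses logins (nologin or false).
is_nologin() {
    case "${1##*/}" in nologin|false) return 0 ;; esac
    return 1
}

# effective_shell MODE NAME [INVOKER_SHELL] [OVERRIDE]
#   su        su NAME             -> login shell from passwd
#   su-s      su -s OVERRIDE NAME -> OVERRIDE (password database ignored)
#   sudo-cmd  sudo -u NAME cmd    -> no shell at all, command runs directly
#   sudo-s    sudo -s -u NAME     -> invoker's $SHELL if set, else login shell
#   sudo-i    sudo -i -u NAME     -> login shell, run as a login shell
#   ssh       ssh -l NAME host    -> login shell
effective_shell() {
    mode=$1 user=$2 invoker_shell=$3 override=$4
    target=$(login_shell "$user") || return 2
    case $mode in
        su|ssh|sudo-i) printf '%s\n' "$target" ;;
        su-s)          printf '%s\n' "${override:-$target}" ;;
        sudo-s)        printf '%s\n' "${invoker_shell:-$target}" ;;
        sudo-cmd)      printf 'none\n' ;;
        *)             return 1 ;;
    esac
}

# refused MODE NAME [INVOKER_SHELL] [OVERRIDE]: true when the access would be
# refused because the shell that ends up running is a nologin shell.
refused() {
    sh=$(effective_shell "$@") || return 2
    [ "$sh" != none ] && is_nologin "$sh"
}

# Usage: show the matrix for adm, assuming the invoker has SHELL=/bin/bash.
for m in su sudo-cmd sudo-s sudo-i ssh; do
    printf '%-9s -> %s\n' "$m" "$(effective_shell "$m" adm /bin/bash)"
done
```

The "sudo-cmd" row is the one that matters for audits: a nologin shell does not stop sudo -u adm from running commands as that account, only sudo -i does.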