System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the
root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the
root user while maintaining a higher level of control and system security.
관리 제어, 잠재적인 위험, 그리고 권한있는 접근의 부적절한 사용에서 나타는 자료 손실을 예방하는 방식에 대한 더 많은 정보를 위해 Red Hat Enterprise Linux 7 보안 안내를 참고하세요.
사용자가 su 명령을 실행 할 때에,
root 비밀번호를 위해 입력창에 표시되고, 인증 후에는 `root`으로 셸 입력기가 제공됩니다.
Once logged in using the su command, the user is the
root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become
root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
이와 같은 프로그램은 매우 강력하기 때문에, 조직내에 있는 관리자는 명령으로 접근하고자 하는 자를 제한하고자 합니다.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as
~]# usermod -a -G wheel 사용자이름
이전 명령에서, _사용자이름_을
wheel 그룹에 추가하고자 하면 사용자 이름으로 교체합니다.
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
변경하기를 활성화 하려면, Unlock 누름단추를 누르고, 유효한 관리자 비밀번호를 입력하세요.
Click a user icon in the left column to display the user’s properties in the right-hand pane.
Change the Account Type from
Administrator. This will add the user to the
사용자 도구에 대한 더 많은 정보를 위해 그래픽 환경에서 사용자 관리하기를 참고하세요.
After you add the desired users to the
wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su,
/etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group
wheel can switch to another user using the su command.
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the
sudo 명령의 기본 형식은 다음과 같습니다:
위의 예제에서, _명령_은 [command]#mount#와 같은
root 사용자를 위해 정상적으로 예약되는 명령에 의해 대체됩니다.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the
/etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a
root shell. This means the
root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file
/var/log/messages and the command issued along with the issuer’s user name is logged to the file
/var/log/secure. If additional logging is required, use the
pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your
세션은 pam_tty_audit.so disable=pattern enable=pattern이 필요합니다
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the
root user and disable it for all other users:
세션은 pam_tty_audit.so disable=* enable=root가 필요합니다
sudo 명령의 다른 장점은 관리자가 이들 요구에 기반한 다른 사용자 접근을 특정 명령에 허용 할 수 있습니다.
`/etc/sudoers`와 같은 sudo 구성 파일을 편집하고자 하는 관리자는 visudo 명령을 사용 할 수 있습니다.
누구에게 전체 관리 권한을 제공하려면, [command]#visudo#를 입력하고 사용자 권한 상세 부분에서 다음과 유사한 행을 추가합니다:
juan ALL=(ALL) ALL
이와 같은 예제는 `juan`와 같은 사용자가 호스트에서 [command]#sudo#를 사용 할 수 있고 어떤 명령도 실행 할 수 있습니다.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the
users system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for
sudoers has a detailed listing of options for this file.
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
su(1) — The manual page for su provides information regarding the options available with this command.
sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.
pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
The Red Hat Enterprise Linux 7 Security Guide provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.
Want to help? Learn how to contribute to Fedora Docs ›