
Gaining Privileges

System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the root user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root user while maintaining a higher level of control and system security.

For more information about administrative controls, potential dangers, and ways to prevent loss of data resulting from improper use of privileged access, see the Red Hat Enterprise Linux 7 Security Guide.

The su Command

When a user executes the su command, they are prompted for the root password and, after authenticating, are given a root shell prompt.

Once logged in using the su command, the user is the root user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.

Because this program is so powerful, administrators within an organization may want to limit who has access to the command.

One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:

~]# usermod -a -G wheel username

In the previous command, replace _username_ with the user name you want to add to the wheel group.

You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.

  1. Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.

  2. To enable changes, click the Unlock button, and enter a valid administrator password.

  3. Click a user icon in the left column to display the user’s properties in the right-hand pane.

  4. Change the Account Type from Standard to Administrator. This will add the user to the wheel group.

For more information about the Users tool, see Managing Users in a Graphical Environment.

After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su, /etc/pam.d/su. Open this file in a text editor and uncomment the following line by removing the # character:

#auth           required        pam_wheel.so use_uid

This change means that only members of the administrative group wheel can switch to another user using the su command.

Note

The root user is a member of the wheel group by default.

The sudo Command

The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.

The basic format of the sudo command is as follows:

sudo command

In the above example, _command_ is replaced by a command normally reserved for the root user, such as mount.

The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a root shell. This means the root shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.

Each successful authentication using the sudo command is logged to the file /var/log/messages and the command issued along with the issuer’s user name is logged to the file /var/log/secure. If additional logging is required, use the pam_tty_audit module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth file:

session     required    pam_tty_audit.so disable=pattern enable=pattern

where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root user and disable it for all other users:

session     required    pam_tty_audit.so disable=* enable=root
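The two PAM edits described above (restricting su to the wheel group in /etc/pam.d/su, and enabling TTY auditing with pam_tty_audit in /etc/pam.d/system-auth) are easy to verify with a short audit script. The following POSIX sh script is an added example and is not code from the RHEL 7 guide; it takes every file path as an argument and runs against constructed, abbreviated sample files (the su, system-auth and group contents below are samples, not copies of a live system), so it can be tried without touching /etc.

```shell
#!/bin/sh
# Added example, not code from the RHEL 7 System Administrator's Guide.
# Audits the two PAM settings this chapter describes: the pam_wheel.so line
# in /etc/pam.d/su that limits su to the wheel group, and the
# pam_tty_audit.so line in /etc/pam.d/system-auth that enables TTY auditing.
# Every path is an argument, so the functions run against the constructed
# sample files written at the bottom rather than the live system.

# pam_active_lines FILE TYPE MODULE
# Prints every uncommented line in FILE of the given type (auth, session,
# ...) that loads MODULE (an ERE, so escape the dot). Exit 1 if none.
pam_active_lines() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' \
        | grep -E "^$2[[:space:]]+.*[[:space:]]$3([[:space:]]|\$)"
}

# su_restricted_to_wheel FILE
# True when FILE (normally /etc/pam.d/su) has an active
# "auth required pam_wheel.so use_uid" line, i.e. only wheel members may su.
# The separate "trust use_uid" variant (no password for wheel) is ignored.
su_restricted_to_wheel() {
    pam_active_lines "$1" auth 'pam_wheel\.so' \
        | grep -v 'trust' | grep -q 'required.*use_uid'
}

# enable_pam_wheel FILE
# Removes the leading "#" from the commented pam_wheel.so use_uid line, the
# edit the text describes. Idempotent: an already active line is unchanged,
# and the "trust use_uid" line is not touched because "trust" sits between
# the module name and use_uid.
enable_pam_wheel() {
    tmp="$1.$$"
    sed 's/^#\([[:space:]]*auth[[:space:]].*pam_wheel\.so[[:space:]]*use_uid\)/\1/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# tty_audit_enable_pattern FILE
# Prints the enable= pattern of the active pam_tty_audit.so session line in
# FILE (normally /etc/pam.d/system-auth); prints nothing if auditing is off.
tty_audit_enable_pattern() {
    pam_active_lines "$1" session 'pam_tty_audit\.so' \
        | sed -n 's/.*enable=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# user_in_group GROUPFILE GROUP USER
# True when USER is listed as a member of GROUP in an /etc/group-format file
# (use /etc/group on a real host to confirm the usermod step took effect).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# --- constructed sample files (abbreviated; not copies of real system files) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
session     required      pam_limits.so
session     required      pam_tty_audit.so disable=* enable=root
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:juan
users:x:100:juan,bob
EOF

# Stand-alone run: report the state of a copy before and after the edit,
# leaving the pristine sample in place.
cp "$SAMPLE_DIR/su" "$SAMPLE_DIR/su.edited"
if su_restricted_to_wheel "$SAMPLE_DIR/su.edited"; then echo "before: su restricted to wheel"; else echo "before: su open to all users"; fi
enable_pam_wheel "$SAMPLE_DIR/su.edited"
if su_restricted_to_wheel "$SAMPLE_DIR/su.edited"; then echo "after:  su restricted to wheel"; else echo "after:  su open to all users"; fi
echo "tty audit enabled for: $(tty_audit_enable_pattern "$SAMPLE_DIR/system-auth")"
if user_in_group "$SAMPLE_DIR/group" wheel juan; then echo "juan is in wheel"; fi
```

On a real host the same functions are called with /etc/pam.d/su, /etc/pam.d/system-auth and /etc/group; the check deliberately ignores commented lines, because a `#auth` line that is still commented is exactly the state that leaves su open to every user.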

Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.

Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo command.

To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

juan ALL=(ALL) ALL

This example states that the user, juan, can use sudo from any host and execute any command.

The example below illustrates the granularity possible when configuring sudo:

%users localhost=/sbin/shutdown -h now

This example states that any member of the users system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.

The man page for sudoers has a detailed listing of options for this file.

Important

There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the /etc/sudoers configuration file using visudo as described above. Leaving the /etc/sudoers file in its default state gives every user in the wheel group unlimited root access.

  • By default, sudo stores the sudoer’s password for a five minute timeout period. Any subsequent uses of the command during this period will not prompt the user for a password. This could be exploited by an attacker if the user leaves their workstation unattended and unlocked while still being logged in. This behavior can be changed by adding the following line to the /etc/sudoers file:

    Defaults    timestamp_timeout=value

    where value is the desired timeout length in minutes. Setting the value to 0 causes sudo to require a password every time.

  • If a sudoer’s account is compromised, an attacker can use sudo to open a new shell with administrative privileges:

    sudo /bin/bash

    Opening a new shell as root in this or similar fashion gives the attacker administrative access for a theoretically unlimited amount of time, bypassing the timeout period specified in the /etc/sudoers file and never requiring the attacker to input a password for sudo again until the newly opened session is closed.
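The three conditions this Important box describes (the default `%wheel ALL=(ALL) ALL` rule, the password timeout, and rules broad enough to hand out a root shell) can be checked mechanically. The following POSIX sh script is an added example and not code from the RHEL 7 guide; it reads a sudoers file given as an argument and runs against constructed samples, so it needs no access to the real /etc/sudoers. It is a line-oriented approximation: it does not expand Cmnd_Alias or User_Alias definitions or follow #include directives, so on a real host treat its output as a starting point and confirm with `sudo -l` for the users concerned.

```shell
#!/bin/sh
# Added example, not code from the RHEL 7 System Administrator's Guide.
# Reads a sudoers file and reports the conditions this section warns about:
# the wheel group's unlimited root access in the default file, the password
# timestamp timeout, and rules that let the grantee open an unrestricted
# shell. The file is an argument, so the checks run against the constructed
# samples below rather than the live /etc/sudoers. Aliases and #include
# directives are not expanded (a deliberate simplification).

# sudoers_rules FILE: user specification lines, with comments, blank lines
# and Defaults entries removed and leading whitespace stripped
sudoers_rules() {
    sed 's/^[[:space:]]*//' "$1" | grep -Ev '^(#|$|Defaults)'
}

# sudo_timestamp_timeout FILE: the timestamp_timeout value in minutes from
# the last Defaults line that sets it, or 5 (sudo's built-in default, as the
# text states) when no Defaults line overrides it
sudo_timestamp_timeout() {
    v=$(sed 's/^[[:space:]]*//' "$1" | grep '^Defaults' \
        | sed -n 's/.*timestamp_timeout=\([-0-9]*\).*/\1/p' | tail -n 1)
    echo "${v:-5}"
}

# wheel_has_unlimited_root FILE: true if "%wheel ALL=(ALL) ALL" (or its
# ALL:ALL / NOPASSWD variants) is active, which is the default file's state
wheel_has_unlimited_root() {
    sudoers_rules "$1" | grep -Eq \
        '^%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
}

# shell_granting_rules FILE: prints rules whose command list is ALL or names
# a shell binary; each of these allows "sudo /bin/bash" style use and so
# sidesteps the timestamp timeout for the life of that shell
shell_granting_rules() {
    sudoers_rules "$1" | awk '
        # strip "user host=(runas) " so only the command list is inspected
        { cmds = $0; sub(/^[^=]*=[[:space:]]*(\([^)]*\))?[[:space:]]*/, "", cmds) }
        cmds ~ /(^|[[:space:],:])(ALL|\/bin\/(ba)?sh|\/usr\/bin\/(ba)?sh)([[:space:],]|$)/ { print }'
}

# --- constructed samples (not copies of a real /etc/sudoers) ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
## Constructed sample laid out like the default file, with one extra rule
Defaults    requiretty
Defaults    timestamp_timeout=0
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
juan    ALL=(ALL)       ALL
%users  localhost=/sbin/shutdown -h now
ops     ALL=(root) NOPASSWD: /bin/sh
EOF

STRICT=$(mktemp)
cat > "$STRICT" <<'EOF'
## Constructed hardened sample: wheel rule commented out, no timeout override
# %wheel  ALL=(ALL)       ALL
%users  localhost=/sbin/shutdown -h now
EOF

# Stand-alone run: print a short report for the first sample.
echo "timestamp_timeout: $(sudo_timestamp_timeout "$SAMPLE") minute(s)"
if wheel_has_unlimited_root "$SAMPLE"; then
    echo "wheel group has unlimited root access (default state)"
fi
echo "rules that permit an unrestricted shell:"
shell_granting_rules "$SAMPLE"
```

In the first sample, `%wheel`, `juan` and `ops` are reported while the `%users` shutdown rule is not, which mirrors the granularity point made above: a rule limited to one command path does not let its holder open a shell, whereas `ALL` (and any rule naming a shell binary) does, regardless of how short the timeout is.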

Additional Resources

While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.

Installed Documentation
  • su(1) — The manual page for su provides information regarding the options available with this command.

  • sudo(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior.

  • pam(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.

Online Documentation
See Also
  • Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.