권한 얻기
System administrators, and in some cases users, need to perform certain tasks with administrative access. Accessing the system as the root
user is potentially dangerous and can lead to widespread damage to the system and data. This chapter covers ways to gain administrative privileges using setuid programs such as su and sudo. These programs allow specific users to perform tasks which would normally be available only to the root
user while maintaining a higher level of control and system security.
관리 제어, 잠재적인 위험, 그리고 권한있는 접근의 부적절한 사용에서 나타는 자료 손실을 예방하는 방식에 대한 더 많은 정보를 위해 Red Hat Enterprise Linux 7 보안 안내를 참고하세요.
su 명령
사용자가 su 명령을 실행 할 때에, root
비밀번호를 위해 입력창에 표시되고, 인증 후에는 `root`으로 쉘 입력기가 제공됩니다.
Once logged in using the su command, the user is the root
user and has absolute administrative access to the system. Note that this access is still subject to the restrictions imposed by SELinux, if it is enabled. In addition, once a user has become root
, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.
이와 같은 프로그램은 매우 강력하기 때문에, 조직내에 있는 관리자는 명령으로 접근하고자 하는 자를 제한하고자 합니다.
One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root
:
~]# usermod -a -G wheel 사용자이름
이전 명령에서, _username_을 wheel
그룹에 추가하고자 하는 사용자 이름으로 교체합니다.
You can also use the Users settings tool to modify group memberships, as follows. Note that you need administrator privileges to perform this procedure.
-
Press the Super key to enter the Activities Overview, type Users and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
-
변경하기를 활성화 하려면, Unlock 누름단추를 누르고, 유효한 관리자 비밀번호를 입력하세요.
-
Click a user icon in the left column to display the user’s properties in the right-hand pane.
-
Change the Account Type from
Standard
toAdministrator
. This will add the user to thewheel
group.
사용자 도구에 대한 더 많은 정보를 위해 그래픽 환경에서 사용자 관리하기를 참고하세요.
After you add the desired users to the wheel
group, it is advisable to only allow these specific users to use the su command. To do this, edit the PAM configuration file for su, /etc/pam.d/su
. Open this file in a text editor and uncomment the following line by removing the #
character:
#auth required pam_wheel.so use_uid
This change means that only members of the administrative group wheel
can switch to another user using the su command.
기록
The |
The sudo Command
The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root
user.
The basic format of the sudo command is as follows:
sudo command
In the above example, command would be replaced by a command normally reserved for the root
user, such as mount.
The sudo command allows for a high degree of flexibility. For instance, only users listed in the /etc/sudoers
configuration file are allowed to use the sudo command and the command is executed in the user’s shell, not a root
shell. This means the root
shell can be completely disabled as shown in the Red Hat Enterprise Linux 7 Security Guide.
Each successful authentication using the sudo command is logged to the file /var/log/messages
and the command issued along with the issuer’s user name is logged to the file /var/log/secure
. If additional logging is required, use the pam_tty_audit
module to enable TTY auditing for specified users by adding the following line to your /etc/pam.d/system-auth
file:
session required pam_tty_audit.so disable=pattern enable=pattern
where pattern represents a comma-separated listing of users with an optional use of globs. For example, the following configuration will enable TTY auditing for the root
user and disable it for all other users:
session required pam_tty_audit.so disable=* enable=root
Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.
Administrators wanting to edit the sudo configuration file, /etc/sudoers
, should use the visudo command.
To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:
juan ALL=(ALL) ALL
This example states that the user, juan
, can use sudo from any host and execute any command.
The example below illustrates the granularity possible when configuring sudo:
%users localhost=/sbin/shutdown -h now
This example states that any member of the users
system group can issue the command /sbin/shutdown -h now as long as it is issued from the console.
The man page for sudoers
has a detailed listing of options for this file.
Important
There are several potential risks to keep in mind when using the sudo command. You can avoid them by editing the
|
추가 자원
While programs allowing users to gain administrative privileges are a potential security risk, security itself is beyond the scope of this particular book. You should therefore refer to the resources listed below for more information regarding security and privileged access.
-
su
(1) — The manual page for su provides information regarding the options available with this command. -
sudo
(8) — The manual page for sudo includes a detailed description of this command and lists options available for customizing its behavior. -
pam
(8) — The manual page describing the use of Pluggable Authentication Modules (PAM) for Linux.
-
The Red Hat Enterprise Linux 7 Security Guide provides a more in-depth look at potential security issues pertaining to setuid programs as well as techniques used to alleviate these risks.
-
Managing Users and Groups documents how to manage system users and groups in the graphical user interface and on the command line.
Want to help? Learn how to contribute to Fedora Docs ›