ubuntu配置sudo

Like most things on Linux, the sudo command is very configurable. You can have sudo run specific commands without asking for a password, restrict specific users to only approved commands, log commands run with sudo, and more.

像Linux上的大多数东西一样，sudo命令是非常可配置的。 您可以让sudo运行特定命令而无需输入密码，将特定用户限制为仅允许使用的命令，使用sudo运行日志命令等等。

The sudo command’s behavior is controlled by the /etc/sudoers file on your system. This command must be edited with the visudo command, which performs syntax-checking to ensure you don’t accidentally break the file.

sudo命令的行为由系统上的/ etc / sudoers文件控制。 必须使用visudo命令编辑该命令，该命令执行语法检查以确保您不会意外破坏文件。

指定具有Sudo权限的用户 (Specify Users With Sudo Permissions)

The user account you create while installing Ubuntu is marked as an Administrator account, which means it can use sudo. Any additional user accounts you create after installation can be either Administrator or Standard user accounts – Standard user accounts don’t have sudo permissions.

您在安装Ubuntu时创建的用户帐户被标记为管理员帐户，这意味着它可以使用sudo。 安装后创建的任何其他用户帐户都可以是管理员帐户或标准用户帐户–标准用户帐户没有sudo权限。

You can control user account types graphically from Ubuntu’s User Accounts tool. To open it, click your user name on the panel and select User Accounts or search for User Accounts in the dash.

您可以从Ubuntu的“用户帐户”工具以图形方式控制用户帐户类型。 要打开它，请在面板上单击您的用户名，然后选择“用户帐户”或在破折号中搜索“用户帐户”。

使Sudo忘记密码 (Make Sudo Forget Your Password)

By default, sudo remembers your password for 15 minutes after you type it. This is why you only have to type your password once when executing multiple commands with sudo in quick succession. If you’re about to let someone else use your computer and you want sudo to ask for the password when it runs next, execute the following command and sudo will forget your password:

默认情况下，sudo在您输入密码后会记住15分钟。 这就是为什么在快速连续使用sudo执行多个命令时，只需键入一次密码的原因。 如果您要让其他人使用您的计算机，并且想让sudo在下次运行时要求输入密码，请执行以下命令，sudo会忘​​记您的密码：

sudo –k

须藤–k

总是要求输入密码 (Always Ask For a Password)

If you’d rather be prompted each time you use sudo – for example, if other people regularly have access to your computer — you can disable the password-remembering behavior entirely.

如果希望每次使用sudo时都提示您(例如，如果其他人定期访问您的计算机)，则可以完全禁用密码记住行为。

This setting, like other sudo settings, is contained in the /etc/sudoers file. Run the visudo command in a terminal to open the file for editing:

与其他sudo设置一样，此设置包含在/ etc / sudoers文件中。 在终端中运行visudo命令以打开文件进行编辑：

sudo visudo

苏多维苏多

In spite of its name, this command defaults to the new-user-friendly nano editor instead of the traditional vi editor on Ubuntu.

尽管使用了该命令的名称，但该命令默认使用对新用户友好的nano编辑器，而不是Ubuntu上的传统vi编辑器。

Add the following line below the other Defaults lines in the file:

在文件的其他“默认值”行下面添加以下行：

Defaults timestamp_timeout=0

默认值timestamp_timeout = 0

Press Ctrl+O to save the file, and then press Ctrl+X to close Nano. Sudo will now always prompt you for a password.

按Ctrl + O保存文件，然后按Ctrl + X关闭Nano。 Sudo现在将始终提示您输入密码。

更改密码超时 (Change the Password Timeout)

To set a different password timeout – either a longer one like 30 minutes or a shorter one like 5 minutes – follow the steps above but use a different value for timestamp_timeout. The number corresponds to the number of minutes sudo will remember your password for. To have sudo remember your password for 5 minutes, add the following line:

要设置不同的密码超时时间(较长的密码，例如30分钟，较短的密码，例如5分钟)，请按照上述步骤操作，但对timestamp_timeout使用不同的值。 该数字对应sudo将记住您的密码的分钟数。 要让sudo记住您的密码5分钟，请添加以下行：

Defaults timestamp_timeout=5

默认值为timestamp_timeout = 5

从不要求输入密码 (Never Ask for a Password)

You can also have sudo never ask for a password – as long as you’re logged in, every command you prefix with sudo will run with root permissions. To do this, add the following line to your sudoers file, where username is your username:

您还可以使sudo从不要求输入密码-只要登录，用sudo前缀的每个命令都将以root权限运行。 为此，将以下行添加到您的sudoers文件中，其中username是您的用户名：

username ALL=(ALL) NOPASSWD: ALL

用户名ALL =(ALL)NOPASSWD：全部

You can also change the %sudo line – that is, the line that allows all users in the sudo group (also known as Administrator users) to use sudo – to have all Administrator users not require passwords:

您还可以更改％sudo行(即允许sudo组中的所有用户(也称为管理员用户)使用sudo的行)，以使所有Administrator用户不需要密码：

%sudo ALL=(ALL:ALL) NOPASSWD:ALL

％sudo ALL =(全部：全部)NOPASSWD：全部

在没有密码的情况下运行特定命令 (Run Specific Commands Without a Password)

You can also specify specific commands that will never require a password when run with sudo. Instead of using “ALL” after NOPASSWD above, specify the location of the commands. For example, the following line will allow your user account to run the apt-get and shutdown commands without a password.

您还可以指定使用sudo运行时将不需要密码的特定命令。 请指定命令的位置，而不是在上面的NOPASSWD之后使用“ ALL”。 例如，以下行将允许您的用户帐户运行不带密码的apt-get和shutdown命令。

username ALL=(ALL) NOPASSWD: /usr/bin/apt-get,/sbin/shutdown

用户名ALL =(ALL)NOPASSWD：/ usr / bin / apt-get，/ sbin / shutdown

This can be particularly useful when running specific commands with sudo in a script.

当在脚本中使用sudo运行特定命令时，这特别有用。

允许用户仅运行特定命令 (Allow a User to Run Only Specific Commands)

While you can blacklist specific commands and prevent users from running them with sudo, this isn’t very effective. For example, you could specify that a user account not be able to run the shutdown command with sudo. But that user account could run the cp command with sudo, create a copy of the shutdown command, and shut down the system using the copy.

虽然您可以将特定命令列入黑名单并阻止用户使用sudo运行它们，但这并不是很有效。 例如，您可以指定用户帐户无法使用sudo运行shutdown命令。 但是该用户帐户可以使用sudo运行cp命令，创建shutdown命令的副本，然后使用该副本关闭系统。

A more effective way is to whitelist specific commands. For example, you could give a Standard user account permission to use the apt-get and shutdown commands, but no more. To do so, add the following line, where standarduser is the user’s username:

一种更有效的方法是将特定命令列入白名单。 例如，您可以授予标准用户帐户使用apt-get和shutdown命令的权限，但不能再使用其他权限。 为此，添加以下行，其中standarduser是用户的用户名：

standarduser ALL=/usr/bin/apt-get,/sbin/shutdown

standarduser ALL = / usr / bin / apt-get，/ sbin / shutdown

The following command will tell us what commands the user can run with sudo:

以下命令将告诉我们用户可以使用sudo运行哪些命令：

sudo -U standarduser –l

sudo -U standarduser –l

记录Sudo访问 (Logging Sudo Access)

You can log all sudo access by adding the following line. /var/log/sudo is just an example; you can use any log file location you like.

您可以通过添加以下行来记录所有sudo访问。 / var / log / sudo只是一个例子； 您可以使用任何喜欢的日志文件位置。

Defaults logfile=/var/log/sudo

默认日志文件= / var / log / sudo

View the contents of the log file with a command like this one:

使用以下命令查看日志文件的内容：

sudo cat /var/log/sudo

须藤猫/ var / log / sudo

Bear in mind that, if a user has unrestricted sudo access, that user has the ability to delete or modify the contents of this file. A user could also access a root prompt with sudo and run commands that wouldn’t be logged. The logging feature is most useful when coupled with user accounts that have restricted access to a subset of system commands.

请记住，如果用户具有不受限制的sudo访问权限，则该用户可以删除或修改此文件的内容。 用户还可以使用sudo访问根提示符，并运行不会记录的命令。 与限制访问系统命令子集的用户帐户结合使用时，日志记录功能最有用。

翻译自: https://www.howtogeek.com/116757/8-ways-to-tweak-and-configure-sudo-on-ubuntu/

ubuntu配置sudo