Published Book on Amazon
|All of IOT Starting with the Latest Raspberry Pi from Beginner to Advanced – Volume 1|
|All of IOT Starting with the Latest Raspberry Pi from Beginner to Advanced – Volume 2|
출판된 한글판 도서
|최신 라즈베리파이(Raspberry Pi)로 시작하는 사물인터넷(IOT)의 모든 것 – 초보에서 고급까지 (상)|
|최신 라즈베리파이(Raspberry Pi)로 시작하는 사물인터넷(IOT)의 모든 것 – 초보에서 고급까지 (하)|
Original Book Contents
A super user is a user who is authorized to do all the work on the system. This user can access all the data on the system, run all the programs, modify the behavior and contents of the system, and even have the right to destroy the system.
The Raspberry Pi system provides a super user account named "root" by default when the system is installed at first. Basically, it has the following features:
■ It has the privileges to do all the work on the system.
■ This user is granted all privileges from the beginning even if the system does not grant special privileges, and the privilege can not be restricted afterwards.
■ Normally, it is not used as a logon user, but if necessary, it can be used for logon purposes by specifying a password for the user account to activate it.
Among the commands used in Raspberry Pi, there are many commands that the normal user can not execute and the super user must execute. These commands are usually commands related to system management, and the execution of the commands has a great effect on the system. If they are executed incorrectly, they may cause a serious danger to the system.
The following are examples of commands that must be run by the name of the super user:
■ User management
adduser -- Add/Create user
deluser -- Delete user
addgroup -- Add/Create user group
■ File privilege management
chown -- Change file owner
chmod -- Change file privilege
■ Program management
apt-get install -- Install program
apt-get update -- Update repository of program package
apt-get upgrade -- Upgrade installed program to a new version
These commands must be runned by the name of the super user, not the normal user.
188.8.131.52 Working as the Super User by "sudo" Command
Among ways of executing commands with the super user's privileges, there is one ways to execute commands by adding the "sudo" command. "sudo" stands for "super user do". This method uses the name of the super user only when executing the command, and does not affect subsequent commands.
sudo [option] [command]
■ This executes the command with super user privileges. It can be used with commands that require super user privileges.
■ User privilege -- Super user.
The "sudo" command allows the specified user to execute commands as a superuser or other user in accordance with the security policy specified in advance. The actual applied User Id and Group Id are set to match that of the target user as specified in the password database.
display help message and exit
Normally, sudo runs a command with the primary group set to the one specified by the password database for the user the command is being run as (by default, root). The -g (group) option causes sudo to run the command with the primary group set to group instead. To specify a gid instead of a group name, use #gid. When running commands as a gid, many shells require that the '#' be escaped with a backslash ('\'). If no -u option is specified, the command will be run as the invoking user (not root). In either case, the primary group will be set to group.
The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a user name, use #uid. When running commands as a uid, many shells require that the '#' be escaped with a backslash ('\'). Security policies may restrict uids to those listed in the password database. The sudoers policy allows uids that are not in the password database as long as the target pw option is not set. Other security policies may not support this.
The -U (other user) option is used in conjunction with the -l option to specify the user whose privileges should be listed. The security policy may restrict listing other users' privileges. The sudoers policy only allows root or a user with the ALL privilege on the current host to use this option.
If the command that should be executed with the name of a super user is execute with a normal user, the command will not be executed and various errors will occur.
pi@raspberrypi ~ $ chown root ./testdata/manual02
chown: changing ownership of `./testdata/manual02': Operation not permitted
If you add the "sudo" command like the following, you can see that the error does not occur and processing is done normally.
pi@raspberrypi ~ $ sudo chown root ./testdata/manual02
184.108.40.206 Working as the Super User by "su" Command
The "su" command changes the working user to another user account. "su" stands for "substitute user". You can use this command to change the working user to super user. If you do not specify a specific user when you run the "su" command, the super user is assumed to be specified and makes the super user the working user. This has the effect of always running under the super user name, even if there are no special instructions for every command that will be executed in the future.
To return to the original logon user later, use "exit" command.
For more information on this, refer to the description of [220.127.116.11 Changing Working user with "su" Command].
The following is an example of running the "su" command without adding "sudo" command. Then, it is forced to input the password of the current user as follows to check the confirmation procedure. This is to prevent the careless execution in advance.
pi@raspberrypi ~ $ su
pi@raspberrypi ~ $
When you run the "su" command by adding "sudo" command, you will see the following processing.
pi@raspberrypi ~ $ sudo su
pi@raspberrypi ~ $
18.104.22.168 "visudo" Command - Control Super User Privilege
Since "sudo" command has a large impact on the system, it can cause a lot of problems when used without limitations by anyone, so you need to give the privilege that can execute these commands to only a limited number of system administrators.
To control the privileges to execute "sudo" commands on the system, the system manages the list of users who can execute "sudo" commands and the list of commands they can execute. The detailed inforamtions are being managed in "/etc/sudoers" file. If an user unspecified here uses "sudo" command, or if a command that is not allowed here is execute with "sudo" command, it is controlled so that the command is not executed.
You need to adjust these privileges on a per-user basis. To do this, you can use the "visudo" command to adjust the control data.
visudo [-chqsV] [-f sudoers]
■ This adjusts the system information that manages the list of users who can execute "sudo" commands and the list of commands that can be executed by "sudo" commands.
■ User privilege -- Super user.
■ The "visudo" command allows you to safely edit the "sudoers" file. The "visudo" command locks the "sudoers" file so that multiple people can not modify it at the same time, and checks the basic accuracy of the input.
■ The default security policy is "sudoers" in the "/etc/sudoers" file.
■ This command functions to edits the specified file by using "vi" command.
Enable check-only mode. The existing sudoers file will be checked for syntax errors, owner and mode. A message will be printed to the standard output describing the status of sudoers unless the -q option was specified. If the check completes successfully, visudo will exit with a value of 0. If an error is encountered, visudo will exit with a value of 1.
Enable strict checking of the sudoers file. If an alias is used before it is defined, visudo will consider this a parse error. Note that it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase letters, digits, and the underscore ('_') character.
Specify and alternate sudoers file location. With this option visudo will edit (or check) the sudoers file of your choice, instead of the default, /etc/sudoers. The lock file used is the specified sudoers file with ".tmp" appended to it. In check-only mode only, the argument to -f may be "-", indicating that sudoers will be read from the standard input.
sudo front end configuration
The default security policy
To adjust the sudo privilege, run the "visudo" command as shown below. Then a separate screen appears as shown below, which shows the contents of "/etc/sudoers" file. When this command is executed, you can see that it is working in "/etc/sudoers.tmp" file instead of "/etc/sudoers" file.
pi@raspberrypi ~ $ sudo visudo
GNU nano 2.2.6 File: /etc/sudoers.tmp
# This file MUST be edited with the 'visudo' command as root.
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
pi ALL=(ALL) NOPASSWD: ALL
[ line 1/29 (3%), col 1/2 (50%), char 0/696 (0%) ]
^G Get Help ^O WriteOut ^R Read File ^Y Prev Page ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where Is ^V Next Page ^U UnCut Text ^T To Spell
The format for setting the appropriate privilege s for "sudoers" is as follows
<user/group> <terminal> =< (work user : work group) > [No Password :] <command>
You can use an alias defined in advance to easily define the content. The alias must be defined before use. When you define an alias, the format of definition depends on its type. It will be definead as follows:
■ User/group executing the command
It means a user or a user group that is granted privilege. The allowed values are as follows
■ user -- When you specify a particular individual user.
■ %user group -- When you specify a user group.
■ Defined alias -- When you specify user defined by alias
To define an alias for a user, use "User_Alias" command.
Ex) User_Alias OPERATORS = joe, mike, jude
■ Terminal where the command is executed
It specifies the terminal on which you can issue the command with the sudo privilege. The allowed values are as follows
■ ALL -- All terminal
■ Defiend alias -- Terminal defined by alias
Use "Host_Alias" command to define the alias for the host terminal
Ex) Host_Alias OFNET = 10.1.2.0/255.255.255.0
■ Working user or working group to use when running
It means the working user or group to use when executing the command. The allowed values are as follows.
■ ALL -- All user or group
■ Defiend alias -- User or group defined by alias
Use "Runas_Alias" command to define an alias for the working user.
Ex) Runas_Alias OP = root, operator
■ Allow No Password
When a command is executed, you are prompted to enter and check a password to confirm the correctness of the execution. It specifies whether you can do the job immediately without going through this verification step.
■ NOPASSWD --No password required
■ Blank -- You must enter your own password.
■ Commands to execute
This means the command actually executed by "sudo" command. The allowed values are as follows
■ ALL -- All command
■ Defined alias -- Command defined with alias
Use "Cmnd_Alias" command to define an alias for the execution command
Ex) Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
We will define and use alias in advance as follows.
User_Alias OPERATORS = joe, mike, jude
Runas_Alias OP = root, operator
Host_Alias OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
The followings are examples of the contents defined in the "sudoers" file.
In the following example, the "root" user can execute the ALL command with the ALL owner, ALL group name, in the ALL terminal.
root ALL=(ALL:ALL) ALL
In the following example, the "sudo" group can execute the ALL command with the ALL owner, ALL group name, in the ALL terminal.
%sudo ALL=(ALL:ALL) ALL
In the following example, "pi" user can execute the ALL command with the ALL owner, ALL group name in the ALL terminal, without entering password.
pi ALL=(ALL) NOPASSWD: ALL
In the following example, a user defined in alias "OPERATORS" can issue the command "/sbin/poweroff" from the ALL terminal.
In the following example, a user defined in alias "OPERATORS" can execute the command ALL in terminal ALL.
In the following example, the user "linus" can execute the command ALL in the name of the user alias "OP" in terminal ALL.
In the following example, user "user2" can execute the command ALL in the name ALL of the user in the terminal alias "OFNET".
In the following example, user "user3" can execute command alias "PRINTING" in terminal ALL.