
Differences between revisions of "UbuntuHelp:RootSudo/zh"

 
Source: https://help.ubuntu.com/community/RootSudo
 
Latest revision as of 17:01, 13 April 2012 (Friday)

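In Linux (and most Unix systems), there is a superuser named root. The Windows analog of root is Administrator. The superuser can do anything and everything, and thus doing daily work as the superuser can be dangerous. You could type a command incorrectly and destroy the system. Ideally, you run as a user that has only the privileges needed for the task at hand. In some cases this is necessarily root, but most of the time it is a regular user.

By default, the root account password is locked in Ubuntu. This means that you cannot log in as root directly or use the su command to become the root user. However, since the root account still exists, it is still possible to run programs with root-level privileges. This is where sudo comes in: it allows authorized users (normally members of the administrators group; for further information see AddUsersHowto) to run programs as root without having to know the root password.

This means that in the terminal you should use sudo for commands that require root privileges; simply prepend "sudo" to those commands. For more extensive usage examples, see below. Similarly, when you run GUI programs that require root privileges (e.g. the network configuration applet), you will also be prompted for a password. Just remember: when sudo asks for a password, it needs your user password, not the root account password.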

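Benefits of using sudo

The benefits of leaving root logins disabled by default include the following:

  • The installer has to ask fewer questions.
  • Users don't have to remember an extra password (i.e. the root password), which they are likely to forget.
  • It avoids the "I can do anything" interactive login by default (e.g. the tendency of users to log in as an "Administrator" user on Microsoft Windows systems). You will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
  • Sudo adds a log entry for each command run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
  • Every cracker trying to brute-force their way into your box will know it has an account named root and will try that first. What they don't know is what the usernames of your other users are. Since the root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
  • It allows easy transfer of admin rights, for a short or long period, by adding and removing users from groups, while not compromising the root account.
  • sudo can be set up with a much more fine-grained security policy.
  • The authentication automatically expires after a short time (which can be set as low as desired, or to 0), so if you walk away from the terminal after running commands as root using sudo, you will not be leaving a root terminal open indefinitely.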
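
The audit trail mentioned in the list above, as an added example that is not part of the original wiki page: a Python parser for sudo's records in /var/log/auth.log that reports who ran what, which attempts sudo rejected, and which invocations opened a root shell (commands typed inside that shell do not get their own sudo record by default). The log lines are constructed samples, and the function and variable names are hypothetical.

```python
import re

# Constructed sample in the format sudo writes to /var/log/auth.log via syslog.
SAMPLE_AUTH_LOG = """\
Apr 13 17:01:22 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/chown bob:bob /home/bob/notes
Apr 13 17:01:22 box sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Apr 13 17:03:40 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=amanda ; COMMAND=/bin/bash
Apr 13 17:05:11 box sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install htop
Apr 13 17:06:30 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Apr 13 17:09:02 box sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/etc/init.d/networking restart
"""

# Record layout: user : [reason ; ] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.+)$"
)

# Programs that hand the caller an interactive shell (sudo -i, sudo -s, sudo su).
SHELL_PROGRAMS = {"sh", "bash", "dash", "zsh", "su"}


def parse_sudo_events(log_text):
    """Return one dict per sudo command record; other auth.log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = SUDO_RE.search(line.rstrip())
        if match is None:
            continue
        event = match.groupdict()
        # sudo puts a reason before TTY= only when it rejected the attempt.
        event["allowed"] = event["reason"] is None
        program = event["command"].split()[0].rsplit("/", 1)[-1]
        event["root_shell"] = (
            event["allowed"] and event["runas"] == "root" and program in SHELL_PROGRAMS
        )
        events.append(event)
    return events


def summarize(events):
    """Group records by the three questions an audit usually asks."""
    report = {"ran": {}, "rejected": [], "root_shells": []}
    for ev in events:
        if not ev["allowed"]:
            report["rejected"].append((ev["user"], ev["reason"], ev["command"]))
            continue
        report["ran"].setdefault(ev["user"], []).append((ev["runas"], ev["command"]))
        if ev["root_shell"]:
            report["root_shells"].append((ev["user"], ev["command"]))
    return report


if __name__ == "__main__":
    # On a real system, pass the contents of /var/log/auth.log instead.
    result = summarize(parse_sudo_events(SAMPLE_AUTH_LOG))
    for user, commands in result["ran"].items():
        for runas, command in commands:
            print(f"{user} ran as {runas}: {command}")
    for user, reason, command in result["rejected"]:
        print(f"REJECTED {user} ({reason}): {command}")
    for user, command in result["root_shells"]:
        print(f"ROOT SHELL opened by {user}: {command}")
```
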

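Notes

  • To use sudo on the command line, preface the command with sudo, as below:

Example #1

sudo chown bob:bob /home/bob/*

Example #2

sudo /etc/init.d/networking restart
  • The password is stored by default for 15 minutes. After that time, you will need to enter your password again (when it is required).
  • Your password will not be shown on the screen as you type it, not even as a row of stars (******). It is being entered with each keystroke!
  • sudo !! will repeat the last command entered, except with sudo prepended to it.
  • You should never use sudo to start graphical applications as root. You should use gksudo to run such programs (e.g. ALT+F2 gksudo gedit).
    • For users of Kubuntu, use kdesu instead of gksudo.
  • To run the graphical configuration utilities, simply launch the application via the menu.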

Allowing other users to run sudo

To add a new user to sudo, open the Users and Groups tool from the System --> Administration menu. Click on the user and then on Properties. Choose the User Privileges tab, find Executing system administration tasks, and check it. In the terminal this would be: sudo adduser $user admin, where you replace $user with the name of the user.

Logging in as another user

  • To login as another user.

NB: Please don't use this to become root; see the bottom of the page for more information.

sudo -i -u username

For example, to become amanda for tape management purposes:

sudo -i -u amanda

The password being asked for is your own.

Downsides of using sudo

Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:

  • Redirecting the output of commands run with sudo requires a different approach. For instance, `sudo ls > /root/somefile` will not work, since it is the shell that tries to write to that file. You can use `ls | sudo tee -a /root/somefile` to append, or `ls | sudo tee /root/somefile` to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written with root permissions, such as `sudo bash -c "ls > /root/somefile"`.
  • In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as nss-ldap. To set up a workstation, or to fix it in the case of a network failure where nss-ldap is broken, root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled root password, is needed here.

Misconceptions

  • Isn't sudo less secure than su?

The basic security model is the same, and therefore these two systems share their primary weaknesses. Any user who uses `su` or `sudo` must be considered to be a privileged user. If that user's account is compromised by an attacker, the attacker can also gain root privileges the next time the user does so. The user account is the weak link in this chain, and so must be protected with the same care as root. On a more esoteric level, `sudo` provides some features which encourage different work habits, which can positively impact the security of the system. `sudo` is commonly used to execute only a single command, while `su` is generally used to open a shell and execute multiple commands. The `sudo` approach reduces the likelihood of a root shell being left open indefinitely, and encourages the user to minimize their use of root privileges.

  • I won't be able to enter single-user mode!

The sulogin program in Ubuntu is patched to handle the default case of a locked root password.

  • I can get a root shell from the console without entering a password!

You have to enter your password. Console users have access to the boot loader, and can gain administrative privileges in various ways during the boot process, for example by specifying an alternate `init(8)` program. Linux systems are not typically configured to be secure at the console, and additional steps (for example, setting a root password, a boot loader password and a BIOS password) are necessary in order to make them so. Note that console users usually have physical access to the machine and so can manipulate it in other ways as well.

Re-disabling your root account

If for some reason you have enabled your root account and wish to disable it again, open a terminal and issue the following command:

sudo passwd -l root

Enabling the root account

Enabling the root account is neither supported nor necessary.
Anything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent root login, use sudo -i. Logging in to X as root is most likely to cause very serious trouble. If you believe you need a root account to perform a certain action, please consult the official support channels first, to make sure there is not a better alternative.

Drag & Drop Sudo

This is a trick from the forums. Create a launcher with the following command:

gksudo "gnome-open %u"

When you drag and drop any file on this launcher (it's useful to put it on the desktop or on a panel), it will be opened as root with its own associated application. This is helpful especially when you're editing config files owned by root, since they will be opened as read only by default with gedit, etc.

Special notes on sudo and shells

  • None of the methods below are suggested or supported by the designers of Ubuntu.
  • Please do not suggest this to others unless you personally are available 24/7 to support the user if they have issues as a result of running a shell as root.
  • To start a root shell (i.e. a command window where you can run root commands), starting root's environment and login scripts, use:
sudo -i     (equivalent to sudo su - , gives you root's environment configuration)
  • To start a root shell, but keep the current shell's environment, use:
sudo -s     (equivalent to sudo su)