Bilingual snapshot saved 2025-08-06 18:32 from https://www.coursera.org/learn/linux-and-sql/supplement/TmyCO/responsible-use-of-sudo

Responsible use of sudo

Previously, you explored authorization, authentication, and Linux commands with sudo, useradd, and userdel. The sudo command is important for security analysts because it lets users run individual commands with elevated permissions without the risk of working as the root user all the time. In this reading you’ll continue exploring authorization, authentication, and Linux commands, and learn two more commands that can be used with sudo: usermod and chown.

Responsible use of sudo

To manage authorization and authentication, you need root privileges, either as the root user itself or as a user who has been granted elevated privileges to modify the system. The root user is also called the “superuser.” You become the root user by logging in as root. However, running commands as the root user is not recommended in Linux: everything you run then has unlimited access, so a compromise of that session by a malicious actor, or a single typo, can damage the whole system with nothing to undo, and because the shared root account is not tied to a person, the logs cannot say who ran a given command. For these reasons, rather than logging in as the root user, use sudo in Linux when you need elevated privileges; sudo records the invoking user’s name and the command for each use.

The sudo command runs a single command with elevated (usually root) permissions on behalf of a specific user. The name comes from “superuser do.” Users must be granted that right in a configuration file before they can use sudo. This file is called the “sudoers file” (/etc/sudoers, edited with visudo; most distributions also read drop-in files from /etc/sudoers.d). Although using sudo is preferable to logging in as the root user, be aware that accounts allowed to use sudo are high-value targets: an attacker who compromises such an account, or one of its sessions, gets the same elevated permissions.

You can compare this to a hotel with a master key. The master key can be used to open any room in the hotel. Some workers at the hotel need this key to do their job. For example, to clean all the rooms, the janitor scans their ID badge and then uses the master key. However, if someone outside the hotel obtained the janitor’s ID badge and master key, they could enter any room in the hotel. In this example, the janitor with the master key represents a user using sudo for elevated privileges. Because of the dangers of sudo, only users who really need it should have these permissions.

Additionally, even if you need sudo, limit it to the commands you actually need and nothing more. A command run with sudo bypasses the permission checks that normally stop an unprivileged process from touching system files, so a mistake, or a malicious script you were tricked into running, executes with full privileges.
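Two things the passage above leaves implicit are what a least-privilege sudoers rule looks like and how sudo’s own logging answers the “who ran this?” question. The script below is an added example, not course material: it builds a drop-in rule that lets one account (assumed here to be fgarcia) run only the four user-management commands covered in this reading, refuses to install the file unless visudo accepts it, and summarises constructed syslog lines of the kind sudo writes (the sample lines, hostname and times are made up for the example). One caveat a practitioner should keep in mind: usermod and chown run as root are themselves root-equivalent (usermod can add the caller to a privileged group, chown can take ownership of /etc/sudoers), so a rule like this limits accidents and improves auditability rather than containing a determined attacker.

```shell
#!/bin/sh
# Added example (not from the course): a least-privilege sudoers drop-in and
# a quick audit of sudo's log lines. Assumed names: admin account fgarcia,
# drop-in file /etc/sudoers.d/user-mgmt.

# Build a sudoers rule allowing USER to run exactly the listed commands as
# root. Full paths and no wildcards: a pattern such as /usr/sbin/* would
# grant far more than intended.
sudoers_rule() {   # sudoers_rule USER CMD...
    user="$1"; shift
    cmds=""
    for c in "$@"; do
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s ALL=(root) %s\n' "$user" "$cmds"
}

# Write the rule to /etc/sudoers.d/NAME, but only if visudo accepts the
# syntax: a malformed sudoers file can lock every administrator out.
# Needs root; not executed by the demonstration at the bottom.
install_sudoers_rule() {   # install_sudoers_rule NAME USER CMD...
    name="$1"; shift
    tmp=$(mktemp) || return 1
    sudoers_rule "$@" > "$tmp"
    if visudo -cf "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
        rc=$?
    else
        echo "refusing to install: visudo rejected the rule" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Reduce sudo's syslog lines (read from stdin) to "who ran what as whom".
# sudo records the invoking user, the target user and the full command for
# every invocation, which a shared root login cannot provide.
sudo_audit() {
    sed -n 's/.*sudo:[[:space:]]*\([^ ]*\) : .*USER=\([^ ;]*\) ; COMMAND=\(.*\)$/\1 as \2: \3/p'
}

# Constructed log lines in the format sudo writes to the auth log (made up
# for this example; the sshd line shows that unrelated lines are ignored).
SAMPLE_AUTH_LOG='Aug  6 18:32:01 host1 sudo:  fgarcia : TTY=pts/0 ; PWD=/home/fgarcia ; USER=root ; COMMAND=/usr/sbin/useradd -g security jdoe
Aug  6 18:32:05 host1 sshd[2410]: Accepted publickey for fgarcia from 10.0.0.5 port 51234 ssh2
Aug  6 18:33:10 host1 sudo:  fgarcia : TTY=pts/0 ; PWD=/home/fgarcia ; USER=root ; COMMAND=/usr/bin/chown :security /srv/projects/access.txt'

# Demonstration: print the rule and summarise the sample log.
sudoers_rule fgarcia /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel /usr/bin/chown
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_audit
# To see what the installed rules allow the current account, run: sudo -l
```

To install the rule on a real host, run install_sudoers_rule user-mgmt fgarcia /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel /usr/bin/chown as root; the 0440 mode and root ownership are what sudo expects for files under /etc/sudoers.d.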

Note: Be aware of sudo when copying commands from an online source. It’s important that you don’t run something with elevated privileges by accident: read the command first, and drop the sudo prefix unless you know the command needs it.

Authentication and authorization with sudo

You can use sudo with many authentication and authorization management tasks. As a reminder, authentication is the process of verifying who someone is, and authorization is the concept of granting access to specific resources in a system. Some of the key commands used for these tasks include the following:

useradd

The useradd command adds a user to the system. To add a user with the username fgarcia, enter sudo useradd fgarcia. The new account has a locked password until you set one with sudo passwd fgarcia. There are additional options you can use with useradd:

  • -g: Sets the user’s default group, also called their primary group

  • -G: Adds the user to additional groups, also called supplemental or secondary groups

To use the -g option, the primary group must be specified after -g, and that group must already exist. For example, entering sudo useradd -g security fgarcia adds fgarcia as a new user and assigns their primary group to be security. Without -g, most distributions create a new group named after the user and make it their primary group.

To use the -G option, the supplemental group must be passed into the command after -G. You can add more than one supplemental group at a time with the -G option. Entering sudo useradd -G finance,admin fgarcia adds fgarcia as a new user and adds them to the existing finance and admin groups.

usermod

The usermod command modifies existing user accounts. The same -g and -G options from the useradd command can be used with usermod on a user who already exists.

To change the primary group of an existing user, you need the -g option. For example, entering sudo usermod -g executive fgarcia would change fgarcia’s primary group to the executive group.

To add a supplemental group for an existing user, you need the -G option together with the -a (append) option, which is only meaningful with -G. For example, entering sudo usermod -a -G marketing fgarcia adds the existing fgarcia user to the supplemental marketing group.

Note: When changing the supplemental groups of an existing user, if you don't include the -a option, -G replaces all of the user's existing supplemental groups with the ones listed after -G. Using -a with -G ensures that the new groups are added and the existing ones are kept. Either way, the change applies at the user’s next login; sessions that are already open keep their old group set.
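As an added example (not course code), the script below makes the -a caveat concrete: it parses group(5) lines to show which supplementary groups a user currently has, computes what a plain usermod -G would remove, and wraps the safe usermod -a -G call in a before/after check so a lost membership is reported rather than discovered later. The group-database sample is constructed for the demonstration; the names fgarcia, finance, admin and marketing are the ones used in this reading.

```shell
#!/bin/sh
# Added example (not from the course): change an existing user's
# supplementary groups without silently dropping the ones they already have.
# Assumptions: the group database is readable with `getent group`, and the
# caller may run usermod through sudo.

# Constructed sample of group(5) lines, used only for the demonstration.
SAMPLE_GROUP_DB='root:x:0:
security:x:1001:
finance:x:1002:fgarcia,jdoe
admin:x:1003:fgarcia
marketing:x:1004:jdoe'

# Print the supplementary groups of USER, one per line, parsed from group(5)
# lines on stdin. Field 4 is the comma-separated member list.
supp_groups() {   # getent group | supp_groups USER
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }'
}

# Given the user's current supplementary groups (space separated) and the
# comma-separated list that would be passed to `usermod -G`, print the groups
# that a plain -G (without -a) would remove.
dropped_by_G() {   # dropped_by_G "CURRENT GROUPS" NEW,LIST
    new=",$2,"
    for g in $1; do
        case "$new" in *",$g,"*) ;; *) printf '%s\n' "$g" ;; esac
    done
}

# Append USER to GROUP with `usermod -a -G`, then confirm nothing was lost.
# Needs sudo rights for usermod; not run by the demonstration below.
add_supp_group() {   # add_supp_group USER GROUP
    before=$(getent group | supp_groups "$1" | tr '\n' ' ')
    sudo usermod -a -G "$2" "$1" || return 1
    after=$(getent group | supp_groups "$1" | tr '\n' ' ')
    lost=$(dropped_by_G "$before" "$(printf '%s' "$after" | tr ' ' ',')")
    if [ -n "$lost" ]; then
        echo "group membership lost for $1: $lost" >&2
        return 1
    fi
    echo "$1 is now in: $after(takes effect at next login)"
}

# Demonstration on the constructed data: fgarcia is in finance and admin;
# `usermod -G marketing fgarcia` would drop both, `usermod -a -G` keeps them.
current=$(printf '%s\n' "$SAMPLE_GROUP_DB" | supp_groups fgarcia | tr '\n' ' ')
echo "current supplementary groups: $current"
echo "a plain -G marketing would drop: $(dropped_by_G "$current" marketing | tr '\n' ' ')"
echo "-G finance,admin,marketing would drop: $(dropped_by_G "$current" finance,admin,marketing | tr '\n' ' ')"
```

On a live system, replace the constructed sample with getent group | supp_groups fgarcia to see the real membership, and use add_supp_group fgarcia marketing for the change itself.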

There are other options you can use with usermod to specify how you want to modify the user, including:

  • -d: Changes the user’s home directory (add -m to move the existing contents to the new location as well).

  • -l: Changes the user’s login name.

  • -L: Locks the user’s password by prefixing the stored hash with “!”, so the user can’t log in with a password. Other methods, such as an authorized SSH key, still work unless you also set an expiry date in the past with -e.

Options go between usermod and the username. For example, to change fgarcia’s home directory to /home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia: the option -d comes directly after usermod, followed by its argument (the new directory) and finally the username. Note that -d on its own only updates the path recorded for the account; add -m (sudo usermod -m -d /home/garcia_f fgarcia) to move the existing home directory contents too.

userdel

The userdel command deletes a user from the system. For example, entering sudo userdel fgarcia deletes the fgarcia account. Be careful before you delete a user with this command: the change is not reversible, and userdel refuses to remove an account that still has running processes unless you force it with -f.

The userdel command doesn’t delete the files in the user’s home directory unless you use the -r option. Entering sudo userdel -r fgarcia deletes the fgarcia account together with its home directory and mail spool. Files the user owns elsewhere on the system are not removed; they are left owned by the bare numeric UID, and a future account created with that UID would silently inherit them, so locate them first with find / -user fgarcia and reassign them. Before deleting any user files, make sure you have backups in case you need them later.

Note: Instead of deleting the user, consider deactivating the account with usermod -L. The account, its UID and its file ownership stay intact, so you can still find which files the user owns (for example, find / -user fgarcia) and move that ownership to other users before any deletion, which is useful when someone leaves the organization. Be aware that -L locks only the password; a user with an authorized SSH key could still log in, so pair it with an expiry date in the past (sudo usermod -L -e 1970-01-02 fgarcia), as the usermod manual page recommends, to block every login method.

chown

The chown command changes the ownership of a file or directory, either the user owner, the group owner, or both. To change the user owner of the access.txt file to fgarcia, enter sudo chown fgarcia access.txt. To change the group owner of access.txt to security, enter sudo chown :security access.txt; the colon (:) before security marks it as a group name. To set both in one command, enter sudo chown fgarcia:security access.txt.

Similar to useradd, usermod, and userdel, there are additional options that can be used with chown, such as -R to apply the change to a directory and everything beneath it.
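The note on usermod -L and the chown commands above are the pieces of an offboarding workflow; the added example below (not course code) strings them together: lock the departing account fully, find what it still owns, hand those files to a successor, and only then consider userdel. Assumed names: fgarcia is the departing user, jdoe the successor, and /srv/projects the shared tree to sweep; the script runs its privileged commands through sudo unless SUDO is set to empty.

```shell
#!/bin/sh
# Added example (not from the course): offboard a departed user by locking
# the account and reassigning their files, instead of deleting the account
# straight away. Assumed names: departing user fgarcia, successor jdoe,
# shared tree /srv/projects. Set SUDO= when already running as root.
: "${SUDO=sudo}"

# Lock the account fully. usermod -L only disables the password (it prefixes
# the hash with "!"), so an authorized SSH key would still log in; an expiry
# date in the past makes PAM reject every login method, as usermod(8) advises.
lock_account() {   # lock_account USER
    $SUDO usermod -L -e 1970-01-02 "$1"
}

# List paths under ROOT owned by USER. Run this before any userdel: userdel -r
# removes only the home directory and mail spool, and files elsewhere keep the
# bare numeric UID, which the next account assigned that UID would inherit.
owned_paths() {   # owned_paths ROOT USER
    find "$1" -user "$2" 2>/dev/null
}

# Give everything under ROOT owned by USER to SUCCESSOR. A bare user name
# changes only the user owner and leaves the group owner as it is; use
# "jdoe:security" as SUCCESSOR to set both at once.
reassign_owner() {   # reassign_owner ROOT USER SUCCESSOR
    find "$1" -user "$2" -exec $SUDO chown "$3" {} +
}

# The whole procedure; deletion is deferred until the reassignment is checked.
offboard_user() {   # offboard_user USER SUCCESSOR ROOT
    lock_account "$1" || return 1
    reassign_owner "$3" "$1" "$2" || return 1
    left=$(owned_paths "$3" "$1" | wc -l | tr -d ' ')
    if [ "$left" -ne 0 ]; then
        echo "$left paths under $3 are still owned by $1" >&2
        return 1
    fi
    echo "$1 locked; files under $3 now owned by $2. Safe to run: $SUDO userdel -r $1"
}

# Usage: sh offboard.sh run   (uses the assumed names above)
if [ "${1-}" = "run" ]; then
    offboard_user fgarcia jdoe /srv/projects
fi
```

Sweeping / instead of /srv/projects catches files in odd places, at the cost of a long find; either way, inspect the list owned_paths prints before reassigning, because a file under another user’s home that fgarcia owned may belong with that user rather than with jdoe.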

Key takeaways

Authentication is the process of a user verifying their identity, and authorization is the process of determining what they have access to. You can use the sudo command to temporarily run commands with elevated privileges to complete authentication and authorization management tasks. Specifically, useradd, userdel, usermod, and chown can be used to manage users and file ownership.