
Configuring sudo privileges for an ordinary user on Ubuntu

sudo is the standard Linux tool for letting an ordinary user run commands with superuser privileges. Ubuntu disables root login by default, and a user in the sudo group switches to root with sudo -i. Suppose instead that the www user should be allowed to restart the Apache service and nothing else. That is done by configuring /etc/sudoers; the steps below walk through it.

/etc/sudoers should be edited with visudo. The advantage is that it parses the file before installing it and refuses to save a rule set with syntax errors (a broken sudoers locks everyone out of sudo, which on a box with root login disabled means nobody can become root). The drawback is that on Ubuntu it opens nano, which not everyone finds comfortable; sudo update-alternatives --config editor changes the editor it uses. That is a matter of taste. I open the file with visudo -f /etc/sudoers, which is equivalent to plain visudo since /etc/sudoers is the default file.

First, here is Ubuntu's default sudoers configuration:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d      

Next, add a few aliases so that the privilege rules further down stay short instead of repeating long lists. Commands in sudoers must be given as absolute paths (visudo rejects a bare service), so use /usr/sbin/service, which is where which service points on Ubuntu:

# Host alias specification
Host_Alias SERVER = 192.168.188.115
# User alias specification
User_Alias USER_FLAG = www,tomcat
# Cmnd alias specification (absolute paths; sudoers does not accept bare command names)
Cmnd_Alias RESTARTAPACHE = /usr/sbin/service apache2 restart
Cmnd_Alias STOPAPACHE = /usr/sbin/service apache2 stop
Cmnd_Alias STARTAPACHE = /usr/sbin/service apache2 start

Then grant the privileges: the USER_FLAG users may run the three aliased commands on host SERVER. With no (user) part after the =, the commands run as root, and because each alias lists an exact argument string the users cannot append other arguments or name a different service.

# User privilege specification
root ALL=(ALL:ALL) ALL
USER_FLAG SERVER=RESTARTAPACHE,STOPAPACHE,STARTAPACHE      

Finally, turn on logging so that every sudo invocation by these users, allowed or refused, is recorded. sudo already logs through syslog (on Ubuntu that ends up in /var/log/auth.log); the logfile option writes a dedicated file as well, and log_host adds the host name to each entry. Defaults@SERVER scopes the settings to the SERVER host; sudo matches a host alias against the machine's own IP addresses, so the IP works even though the host name is ubuntu.

Defaults@SERVER log_host, logfile=/var/log/sudo.log      
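As an added example (not part of the original post), the same rule set packaged the way the header of the default sudoers recommends: as a drop-in under /etc/sudoers.d rather than an edit to the main file, written to a temp file, checked, and only then installed with the 0440 mode sudo requires. The IP, the user names and the log file come from the post; the file name apache-ops, the merged APACHECTL alias, the lint patterns and the ability to point the installer at a scratch directory for a dry run as a non-root user are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install the Apache sudo
# rules as a drop-in and validate them before they go live. Run as root
# with /etc/sudoers.d as the target, or as any user with a scratch
# directory for a dry run. File name and alias names are assumptions.

# The rule set. sudoers only accepts fully qualified command names, and
# an exact argument list means the users get exactly these three
# invocations: no extra arguments, no other service.
sudoers_rules() {
    cat <<'EOF'
Host_Alias SERVER = 192.168.188.115
User_Alias USER_FLAG = www, tomcat
Cmnd_Alias APACHECTL = /usr/sbin/service apache2 start, \
                       /usr/sbin/service apache2 stop, \
                       /usr/sbin/service apache2 restart
Defaults@SERVER log_host, logfile=/var/log/sudo.log
USER_FLAG SERVER = (root) APACHECTL
EOF
}

# Static sanity checks that need no tools (a heuristic, not a parser;
# visudo is the authority): no relative command in a Cmnd_Alias and no
# rule that hands out ALL. Returns 0 when the file passes.
sudoers_lint() {
    if grep -Eq '^Cmnd_Alias[^=]*=[[:space:]]*[^/[:space:]]' "$1"; then
        echo "lint: Cmnd_Alias with a non-absolute command" >&2
        return 1
    fi
    if grep -Eq '=[[:space:]]*(\([^)]*\)[[:space:]]*)?ALL([[:space:],]|$)' "$1"; then
        echo "lint: rule grants ALL" >&2
        return 1
    fi
    return 0
}

# Write the rules to a temp file, check them, then install them with the
# 0440 mode sudo insists on. $1 is the target directory (default
# /etc/sudoers.d). visudo -c is the real parser and also checks owner
# and mode, so it is used whenever we are root and it is installed.
sudoers_install() {
    dir=${1:-/etc/sudoers.d}
    tmp=$(mktemp) || return 1
    sudoers_rules > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    sudoers_lint "$tmp" || { rm -f "$tmp"; return 1; }
    # Drop-in names must not contain a dot or end in ~ or sudo skips them.
    install -m 0440 "$tmp" "$dir/apache-ops" && rm -f "$tmp"
}

# Usage: sh apache-sudo.sh /etc/sudoers.d      (as root)
#        sh apache-sudo.sh /tmp/sudo-dryrun    (dry run, any user)
if [ $# -ge 1 ]; then
    sudoers_install "$1"
fi
```

After a real install, sudo -l -U tomcat (as root) lists what the user may run, which is the quickest way to confirm the drop-in was picked up by #includedir.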

With the rules in place, switch to one of the users and verify that the whitelisted commands work and nothing else does (sudo -l would list the allowed commands; here they are simply tried). The httpd: lines below are Apache's own ServerName warning and have nothing to do with sudo.

root@ubuntu:~# su - tomcat
tomcat@ubuntu:~$ sudo service apache2 stop
[sudo] password for tomcat: 
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef|grep apache
tomcat 26247 1 0 07:53 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
tomcat 27905 27848 0 11:35 pts/0 00:00:00 grep apache
tomcat@ubuntu:~$ sudo service apache2 start
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef|grep apache 
tomcat 26247 1 0 07:53 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
root 27910 1 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27911 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27912 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27913 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27914 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27915 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
tomcat 27917 27848 0 11:35 pts/0 00:00:00 grep apache
tomcat@ubuntu:~$ sudo -i
Sorry, user tomcat is not allowed to execute '/bin/bash' as root on ubuntu.
tomcat@ubuntu:~$ logout
root@ubuntu:~# more /var/log/sudo.log 
May 11 11:35:42 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
 USER=root ; COMMAND=service apache2 stop
May 11 11:35:49 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
 USER=root ; COMMAND=service apache2 start
May 11 11:35:54 : tomcat : HOST=ubuntu : command not allowed ; TTY=pts/0 ;
 PWD=/home/tomcat ; USER=root ; COMMAND=/bin/bash