
System Operations 23-3: Sudo Basics

Basics of sudo

    su: Switch User

sudo

    Lets a user perform operations that belong to another account without holding that account's credentials (its user name and password)

    Once authorized, the user can run commands under another user's identity

Note: on Ubuntu and similar distributions the root account has no password, so su - to root is effectively blocked, but sudo su - (or the equivalent sudo -i) still switches to root

Configuration file: sudoers

    root      ALL=(ALL)       ALL

    %wheel    ALL=(ALL)       ALL

    who      which user may run the command (user)

    where    from which hosts (host)

    (whom)   as which user the command runs (runas)

    which    which commands may be run (command)

    Entry format

        user hosts=(runas) commands

        users:

            username

            #uid

            user_alias

            %group_name

            %#gid

        hosts:

            ip

            hostname

            netaddr

        command:

            command name

            directory

            sudoedit

            Alias_Type NAME = item1, item2, ...

                NAME must start with an uppercase letter and may contain only uppercase letters, digits and underscores

                Alias_Type

                    User_Alias

                    Runas_Alias

                    Host_Alias

                    Cmnd_Alias

        sudo COMMAND

            -u user   run the command as this user (default: root)

            -k        invalidate the cached credentials (the timestamp that lets sudo skip the password prompt for a while)
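As an added example (not part of the original page), the entry grammar above put to use: a complete drop-in for /etc/sudoers.d that exercises all four alias types, together with the safe way to install it (parse with visudo first, then install read-only). The alias names NETADMIN and NETADMINCMND reuse the names from this page; the Defaults values, the OPS and LAB_HOSTS aliases, the host lab2, the 172.20.0.0/24 network and /usr/sbin/ss are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: generate, validate and install a sudoers
# drop-in. Alias names NETADMIN/NETADMINCMND come from the page; everything else is assumed.

# Pure function: prints the policy, so it can be reviewed or tested without touching /etc.
render_sudoers_fragment() {
    cat <<'EOF'
# Session hardening (all three options exist in sudo 1.8.x as shipped with CentOS 7):
# re-authenticate after 5 idle minutes, run commands in a pty so they cannot drive
# the caller's terminal behind sudo's back, and keep a plain-text log of every run.
Defaults        timestamp_timeout=5
Defaults        use_pty
Defaults        logfile="/var/log/sudo.log"

# who (User_Alias)
User_Alias      NETADMIN = netuser1, netuser2
# whom (Runas_Alias)
Runas_Alias     OPS = root
# where (Host_Alias): host names, an IP address, or a network in CIDR notation
Host_Alias      LAB_HOSTS = lab1, lab2, 172.20.0.0/24
# which (Cmnd_Alias): absolute paths; a path ending in / means every command in that directory
Cmnd_Alias      NETADMINCMND = /usr/sbin/ip, /usr/sbin/ss

# who           where     = (whom) which
NETADMIN        LAB_HOSTS = (OPS) NETADMINCMND
EOF
}

# install_sudoers_fragment NAME [DIR]: write the policy to DIR/NAME (default /etc/sudoers.d)
# only after visudo has parsed it. A syntax error in a live sudoers file locks everyone out.
install_sudoers_fragment() {
    name=$1
    dir=${2:-/etc/sudoers.d}
    # sudo silently skips drop-ins whose names contain '.' or '~' (editor backups, package leftovers).
    case $name in
        *.*|*~*) echo "bad drop-in name: $name" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    render_sudoers_fragment > "$tmp"
    # -c = check only, -f = file to check; nothing is installed yet.
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # sudo insists on root ownership and mode 0440 (the mode /etc/sudoers itself has above).
    install -o root -g root -m 0440 "$tmp" "$dir/$name"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical invocation as root, followed by a check of what a member actually gets:
#   install_sudoers_fragment netadmin && sudo -l -U netuser1
```

sudo -l -U netuser1, run as root, prints the effective grants for netuser1 without switching users, which is the quickest way to confirm that a new drop-in has been picked up and says what you meant.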

View the default configuration file

    [root@lab1 ~]# ll /etc | grep sudoers

    -r--r-----.  1 root root     3938 Jun  7  2017 sudoers

    drwxr-x---.  2 root root        6 Aug  4  2017 sudoers.d

    [root@lab1 ~]# grep -v ^# /etc/sudoers | grep -v ^$

    Defaults   !visiblepw

    Defaults    always_set_home

    Defaults    match_group_by_gid

    Defaults    env_reset

    Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

    Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

    Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

    Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

    Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

    root    ALL=(ALL)     ALL

    %wheel    ALL=(ALL)    ALL

    [root@lab1 ~]# sudo -u user001 whoami

    user001

    [root@lab1 ~]# whoami

    root

Test the default permissions (a group change made with usermod only applies to sessions started after the change, so log in again before retesting)

    [user001@lab1 ~]$ fdisk -l

    fdisk: cannot open /dev/sda: Permission denied

    fdisk: cannot open /dev/sr0: Permission denied

    fdisk: cannot open /dev/mapper/centos-root: Permission denied

    fdisk: cannot open /dev/mapper/centos-swap: Permission denied

    [user001@lab1 ~]$ sudo fdisk -l

    We trust you have received the usual lecture from the local System

    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.

        #2) Think before you type.

        #3) With great power comes great responsibility.

    [sudo] password for user001: 

    user001 is not in the sudoers file.  This incident will be reported.

    [root@lab1 ~]# usermod -a -G wheel user001

    You have new mail in /var/spool/mail/root

    [root@lab1 ~]# id user001

    uid=1025(user001) gid=1025(user001) groups=1025(user001),10(wheel)

    [user001@lab1 ~]$ fdisk -l

    fdisk: cannot open /dev/sda: Permission denied

    fdisk: cannot open /dev/sr0: Permission denied

    fdisk: cannot open /dev/mapper/centos-root: Permission denied

    fdisk: cannot open /dev/mapper/centos-swap: Permission denied

    [user001@lab1 ~]$ sudo fdisk -l

    [sudo] password for user001: 

    Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x000a2c70

       Device Boot      Start         End      Blocks   Id  System

    /dev/sda1   *        2048     2099199     1048576   83  Linux

    /dev/sda2         2099200    41943039    19921920   8e  Linux LVM

    Disk /dev/mapper/centos-root: 18.2 GB, 18249416704 bytes, 35643392 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

Edit the configuration file (always through visudo, which locks /etc/sudoers while you edit and refuses to save a file with syntax errors)

    [root@lab1 ~]# tail -4 /etc/sudoers

    User_Alias NETADMIN = netuser1,netuser2

    Cmnd_Alias NETADMINCMND = /usr/sbin/ip

    NETADMIN    ALL=(root)    NETADMINCMND

Create the user accounts

    [root@lab1 ~]# useradd netuser1

    [root@lab1 ~]# useradd netuser2

    [root@lab1 ~]# echo "redhat" | passwd --stdin netuser1

    Changing password for user netuser1.

    passwd: all authentication tokens updated successfully.

    [root@lab1 ~]# echo "redhat" | passwd --stdin netuser2

    Changing password for user netuser2.

    passwd: all authentication tokens updated successfully.

Switch user and view the granted commands

    [root@lab1 ~]# su - netuser1

    [netuser1@lab1 ~]$ sudo -l

    We trust you have received the usual lecture from the local System

    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.

        #2) Think before you type.

        #3) With great power comes great responsibility.

    [sudo] password for netuser1: 

    Matching Defaults entries for netuser1 on lab1:

        !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS

        DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR

        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION

        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC

        LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS

        _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User netuser1 may run the following commands on lab1:

        (root) /usr/sbin/ip

Permission test for the specified user

    [netuser1@lab1 ~]$ sudo ip addr

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1

        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

        inet 127.0.0.1/8 scope host lo

           valid_lft forever preferred_lft forever

        inet6 ::1/128 scope host 

           valid_lft forever preferred_lft forever

    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

        link/ether 00:0c:29:b0:6e:59 brd ff:ff:ff:ff:ff:ff

        inet 172.20.0.131/24 brd 172.20.0.255 scope global dynamic ens33

           valid_lft 1264sec preferred_lft 1264sec

        inet6 fe80::3e66:b2a:5133:93d1/64 scope link 

           valid_lft forever preferred_lft forever

    [netuser1@lab1 ~]$ sudo route -n

    Sorry, user netuser1 is not allowed to execute '/sbin/route -n' as root on lab1.example.com.

Clear the cached credentials

    [netuser1@lab1 ~]$ sudo -k

Special permissions (let a user manage accounts, but block changes to the administrator's password)

    [root@lab1 ~]# tail -5 /etc/sudoers

    User_Alias USERADMIN = poweruser1,poweruser2

    Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd

    USERADMIN    ALL=(root)    NOPASSWD:USERADMINCMND

    [root@lab1 ~]# useradd poweruser1

    [root@lab1 ~]# su - poweruser1

    [poweruser1@lab1 ~]$ sudo -l

    Matching Defaults entries for poweruser1 on lab1:

        !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS

        DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR

        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION

        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC

        LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS

        _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User poweruser1 may run the following commands on lab1:

        (root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd

    [poweruser1@lab1 ~]$ useradd testuser

    -bash: /usr/sbin/useradd: Permission denied

    [poweruser1@lab1 ~]$ sudo useradd testuser

    [root@lab1 ~]# tail -4 /etc/sudoers

    Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root

    USERADMIN    ALL=(root)    NOPASSWD:USERADMINCMND

    [root@lab1 ~]# su - poweruser1

    Last login: Wed May  8 07:25:35 EDT 2019 on pts/0

    [poweruser1@lab1 ~]$ sudo passwd root

    Sorry, user poweruser1 is not allowed to execute '/bin/passwd root' as root on lab1.example.com.

    [poweruser1@lab1 ~]$ sudo passwd netuser1

    Changing password for user netuser1.

    New password: 

    BAD PASSWORD: The password is shorter than 8 characters

    Retype new password: 

    passwd: all authentication tokens updated successfully.
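The exclusion above only goes as far as sudo's argument matching, and the sudoers manual warns that subtracting commands with the ! operator is a weak control: wildcards in command arguments are matched against the whole argument string, and, more importantly here, /usr/sbin/usermod and /usr/sbin/useradd sit in the same NOPASSWD alias with no argument restriction, so a USERADMIN member can add themselves to wheel (which holds ALL=(ALL) ALL above) or create a second uid-0 account and then set its password, none of which the !/usr/bin/passwd root line prevents. The usual hardening is to grant the role exactly one root-owned wrapper script and put the policy in the script, where it can check the target account properly. Added example, not from the original page: such a wrapper, reusing the USERADMIN name from this page; the path /usr/local/sbin/reset-user-password, the ADMIN_GROUP default and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: /usr/local/sbin/reset-user-password, a root-owned
# (0755, root:root) wrapper that becomes the ONLY command the helpdesk role may run, e.g.
#   USERADMIN ALL=(root) NOPASSWD: /usr/local/sbin/reset-user-password
# The path, the ADMIN_GROUP default and the log tag are assumptions.

ADMIN_GROUP=${ADMIN_GROUP:-wheel}   # members of this group already hold full sudo rights

# target_allowed NAME: succeeds only if NAME is an ordinary local account a helpdesk user may reset.
target_allowed() {
    name=$1
    # A plain user name only: no empty string, no leading '-', no characters passwd could
    # misparse. sudo's own matching never sees these arguments, so the script must check them.
    case $name in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    entry=$(getent passwd "$name") || return 1            # must exist in the passwd database
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    [ "$uid" -ne 0 ] || return 1                          # any uid-0 account, whatever its name
    # Resetting the password of someone in the admin group would be a full account takeover.
    for g in $(id -Gn "$name"); do
        [ "$g" != "$ADMIN_GROUP" ] || return 1
    done
    return 0
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 USER" >&2; exit 2; }
    if ! target_allowed "$1"; then
        echo "refusing to reset the password of '$1'" >&2
        exit 1
    fi
    # sudo exports SUDO_USER with the invoking account, so the audit trail names the real operator.
    logger -t reset-user-password "${SUDO_USER:-unknown} resets password of $1"
    exec passwd "$1"
}

# Run only when given an argument, so the functions can also be sourced and tested.
[ $# -eq 0 ] || main "$@"
```

Install the script as root with mode 0755 (the helpdesk users must not be able to write to it), then replace the whole USERADMINCMND alias with the single wrapper path. The sudoers grant then names one fixed command with no wildcard and no ! exclusion, so there is nothing for sudo's matcher to get wrong, and every policy decision happens in code that can be reviewed and shows up in the log.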
