SUDO basics
su: Switch User
sudo
Lets a user carry out operations without needing the account name and password of another account.
Once authorized, a user can run commands under the identity of another user.
Note: Ubuntu and similar distributions sometimes restrict su - to administrators, but sudo su - can still switch.
Configuration file: sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
who: the identity of the user running the command (user)
where: the hosts from which it may be run (host)
(whom): the user identity to run the command as (runas)
which: the commands that may be run (command)
Configuration entry
user hosts=(runas) commands
users:
username
#uid
user_alias
%group_name
%#gid
hosts:
ip
hostname
netaddr
command:
command name
directory
sudoedit
Alias_Type NAME = item1, item2, ...
NAME must consist of uppercase letters only
Alias_Type
User_Alias
Runas_Alias
Host_Alias
Cmnd_Alias
sudo COMMAND
-u user: run the command as this user (defaults to root)
-k: invalidate the cached credentials (the login password recorded earlier)
View the default configuration file
[root@lab1 ~]# ll /etc | grep sudoers
-r--r-----. 1 root root 3938 Jun 7 2017 sudoers
drwxr-x---. 2 root root 6 Aug 4 2017 sudoers.d
[root@lab1 ~]# grep -v ^# /etc/sudoers | grep -v ^$
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
[root@lab1 ~]# sudo -u user001 whoami
user001
[root@lab1 ~]# whoami
root
Test the default privileges
[user001@lab1 ~]$ fdisk -l
fdisk: cannot open /dev/sda: Permission denied
fdisk: cannot open /dev/sr0: Permission denied
fdisk: cannot open /dev/mapper/centos-root: Permission denied
fdisk: cannot open /dev/mapper/centos-swap: Permission denied
[user001@lab1 ~]$ sudo fdisk -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user001:
user001 is not in the sudoers file. This incident will be reported.
[root@lab1 ~]# usermod -a -G wheel user001
You have new mail in /var/spool/mail/root
[root@lab1 ~]# id user001
uid=1025(user001) gid=1025(user001) groups=1025(user001),10(wheel)
[user001@lab1 ~]$ fdisk -l
fdisk: cannot open /dev/sda: Permission denied
fdisk: cannot open /dev/sr0: Permission denied
fdisk: cannot open /dev/mapper/centos-root: Permission denied
fdisk: cannot open /dev/mapper/centos-swap: Permission denied
[user001@lab1 ~]$ sudo fdisk -l
[sudo] password for user001:
Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000a2c70
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 2099199 1048576 83 Linux
/dev/sda2 2099200 41943039 19921920 8e Linux LVM
Disk /dev/mapper/centos-root: 18.2 GB, 18249416704 bytes, 35643392 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Edit the configuration file
[root@lab1 ~]# tail -4 /etc/sudoers
User_Alias NETADMIN = netuser1,netuser2
Cmnd_Alias NETADMINCMND = /usr/sbin/ip
NETADMIN ALL=(root) NETADMINCMND
Create the user accounts
[root@lab1 ~]# useradd netuser1
[root@lab1 ~]# useradd netuser2
[root@lab1 ~]# echo "redhat" | passwd --stdin netuser1
Changing password for user netuser1.
passwd: all authentication tokens updated successfully.
[root@lab1 ~]# echo "redhat" | passwd --stdin netuser2
Changing password for user netuser2.
passwd: all authentication tokens updated successfully.
Switch user and check the granted privileges
[root@lab1 ~]# su - netuser1
[netuser1@lab1 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for netuser1:
Matching Defaults entries for netuser1 on lab1:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User netuser1 may run the following commands on lab1:
(root) /usr/sbin/ip
Test the privileges of the specified user
[netuser1@lab1 ~]$ sudo ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b0:6e:59 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.131/24 brd 172.20.0.255 scope global dynamic ens33
valid_lft 1264sec preferred_lft 1264sec
inet6 fe80::3e66:b2a:5133:93d1/64 scope link
valid_lft forever preferred_lft forever
[netuser1@lab1 ~]$ sudo route -n
Sorry, user netuser1 is not allowed to execute '/sbin/route -n' as root on lab1.example.com.
Clear the cached credentials
[netuser1@lab1 ~]$ sudo -k
Special privileges (preventing changes to the administrator's password)
[root@lab1 ~]# tail -5 /etc/sudoers
User_Alias USERADMIN = poweruser1,poweruser2
Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd
USERADMIN ALL=(root) NOPASSWD:USERADMINCMND
[root@lab1 ~]# useradd poweruser1
[root@lab1 ~]# su - poweruser1
[poweruser1@lab1 ~]$ sudo -l
Matching Defaults entries for poweruser1 on lab1:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User poweruser1 may run the following commands on lab1:
(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd
[poweruser1@lab1 ~]$ useradd testuser
-bash: /usr/sbin/useradd: Permission denied
[poweruser1@lab1 ~]$ sudo useradd testuser
[root@lab1 ~]# tail -4 /etc/sudoers
Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
USERADMIN ALL=(root) NOPASSWD:USERADMINCMND
[root@lab1 ~]# su - poweruser1
Last login: Wed May 8 07:25:35 EDT 2019 on pts/0
[poweruser1@lab1 ~]$ sudo passwd root
Sorry, user poweruser1 is not allowed to execute '/bin/passwd root' as root on lab1.example.com.
[poweruser1@lab1 ~]$ sudo passwd netuser1
Changing password for user netuser1.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
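To show how sudo evaluates the entries used throughout this note (User_Alias and Cmnd_Alias expansion, the runas field, NOPASSWD, and why the trailing !/usr/bin/passwd root exclusion blocks "passwd root" but still permits "passwd netuser1"), here is an added Python model of the matching rules. It is example code written for this note, not part of sudo; the sudoers text and the wheel group membership are constructed from the page's own examples.

```python
import fnmatch
import re
# Constructed sudoers fragment assembled from the entries shown on the page.
SUDOERS = """
%wheel ALL=(ALL) ALL
User_Alias NETADMIN = netuser1,netuser2
Cmnd_Alias NETADMINCMND = /usr/sbin/ip
NETADMIN ALL=(root) NETADMINCMND
User_Alias USERADMIN = poweruser1,poweruser2
Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
USERADMIN ALL=(root) NOPASSWD:USERADMINCMND
"""
GROUPS = {"wheel": {"user001"}}  # constructed, mirrors `usermod -a -G wheel user001`

def parse(text):  # -> (alias tables, [(user, host, runas, nopasswd, cmnds)])
    aliases, rules = {"User_Alias": {}, "Cmnd_Alias": {}}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        if kind in aliases:  # Alias_Type NAME = item1, item2, ...
            name, items = rest.split("=", 1)
            aliases[kind][name.strip()] = [i.strip() for i in items.split(",")]
        else:  # user host=(runas) [NOPASSWD:]commands
            host, spec = rest.split("=", 1)
            m = re.match(r"\s*\((\w+)\)\s*(NOPASSWD:)?\s*(.+)", spec)
            rules.append((kind, host.strip(), m.group(1), bool(m.group(2)), m.group(3).strip()))
    return aliases, rules

def cmnd_matches(spec, cmd, args):
    # sudoers matching: exact command path; arguments are glob-matched only if the spec lists any.
    parts = spec.split(None, 1)
    if spec != "ALL" and parts[0] != cmd:
        return False
    return len(parts) == 1 or fnmatch.fnmatchcase(args, parts[1])

def check(user, runas, argv, host="lab1", sudoers=SUDOERS):
    # Returns (allowed, nopasswd). As in sudo, the last matching entry wins, so a "!" entry overrides earlier ones.
    aliases, rules = parse(sudoers)
    cmd, args = argv[0], " ".join(argv[1:])
    allowed, nopasswd = False, False
    for r_user, r_host, r_runas, r_nopw, r_cmnds in rules:
        members = GROUPS.get(r_user[1:], set()) if r_user.startswith("%") else aliases["User_Alias"].get(r_user, [r_user])
        if (r_user != "ALL" and user not in members) or r_host not in ("ALL", host) or r_runas not in ("ALL", runas):
            continue
        for spec in aliases["Cmnd_Alias"].get(r_cmnds, [r_cmnds]):
            if cmnd_matches(spec.lstrip("!"), cmd, args):
                allowed, nopasswd = not spec.startswith("!"), r_nopw
    return allowed, nopasswd
```

sudoers(5) itself documents limitations of the "!" operator, so an allowlist of the exact commands a role needs is the safer pattern than excluding a few dangerous invocations.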