su命令、sudo命令、限制root遠程登陸

3.7 su命令

• su切換用戶但不切換當前工做目錄以及 HOME,SHELL,USER,LOGNAME;僅僅擁有了root的權限

[root@24centos7-01 ~]# su vitus
[vitus@24centos7-01 root]$ pwd
/root

• su -，su -l或su --login 命令改變身份時，也同時變動工做目錄，以及HOME，SHELL，USER，LOGNAME。此外，也會變動PATH變量

[root@24centos7-01 ~]# su - vitus
上一次登陸：四 10月 26 20:09:48 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ pwd
/home/vitus

• su - -c 指定用戶的身份去執行命令

[root@24centos7-01 ~]# su - -c "touch /tmp/vitus.txt" vitus
[root@24centos7-01 ~]# ls -l /tmp/
總用量 1
-rw-rw-r-- 1 vitus vitus  0 10月 26 21:31 vitus.txt

• root切換至其它普通用戶時無需密碼，普通用戶切換至用戶時須要輸入目標用戶的密碼

3.8 sudo命令 讓普通用戶臨時擁有root用戶的身份，方便執行某些操做，避免將root用戶的密碼分發給過多員工

• visudo打開sudoer的配置文件

[root@24centos7-01 ~]# visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases		--主機別名受權
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases		--用戶別名受權
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL											--容許root用戶在任何地方運行全部的命令
vitus   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat		--爲普通用戶添加ls，mv，cat權限

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL											--爲group成員添加權限

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

• 測試普通用戶vitus下ls,mv,cat的是否能夠使用

[root@24centos7-01 ~]# su - vitus
上一次登陸：四 10月 26 21:50:40 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ ls /root/
ls: 沒法打開目錄/root/: 權限不夠
[vitus@24centos7-01 ~]$ sudo ls /root/
[sudo] password for vitus: 
anaconda-ks.cfg  showtime.txt  test
[vitus@24centos7-01 ~]$ mv /root/showtime.txt /root/showtime_1.txt
mv: failed to access "/root/showtime_1.txt": 權限不夠
[vitus@24centos7-01 ~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[vitus@24centos7-01 ~]$ sudo ls /root/
anaconda-ks.cfg  showtime_1.txt  test
[vitus@24centos7-01 ~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[vitus@24centos7-01 ~]$ cat /root/showtime.txt
cat: /root/showtime.txt: 權限不夠
[vitus@24centos7-01 ~]$ sudo cat /root/showtime.txt
linux
learning linux

3.9 限制root遠程登陸

1.修改/etc/ssh/sshd_config配置文件，將#PermitRootLogin yes改成PermitRootLogin no

[root@24centos7-01 ~]# vim /etc/ssh/sshd_config 
#PermitRootLogin yes	--將其修改,去掉註釋#，將yes改成no，保存退出

[root@24centos7-01 ~]# systemctl restart sshd.service	--重啓ssh服務

login as: root
root@10.0.0.26's password:
Access denied
root@10.0.0.26's password:
Access denied
root@10.0.0.26's password:				--這時使用密碼沒法登陸root

2.修改visudo,添加

vitus   ALL=(ALL)       NOPASSWD: /bin/su, /bin/sudo

3.使用普通用戶登陸而後經過sudo su - root切換至root用戶下

[vitus@24centos7-01 ~]$ sudo su - root
上一次登陸：四 10月 26 22:37:43 CST 2017pts/0 上
[root@24centos7-01 ~]# whoami
root