Configuring sudo to obtain root privileges temporarily
Ordinary users on a system sometimes need root privileges to perform a particular operation. Doing that with su - root means they have to know the root password, which is insecure (the password ends up shared), and that is why sudo exists: root can configure /etc/sudoers so that ordinary users,
without switching to root, can run a few operations that only root is normally allowed to perform. Only root can modify this file, and it should be edited with the visudo command rather than directly with vim /etc/sudoers.
There are two reasons:
◦ first, visudo locks the file, so two users cannot modify it at the same time;
◦ second, it also performs a (limited) syntax check before the new file is installed.
When the edited file contains an error, visudo reports it and prompts you: press e to edit again, x to exit without saving, or Q to save anyway and quit. If you choose Q, the broken file is installed and sudo stops working for everyone, so keep a root shell open until you have confirmed the change works.
The experiment below does two things: it grants sudo rights to a named user, and it uses an alias to grant a group of users a fixed set of sudo commands.
The procedure is as follows:
- [root@mail ~]# visudo
-
- #chen is an ordinary user; the first ALL is the host list (the rule applies on any host, which matters when one sudoers file is shared across machines); (root) means the commands may be run as root; what follows is the list of permitted commands, which should be written as full paths
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 ## Allows members of the 'sys' group to run networking, software,
-
-
- [root@mail ~]# exit
- logout
- [chen@mail Desktop]$ sudo -l #list the sudo commands you are allowed to run
- [sudo] password for chen: #enter your own password, not root's
- Matching Defaults entries for chen on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
-
- User chen may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #these are the sudo commands chen may run
- [chen@mail Desktop]$ sudo useradd user3 #test
- [chen@mail Desktop]$ sudo passwd user3
- Changing password for user user3.
- New password:
- BAD PASSWORD: it is too short
- BAD PASSWORD: it is too simple
- Retype new password:
- passwd: all authentication tokens updated successfully.
- [chen@mail Desktop]$ id user3 #user3 was created successfully
- uid=503(user3) gid=503(user3) groups=503(user3)
- [chen@mail Desktop]$ visudo #ordinary users are not allowed to edit the file
- visudo: /etc/sudoers: Permission denied
- visudo: /etc/sudoers: Permission denied
- [chen@mail Desktop]$ su - root
- Password:
- [root@mail ~]# visudo
- [root@mail ~]# cat /etc/sudoers |grep user1 #the following line was added in the editor
- user1 ALL=(user2) /bin/ls
- [root@mail ~]# su - user1
- [user1@mail ~]$ sudo -l
-
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
-
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
-
- [sudo] password for user1:
- Matching Defaults entries for user1 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
-
- User user1 may run the following commands on this host:
- (user2) /bin/ls
- [user1@mail ~]$ ls /home/user2 #user1 reading user2's home directory directly is of course not allowed
- ls: cannot open directory /home/user2: Permission denied
- [user1@mail ~]$ sudo -u user2 ls /home/user2 #but reading it through sudo as user2 works
- a
-
- #user1 cannot create an account as user2, because sudo only consults the invoking user's own rules: user1's rule for the target user user2 lists /bin/ls and nothing else.
- #Whether user2 itself could run useradd makes no difference; giving user2 a sudo rule for useradd will still not make this work,
- #because sudo rights are not transitive. See the demonstration.
- [user1@mail ~]$ sudo -u user2 useradd user4 #not allowed at this point
- Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
- [user1@mail ~]$ exit
- logout
- [root@mail ~]# visudo
- #This line was added to give user2 a sudo rule for creating users. Does sudo -u user2 useradd user4 work now? No!
- user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- [root@mail ~]# su - user2
- [user2@mail ~]$ sudo -l
-
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
-
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
-
- [sudo] password for user2:
- Matching Defaults entries for user2 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
-
- User user2 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd
- [user2@mail ~]$ su - user1
- Password:
- [user1@mail ~]$ sudo -u user2 useradd user4 #here is the answer: still not allowed
- Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
- [user1@mail ~]$
- #Summary: sudo -u USER COMMAND runs COMMAND as USER, but whether that is permitted is decided only by the invoking user's own sudoers rules: there must be a rule for the invoking user (or an alias containing it) whose runas list contains USER, or ALL, and whose command list contains COMMAND. What USER itself may run, directly or through its own sudo rules, never enters into it, so sudo rights are not transitive. Without -u, sudo runs the command as root.
- #Caveat on the rules used here: a command listed without arguments matches any arguments, so chen's rule for /usr/bin/passwd also permits sudo passwd root, and the useradd rule permits creating a second UID 0 account with useradd -o -u 0; either is equivalent to handing chen full root. sudoers(5) shows how to restrict arguments, for example /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root.
-
- [user1@mail ~]$ exit
- logout
- [user2@mail ~]$ exit
- logout
- [root@mail ~]# visudo
- #The change: lines 91 and 92 were deleted,
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 user1 ALL=(user2) /bin/ls #deleted
- 92 user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #deleted
-
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 ADMIN ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #newly added
-
- 20 # User_Alias ADMINS = jsmith, mikem
- 21 User_Alias ADMIN = user1, user2 #newly added
- 22
- #ADMIN is now an alias for user1 and user2; the rule granting the user-creation commands is attached to the alias, so user1 and user2 both get it (alias names must be written in upper case)
- [root@mail ~]# su - user1
- [user1@mail ~]$ sudo -l
- [sudo] password for user1:
- Matching Defaults entries for user1 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
-
- User user1 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #user1 now has the useradd right
- [user1@mail ~]$ su - user2
- Password:
- [user2@mail ~]$ sudo -l
- [sudo] password for user2:
- Matching Defaults entries for user2 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
-
- User user2 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #and so does user2
- [user2@mail ~]$
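The decision rule described in the summary above (a rule for the invoking user, a matching runas field, a matching command; the target user's own rights are irrelevant) and the User_Alias used at the end can be modelled in a few lines of shell and awk. The script below is an added example written for this page; it is not sudo's own parser and not code from the original post. The rule text in RULES is constructed for the example and gathers every rule the post adds during the experiment; sudo_allowed is the example's own function name. It deliberately handles only what the post uses (User_Alias, the (runas) field, comma-separated command lists, ALL, and the rule that a program listed without arguments matches any arguments) and ignores host lists, Cmnd_Alias/Runas_Alias, wildcards, "!" negation and Defaults.

```shell
#!/bin/sh
# Added example: a simplified model of how sudo decides whether INVOKER may run
# a command as RUNAS. Constructed rule text, not the live /etc/sudoers of the post.
RULES='
# User_Alias ADMINS = jsmith, mikem
User_Alias ADMIN = user1, user2
root  ALL=(ALL) ALL
chen  ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
user1 ALL=(user2) /bin/ls
ADMIN ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
'

# sudo_allowed INVOKER RUNAS PROGRAM [ARGS...]
# Returns 0 if some rule for INVOKER (or an alias containing INVOKER)
# lists RUNAS (or ALL) and PROGRAM (or ALL); returns 1 otherwise.
sudo_allowed() {
    who=$1; runas=$2; prog=$3
    shift 3
    args=$*
    printf '%s\n' "$RULES" | awk -v who="$who" -v runas="$runas" \
                                 -v prog="$prog" -v args="$args" '
    BEGIN { ok = 0 }
    /^[[:space:]]*(#|$)/ || $1 == "Defaults" { next }
    $1 == "User_Alias" {
        # "User_Alias NAME = a, b" -> alias[NAME] = " a b "
        name = $2
        sub(/^[^=]*=[[:space:]]*/, "")
        gsub(/,/, " ")
        alias[name] = " " $0 " "
        next
    }
    {
        # A rule applies if its user field is the invoker or an alias that
        # contains the invoker. The rights of RUNAS itself play no part.
        spec = $1
        if (spec != who && !((spec in alias) && index(alias[spec], " " who " ")))
            next
        rest = $0
        sub(/^[^[:space:]]+[[:space:]]+/, "", rest)      # drop the user field
        body = substr(rest, index(rest, "=") + 1)         # "(runas) cmd, cmd"
        if (match(body, /^[[:space:]]*\([^)]*\)/)) {
            target = substr(body, RSTART, RLENGTH)
            gsub(/[[:space:]()]/, "", target)
            body = substr(body, RSTART + RLENGTH)
        } else {
            target = "root"                               # sudo default runas
        }
        if (target != "ALL" && target != runas) next
        n = split(body, list, ",")
        for (i = 1; i <= n; i++) {
            entry = list[i]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", entry)
            if (entry == "ALL") { ok = 1; continue }
            m = split(entry, w, /[[:space:]]+/)
            if (w[1] != prog) continue
            # A program listed without arguments matches ANY arguments,
            # "" means no arguments allowed; other argument lists are compared
            # literally here (real sudo applies shell-style wildcards).
            if (m == 1) ok = 1
            else if (w[2] == "\"\"" && args == "") ok = 1
            else { sub(/^[^[:space:]]+[[:space:]]+/, "", entry); if (entry == args) ok = 1 }
        }
    }
    END { exit ok ? 0 : 1 }'
}

# Demonstration mirroring the post: the last line is the caveat from the summary.
sudo_allowed chen  root  /usr/sbin/useradd user3  && echo "chen may create user3 as root"
sudo_allowed user1 user2 /bin/ls /home/user2      && echo "user1 may run ls as user2"
sudo_allowed user1 user2 /usr/sbin/useradd user4  || echo "user1 may NOT run useradd as user2"
sudo_allowed user2 root  /usr/sbin/useradd user4  && echo "user2 may create user4 as root via ADMIN"
sudo_allowed chen  root  /usr/bin/passwd root     && echo "chen may also change the root password!"
```

Run it as a plain script; no root privileges and no sudo installation are needed, since nothing is executed, only the rule match is evaluated. The third line is the case the post tests twice: even with user2 holding its own (root) useradd rule, user1's only rule with runas user2 names /bin/ls, so the request is refused.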