Category: Original  System: Linux
1. Software installation
[root@jedy ~]# yum install sudo
2. Edit the configuration file
[root@jedy ~]# visudo \\ edit the configuration file
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
tt localhost=(root) ALL \\ grant user tt sudo permission to run all commands as root on the local host.
3. Testing
[root@localhost ~]# su tt
[tt@localhost root]$ sudo ls
anaconda-ks.cfg Desktop Documents Downloads install.log install.log.syslog Music Pictures Public Templates Videos vmware-tools-distrib
[tt@localhost root]$ sudo pwd
/root
[tt@localhost root]$
[tt@localhost root]$ sudo ls -l
total 56
-rw-------. 1 root root 1243 Mar 18 11:10 anaconda-ks.cfg
drwxr-xr-x. 2 root root 4096 Mar 18 14:42 Desktop
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Documents
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Downloads
-rw-r--r--. 1 root root 8815 Mar 18 11:10 install.log
-rw-r--r--. 1 root root 3384 Mar 18 11:08 install.log.syslog
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Music
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Pictures
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Public
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Templates
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Videos
drwxr-xr-x. 7 root root 4096 Oct 18 09:26 vmware-tools-distrib
[tt@localhost root]$
4. Using sudo with Linux shell built-in commands
[tt@localhost root]$ sudo cd
sudo: cd: command not found \\ cd and similar commands are Linux shell built-ins, so sudo cannot invoke them; however, we can invoke them through sudo bash. The method is as follows.
[tt@localhost root]$
[tt@localhost root]$ sudo sh \\ open a shell as root
sh-4.1# pwd
/root
sh-4.1# cd
sh-4.1# pwd
/root \\ running as root
sh-4.1# cd /
sh-4.1# pwd
/
sh-4.1# exit
exit
[tt@localhost root]$
5. sudo security
Running a new shell through the sudo command is not safe, so doing this is generally not recommended.
[root@jedy ~]# visudo \\ edit the configuration file
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
tt localhost=(root) ALL,!/*/*sh,!/*/cp /*/*sh \\ grant user tt sudo permission to run all commands as root on the local host (except bash and sh, and forbid copying sh elsewhere).
[root@localhost ~]# su tt
[tt@localhost root]$ sudo sh
[sudo] password for tt:
Sorry, user tt is not allowed to execute '/bin/sh' as root on localhost.localdomain.
[tt@localhost root]$ sudo bash
[sudo] password for tt:
Sorry, user tt is not allowed to execute '/bin/bash' as root on localhost.localdomain.
[tt@localhost root]$ sudo ls -l
6. sudo logging
[root@jedy ~]# vi /etc/rsyslog.conf \\ add the following content
# Save sudo messages also to sudo.log
local2.* /var/log/sudo.log
[root@jedy ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@jedy ~]#
[root@jedy ~]# su tt
[tt@localhost root]$ sudo date
Wed Apr 2 14:16:56 CST 2014
[tt@localhost root]$ sudo ls -l
total 56
-rw-------. 1 root root 1243 Mar 18 11:10 anaconda-ks.cfg
drwxr-xr-x. 2 root root 4096 Mar 18 14:42 Desktop
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Documents
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Downloads
-rw-r--r--. 1 root root 8815 Mar 18 11:10 install.log
-rw-r--r--. 1 root root 3384 Mar 18 11:08 install.log.syslog
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Music
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Pictures
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Public
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Templates
drwxr-xr-x. 2 root root 4096 Mar 18 12:22 Videos
drwxr-xr-x. 7 root root 4096 Oct 18 09:26 vmware-tools-distrib
[tt@localhost root]$ sudo pwd
/root
[tt@localhost root]$ sudo tail -f /var/log/sudo.log
Apr 2 14:12:23 : tt : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/sh
Apr 2 14:12:30 : tt : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 2 14:12:58 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 2 14:16:56 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/date
Apr 2 14:17:01 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls -l
Apr 2 14:17:06 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/pwd
Apr 2 14:17:21 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tail
[tt@localhost root]$ exit
exit
[root@jedy ~]#
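A check a defender could run over the log written in this section, as an added example that is not part of the original post: it parses lines in the format shown by the tail output above and reports denied attempts as well as any shell that sudo actually started as root (such as the /bin/bash entry at 14:12:58). The SHELLS set and the function names are assumptions of this example.

```python
import os
import re
from typing import NamedTuple, Optional
# Sample lines copied from the log output shown above.
SAMPLE_LOG = """\
Apr 2 14:12:23 : tt : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/sh
Apr 2 14:12:58 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
Apr 2 14:16:56 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/date
Apr 2 14:17:01 : tt : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls -l
"""
# Assumed shell names; extend from /etc/shells on the monitored host.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+:\s+(?P<user>\S+)\s+:\s+(?P<rest>.*)$")

class Event(NamedTuple):
    user: str
    reason: Optional[str]  # e.g. "command not allowed"; None when sudo ran the command
    runas: str
    command: str

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # COMMAND= is the last field and its arguments may contain ';', so split it off first.
    head, sep, command = m.group("rest").partition("COMMAND=")
    if not sep:
        return None
    reason, kv = None, {}
    for field in filter(None, (f.strip() for f in head.split(";"))):
        key, eq, value = field.partition("=")
        if eq and key.isupper():
            kv[key] = value   # TTY, PWD, USER
        else:
            reason = field    # free-text failure reason
    return Event(m.group("user"), reason, kv.get("USER", ""), command)

def findings(log_text):
    """Return (label, user, command) for denied attempts and shells run as root."""
    out = []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        argv = ev.command.split()
        if ev.reason:
            out.append(("denied", ev.user, ev.command))
        elif ev.runas == "root" and argv and os.path.basename(argv[0]) in SHELLS:
            out.append(("root-shell", ev.user, ev.command))
    return out

if __name__ == "__main__":
    print(findings(SAMPLE_LOG))
```

Matching on the basename of the executed path flags a shell whatever directory it was started from, so the check does not depend on what the sudoers rule was expected to block.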