The su command, the sudo command, and restricting remote root login

3.7 The su command

·        su switches the user but does not change the current working directory, nor HOME, SHELL, USER and LOGNAME; only the privileges are switched (for example, switching to root gains root's permissions but not root's environment)

[root@24centos7-01 ~]# su vitus
[vitus@24centos7-01 root]$ pwd
/root

·        su -, su -l and su --login change the identity and at the same time switch the working directory as well as HOME, SHELL, USER and LOGNAME; the PATH variable is changed too

[root@24centos7-01 ~]# su - vitus
上一次登陸:四 10 26 20:09:48 CST 2689pxs/0
[vitus@24centos7-01 ~]$ pwd
/home/vitus

·        su - -c runs a command as the specified user

[root@24centos7-01 ~]# su - -c "touch /tmp/vitus.txt" vitus
[root@24centos7-01 ~]# ls -l /tmp/
總用量 1
-rw-rw-r-- 1 vitus vitus  0 10 26 21:31 vitus.txt

 

·        When root switches to another ordinary user no password is needed; when an ordinary user switches to another user, the target user's password must be entered

3.8 The sudo command lets an ordinary user temporarily take on the root user's identity, which makes certain operations convenient and avoids handing the root password to too many staff

·        visudo opens the sudoers configuration file

[root@24centos7-01 ~]# visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases     --host alias authorization
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases     --user alias authorization
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user   MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL                                         --allow root to run any command anywhere
vitus   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat      --grant the ordinary user the ls, mv and cat commands

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL                                         --grant privileges to every member of the group

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

 

·        Test whether the ordinary user vitus can now use ls, mv and cat

[root@24centos7-01 ~]# su - vitus
上一次登陸:四 10 26 21:50:40 CST 2689pxs/0
[vitus@24centos7-01 ~]$ ls /root/
ls: 沒法打開目錄/root/: 權限不夠
[vitus@24centos7-01 ~]$ sudo ls /root/
[sudo] password for vitus:
anaconda-ks.cfg  showtime.txt  test
[vitus@24centos7-01 ~]$ mv /root/showtime.txt /root/showtime_1.txt
mv: failed to access "/root/showtime_1.txt": 權限不夠
[vitus@24centos7-01 ~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[vitus@24centos7-01 ~]$ sudo ls /root/
anaconda-ks.cfg  showtime_1.txt  test
[vitus@24centos7-01 ~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[vitus@24centos7-01 ~]$ cat /root/showtime.txt
cat: /root/showtime.txt: 權限不夠
[vitus@24centos7-01 ~]$ sudo cat /root/showtime.txt
linux
learninglinux
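As an added example (not part of the original notes, and not sudo's own tooling), the POSIX shell script below reads a sudoers text and flags user specifications that are broader than they look: a command list of ALL, a NOPASSWD: tag, or a list that names su, sudo or visudo, any of which lets the user step outside the command restriction entirely. The sudoers sample embedded in it is constructed for the demonstration; the user alice and the flag names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sudoers text for
# grants that amount to unrestricted root. The sample below is constructed
# and mirrors the shape of the file shown in section 3.8.

SAMPLE_SUDOERS=$(cat <<'EOF'
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
vitus   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
%wheel  ALL=(ALL)       ALL
#%wheel ALL=(ALL)       NOPASSWD: ALL
alice   ALL=(ALL)       NOPASSWD: /bin/su, /bin/sudo
#includedir /etc/sudoers.d
EOF
)

# sudoers_user_specs SUDOERS_TEXT
# Keep only user-specification lines: strip comments and blank lines, then
# drop Defaults and alias definitions. "#includedir" is a directive rather
# than a comment, but it grants nothing by itself, so dropping it is fine here.
sudoers_user_specs() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' \
        | grep -Ev '^(Defaults|Host_Alias|User_Alias|Cmnd_Alias|Runas_Alias)'
}

# sudoers_flags SUDOERS_TEXT
# Prints "who<TAB>flags", one line per user specification. Flags:
#   all-commands  the command list is ALL (unrestricted root)
#   nopasswd      no password is asked, so an unlocked session is enough
#   su-or-sudo    su, sudo or visudo is allowed; each lets the user escape
#                 the command restriction and become root outright
#   limited       none of the above (an explicit, password-protected list)
sudoers_flags() {
    sudoers_user_specs "$1" | awk '
    {
        who = $1
        spec = $0
        # drop "user HOST=(RUNAS)" so only tags and commands remain
        sub(/^[^=]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?/, "", spec)
        flags = ""
        if (spec ~ /NOPASSWD:/) flags = flags "nopasswd,"
        cmds = spec
        sub(/^([A-Z]+:[[:space:]]*)+/, "", cmds)   # strip NOPASSWD:/SETENV: tags
        if (cmds ~ /^[[:space:]]*ALL[[:space:]]*$/) flags = flags "all-commands,"
        if (cmds ~ /(^|[\/ ,])(su|sudo|visudo)([ ,]|$)/) flags = flags "su-or-sudo,"
        if (flags == "") flags = "limited,"
        sub(/,$/, "", flags)
        print who "\t" flags
    }'
}

# Run the audit over the constructed sample when executed directly.
sudoers_flags "$SAMPLE_SUDOERS"
```

On a real host the same check applies to /etc/sudoers and to every drop-in under /etc/sudoers.d, and `sudo -l` shows the rules that apply to the invoking user. A rule like the page's vitus line (three explicit binaries, password required) is reported as limited; any rule that names /bin/su or /bin/sudo is reported as su-or-sudo, because it is equivalent to granting ALL.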

 

3.9 Restricting remote root login

1. Edit the /etc/ssh/sshd_config configuration file and change #PermitRootLogin yes to PermitRootLogin no

[root@24centos7-01 ~]# vim /etc/ssh/sshd_config
#PermitRootLogin yes    --edit this line: remove the leading #, change yes to no, then save and exit

 

[root@24centos7-01 ~]# systemctl restart sshd.service   --restart the ssh service

 

login as: root
root@10.0.0.26's password:
Access denied
root@10.0.0.26's password:
Access denied
root@10.0.0.26's password:              --root can no longer log in with a password

 

2. Run visudo and add:

vitus   ALL=(ALL)       NOPASSWD: /bin/su, /bin/sudo

3. Log in as the ordinary user, then switch to root with sudo su - root

[vitus@24centos7-01 ~]$ sudo su - root
上一次登陸:四 10 26 22:37:43 CST 2689pxs/0
[root@24centos7-01 ~]# whoami
root
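An added example, not from the original notes: a POSIX shell check that computes the effective PermitRootLogin value the way sshd reads the file (the first non-comment occurrence wins, the keyword is case-insensitive, and directives after a Match line are conditional) and classifies what it still allows. The two sshd_config texts are constructed to mirror the state before and after step 1; treating an absent keyword as yes is an assumption that matches the commented "#PermitRootLogin yes" on the page (OpenSSH 7.0 and later default to prohibit-password instead).

```shell
#!/bin/sh
# Added example, not from the original post: decide whether root could still
# log in over ssh from an sshd_config text. Both samples are constructed.

BEFORE=$(cat <<'EOF'
# constructed sshd_config: state before the edit in step 1
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
)

AFTER=$(cat <<'EOF'
# constructed sshd_config: state after the edit in step 1
Port 22
PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes
EOF
)

# effective_permit_root_login CONFIG_TEXT
# sshd uses the FIRST non-comment occurrence of a keyword (case-insensitive),
# so a later duplicate never overrides an earlier one. Lines after "Match"
# apply only to matching connections, so scanning stops there. If the keyword
# never appears, the pre-7.0 default "yes" is assumed (see the lead-in).
effective_permit_root_login() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# root_login_allowed VALUE
# Maps a PermitRootLogin value to what it still permits for root:
#   password  -> password and key logins both work
#   key-only  -> only public-key (or forced-command) logins work
#   blocked   -> root cannot log in over ssh at all
root_login_allowed() {
    case "$1" in
        yes) echo "password" ;;
        without-password|prohibit-password|forced-commands-only) echo "key-only" ;;
        no) echo "blocked" ;;
        *) echo "unknown:$1" ;;
    esac
}

# Show the result for both constructed states when executed directly.
for cfg in "$BEFORE" "$AFTER"; do
    v=$(effective_permit_root_login "$cfg")
    echo "PermitRootLogin=$v -> root login: $(root_login_allowed "$v")"
done
```

On the host itself, `sshd -T | grep -i permitrootlogin` prints the value sshd actually uses after the restart, which is the quickest way to confirm that step 1 took effect. Only no blocks root entirely; prohibit-password (or the older without-password) still admits root with a key. Note also that after step 2 the vitus account reaches root without any password prompt, so it must be protected as carefully as root itself.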
