Linux學習筆記:sudo、tcp_wrapper、pam
1、sudo受權工具python
受權工具;可以實現把有限的管理操做受權給某普通用戶;且還能限定其僅可以在某些主機上執行此類的命令;操做過程還會被記錄與日誌中;以便於往後審計。linux
一、定義sudo受權;保存/etc/sudoersshell
visudo:編輯sudoers命令vim
格式:who which_host=(whom) commandcentos
添加刪除用戶數組
[root@localhost ~]# visudo jerry ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel [root@localhost ~]# su - jerry [jerry@localhost ~]$ sudo useradd tom [sudo] password for jerry: [jerry@localhost ~]$ tail -1 /etc/passwd tom:x:503:503::/home/tom:/bin/bash [jerry@localhost ~]$ sudo userdel tom [jerry@localhost ~]$ tail -1 /etc/passwd jerry:x:502:502::/home/jerry:/bin/bash [jerry@localhost ~]$ #測試能夠刪除添加帳戶
別名:安全
Host_Alias FILESERVERS = fs1, fs2 #主機別名
User_Alias ADMINS = jsmith, mikem #用戶別名
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig...#命令別名
[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel
USERADMIN ALL=(root) USERCMND
[root@localhost ~]# su - jerry
[sudo] password for jerry:
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[jerry@localhost ~]$
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo userdel -r jerry
[sudo] password for tom:
[tom@localhost ~]$ tail -3 /etc/passwd
mockbuild:x:500:500::/home/mockbuild:/bin/bash
soul:x:501:501::/home/soul:/bin/bash
tom:x:503:503::/home/tom:/bin/bash
[tom@localhost ~]$
命令取反bash
[root@localhost ~]# visudo
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/
usr/bin/passwd root #命令取反
USERADMIN ALL=(root) USERCMND
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo passwd tom
[sudo] password for jerry:
Changing password for user tom.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ sudo passwd root
Sorry, user jerry is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.
[jerry@localhost ~]$
以哪些身份執行以及密碼控制session
[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root
Runas_Alias ADMIN = root #已哪些身份運行
soul ALL=(ALL) ALL
USERADMIN ALL=(ADMIN) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,#前面的不須要輸入密碼
PASSWD: /usr/bin/passwd,!/usr/bin/passwd root #這幾個須要輸入密碼
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom2
[jerry@localhost ~]$ sudo passwd tom2
[sudo] password for jerry:
Changing password for user tom2.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$
讓普通用戶執行管理員全部的命令app
[root@localhost ~]# useradd -g wheel soul
[root@localhost ~]# id soul
uid=501(soul) gid=501(soul) groups=501(soul),10(wheel)
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) ALL #該組用戶能夠執行全部權限
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL #執行時無需輸入密碼
[soul@localhost ~]$ sudo useradd tom
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[soul@localhost ~]$ sudo userdel tom
[soul@localhost ~]$
二、經常使用選項
| -V | 顯示版本編號 |
| -h | 會顯示版本編號及指令的使用方式說明 |
| -l | 顯示出本身(執行sudo的使用者)的權限 |
| -v | 由於sudo在第一次執行時或是在N分鐘內沒有執行(N預設爲五)會詢問密碼;這個參數是從新作一次確認;若是超過N分鐘;也會問密碼 |
| -k |
強迫使用者在下一次執行sudo時詢問密碼(不論有沒有超過N分鐘) |
| -b | 將要執行的指令放在後臺執行 |
2、tcp_wrapper(tcp包裝器)基於主機的訪問控制
tcp工做於tcp/ip協議棧中的tcp的協議上;守護進程tcpd。
配置文件:/etc/hosts.allow; /etc/hosts.deny
一、並不是全部服務均能由tcp_wrapper控制
二、判斷某服務程序是否可以由tcp_wrapper控制
動態編譯:
ldd命令檢測其是否連接至libwrap庫上便可
libwrap.so.0 => /lib64/libwrap.so.0
靜態編譯:
strings /path/to/program若是有如下內容
hosts.allow
hosts.deny
配置文件語法格式:daemon_list:client_list [:options]
deamon_list:
應用程序名稱;
應用程序列表;多個以逗號分隔;
ALL:匹配全部進程
一、hosts.allow;若是被容許;直接放行
二、hosts.deny;若是被匹配;則禁止訪問
三、兩者都無匹配;則默認放行
[:options]
在allow文件中使用deny選項:在allow文件中定義拒絕規則
在deny文件中使用allow選項:在deny文件中定義容許規則
[root@localhost ~]# vim /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
#詳細能夠man See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
vsftpd : 172.16.254.28 #放行這臺機器;
[root@localhost ~]# vim /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# 詳細能夠man See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
vsftpd: ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log
#拒絕未Allow的全部主機;並對訪問服務的機器記入日誌
#spawn:發起一條命令
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt
[root@dns ~]#
[root@localhost ~]# tail /var/log/deny.log
Mon Mar 31 22:50:18 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:50:48 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:57:58 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:58:43 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:59:50 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:31 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:44 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:01:14 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
內置的Macro
client_list
ALL
KNOWN
UNKOWN
PARANOID
daemon_list:ALL
EXCEPT:能夠用於client和daemon之中;起到排除功能
3、pam模塊
一、認證模塊和配置文件存放位置
[root@localhost ~]# ls /lib64/security/
pam_access.so pam_faillock.so pam_localuser.so pam_rootok.so pam_tty_audit.so
pam_cap.so pam_filter pam_loginuid.so pam_securetty.so pam_umask.so
pam_chroot.so pam_filter.so pam_mail.so pam_selinux_permit.so pam_unix_acct.so
pam_ck_connector.so pam_fprintd.so pam_mkhomedir.so pam_selinux.so pam_unix_auth.so
pam_console.so pam_ftp.so pam_motd.so pam_sepermit.so pam_unix_passwd.so
pam_cracklib.so pam_gnome_keyring.so pam_namespace.so pam_shells.so pam_unix_session.so
pam_debug.so pam_group.so pam_nologin.so pam_smbpass.so pam_unix.so
pam_deny.so pam_issue.so pam_passwdqc.so pam_stress.so pam_userdb.so
pam_echo.so pam_keyinit.so pam_permit.so pam_succeed_if.so pam_warn.so
pam_env.so pam_lastlog.so pam_postgresok.so pam_tally2.so pam_wheel.so
pam_exec.so pam_limits.so pam_pwhistory.so pam_time.so pam_winbind.so
pam_faildelay.so pam_listfile.so pam_rhosts.so pam_timestamp.so pam_xauth.so
[root@localhost ~]#
[root@localhost ~]# ls /etc/pam.d/
atd fingerprint-auth passwd setup system-auth
authconfig fingerprint-auth-ac password-auth smartcard-auth system-auth-ac
authconfig-gtk gdm password-auth-ac smartcard-auth-ac system-config-authentication
authconfig-tui gdm-autologin polkit-1 smtp system-config-date
chfn gdm-fingerprint poweroff smtp.postfix system-config-kdump
chsh gdm-password ppp sshd system-config-keyboard
config-util gnome-screensaver reboot ssh-keycat system-config-network
crond halt remote su system-config-network-cmd
cups login run_init sudo system-config-users
cvs newrole runuser sudo-i xserver
eject other runuser-l su-l
[root@localhost ~]#
格式:/etc/pam.d/service
type control module-path [module-arguments]
| TYPE: 棧;每項能夠有多條 |
|
| account | 跟認證無關的帳號檢測機制;例如帳號是否過時等 |
| auth | 認證和受權 |
| password | 用戶在修改密碼是要完成的檢測 |
| session | 創建會話前/後須要作一些偵測機制;例若有沒有足夠的內存等 |
control:在某個模塊認證成功或失敗時應該採起的行爲;分爲簡單類型的control和複雜類型control
| 簡單類型的control |
|
| substack | 與include相同,也是調用一個新的配置文件進行驗證; |
| required | 過濾不經過;仍需檢測同一個棧中的其餘模塊;最後返回failure;認證失敗;擁有參考其餘模塊意見基礎之上的一票否決權 |
| requisite | 一票否決;過濾不經過;當即返回failure;後續的不用再檢查; |
| sufficient | 一票經過;過濾條件經過;當即返回OK;後續無需檢查 |
| optional | 可選模塊; |
| include | 包含其餘指定的配置文件中同名棧中的規則;並對此進行檢測; |
二、模塊
模塊是由模塊路徑和模塊的參數組成的。可使用絕對路徑和相對路徑;參數是用來定義和調整模塊的工做行爲的。/etc/pam.d/*
| pam_unix | 傳統意義上的帳號密碼的認證方式{nullok|shadow|md5} |
| pam_permit | 容許訪問 |
| pam_deny | 拒絕訪問;other文件爲其餘每個服務中棧提供默認策略 |
| pam_cracklib |
在用戶更改密碼是限定密碼策略的; |
| pam_shells | 檢查用戶登陸時的安全shells;遠程是須要更改的是sshd配置文件 |
| pam_securetty | 限定管理員只能經過安全tty登陸;/etc/securetty文件中包含的 |
| pam_listfile | 限定listfile文件中的用戶能夠登陸; |
| pam_rootok | 若是是root;su到其餘用戶不須要輸入密碼;wheel組中的也能夠無需密碼 |
| pam_succeed_if | 指定條件的符合;su到其餘用戶也無需密碼 |
| pam_limits | /etc/security/limits.conf|limits.d/*;{hard|soft}/{nofile|nproc} |
三、例子
pam_shells
[Linux85]#useradd -s /bin/cshgentoo
[Linux85]#passwd gentoo
[Linux85]#vim /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
#暫時去掉csh
[Linux85]#vim sshd
#%PAM-1.0
auth required pam_shells.so #添加一行
auth required pam_sepermit.so
#測試
[Linux86]#ssh gentoo@172.16.251.85
gentoo@172.16.251.85's password:
Permission denied, please try again.
pam_securetty
[Linux85]#cat /etc/securetty
console
tty1
tty2
tty3....
[Linux85]#cp /etc/securetty /etc/securetty.bak
[Linux85]#vim /etc/securetty
#僅留下面兩項
console
tty1
tty2
[Linux85]#vim sshd
#%PAM-1.0
auth required pam_shells.so
auth required pam_securetty.so #啓用這項ssh沒法登錄
[Linux86]#ssh root@172.16.251.85
root@172.16.251.85's password:
Permission denied, please try again.
#此時測試只有tty1/tty2能夠在終端登錄
pam_listfile
itme={tty|user|rhost|ruser|group|shell} sense={allow|deny} file=/path/to/filename onerr={succeed|fail} [apply=[user|@group]] [quiet]
[Linux85]#groupadd soul
[Linux85]#vim sshd
#%PAM-1.0
auth required pam_listfile.so item=group sense=allow file=/etc/allowgroup
#測試
[Linux85]#useradd -G soul centos
[Linux85]#passwd centos
[Linux86]#ssh gentoo@172.16.251.85
gentoo@172.16.251.85's password:
Permission denied, please try again
[Linux86]#ssh centos@172.16.251.85
centos@172.16.251.85's password:
Permission denied, please try again.
centos@172.16.251.85's password:
Last login: Sun Apr 6 10:15:46 2014 from 172.16.254.28
[centos@soul ~]$
pam_rootok
[Linux85]#vim su
#%PAM-1.0
#auth sufficient pam_rootok.so 註釋這項
[Linux85]#su - gentoo
Password:
[gentoo@soul ~]$
[Linux85]#vim su
#%PAM-1.0
auth sufficient pam_rootok.so #定義root用戶su到其餘用戶是否須要密碼
auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #定義uid=500的用戶能夠不用密碼su到其餘用戶
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid #組中的用戶能夠執行root權限
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet #uid = N的用戶su到其餘用戶也是無需密碼的;前面的type須要更改成認證auth
#
#
#[Linux85]#vim su
#%PAM-1.0
#auth sufficient pam_rootok.so #註釋後root也須要密碼
auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #uid=500的用戶不須要密碼
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
#
#測試
[Linux85]#id gentoo
uid=500(gentoo) gid=500(gentoo) groups=500(gentoo)
[Linux85]#su - gentoo #root用戶su到gentoo
Password:
[gentoo@soul ~]$ su - root #gentoo用戶su到root
[root@soul ~]# whoami
root
#測試正常
pam_limits
/etc/security/limits.d/* | /etc/security/limits.conf
[Linux85]#vim /etc/security/limits.conf
# /etc/security/limits.conf
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#<item> can be one of the following: 經常使用幾項
# - core - limits the core file size (KB) **核心文件大小
# - data - max data size (KB) 數據大小;進程訪問內存數據段
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files ***所能打開的文件個數
# - rss - max resident set size (KB) 常駐內存集大小
# - stack - max stack size (KB) 進程棧空間大小
# - cpu - max CPU time (MIN)
# - nproc - max number of processes ***所能打開的進程數
# - as - address space limit (KB) 線性物理空間
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
相關文章
- 1. linux學習筆記之sudo
- 2. 36tcp_wrapper、sudo、nsswitch、pam
- 3. Linux自學筆記——nsswitch and pam
- 4. 迴文樹 PAM 學習筆記
- 5. 2.3 sudo與PAM認證
- 6. Linux學習筆記(15)——su命令與sudo服務
- 7. Linux學習筆記之——普通用戶使用sudo命令
- 8. Linux學習筆記之——su、sudo命令使用及區別
- 9. RH124學習筆記---linux用戶權限su和sudo
- 10. Linux學習之sudo命令
- 更多相關文章...
- • 您已經學習了 XML Schema,下一步學習什麼呢? - XML Schema 教程
- • 我們已經學習了 SQL,下一步學習什麼呢? - SQL 教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • 適用於PHP初學者的學習線路和建議
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
