System Operations 23-3: Sudo Basics

Understanding Sudo: Authorization, Configuration and Permission Management
This article introduces the basics of sudo, which lets a user run commands as another user, and focuses on the structure of the `sudoers` configuration file and how privileges are set in it. It covers the user, host, command and alias entries, and how to edit the file so that specific users are authorized to run specific commands. The examples show how to grant privileges to users and how to use the NOPASSWD option to run commands without a password prompt.

Sudo basics

    su: Switch User

sudo
    lets a user perform an operation without holding another account's username and password
    once authorized, the user can run commands as another user

Note: Ubuntu and similar distributions sometimes restrict su - to administrators, but sudo su - can still switch to root

Configuration file: sudoers
    root      ALL=(ALL)       ALL
    %wheel    ALL=(ALL)       ALL

    who     the identity of the user running the command    user
    where   from which hosts the command may be run         host
    (whom)  as which user the command runs                  runas
    which   which commands may be run                       command

    Entry format
        user hosts=(runas) commands

        users:
            username
            #uid
            user_alias
            %group_name
            %#gid

        hosts:
            ip
            hostname
            netaddr

        command:
            command name
            directory
            sudoedit

            Alias_Type NAME = item1, item2, ...
                NAME must consist of upper-case letters only
                Alias_Type
                    User_Alias
                    Runas_Alias
                    Host_Alias
                    Cmnd_Alias

        sudo COMMAND
            -u user    run the command as this user; defaults to root
            -k         invalidate the cached credentials from the previous authentication

Viewing the default configuration file

    [root@lab1 ~]# ll /etc | grep sudoers
    -r--r-----.  1 root root     3938 Jun  7  2017 sudoers
    drwxr-x---.  2 root root        6 Aug  4  2017 sudoers.d
    [root@lab1 ~]# grep -v ^# /etc/sudoers | grep -v ^$
    Defaults   !visiblepw
    Defaults    always_set_home
    Defaults    match_group_by_gid
    Defaults    env_reset
    Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root    ALL=(ALL)     ALL
    %wheel    ALL=(ALL)    ALL
    [root@lab1 ~]# sudo -u user001 whoami
    user001
    [root@lab1 ~]# whoami
    root

Testing the default permissions

    [user001@lab1 ~]$ fdisk -l
    fdisk: cannot open /dev/sda: Permission denied
    fdisk: cannot open /dev/sr0: Permission denied
    fdisk: cannot open /dev/mapper/centos-root: Permission denied
    fdisk: cannot open /dev/mapper/centos-swap: Permission denied
    [user001@lab1 ~]$ sudo fdisk -l

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    [sudo] password for user001: 
    user001 is not in the sudoers file.  This incident will be reported.


    [root@lab1 ~]# usermod -a -G wheel user001
    You have new mail in /var/spool/mail/root
    [root@lab1 ~]# id user001
    uid=1025(user001) gid=1025(user001) groups=1025(user001),10(wheel)


    [user001@lab1 ~]$ fdisk -l
    fdisk: cannot open /dev/sda: Permission denied
    fdisk: cannot open /dev/sr0: Permission denied
    fdisk: cannot open /dev/mapper/centos-root: Permission denied
    fdisk: cannot open /dev/mapper/centos-swap: Permission denied
    [user001@lab1 ~]$ sudo fdisk -l
    [sudo] password for user001: 

    Disk /dev/sda: 21.5 GB, 21474836480 bytes, 41943040 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk label type: dos
    Disk identifier: 0x000a2c70

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *        2048     2099199     1048576   83  Linux
    /dev/sda2         2099200    41943039    19921920   8e  Linux LVM

    Disk /dev/mapper/centos-root: 18.2 GB, 18249416704 bytes, 35643392 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes


    Disk /dev/mapper/centos-swap: 2147 MB, 2147483648 bytes, 4194304 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes

Editing the configuration file

    [root@lab1 ~]# tail -4 /etc/sudoers
    User_Alias NETADMIN = netuser1,netuser2
    Cmnd_Alias NETADMINCMND = /usr/sbin/ip

    NETADMIN    ALL=(root)    NETADMINCMND

Creating the user accounts

    [root@lab1 ~]# useradd netuser1
    [root@lab1 ~]# useradd netuser2
    [root@lab1 ~]# echo "redhat" | passwd --stdin netuser1
    Changing password for user netuser1.
    passwd: all authentication tokens updated successfully.
    [root@lab1 ~]# echo "redhat" | passwd --stdin netuser2
    Changing password for user netuser2.
    passwd: all authentication tokens updated successfully.

Switching user and viewing the granted authorization

    [root@lab1 ~]# su - netuser1
    [netuser1@lab1 ~]$ sudo -l

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for netuser1: 
    Matching Defaults entries for netuser1 on lab1:
        !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS
        DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
        LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
        _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User netuser1 may run the following commands on lab1:
        (root) /usr/sbin/ip

Testing the specified user's permissions

    [netuser1@lab1 ~]$ sudo ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:b0:6e:59 brd ff:ff:ff:ff:ff:ff
        inet 172.20.0.131/24 brd 172.20.0.255 scope global dynamic ens33
           valid_lft 1264sec preferred_lft 1264sec
        inet6 fe80::3e66:b2a:5133:93d1/64 scope link 
           valid_lft forever preferred_lft forever
    [netuser1@lab1 ~]$ sudo route -n
    Sorry, user netuser1 is not allowed to execute '/sbin/route -n' as root on lab1.example.com.
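Every outcome shown in these transcripts is also recorded by sudo through syslog (the authpriv facility, which lands in /var/log/secure on CentOS): the "This incident will be reported" message for user001 above means the refusal was logged and, because mail_no_user is on by default, mailed to root, which is why the root shell then reported "You have new mail"; the "command not allowed" refusal for netuser1 is logged the same way but only mailed if mail_no_perms is set. The following Python is an added example for this article, not code from the page's author or from the sudo project. It parses sudo's record shape (`sudo: USER : [REASON ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...`) and separates refused attempts from permitted ones; the log lines are constructed to mirror this page's transcript and are not a real log.

```python
import re
from collections import Counter

# sudo's syslog record shape (authpriv facility, /var/log/secure on CentOS):
#   sudo: <user> : [<reason> ; ]TTY=<tty> ; PWD=<dir> ; USER=<runas> ; COMMAND=<cmd>
# <reason> is present only when sudo refused: "command not allowed",
# "user NOT in sudoers", "3 incorrect password attempts", ...
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample lines mirroring the transcript on this page (not a real log).
SAMPLE_LOG = """\
May  8 07:20:11 lab1 sudo:  user001 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user001 ; USER=root ; COMMAND=/sbin/fdisk -l
May  8 07:22:40 lab1 sudo:  user001 : TTY=pts/0 ; PWD=/home/user001 ; USER=root ; COMMAND=/sbin/fdisk -l
May  8 07:26:03 lab1 sudo: netuser1 : TTY=pts/0 ; PWD=/home/netuser1 ; USER=root ; COMMAND=/sbin/ip addr
May  8 07:26:19 lab1 sudo: netuser1 : command not allowed ; TTY=pts/0 ; PWD=/home/netuser1 ; USER=root ; COMMAND=/sbin/route -n
May  8 07:31:55 lab1 sudo: poweruser1 : command not allowed ; TTY=pts/0 ; PWD=/home/poweruser1 ; USER=root ; COMMAND=/bin/passwd root
May  8 07:32:10 lab1 sudo: poweruser1 : TTY=pts/0 ; PWD=/home/poweruser1 ; USER=root ; COMMAND=/bin/passwd netuser1
May  8 07:33:02 lab1 sshd[2211]: Accepted password for netuser1 from 172.20.0.10 port 50122 ssh2
"""


def parse_sudo_line(line):
    """Return a dict for a sudo record (reason is None when the command ran), or None
    for lines that are not sudo records at all (e.g. the sshd line above)."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["reason"] is not None
    return rec


def sudo_records(log_text):
    return [r for r in map(parse_sudo_line, log_text.splitlines()) if r]


def denied_events(log_text):
    """Every attempt sudo refused: policy denials, unknown users, failed passwords."""
    return [r for r in sudo_records(log_text) if r["denied"]]


def denial_counts(log_text):
    """Refused attempts per invoking user, the figure an alert would threshold on."""
    return Counter(r["user"] for r in denied_events(log_text))


def root_password_attempts(log_text):
    """(user, denied) for each sudo invocation of passwd against the root account,
    the exact case the page's '!/usr/bin/passwd root' entry exists to block."""
    out = []
    for r in sudo_records(log_text):
        argv = r["cmd"].split()
        if argv[0].endswith("/passwd") and argv[1:] == ["root"]:
            out.append((r["user"], r["denied"]))
    return out
```

Run over SAMPLE_LOG, denied_events() returns three records (user001 before being added to wheel, netuser1's route -n, poweruser1's passwd root), and root_password_attempts() returns [("poweruser1", True)], showing that the denial, not just the permitted passwd run, is what the log makes visible.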

Clearing the cached credential ticket

    [netuser1@lab1 ~]$ sudo -k

Special privileges (preventing changes to the administrator's password)

    [root@lab1 ~]# tail -5 /etc/sudoers
    User_Alias USERADMIN = poweruser1,poweruser2
    Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd

    USERADMIN    ALL=(root)    NOPASSWD:USERADMINCMND

    [root@lab1 ~]# useradd poweruser1
    [root@lab1 ~]# su - poweruser1
    [poweruser1@lab1 ~]$ sudo -l
    Matching Defaults entries for poweruser1 on lab1:
        !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS
        DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
        LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
        _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User poweruser1 may run the following commands on lab1:
        (root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd
    [poweruser1@lab1 ~]$ useradd testuser
    -bash: /usr/sbin/useradd: Permission denied
    [poweruser1@lab1 ~]$ sudo useradd testuser

    [root@lab1 ~]# tail -4 /etc/sudoers
    Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root

    USERADMIN    ALL=(root)    NOPASSWD:USERADMINCMND

    [root@lab1 ~]# su - poweruser1
    Last login: Wed May  8 07:25:35 EDT 2019 on pts/0
    [poweruser1@lab1 ~]$ sudo passwd root
    Sorry, user poweruser1 is not allowed to execute '/bin/passwd root' as root on lab1.example.com.
    [poweruser1@lab1 ~]$ sudo passwd netuser1
    Changing password for user netuser1.
    New password: 
    BAD PASSWORD: The password is shorter than 8 characters
    Retype new password: 
    passwd: all authentication tokens updated successfully.
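The entry format user hosts=(runas) commands described earlier on this page, and the NOPASSWD and negated ("!") entries of this section, can be exercised with a small evaluator. The following Python is an added example written for this article, not sudo's own code and not the author's: it parses the sudoers lines shown on this page (User_Alias, Cmnd_Alias, %group, NOPASSWD, "!" negation) and applies sudo's rule that when several entries match a command, the last match decides. The GROUPS table standing in for /etc/group is constructed. The toy compares command paths as text, whereas sudo compares the executable it resolved through secure_path, which is why the transcript reports /bin/passwd for an entry written as /usr/bin/passwd (on CentOS 7, /bin is a symlink to /usr/bin).

```python
import fnmatch
import re

# Constructed stand-in for /etc/group: the page adds user001 to wheel with usermod -a -G.
GROUPS = {"wheel": {"user001"}}

ALIAS_RE = re.compile(r"^(User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+([A-Z0-9_]+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)=\(([^)]*)\)\s+(.+)$")   # user hosts=(runas) commands


def expand(spec, table):
    """Expand a comma-separated user/host/runas list, replacing alias names from table."""
    out = []
    for item in (s.strip() for s in spec.split(",")):
        out.extend(expand(",".join(table[item]), table) if item in table else [item])
    return out


def expand_cmds(spec, table):
    """Expand a command list into (negated, path, arg_pattern) tuples; a leading '!' negates."""
    out = []
    for item in (s.strip() for s in spec.split(",")):
        negated = item.startswith("!")
        body = item.lstrip("!").strip()
        if body in table:                        # Cmnd_Alias name: expand it, keeping any '!'
            for neg, path, args in expand_cmds(",".join(table[body]), table):
                out.append((negated ^ neg, path, args))
        else:
            parts = body.split(None, 1)          # "path [args]"; no args written means any args
            out.append((negated, parts[0], parts[1] if len(parts) > 1 else None))
    return out


def parse_sudoers(text):
    """Return the user specifications in file order. Aliases must be defined before use
    (as in sudo itself); Defaults lines, comments and the numeric #uid/%#gid forms are skipped."""
    aliases = {k: {} for k in ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, items = m.groups()
            aliases[kind][name] = [i.strip() for i in items.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + line)
        users, hosts, runas, cmds = m.groups()
        nopasswd = cmds.startswith("NOPASSWD:")
        if nopasswd:
            cmds = cmds[len("NOPASSWD:"):].strip()
        rules.append({"users": expand(users, aliases["User_Alias"]),
                      "hosts": expand(hosts, aliases["Host_Alias"]),
                      "runas": expand(runas, aliases["Runas_Alias"]),
                      "nopasswd": nopasswd,
                      "commands": expand_cmds(cmds, aliases["Cmnd_Alias"])})
    return rules


def user_matches(spec, user):
    if spec == "ALL":
        return True
    if spec.startswith("%"):                     # %group_name form
        return user in GROUPS.get(spec[1:], set())
    return spec == user


def cmd_matches(rule_path, rule_args, path, argv):
    if rule_path == "ALL":
        return True
    if not fnmatch.fnmatchcase(path, rule_path):
        return False
    if rule_args is None:                        # entry written without args: any args allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv), rule_args)   # args matched as one glob string


def check(rules, user, host, runas, path, argv=()):
    """Return ('allow' | 'deny', nopasswd) taken from the LAST matching entry, or None when
    nothing matches (sudo then prints 'not allowed' or 'not in the sudoers file')."""
    verdict = None
    for r in rules:
        if not any(user_matches(u, user) for u in r["users"]):
            continue
        if not any(h in ("ALL", host) for h in r["hosts"]):
            continue
        if not any(x in ("ALL", runas) for x in r["runas"]):
            continue
        for negated, rule_path, rule_args in r["commands"]:
            if cmd_matches(rule_path, rule_args, path, argv):
                verdict = ("deny" if negated else "allow", r["nopasswd"])
    return verdict


# The entries shown on this page, embedded as a constructed sample of /etc/sudoers.
SUDOERS = """
root      ALL=(ALL)       ALL
%wheel    ALL=(ALL)       ALL
User_Alias NETADMIN = netuser1,netuser2
Cmnd_Alias NETADMINCMND = /usr/sbin/ip
NETADMIN    ALL=(root)    NETADMINCMND
User_Alias USERADMIN = poweruser1,poweruser2
Cmnd_Alias USERADMINCMND = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
USERADMIN    ALL=(root)    NOPASSWD:USERADMINCMND
"""
RULES = parse_sudoers(SUDOERS)
```

check(RULES, "poweruser1", "lab1", "root", "/usr/bin/passwd", ["root"]) returns ("deny", True) while the same call with ["netuser1"] returns ("allow", True), reproducing the transcript. Two points the evaluator makes visible: the glob [a-z]* on its own also matches "root", so the "!/usr/bin/passwd root" entry is what carries the restriction, and it must come after the glob it narrows, because the last matching entry wins; the sudoers manual also cautions that carving exceptions out of a broad grant with "!" is not a robust control, so a list of the exact commands a role needs is the safer design. On a live system, edit with visudo (or check a fragment with visudo -cf FILE before installing it), since a syntax error in /etc/sudoers disables sudo for every user.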
