一、通过sudo管理权限的两种配置方法:
1.执行visudo命令自动编辑/etc/sudoers文件(推荐)
自动检查语法
2.直接修改/etc/sudoers文件方法(不推荐)
如多台服务器进行配置,可以使用此管理办法
但不会自动检查语法,要执行visudo -c检查语法
在命用visudo或者使用vi /etc/sudoers配置sudoers时:
root ALL=(ALL) ALL
授权用户 主机=(指定的可切换的用户) 可以执行的命令
相对应别名的使用:
root ALL=(ALL) ALL
root是别名应用位置
第一个ALL是主机别名的应用位置
第二个小括号中的ALL就是Runas_Alias别名的应用位置
第三个ALL是命令别名的应用位置
二、使用用户组的方式产现sudo授权
通过授权一个用户组的方式来配置/etc/sudoers,如:授权sa组具备以上所有主机的管理权限,这样以后有增加用户相同的授权时,直接将用户加入到sa组就可以享受sa组的sudo授权了。
## Allows people in group wheel to run allcommands
# %sa ALL=(ALL) ALL
#--> 注意用户组授权和普通用户的区别,开头为“%”百分号,sa组同用户一样必须是己经存在的。
实例:
tom用户在aa组中,享有root全部权限
bobo用户在bb组中,享有root全部权限,在执行命令时不用输入密码
方法:
★分别创建用户tom和bobo并赋于其密码
[[email protected] /]# useradd tom <===创建新用户tom [[email protected] /]# passwd tom <===修改tom密码 Changing password for user tom. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updatedsuccessfully. [[email protected] /]# useradd bobo <===创建新用户bobo [[email protected] /]# passwd bobo <===修改bobo密码 Changing password for user bobo. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updatedsuccessfully.
★新建并指定其gid来创建新组sa和bb
[[email protected] /]# groupadd -g 8888 aa <===新建组aa 并指定gid为8888 [[email protected]/]# groupadd -g 9999 bb <=== 新建组bb 并指定gid为9999 [[email protected] /]# gpasswd -a tom aa <=== 把用户tom加入到sa组 Adding user tom to group aa [[email protected] /]# gpasswd -a bobo bb <=== 把用户bobo加入到bb组 Adding user bobo to group bb [[email protected] /]# tail -n 2 /etc/group aa:x:8888:tom bb:x:9999:bobo
★通过visudo或vi /etc/sudoers来编辑sudo权限
[[email protected] ~]# vi /etc/sudoers <===直接编辑/etc/sudoers配置sudo权限 ## Allows people in group wheel to run allcommands <===配置组权限 # %wheel ALL=(ALL) ALL %aa ALL=(ALL) ALL %bb ALL=(ALL) NOPASSWD: ALL 保存退出 [[email protected] ~]# visudo -c <===通过visudo -c来进行语法的检查 /etc/sudoers: parsed OK
★测试
[[email protected] ~]$ sudo ifconfig <===tom用户通过sudo使用ifconfg [sudo] password for tom: <===输入tom的用户密码 eth0 Link encap:Ethernet HWaddr00:0C:29:57:8C:E0 inet addr:192.168.1.150 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:92685 errors:0 dropped:0 overruns:0 frame:0 TX packets:11341 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:8176975 (7.7 MiB) TXbytes:1021021 (997.0 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:200 errors:0 dropped:0 overruns:0 frame:0 TX packets:200 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:28106 (27.4 KiB) TXbytes:28106 (27.4 KiB) [[email protected] ~]$ sudo useradd mary <===通过sudo使用useradd命令,提示没有这命令 sudo: useradd: command not found [[email protected] ~]# which useradd <===查找useradd命令的绝对路径 /usr/sbin/useradd [[email protected] ~]$ sudo/usr/sbin/useradd mary <==通过sudo命用绝对路径useradd创建用户mary useradd: user mary exists [[email protected] ~]$ id mary uid=502(mary) gid=503(mary)groups=503(mary) [[email protected] ~]$ sudo su - <===通过sudo使用su –命令切到root用户,不用输入密码 [[email protected] ~]# su - bobo [[email protected] ~]$ sudo ifconfig <===通过sudo使用ifconfig命令,并不用输入密码 eth0 Link encap:Ethernet HWaddr00:0C:29:57:8C:E0 inet addr:192.168.1.150 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:93550 errors:0 dropped:0 overruns:0 frame:0 TX packets:11968 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:8257617 (7.8 MiB) TXbytes:1088399 (1.0 MiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:200 errors:0 dropped:0 overruns:0 frame:0 TX packets:200 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:28106 (27.4 KiB) TXbytes:28106 (27.4 KiB) [[email protected] ~]$ sudo /usr/sbin/useraddgirl <===通过sudo使用全路径命令useradd创建用户girl,并不用输入密码 [[email protected] ~]$ id girl uid=2004(girl) gid=2004(girl)groups=2004(girl)
总结:
1)通过visudo或者vi/etc/sudoers配置sudo权限来对用户组进行授权,可以使对应的组中2)所有用户都可以通过sudo命令来使用相应的权限
3)通过sudo来执行某个命令,如useradd时,必需输入其命令的绝对路径/usr/sbin/useradd
4)whereis 命令可以查找命令的全路径 如:which useradd
5)通过sudo执行命令时如需输入密码,如密码正确,可以在5分钟内执行命令不用输入密码
6) vi /etc/sudoers 但不会自动检查语法,要执行visudo-c检查语法
sudo配置文件/etc/sudoers注意事项:
sudo命令的配置文件是/etc/sudoers,我们可以用专用工具visudo来完成sudo的授权配置,使用visudo工具的好处是在添加规则后,保存退出时会自动检查授权配置的语法(这一点很重要,有很多人直接用vi编辑/etc/sudoers,最后配置错误了,造成所有普通用户无法切换到root的问题)。
当授权配置好后,可以切换到被授权的用户下,通过sudo -l 来查看哪些超级权限命令是可以执行或禁止的。
/etc/sudoers配置文件中的每一行就是一个规则,前面带有#号的为注释说明的内容,当规则超过一行的长度时,可以用“\”号来续号。
/etc/sudoers的规则大致可分为两类:一类是别名定义,另一类是授权规则;别名定义并不是必须的,只是在授权规则多的时候更方便授权,但授权规则是必须的。
三、sudo配置中的别名知识
在使用sudo授权中,可以使用1.Host_Alias定义主机别名 2. User_Alias用户别名
3. Runas_Alias用户身份别名 4. Cmnd_Alias命令别名
1)Host_Alias主机别名
实际语法为:
## Host Aliases
## Groups of machines. You may prefer touse hostnames (perhap using
## wildcards for entire domains) or IPaddresses instead.
# Host_Alias FILESERVERS = fs1, fs2 #-->请注意定义规范,”=”号两别有空格# Host_Alias MAILSERVERS = smtp, smtp2 #-->请注意定义规范,每个成员用逗号分隔,逗号后面有空格
说明:
1、在生产场景中,一般情况不需要设置主机别名,在定义授权规则时可以通过ALL来匹配所有的主机。
2、请注意上面定义的规范,有些规范虽然不是必须的,但我们还是要求能否按照系统的标准来配置,这样可以避免意外的问题发生。
3、以上Host_Alias内容截取自/etc/sudoers文件,最后两行取消了注释。
提示:其实主机别名就是一个主机组,如果一个/etc/sudoers文件几十台上百台服务器一起使用时,就使用到主机别名。
2)User_Alias 用户别名
实验:通过命令visudo 或vi /etc/sudoers配置 sudo授权限给用户mary、xiaoli和用户组%aa赋予root权限
★分别创建用户mary和xiaoli,并赋于其密码
[[email protected] ~]# useradd mary [[email protected] ~]# passwd mary Changing password for user mary. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updatedsuccessfully. [[email protected] ~]# useradd xiaoli [[email protected] ~]# passwd xiaoli Changing password for user xiaoli. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updatedsuccessfully.
★新建用户组aa,并把用户tom加入到aa组
[[email protected] ~]# groupadd aa [[email protected] ~]# gpasswd -a tom aa Adding user tom to group aa
★查看aa组里有哪些用户
[[email protected] ~]# grep aa /etc/group aa:x:505:tom
★通过vi /etc/sudoers 或visudo 配置用户别名
[[email protected] ~]# visudo ## User Aliases ## These aren‘t often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem User_Alias JUNIOS = mary, xiaoli, %aa <===设置用户别名为JUNIOS,一定要大写 别名里包含用户mary,xiaoli和%aa组 用户组必须在组名前面加%百分号 ## Allow root to run anycommands anywhere root ALL=(ALL) ALL JUNIOS ALL=(ALL) ALL <=====设置别名相对的权限别名为大写 :wq! <====保存并退出 如果使用vi /etc/sudoers直接编辑来对sudo授权,必须使用命令visudo -c进行语法检查 [[email protected] ~]# visudo -c <===检查其语法 /etc/sudoers: parsed OK
★测试
使用sudo –l命令分别查看mary,xiaoli和用户组里的tom用户授有哪些sudo授权权限
[[email protected] ~]$ sudo -l We trust you have received the usuallecture from the local System Administrator. It usually boils down tothese three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for mary: Matching Defaults entries for mary on thishost: requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Runas and Command-specific defaults formary: User mary may run the following commands onthis host: (ALL) ALL [[email protected] ~]$ sudo -l [sudo] password for xiaoli: Matching Defaults entries for xiaoli onthis host: requiretty, !visiblepw, env_reset,env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Runas and Command-specific defaults forxiaoli: User xiaoli may run the following commandson this host: (ALL) ALL [[email protected] ~]$ sudo -l Matching Defaults entries for tom on thishost: requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Runas and Command-specific defaults fortom: User tom may run the following commands onthis host: (ALL) ALL
注意:用户别名必须是大写,不然会报错,
所包含的用户必须是系统中存在的用户
3)Runas_Alias定义runas别名
这个别名指的是“用户身份”,即sudo允许切换到的用户。
Runas_Alias定义的是用户可以执行sudo切换身份到Runas_Alias下包含的成员身份
实际语法为:
Runas_Alias OP = root
Runas别名不常用,了解即可
4) Cmnd_Alias命令别名
实验:使用别名配置sudo配置文件,让xiaoli拥用root的/bin/mount, /bin/umount, /usr/bin/yum命令使用权限
★mary现在是没有yum安装软件包的权限的
[[email protected] ~]$ yum install tree–y Loaded plugins: fastestmirror,security You need to be root to perform this command.
★通过vi /etc/sudoers 或visudo 配置命令别名
[[email protected] ~]# visudo## Command Aliases ## These are groups of related commands... ## Networking #Cmnd_Alias NETWORKING = /sbin/route,/sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables,/usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software #Cmnd_Alias SOFTWARE = /bin/rpm,/usr/bin/up2date, /usr/bin/yum Cmnd_Alias XX = /bin/mount,/bin/umount, /usr/bin/yum <===这里可以编辑命令别名,命令别名必须是大写,=号跟着是所授权的命令 命令必须是全路径 ## Allow root to run any commands anywhere root ALL=(ALL) ALL xiaoli ALL=(ALL) XX <===命令别名必须对应以上的别名设置,一定要大写
★通过sudo -l查看xiaoli所授权的权限
[[email protected] ~]$ sudo -l Matching Defaults entries for xiaoli onthis host: requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAYHOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Runas and Command-specific defaults forxiaoli: User xiaoli may run the following commandson this host: (ALL)/bin/mount, /bin/umount, /usr/bin/yum
★测试
[[email protected] ~]$ sudo yum installmysql* -y Loaded plugins: fastestmirror, security Loading mirror speeds from cached hostfile *base: centos.ustc.edu.cn *extras: centos.ustc.edu.cn *updates: mirrors.grandcloud.cn Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package mysql.i386 0:5.0.95-5.el5_9set to be updated --> Processing Dependency: perl(DBI) forpackage: mysql ---> Package mysql.x86_640:5.0.95-5.el5_9 set to be updated ---> Package mysql-bench.x86_640:5.0.95-5.el5_9 set to be updated [[email protected] ~]$ sudo /bin/mount/dev/cdrom /mnt mount: block device /dev/cdrom iswrite-protected, mounting read-only [[email protected] ~]$ df Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda3 19094332 2125748 15983000 12% / /dev/sda1 194442 12218 172185 7% /boot tmpfs 511932 0 511932 0% /dev/shm /dev/hdc 4477020 4477020 0 100% /mnt [[email protected] ~]$ sudo /bin/umount /mnt umount: /mnt: not mounted [[email protected] ~]$ df Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda3 19094332 2125748 15983000 12% / /dev/sda1 194442 12218 172185 7% /boot tmpfs 511932 0 511932 0% /dev/shm
特别说明:
所有的命令别名下的成员必须是文件或目录的绝对路径
命令别名超过一行时,可以通过“\”号换行
在定义时,可以使用正则表达式,如/etc/bin/passwd [A-Za-z]*
例子:用户tom ,ett和%sa组里的用户是管理员用户,用户leo和maya是网络管理员
zuma是用户名管理员,
管理员拥有usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*,/bin/chown, /bin/chmod、/sbin/fdisk, /sbin/parted、/sbin/ifconfig,/etc/init.d/network、/usr/sbin/reboot, /usr/sbin/halt命令权限,
网络管理员拥有ifconfig 和 /etc/init.d/network命令权限,
用户管理员拥有useradd userdel,passwd,chown,chmod用户命令管理权限,
现在为这些用户分配sudo管理权限。
答:首先定义用户别名:
User_Alias ADMINS = tom,ett, %sa
User_Alias NETADMINS= leo, maya
User_Alias USERADMINS= zuma
说明:要尽可能使用有意义的名称作为别名,所有包含成员都必须是系统中存在的用户
定义命令别名:
Cmnd_Alias USERCMD = /usr/sbin/useradd,/usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, \ /bin/chown, /bin/chmod
Cmnd_Alias DISKCMD = /sbin/fdisk, /sbin/parted
Cmnd_Alias NETMAGCMD = /sbin/ifconfig, /etc/init.d/network
Cmnd_Alias CTRLCMD = /usr/sbin/reboot, /usr/sbin/halt
说明:所有命令别名下的成员必须是文件或目录的绝对路径
命令别名超过一行时,可以通过“/”号换行
在定义时,可以使用正测表达式,如/usr/bin/passwd [A-Za-z]
定义Runas别名
Runas_Alias OP = root
操作如下:
[[email protected] ~]# visudo ## User Aliases ## These aren‘t often necessary, as you canuse regular groups ## (ie, from files, LDAP, NIS, etc) in thisfile - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem #User_Alias by dingjian at 2013/11/30 User_Alias ADMINS = tom, ett, %sa User_Alias NETADMINS = leo, maya User_Alias USERADMINS = zuma ## Command Aliases ## These are groups of related commands... ## Networking #Cmnd_Alias NETWORKING = /sbin/route,/sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables,/usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software #Cmnd_Alias SOFTWARE = /bin/rpm,/usr/bin/up2date, /usr/bin/yum #Cmnd__Alias by dingjian at 2013/11/30 Cmnd_Alias USERCMD = /usr/sbin/useradd,/usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, /bin/chown, /bin/chmod Cmnd_Alias DISKCMD = /sbin/fdisk,/sbin/parted Cmnd_Alias CTRLCMD = /usr/sbin/reboot,/usr/sbin/halt Cmnd_Alias NETMAGCMD = /sbin/ifconfig,/etc/init.d/network Runas_Alias OP = root ## The COMMANDS section may have otheroptions added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL #the COMMANDS section may have otheroptions added to is ADMINS ALL=(ALL) USERCMD, NETMAGCMD, CTRLCMD, DISKCMD NETADMINS ALL=(OP) NOPASSWD: NETMAGCMD USERADMINS ALL=(OP) NOPASSWD: USERCMD
测试:
[[email protected] ~]$ sudo -l <==查看tom用户的sudo 权限 [sudo] password for tom: Matching Defaults entries for tom on thishost: requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAYHOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Runas and Command-specific defaults fortom: User tom may run the following commands onthis host: (ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, /bin/chown, /bin/chmod, (ALL) /sbin/ifconfig, /etc/init.d/network, (ALL) /usr/sbin/reboot,/usr/sbin/halt, (ALL) /sbin/fdisk, /sbin/parted [[email protected]~]$ sudo /etc/init.d/network restart Shutting downinterface eth0: [ OK ] Shutting downloopback interface: [ OK ] Bringing uploopback interface: [ OK ] Bringing upinterface eth0: [ OK ] [[email protected]~]$ sudo /usr/sbin/useradd brother [[email protected]~]$ sudo passwd brother Changingpassword for user brother. New UNIXpassword: Retype new UNIXpassword: passwd: allauthentication tokens updated successfully. [[email protected]~]$ id brother uid=2012(brother)gid=2012(brother) groups=2012(brother)
内容总结如下:
#User_Alias by dingjian at 2013/11/30 User_Alias ADMINS = tom, ett, %sa User_Alias NETADMINS = leo, maya User_Alias USERADMINS = zuma #Cmnd__Alias by dingjian at 2013/11/30 Cmnd_Alias USERCMD = /usr/sbin/useradd,/usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, /bin/chown, /bin/chmod Cmnd_Alias DISKCMD = /sbin/fdisk,/sbin/parted Cmnd_Alias CTRLCMD = /usr/sbin/reboot,/usr/sbin/halt Cmnd_Alias NETMAGCMD = /sbin/ifconfig,/etc/init.d/network Runas_Alias OP = root #the COMMANDS section may have otheroptions added to is ADMINS ALL=(ALL) USERCMD, NETMAGCMD, CTRLCMD, DISKCMD NETADMINS ALL=(OP) NOPASSWD: NETMAGCMD USERADMINS ALL=(OP) NOPASSWD: USERCMD
四、centos5.8添加环境变量
在tom用户家目录下编辑vi隐藏文件.bash_profile文件,修改成如下内容后保存:
[[email protected] ~]$ ls -a
. .bash_logout .bashrc .mozilla
.. .bash_profile .emacs .zshrc
[[email protected] ~]$ vi .bash_profile
# User specific environment and startupprograms
PATH=$PATH:$HOME/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
export PATH
#-->红色为我们修改的内容
#-->这个PATH变量内容就是root下的PATH路径,很多root有权执行的系统命令在/sbin,/usr/sbin下,从安全性考虑,在普通用户下默认的PATH环境变量中,默认情况并未加入/sbin,/usr/sbin的路径配置。
五、禁止某个命令的执行
禁止某个命令的执行,要在命令动作前面加上!号,本例中也使用了通配符的*的用法:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
tom ALL=/usr/sbin/*,/sbin/*,!/sbin/fdisk
这个规则表示tom用户在所有主机上可运行/usr/sbin和/sbin下所有的命令,但fdisk命令除外
提示:
命令的顺序是从后向前,即把禁止执行的命令放在允许命令的后面
在实际工作中,要对用户给只授权的命令,不能给全命令在除非不给的命令,这样会带来很大的安全隐患