sudo配置临时取得root权限
系统中的普通用户有时需要root权限执行某种操作,要是使用su - root的话必须要知道root的密码,这是不安全的,所以有了sudo,root可以对/etc/sudoers做一定的配置,让普通用户
在不切换到root的情况下,执行一些只有root才能执行的操作。这个文件只能root去修改,建议使用visudo这个命令修改,而不是直接vim /etc/sudoers。
原因有二:
? 一是它能够防止两个用户同时修改它;
? 二是它也能进行有限的语法检查。
当编辑这个文件有错误时,使用visudo会给出错误提示,此时可以按e重新编辑,x不保存退出,Q保存退出,如果选择Q,sudo就不能正常工作了。
实验过程完成了给指定用户sudo权限和用别名指定一组用户的可以执行的sudo指令
过程如下:
[plain] view plain copy
- [[email protected] ~]# visudo
- #chen为普通用户,ALL可以从任何的主机登陆,(root)可以以root身份,后面是可以执行的命令,最好写全路径
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 ## Allows members of the ‘sys‘ group to run networking, software,
- [[email protected] ~]# exit
- logout
- [[email protected] 桌面]$ sudo -l #查看自己可以执行的sudo命令
- [sudo] password for chen: #输入自己的密码
- Matching Defaults entries for chen on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
- User chen may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #这里看到可以执行的sudo命令
- [[email protected] 桌面]$ sudo useradd user3 #测试
- [[email protected] 桌面]$ sudo passwd user3
- 更改用户 user3 的密码 。
- 新的 密码:
- 无效的密码: 过短
- 无效的密码: 过于简单
- 重新输入新的 密码:
- passwd: 所有的身份验证令牌已经成功更新。
- [[email protected] 桌面]$ id user3 #添加user3成功
- uid=503(user3) gid=503(user3) 组=503(user3)
- [[email protected]l 桌面]$ visudo #普通用户不允许编辑
- visudo: /etc/sudoers: Permission denied
- visudo: /etc/sudoers: Permission denied
- [[email protected] 桌面]$ su - root
- 密码:
- [[email protected] ~]# visudo
- [[email protected] ~]# cat /etc/sudoers |grep user1 #编辑增加了下面一行
- user1 ALL=(user2) /bin/ls
- [[email protected] ~]# su - user1
- [[email protected] ~]$ sudo -l
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
- [sudo] password for user1:
- Matching Defaults entries for user1 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
- User user1 may run the following commands on this host:
- (user2) /bin/ls
- [[email protected] ~]$ ls /home/user2 #user1直接查看user2的家目录肯定是不允许的
- ls: 无法打开目录/home/user2: 权限不够
- [[email protected] ~]$ sudo -u user2 ls /home/user2 #但是sudo以user2的身份查看就可以
- a
- #这里不能以user2的身份添加用户,因为user2本身还没有useradd的权限
- #事实上,即使给user2 sudo的添加用户权限这样也是不行的,因为user2添加的时候也要sudo的啊
- #直接以user2肯定不行,看演示。
- [[email protected] ~]$ sudo -u user2 useradd user4 #这时候不能添加
- Sorry, user user1 is not allowed to execute ‘/usr/sbin/useradd user4‘ as user2 on mail.example.com.
- [[email protected] ~]$ exit
- logout
- [[email protected] ~]# visudo
- #添加了这行,给user2 sudo添加用户的权限,这时候sudo -u user2 useradd user4是否可以呢?不行的!
- user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- [[email protected] ~]# su - user2
- [[email protected] ~]$ sudo -l
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
- [sudo] password for user2:
- Matching Defaults entries for user2 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
- User user2 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd
- [[email protected] ~]$ su - user1
- 密码:
- [[email protected] ~]$ sudo -u user2 useradd user4 #答案在此,不行的!
- Sorry, user user1 is not allowed to execute ‘/usr/sbin/useradd user4‘ as user2 on mail.example.com.
- [[email protected] ~]$
- #总结下,sudo -u 用户名 命令 ,当前用户以某个用户的身份执行某个命令的时候,必须这个用户本身不加sudo的情况
- #直接能执行的命令,才可以这种方式执行。另外,sudo不加-u,默认以root身份执行
- [[email protected] ~]$ exit
- logout
- [[email protected] ~]$ exit
- logout
- [[email protected] ~]# visudo
- #改动如下:删除了91,92行,
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 user1 ALL=(user2) /bin/ls #删除
- 92 user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #删除
- 88 ## Allow root to run any commands anywhere
- 89 root ALL=(ALL) ALL
- 90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
- 91 ADMIN ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #新添加
- 20 # User_Alias ADMINS = jsmith, mikem
- 21 User_Alias ADMIN = user1, user2 #新添加
- 22
- #这里相当于ADMIN为user1,user2的别名,这个别名具有添加用户的权限,user1和user2也具有这个权限
- [[email protected] ~]# su - user1
- [[email protected] ~]$ sudo -l
- [sudo] password for user1:
- Matching Defaults entries for user1 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
- User user1 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #可以看到user1有useradd权限
- [[email protected] ~]$ su - user2
- 密码:
- [[email protected] ~]$ sudo -l
- [sudo] password for user2:
- Matching Defaults entries for user2 on this host:
- requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
- HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
- LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
- LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
- LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
- _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
- User user2 may run the following commands on this host:
- (root) /usr/sbin/useradd, (root) /usr/bin/passwd #user2也有
- [[email protected] ~]$
原文地址:https://www.cnblogs.com/exmyth/p/9074718.html
时间: 2024-10-08 03:25:26