
su, sudo, and restricting remote root login

Linux basics

3.7 The su command

· su switches the user but does not change the current working directory or HOME, SHELL, USER and LOGNAME; only the target user's privileges (root's, typically) are gained

[root@24centos7-01 ~]# su vitus
[vitus@24centos7-01 root]$ pwd
/root

· su -, su -l, su --login: change identity and at the same time switch the working directory as well as HOME, SHELL, USER and LOGNAME; PATH is changed too

[root@24centos7-01 ~]# su - vitus
上一次登錄:四 10 26 20:09:48 CST 2689pxs/0
[vitus@24centos7-01 ~]$ pwd
/home/vitus

· su - -c: run a command as the specified user

[root@24centos7-01 ~]# su - -c "touch /tmp/vitus.txt" vitus
[root@24centos7-01 ~]# ls -l /tmp/
總用量 1
-rw-rw-r-- 1 vitus vitus 0 10 26 21:31 vitus.txt

· root needs no password to switch to any regular user; a regular user switching to another user must enter the target user's password

3.8 The sudo command

sudo lets a regular user temporarily take on root's identity to carry out specific operations, so the root password does not have to be handed out to many staff.

· visudo opens the sudoers configuration file

[root@24centos7-01 ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases -- host alias authorizations
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases -- user alias authorizations
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL -- allow root to run all commands anywhere
vitus ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat -- grant the regular user ls, mv and cat

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL -- grant permissions to the members of a group

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

· Test whether the regular user vitus can now use ls, mv and cat

[root@24centos7-01 ~]# su - vitus
上一次登錄:四 10 26 21:50:40 CST 2689pxs/0
[vitus@24centos7-01 ~]$ ls /root/
ls: 無法打開目錄/root/: 權限不夠
[vitus@24centos7-01 ~]$ sudo ls /root/
[sudo] password for vitus:
anaconda-ks.cfg showtime.txt test
[vitus@24centos7-01 ~]$ mv /root/showtime.txt /root/showtime_1.txt
mv: failed to access "/root/showtime_1.txt": 權限不夠
[vitus@24centos7-01 ~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[vitus@24centos7-01 ~]$ sudo ls /root/
anaconda-ks.cfg showtime_1.txt test
[vitus@24centos7-01 ~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[vitus@24centos7-01 ~]$ cat /root/showtime.txt
cat: /root/showtime.txt: 權限不夠
[vitus@24centos7-01 ~]$ sudo cat /root/showtime.txt
linux
learninglinux
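An added audit helper (example code, not from the original post): it reads a sudoers file on stdin and flags rules that hand out an unrestricted or passwordless root shell, which is exactly what the commented "Same thing without a password" line above would do if enabled. It assumes POSIX sh and awk; the sample sudoers text inside it is constructed from the rules shown in this section.

```shell
#!/bin/sh
# Added example, not from the original post: scan a sudoers file (on stdin)
# for rules that amount to an unrestricted or passwordless root shell.
# Assumes POSIX sh and awk; the sample sudoers text below is constructed.

sudoers_audit() {
    awk '
        # Comments are dropped, but #include/#includedir are directives, not comments.
        /^[ \t]*#/ && !/^[ \t]*#include/ { next }
        /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias)/ { next }
        /^[ \t]*#includedir/ { print "INFO drop-in rules also apply: " $0; next }
        {
            if ($0 ~ /NOPASSWD:[ \t]*ALL/) {
                # root with no password prompt at all
                print "RISK passwordless ALL: " $0
            } else if ($0 ~ /\/(su|sudo|sh|bash|dash|zsh)([ \t,]|$)/) {
                # su, sudo or a shell in the command list lets the user run
                # anything as root, so the list is no restriction
                print "RISK grants su/sudo/shell: " $0
            } else if ($NF == "ALL" && $1 != "root") {
                print "INFO unrestricted ALL (password required): " $0
            }
        }
    '
}

# Constructed sample: the rules from this post plus the commented-out
# NOPASSWD line that ships in the default file.
SAMPLE_SUDOERS='Defaults env_reset
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
vitus ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
%wheel ALL=(ALL) ALL
#%wheel ALL=(ALL) NOPASSWD: ALL
vitus ALL=(ALL) NOPASSWD: /bin/su, /bin/sudo
#includedir /etc/sudoers.d'

# Number of findings of one severity (RISK or INFO) for the sample.
count_findings() {
    printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_audit | grep -c "^$1" || true
}

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_audit
```

Run it against the live file with `sudo cat /etc/sudoers /etc/sudoers.d/* | sh audit.sh` style piping; a rule that only names ls, mv and cat produces no output.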

3.9 Restricting remote root login

1. Edit the /etc/ssh/sshd_config configuration file and change #PermitRootLogin yes to PermitRootLogin no

[root@24centos7-01 ~]# vim /etc/ssh/sshd_config
#PermitRootLogin yes -- edit this line: remove the leading #, change yes to no, save and quit
[root@24centos7-01 ~]# systemctl restart sshd.service -- restart the ssh service

login as: root
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password: -- root can no longer log in with a password

2. Run visudo and add:

vitus ALL=(ALL) NOPASSWD: /bin/su, /bin/sudo

3. Log in as the regular user, then switch to root with sudo su - root

[vitus@24centos7-01 ~]$ sudo su - root
上一次登錄:四 10 26 22:37:43 CST 2689pxs/0
[root@24centos7-01 ~]# whoami
root
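Once step 2 is in place, vitus's own login credential is the only control left in front of root, so the sshd change from step 1 is worth verifying rather than assuming. The added check below (example code, not from the original post; assumes POSIX sh and awk, sample configs constructed) reports the effective global PermitRootLogin value the way sshd reads it: the first active occurrence wins, a commented line such as the stock #PermitRootLogin yes leaves the option unset, and the global section ends at the first Match block.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective global
# PermitRootLogin setting of an sshd_config read on stdin. sshd takes the
# first active occurrence of a keyword, keywords are case-insensitive, a
# single "=" may separate keyword and value, and global options must come
# before any Match block. Assumes POSIX sh and awk; samples are constructed.

sshd_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment or blank line
        { sub(/=/, " "); $0 = $0 }           # "Key=value" -> "Key value", re-split
        tolower($1) == "match" { exit }      # global section ends; END still runs
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }    # unset: the compiled-in default applies
    '
}

# PASS only when root login over ssh is refused outright, as this post intends;
# "unset" or "prohibit-password" still lets root in by some method.
root_login_verdict() {
    case "$(sshd_permit_root_login)" in
        no) echo PASS ;;
        *)  echo FAIL ;;
    esac
}

# Constructed samples: the stock commented line, the hardened file with a
# later duplicate and a Match block, and the "=" separator form.
STOCK='#PermitRootLogin yes
PasswordAuthentication yes'
HARDENED='PermitRootLogin no
PermitRootLogin yes
Match User vitus
    PermitRootLogin yes'
EQUALS='PermitRootLogin=prohibit-password'

for cfg in "$STOCK" "$HARDENED" "$EQUALS"; do
    printf '%s -> ' "$(printf '%s\n' "$cfg" | sshd_permit_root_login)"
    printf '%s\n' "$cfg" | root_login_verdict
done
```

On a live host, `sshd_permit_root_login < /etc/ssh/sshd_config` gives the value that will apply after the service restart.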
