linux中的sudo許可權
1、sudo許可權
root把本來只能超級使用者執行的命令賦予普通使用者執行
sudo的操作物件是系統命令
2、sudo使用
visudo #實際修改的是/etc/sudoers檔案
# 使用者名稱 被管理主機的地址=(可使用的身份)授權命令(絕對路徑)
root ALL=(ALL) ALL #(注意這只是系統給的一個例子,root使用者本身就具有最高許可權,這句話刪除了也沒關係)
# %wheel ALL=(ALL) ALL
%組名 被管理主機的地址=(可使用的身份)授權命令(絕對路徑)
以下是visudo命令後看到的配置檔案,前面帶#號的都是系統註釋
## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Refuse to run if unable to disable echo on the tty. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults env_reset Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL fz ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d
要想使某個原本root使用者才能使用的命令能被普通使用者fz執行,可以直接在檔案尾新增:
如新增使用者fz為sudoer
root ALL=(ALL) ALL
如新增組group1為sudoer
%group1 ALL=(ALL) ALL
如讓user1使用者能夠使用/sbin/shutdown -r now命令
user1 ALL=(ALL) /sbin/shutdown -r now # 注意這個命令最好寫絕對路徑,使用時也需寫成絕對路徑
3、檢視可用的sudo命令
sudo -l
4、授權普通使用者可以新增其他使用者
fz ALL= /usr/sbin/useradd
想要新增使用者成功,還得給普通使用者設定密碼的許可權:
然而這種許可權是很危險的,如下:當管理員(root)給了普通使用者(fz)新增其他使用者並且設定密碼的許可權後,該使用者甚至可以修改root使用者的密碼,這無異於root使用者直接將伺服器拱手送人,顯然這種行為是不推薦的。
為了防止出現這種情況,可以在visudo命令後的檔案末尾新增以下語句
該語句的意思是:可以執行passwd 使用者名稱(但不包括passwd+空內容及passwd+root命令),[A-Za-z]* 是正則表示式,表示任意字母開頭的單詞。新增完成該語句後,執行結果如下