Configuring sudo to obtain root privileges temporarily
Ordinary users on a system sometimes need root privileges for a particular operation. Doing this with su - root requires knowing the root password, which is unsafe: the password has to be shared, and everything the user does afterwards runs as root. This is why sudo exists. root adds entries to /etc/sudoers that let an ordinary user run certain root-only operations without switching to root. Only root can modify this file, and it should be edited with the visudo command rather than directly with vim /etc/sudoers.
There are two reasons:
1. visudo locks the file, so two users cannot modify it at the same time;
2. visudo runs a (limited) syntax check before installing the new file.
If the edited file contains an error, visudo reports it and asks what to do: e re-opens the editor, x quits without saving, and Q saves the file anyway. Choosing Q installs the broken file, and sudo then refuses to run at all (it aborts with a parse error for /etc/sudoers) until root repairs it, so never choose Q. visudo -c checks the syntax of the installed file without opening an editor, and visudo -cf FILE checks another file.
The experiment below first grants sudo rights to a single user, then uses a User_Alias to give a group of users one set of permitted sudo commands.
The process:
[root@mail ~]# visudo    # chen is an ordinary user; the first ALL is the host list (the rule applies on any host), (root) is the user the commands may be run as, and the rest is the list of permitted commands, best written with full paths
     88 ## Allow root to run any commands anywhere
     89 root    ALL=(ALL)       ALL
     90 chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
     91 ## Allows members of the 'sys' group to run networking, software,
[root@mail ~]# exit
logout
[chen@mail Desktop]$ sudo -l    # list the sudo commands available to the current user
[sudo] password for chen:       # chen's own password, not root's
Matching Defaults entries for chen on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User chen may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd    # the permitted commands
[chen@mail Desktop]$ sudo useradd user3    # test
[chen@mail Desktop]$ sudo passwd user3
Changing password for user user3.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[chen@mail Desktop]$ id user3    # user3 was created
uid=503(user3) gid=503(user3) groups=503(user3)
[chen@mail Desktop]$ visudo    # an ordinary user may not edit sudoers
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
[chen@mail Desktop]$ su - root
Password:
[root@mail ~]# visudo
[root@mail ~]# cat /etc/sudoers | grep user1    # the line added in the editor
user1   ALL=(user2) /bin/ls
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user1:
Matching Defaults entries for user1 on this host:
    (identical to the Defaults shown for chen above)

User user1 may run the following commands on this host:
    (user2) /bin/ls
[user1@mail ~]$ ls /home/user2    # user1 has no right to read user2's home directory
ls: cannot open directory /home/user2: Permission denied
[user1@mail ~]$ sudo -u user2 ls /home/user2    # but through sudo, as user2, it works
a
# Adding a user as user2 does not work: user2 itself has no right to run useradd.
# Giving user2 a sudo rule for useradd does not change this either, because sudo consults the
# invoking user's rules (user1's), and the command would in any case run as user2, not root. Demonstration:
[user1@mail ~]$ sudo -u user2 useradd user4    # refused
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$ exit
logout
[root@mail ~]# visudo    # added the following line, giving user2 sudo rights to add users; does sudo -u user2 useradd user4 work now? No!
user2   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
[root@mail ~]# su - user2
[user2@mail ~]$ sudo -l
    (the same lecture as above)
[sudo] password for user2:
Matching Defaults entries for user2 on this host:
    (identical to the Defaults shown for chen above)

User user2 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd
[user2@mail ~]$ su - user1
Password:
[user1@mail ~]$ sudo -u user2 useradd user4    # here is the answer: still refused
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$
# Summary: sudo -u USER COMMAND runs COMMAND with USER's privileges, not root's, and sudo decides
# whether to permit it only from the rules whose user field names the invoking user and whose
# (runas) field contains USER. user2's own (root) rule says nothing about what user1 may do as
# user2, so the request is refused; even if it were permitted, useradd would run as the
# unprivileged user2 and fail. Without -u, sudo runs the command as root.
[user1@mail ~]$ exit
logout
[user2@mail ~]$ exit
logout
[root@mail ~]# visudo    # changes: lines 91 and 92 deleted,
     88 ## Allow root to run any commands anywhere
     89 root    ALL=(ALL)       ALL
     90 chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
     91 user1   ALL=(user2)     /bin/ls     # deleted
     92 user2   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd   # deleted

     88 ## Allow root to run any commands anywhere
     89 root    ALL=(ALL)       ALL
     90 chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
     91 ADMIN   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd   # newly added

     20 # User_Alias ADMINS = jsmith, mikem
     21 User_Alias ADMIN = user1, user2        # newly added
     22 # ADMIN is an alias for user1 and user2; the alias has the right to add users, so user1 and user2 have it too
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on this host:
    (identical to the Defaults shown for chen above)

User user1 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd    # user1 now has the useradd right
[user1@mail ~]$ su - user2
Password:
[user2@mail ~]$ sudo -l
[sudo] password for user2:
Matching Defaults entries for user2 on this host:
    (identical to the Defaults shown for chen above)

User user2 may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/bin/passwd    # and so does user2
[user2@mail ~]$

Two caveats on the rules used here. First, a command listed in sudoers without arguments matches any arguments, so chen ALL=(root) /usr/bin/passwd also permits sudo passwd root (and a bare sudo passwd, which as root changes root's own password), and /usr/sbin/useradd permits useradd -o -u 0 ..., a second UID-0 account. Either hands the user full, permanent root rather than the limited access the rule appears to grant. Restrict arguments where the command allows it, for example the pattern from the sudoers manual, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root (which still assumes passwd accepts only one user name per invocation), and prefer commands that cannot be turned into a root shell. Second, a User_Alias is easier to maintain than per-user lines, but sudo -l run as each member remains the authoritative check of what was actually granted.
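The session above discovers sudo's matching rule empirically. The following added example, which is not sudo's code and not part of the original post, is a deliberately simplified Python model of that matching: only plain user rules and User_Alias lines are parsed, the host field is ignored, commands must be given by full path, and arguments are compared literally (real sudoers also supports globs and ! negation). The STAGE1, STAGE2 and HARDENED fragments, the allowed() and demo() helpers and the hardened rule's user3 argument are constructed for illustration. demo() reproduces every allowed/denied outcome of the session and adds two it does not show: the unrestricted passwd rule also permits sudo passwd root, and pinning the argument closes that hole.

```python
# Added example (not sudo's code, not from the original post): a simplified
# model of how sudo matches `sudo [-u RUNAS] COMMAND` against sudoers rules.
# Assumptions of the model:
#   * only `user host=(runas) cmd[,cmd...]` entries and User_Alias lines;
#   * the host field is ignored (every rule in the post uses ALL);
#   * full command paths, arguments compared literally (no globs, no `!`);
#   * no Defaults, %group, Runas_Alias or Cmnd_Alias handling;
#   * a User_Alias must be defined before the rule that uses it.
import re
from dataclasses import dataclass


@dataclass
class Rule:
    users: list      # invoking users, aliases already expanded
    runas: list      # target users; ["ALL"] means any target
    commands: list   # (path, args) pairs; args None means "any arguments"


ALIAS_RE = re.compile(r"User_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)")


def parse_sudoers(text):
    """Parse the supported subset of sudoers syntax into Rule objects."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments/blanks
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [u.strip() for u in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        who, _host, runas, cmds = m.groups()
        commands = []
        for spec in cmds.split(","):
            parts = spec.strip().split(None, 1)
            commands.append((parts[0], parts[1] if len(parts) == 2 else None))
        rules.append(Rule(users=aliases.get(who, [who]),
                          runas=[r.strip() for r in (runas or "root").split(",")],
                          commands=commands))     # no (...) part means (root)
    return rules


def allowed(rules, invoker, command, runas="root"):
    """Would `sudo -u RUNAS COMMAND`, typed by INVOKER, be permitted?  Plain `sudo`
    targets root.  Only rules naming INVOKER count; RUNAS's own rules are irrelevant."""
    path, _, args = command.strip().partition(" ")
    for r in rules:
        if invoker not in r.users and "ALL" not in r.users:
            continue
        if runas not in r.runas and "ALL" not in r.runas:
            continue
        for cpath, cargs in r.commands:
            if cpath == "ALL":
                return True
            if cpath != path:
                continue
            if cargs is None:                 # bare path: any arguments match
                return True
            if cargs == '""':                 # "": only the command with no args
                if args == "":
                    return True
            elif cargs == args:
                return True
    return False


# Constructed sudoers fragments mirroring the post's stages.
STAGE1 = """
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
user1   ALL=(user2)     /bin/ls
user2   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
"""
STAGE2 = """
# User_Alias ADMINS = jsmith, mikem
User_Alias ADMIN = user1, user2
root    ALL=(ALL)       ALL
chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
ADMIN   ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd
"""
# Hypothetical hardened variant: passwd's argument pinned, so `sudo passwd root` no longer matches.
HARDENED = "chen    ALL=(root)      /usr/sbin/useradd,/usr/bin/passwd user3\n"


def demo():
    s1, s2, h = map(parse_sudoers, (STAGE1, STAGE2, HARDENED))
    return {
        "chen useradd as root":          allowed(s1, "chen", "/usr/sbin/useradd user3"),
        "chen passwd root (danger)":     allowed(s1, "chen", "/usr/bin/passwd root"),
        "user1 ls as user2":             allowed(s1, "user1", "/bin/ls /home/user2", "user2"),
        "user1 useradd as user2":        allowed(s1, "user1", "/usr/sbin/useradd user4", "user2"),
        "user2 useradd as root":         allowed(s1, "user2", "/usr/sbin/useradd user4"),
        "alias: user1 useradd as root":  allowed(s2, "user1", "/usr/sbin/useradd user4"),
        "alias: user1 ls as user2 gone": allowed(s2, "user1", "/bin/ls", "user2"),
        "hardened: passwd user3":        allowed(h, "chen", "/usr/bin/passwd user3"),
        "hardened: passwd root":         allowed(h, "chen", "/usr/bin/passwd root"),
    }
```

Call demo() (or allowed() with your own rule text) to see each decision; the "user1 useradd as user2" entry is False in STAGE1 even though user2 has a useradd rule, which is exactly the result the session arrives at by trial.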
Reposted from: https://www.cnblogs.com/exmyth/p/9074718.html