Features of sudo
Restricts users to executing specified commands
Logs every command a user runs
The configuration file (/etc/sudoers) provides centralized management of users, privileges, hosts and other parameters
Within 5 minutes (the default) of a successful password check, the user is not asked for the password again
Hands-on practice
Environment: Red Hat Enterprise Linux Server release 7.3
1. Test whether a normal user can delete files created by root
[root@localhost ~] mkdir /test
[root@localhost ~] cd /test
[root@localhost test] touch test.txt
[root@localhost test] mkdir test.dir
[root@localhost test] ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[root@localhost test] id test
uid=1004(test) gid=1005(test) groups=1005(test)
[root@localhost test] su - test
Last login: Thu Jul 18 02:17:11 EDT 2019 on pts/0
[test@localhost ~]$ cd /test
[test@localhost test]$ ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ rm -rf test.dir/
rm: cannot remove ‘test.dir/’: Permission denied
[test@localhost test]$ rm -rf test.txt
rm: cannot remove ‘test.txt’: Permission denied
[test@localhost test]$ ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
2. Configure sudo with the visudo command
[root@localhost ~] visudo
In /etc/sudoers, add the line test ALL=(ALL) ALL below the line root ALL=(ALL) ALL
[root@localhost ~] cat /etc/sudoers | grep ALL
Defaults env_keep = "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
root ALL=(ALL) ALL
test ALL=(ALL) ALL
%sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
3. A normal user deletes root's files with sudo
[root@localhost ~] echo "Jaking" | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@localhost ~] su - test
Last login: Thu Jul 18 02:34:50 EDT 2019 on pts/0
[test@localhost ~]$ cd /test/
[test@localhost test]$ ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ rm -rf test.dir/
rm: cannot remove ‘test.dir/’: Permission denied
[test@localhost test]$ rm -rf test.txt
rm: cannot remove ‘test.txt’: Permission denied
[test@localhost test]$ sudo rm -rf test.dir/
[sudo] password for test:
[test@localhost test]$ ll
total 0
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ sudo rm -rf test.txt
[test@localhost test]$ ll
total 0
4. Passwordless sudo configuration
[test@localhost test]$ sudo cat /etc/shadow
[sudo] password for test:
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
***some output omitted***
[test@localhost test]$ id test2
uid=1006(test2) gid=1007(test2) groups=1007(test2)
[root@localhost ~] visudo
In /etc/sudoers, add the line test ALL=(ALL) NOPASSWD: ALL below the line %wheel ALL=(ALL) NOPASSWD: ALL
[root@localhost ~] cat /etc/sudoers | grep NOPASSWD
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) NOPASSWD: ALL
test ALL=(ALL) NOPASSWD: ALL
[test@localhost ~]$ sudo cat /etc/shadow
Viewing /etc/shadow as the normal user no longer requires entering the logged-in user's password
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
***some output omitted***
5. Granting partial sudo privileges
[root@localhost ~] cd /tmp
[root@localhost tmp] rm -rf *
[root@localhost tmp] ll
total 0
[root@localhost tmp] touch file
[root@localhost tmp] mkdir dir
[root@localhost tmp] ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 03:01 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file
[root@localhost tmp] whereis cat
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz
[root@localhost tmp] visudo
In /etc/sudoers, change the line test ALL=(ALL) ALL to test ALL=(ALL) /usr/bin/cat
[root@localhost ~] cat /etc/sudoers | grep cat
Updating the locate database
Defaults specification
Preserving HOME has security implications since many programs
test ALL=(ALL) /usr/bin/cat
[root@localhost ~] su - test
Last login: Thu Jul 18 03:06:55 EDT 2019 on pts/0
[test@localhost ~]$ sudo cat /etc/shadow
The test user has been granted permission to view the file (via cat)
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
***some output omitted***
[test@localhost ~]$ cd /tmp
[test@localhost tmp]$ ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 03:06 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file
[test@localhost tmp]$ rm -rf dir
The test user no longer has delete permission
rm: cannot remove ‘dir’: Permission denied
[test@localhost tmp]$ rm -rf file
The test user no longer has delete permission
rm: cannot remove ‘file’: Permission denied
[test@localhost tmp]$ ll
total 0
drwxr-xr-x. 2 root root 6 Jul 18 03:06 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file
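As an added audit helper (not part of the original tutorial), the following script classifies the rules in a constructed sudoers sample by risk, so that a NOPASSWD: ALL entry like the one added in step 4 stands out from the single-command entry of step 5. The sample file path, its contents and the HIGH/MEDIUM/LOW labels are assumptions made here.

```sh
#!/bin/sh
# Constructed sudoers fragment mirroring the rule shapes this page ends up
# with (NOPASSWD: ALL, (ALL) ALL, and a single allowed binary). The path and
# contents are sample data, not the real /etc/sudoers.
SAMPLE_SUDOERS="${TMPDIR:-/tmp}/sudoers.sample.$$"
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults env_keep = "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
root ALL=(ALL) ALL
test ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
test2 ALL=(ALL) /usr/bin/cat
EOF

# Print "principal<TAB>risk<TAB>command list" for each user/group rule.
# HIGH   = any command, no password (the step-4 entry)
# MEDIUM = any command, password required (the step-2 entry)
# LOW    = an explicit command list (the step-5 entry)
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)/ { next }
    {
      user = $1
      line = $0
      sub(/^[^=]*=/, "", line)                           # strip "user HOST="
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)            # strip "(runas)"
      nopasswd = (line ~ /NOPASSWD:/)
      sub(/^[ \t]*(NOPASSWD|PASSWD):[ \t]*/, "", line)   # strip the tag
      if (line == "ALL" && nopasswd) risk = "HIGH"
      else if (line == "ALL")        risk = "MEDIUM"
      else                           risk = "LOW"
      printf "%s\t%s\t%s\n", user, risk, line
    }' "$1"
}

# Number of principals that can run every command without a password.
count_nopasswd_all() {
  audit_sudoers "$1" | awk 'BEGIN { FS = "\t" } $2 == "HIGH" { n++ } END { print n + 0 }'
}

# Risk level recorded for one principal (empty if it has no rule).
risk_of() {
  audit_sudoers "$2" | awk -v u="$1" 'BEGIN { FS = "\t" } $1 == u { print $2 }'
}

audit_sudoers "$SAMPLE_SUDOERS"
echo "principals with NOPASSWD: ALL -> $(count_nopasswd_all "$SAMPLE_SUDOERS")"
```

Before relying on a hand-edited file, `visudo -c -f <file>` checks its syntax; this script only classifies rules that visudo already accepts.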