sudo:
su: switch user
There are two ways to switch users:
(1) su - user, su -l user
(2) su user
su -c 'COMMAND': run a command as another user without switching to that user's session
sudo (like "Run as administrator" on Windows): execute a command as another user, i.e. run the specified command with another user's identity
How the authorization mechanism is implemented:
Authorization file: /etc/sudoers
Help for the authorization file: man sudoers
It holds two kinds of content:
(1) alias definitions, which act like variables;
(2) authorization entries, which may use those aliases;
Authorization entries (one per line):
who where=(whom) commands
or, put another way:
users hosts=(runas) commands
Editing the authorization file:
Do not edit /etc/sudoers directly with vim. The file has a fixed format, so use the dedicated visudo tool to edit it; when the edited file contains a syntax error, visudo prints a warning.
[root@bogon ~]# visudo
visudo: /etc/sudoers.tmp unchanged
Viewing /etc/sudoers:
~]# less /etc/sudoers
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL       # this is why root can run every command
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL       # members of the wheel group may run every command
Note: the authorizations a user gains through sudo can only be exercised by launching the command with sudo;
The sudo command:
sudo [options] COMMAND
-u username: run the command as the specified user;
[root@bogon ~]# useradd centos
[root@bogon ~]# sudo -u yixuan whoami
yixuan    # root ran whoami as yixuan
-l: list all the commands the user may run through sudo;
[root@bogon ~]# usermod -aG wheel yixuan    # add the user to the wheel group
[root@bogon ~]# id yixuan
uid=1001(yixuan) gid=1001(yixuan) groups=1001(yixuan),10(wheel)
[root@bogon ~]# su - yixuan
Last login: Thu Apr 28 08:40:15 CST 2016 on pts/0
[yixuan@bogon ~]$ sudo -l
Matching Defaults entries for yixuan on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User yixuan may run the following commands on this host:
    (ALL) ALL    # members of the wheel group may run every command
[yixuan@bogon ~]$ sudo -u root useradd fedora
[yixuan@bogon ~]$ tail -n1 /etc/passwd
fedora:x:1002:1002::/home/fedora:/bin/bash
[yixuan@bogon ~]$
-k: discard the cached result of the user's earlier successful authentication;
Let's now break down what each field of an authorization entry means:
who:
username: a single user;
#uid: a single user, by UID;
%groupname: all users in the group;
%#gid: all users in the group, by GID;
user_alias: a user alias;
where:
ip or hostname: a single host;
NetAddr: a network address;
host_alias: a host alias;
whom:
username
#uid
runas_alias: an alias for the identities the command may run as
commands:
command: a single command;
directory: every program inside the given directory;
sudoedit: a special privilege that can be used to grant sudo rights to other users;
cmnd_alias: a command alias;
Exercise: authorize user fedora to run the useradd and usermod commands
[root@bogon ~]# visudo
**************omitted***************
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d    # authorization entries can also be placed in files under /etc/sudoers.d
fedora ALL=(root) /usr/sbin/useradd,/usr/sbin/usermod
[root@bogon ~]# su - fedora
Last login: Thu Apr 28 09:09:12 CST 2016 on pts/0
[fedora@bogon ~]$ sudo -l
[sudo] password for fedora:    # fedora's own password is verified here, and only once
Matching Defaults entries for fedora on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User fedora may run the following commands on this host:
    (root) /usr/sbin/useradd, (root) /usr/sbin/usermod    # the authorization entry
How to define an alias:
ALIAS_TYPE NAME=item1, item2, ...
ALIAS_TYPE:
User_Alias
Host_Alias
Runas_Alias
Cmnd_Alias
NAME: the alias name; it must be written in all uppercase letters;
Example: using alias definitions, authorize tom and jerry to run userdel, useradd and passwd as root
[root@bogon sudoers.d]# useradd tom
[root@bogon sudoers.d]# useradd jerry
[root@bogon sudoers.d]# echo test | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
[root@bogon sudoers.d]# echo test | passwd --stdin jerry
Changing password for user jerry.
passwd: all authentication tokens updated successfully.
[root@bogon sudoers.d]# visudo
#fedora ALL=(root) /usr/sbin/useradd,/usr/sbin/usermod
User_Alias USERADMINS=tom,jerry
Cmnd_Alias USERADMINCMNDS=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd
USERADMINS ALL=(root) USERADMINCMNDS
[root@bogon sudoers.d]# su - tom
[tom@bogon ~]$ sudo /usr/sbin/useradd nihao
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[tom@bogon ~]$ test
[tom@bogon ~]$ tail -n1 /etc/passwd
nihao:x:1006:1006::/home/nihao:/bin/bash
[tom@bogon ~]$
Note: the example above shows that passwd can be used to change root's password as well, right? So for system security we need to do the following!!!
Example:
#includedir /etc/sudoers.d
#fedora ALL=(root) /usr/sbin/useradd,/usr/sbin/usermod
User_Alias USERADMINS=tom,jerry
Cmnd_Alias USERADMINCMNDS=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd [a-z]*,!/usr/bin/passwd root,/usr/sbin/userdel
USERADMINS ALL=(root) USERADMINCMNDS
[tom@bogon ~]$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tom may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel
[tom@bogon ~]$ sudo /usr/bin/passwd root
Sorry, user tom is not allowed to execute '/usr/bin/passwd root' as root on bogon.
! means negation; this entry filters out the right to change root's password. Because sudoers applies the last matching entry, the negated item has to come after the /usr/bin/passwd [a-z]* item that it narrows.
[Note] Throughout the use of sudo we authenticate only with the current user's password. But what if we want to switch to the root administrator's identity?
If the root superuser has a password: just exit;
If the root superuser has no password: root's identity cannot be verified to switch to it, so you can use the following instead:
[tom@bogon ~]$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User tom may run the following commands on this host:
    (root) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel, /bin/su
[tom@bogon ~]$ sudo su - root
Last login: Thu Apr 28 08:07:45 CST 2016 from 192.168.1.108 on pts/0
[root@bogon ~]#
or "centos ALL=(root) ALL"
All of these operations are, however, recorded in /var/log/messages.
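Because every sudo run is logged, those records are where a defender sees who obtained what. The following is an added example (not from the original post) that parses the format sudo writes to syslog and flags both denied attempts and commands such as /bin/su that hand the caller a full shell as the target user, which is what the /bin/su entry above allows. The sample lines are constructed in that format, with invented timestamps and the hostname from the post; on CentOS the authpriv facility normally routes them to /var/log/secure, so in practice you would read that file instead of the embedded string.

```python
"""Parse sudo's syslog records and review them from the defender's side.  Added
example, not from the original post and not sudo's own code; the log lines are
constructed in the format sudo writes to syslog."""
import re

# Constructed sample records (invented timestamps) matching the scenarios in the post,
# plus one unrelated sshd line to show that non-sudo records are skipped.
SAMPLE_LOG = """\
Apr 28 09:10:02 bogon sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd nihao
Apr 28 09:12:41 bogon sudo:      tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/passwd root
Apr 28 09:15:10 bogon sudo:      tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su - root
Apr 28 09:18:55 bogon sudo:   fedora : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/fedora ; USER=root ; COMMAND=/usr/sbin/userdel nihao
Apr 28 09:20:00 bogon sshd[2112]: Accepted publickey for yixuan from 192.168.1.108 port 50112 ssh2
"""

# A successful run has no reason field; a refused one carries the reason before TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")

# Programs that give the caller an interactive shell as the target user.
SHELLS = {"/bin/su", "/bin/sh", "/bin/bash", "/usr/bin/su", "/usr/bin/bash"}

def parse_sudo_log(text):
    """Return one dict per sudo record; lines from other daemons are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()                       # 'reason' is None on success
            ev["program"] = ev["command"].split()[0]
            events.append(ev)
    return events

def review(events):
    """Flag refused attempts and full shells; returns (user, runas, note) tuples."""
    findings = []
    for ev in events:
        if ev["reason"]:
            findings.append((ev["user"], ev["runas"], "denied: " + ev["reason"]))
        elif ev["program"] in SHELLS:
            findings.append((ev["user"], ev["runas"], "full shell via " + ev["command"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_sudo_log(SAMPLE_LOG)):
        print(finding)
```

The refused `passwd root` attempt and the repeated wrong passwords show up as "denied" findings; the `sudo su - root` line is allowed by the policy, so it is only visible as a successful run, which is why a reviewer has to look for shell programs explicitly rather than only for failures.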
Common tags:
NOPASSWD: the user is not asked for a password when using sudo
PASSWD: the user must enter a password (the default)
Example:
fedora ALL=(root) NOPASSWD: /usr/sbin/useradd,/usr/sbin/usermod, PASSWD: /usr/sbin/userdel
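To make the entry fields, the alias definitions, the negated passwd entry and the NOPASSWD/PASSWD tags concrete, here is a small Python evaluator for the sudoers syntax used in this post. It is an added example, not part of the original post and not sudo's own code: it assumes a constructed account table standing in for /etc/passwd and /etc/group and a constructed sudoers text that mirrors the entries shown above, and it simplifies sudoers(5) (no network masks, digests or Defaults handling). It goes a little beyond the post in that it handles #uid, %#gid and directory specs in general, not only the specific entries shown.

```python
"""Mini evaluator for the sudoers syntax covered in this post (aliases, `who where=(whom)
[TAG:] commands` entries, `!` negation, argument globs, NOPASSWD/PASSWD).  Added example,
not the post's content and not sudo's own code: it simplifies sudoers(5) (no netmasks,
digests or Defaults) but keeps the rule that makes `!` work: the LAST match decides."""
import fnmatch
import re

# Constructed stand-ins for /etc/passwd and /etc/group (names taken from the post).
ACCOUNTS = {"root": (0, ["root"]), "yixuan": (1001, ["yixuan", "wheel"]),
            "fedora": (1002, ["fedora"]), "tom": (1003, ["tom"]), "jerry": (1004, ["jerry"])}
GIDS = {"root": 0, "wheel": 10, "yixuan": 1001, "fedora": 1002, "tom": 1003, "jerry": 1004}

# Constructed sudoers text mirroring the entries shown in the post.
SUDOERS = """\
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
User_Alias USERADMINS=tom,jerry
Cmnd_Alias USERADMINCMNDS=/usr/sbin/useradd,/usr/sbin/userdel,/usr/bin/passwd [a-z]*,!/usr/bin/passwd root
USERADMINS ALL=(root) USERADMINCMNDS
fedora ALL=(root) NOPASSWD: /usr/sbin/useradd,/usr/sbin/usermod, PASSWD: /usr/sbin/userdel
"""
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_sudoers(text):
    """Return (aliases, entries); an entry is (who, hosts, runas, [(negate, tag, cmd)])."""
    aliases = {k: {} for k in ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")}
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"#(?![0-9]|include).*", "", raw).strip()  # drop comments, keep #uid
        if not line or line.startswith(("#include", "Defaults")):
            continue
        kind = line.split()[0]
        if kind in aliases:                                        # alias definition
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        who, hosts, runas, cmds = ENTRY_RE.match(line).groups()
        specs, tag = [], "PASSWD"                   # a tag sticks to the commands after it
        for item in (c.strip() for c in cmds.split(",")):
            negate, item = item.startswith("!"), item.lstrip("!").strip()
            if item.upper().startswith(("NOPASSWD:", "PASSWD:")):
                tag, item = [p.strip() for p in item.split(":", 1)]
            specs.append((negate, tag.upper(), item))
        entries.append((who, hosts, runas or "root", specs))      # empty (whom) means root
    return aliases, entries

def expand(spec, kind, aliases):
    """Split a comma list and replace alias names (recursively) by their members."""
    out = []
    for item in (s.strip() for s in spec.split(",")):
        if item in aliases[kind]:
            for member in aliases[kind][item]:
                out.extend(expand(member, kind, aliases))
        else:
            out.append(item)
    return out

def match_user(item, user):
    """who field: ALL, username, #uid, %groupname or %#gid."""
    uid, groups = ACCOUNTS[user]
    if item == "ALL":
        return True
    if item.startswith("%#"):
        return int(item[2:]) in [GIDS[g] for g in groups]
    if item.startswith("%"):
        return item[1:] in groups
    return int(item[1:]) == uid if item.startswith("#") else item == user

def match_cmd(pattern, path, args):
    """commands field: ALL, a directory (trailing /), or a path plus optional argument glob."""
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):                      # any program directly inside that directory
        return path.startswith(pattern) and "/" not in path[len(pattern):]
    parts = pattern.split(None, 1)
    if not fnmatch.fnmatchcase(path, parts[0]):
        return False
    if len(parts) == 1:                            # no args listed: any arguments are allowed
        return True
    return not args if parts[1] == '""' else fnmatch.fnmatchcase(" ".join(args), parts[1])

def decide(user, host, runas, path, args, sudoers=SUDOERS):
    """Return ('allow'|'deny', needs_password) from the last matching spec, or None."""
    aliases, entries = parse_sudoers(sudoers)
    verdict = None
    for who, hosts, who_runas, specs in entries:
        if not any(match_user(u, user) for u in expand(who, "User_Alias", aliases)):
            continue
        if not any(h in ("ALL", host) for h in expand(hosts, "Host_Alias", aliases)):
            continue
        if not any(r in ("ALL", runas) for r in expand(who_runas, "Runas_Alias", aliases)):
            continue
        for negate, tag, cmd in specs:
            for pattern in expand(cmd, "Cmnd_Alias", aliases):
                neg = negate != pattern.startswith("!")       # '!' inside an alias negates too
                if match_cmd(pattern.lstrip("!").strip(), path, args):
                    verdict = ("deny" if neg else "allow", tag == "PASSWD")
    return verdict
```

decide() walks every entry in file order and keeps overwriting the verdict, so a `!` item only takes effect when it comes after the permissive item it narrows; that is why the alias in the post lists /usr/bin/passwd [a-z]* before !/usr/bin/passwd root. The second element of the verdict reports whether the PASSWD tag (the default) is still in force, so fedora's useradd comes back without a password requirement while userdel keeps one.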
This article comes from the "Touch Dream" blog; please keep this attribution: http://xuelong.blog.51cto.com/10573089/1768472