Tags: su, sudo, restricting root remote login
The su command:
[root@aminglinux-02 ~]# su aming
[aming@aminglinux-02 root]$ whoami
aming
[aming@aminglinux-02 root]$ pwd
/root
[root@aminglinux-02 ~]# su - aming
Last login: Wed Apr 4 20:42:45 CST 2018 on pts/0
[aming@aminglinux-02 ~]$ whoami
aming
[aming@aminglinux-02 ~]$ pwd
/home/aming
[root@aminglinux-02 ~]# su - -c "touch /tmp/aming.111" aming
[root@aminglinux-02 ~]# ls -l /tmp/
total 12
drwxr-xr-x 2 root root 4096 Apr 1 20:26 1
srwxr-xr-x 1 root root 0 Mar 14 16:52 Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>
-rw-rw-r-- 1 aming aming 0 Apr 4 20:48 aming.111
The template directory for user configuration files is /etc/skel/. A user that has no home directory and no configuration files gets a broken command prompt, so the template files must be copied into place.
[root@aminglinux-02 ~]# ls -al /etc/skel/
总用量 24
drwxr-xr-x. 2 root root 62 5月 28 18:43 .
drwxr-xr-x. 77 root root 8192 6月 13 21:10 ..
-rw-r--r--. 1 root root 18 8月 3 2016 .bash_logout
-rw-r--r--. 1 root root 193 8月 3 2016 .bash_profile
-rw-r--r--. 1 root root 231 8月 3 2016 .bashrc
The specific steps are as follows:
[root@aminglinux-02 ~]# su - user5
su: warning: cannot change directory to /home/user5: No such file or directory
-bash-4.2$ pwd
/root
-bash-4.2$ exit
logout
[root@aminglinux-02 ~]# mkdir /home/user5
[root@aminglinux-02 ~]# cp /etc/skel/.bash
.bash_logout .bash_profile .bashrc
[root@aminglinux-02 ~]# cp /etc/skel/.bash* /home/user5/
[root@aminglinux-02 ~]# chown -R user5:user5 !$
chown -R user5:user5 /home/user5/
[root@aminglinux-02 ~]# su - user5
Last login: Wed Apr 4 20:56:11 CST 2018 on pts/0
[user5@aminglinux-02 ~]$ pwd
/home/user5
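The steps above are easy to automate as a check: find accounts that are in the same state user5 was in (no home directory, or a home directory missing the /etc/skel dotfiles) before anyone logs in as them. The script below is an added example, not code from the original post; the function names check_homes and demo_check_homes, the passwd-format lines and the skeleton files it builds are constructed for the demo. It only reads, so it needs no root; on a real system call it as check_homes /etc/passwd /etc/skel.

```shell
#!/bin/sh
# Added example: report users whose home directory is missing or lacks the
# dotfiles shipped in a skeleton directory (the /etc/skel template).
# Usage: check_homes PASSWD_FILE SKEL_DIR
# Prints one line per problem; the return value is the number of affected users.
check_homes() {
    passwd_file=$1
    skel_dir=$2
    bad=0
    # /etc/passwd fields: name:pw:uid:gid:gecos:home:shell
    # Only regular users (UID >= 1000) with a login shell are checked.
    while IFS=: read -r name _ uid _ _ home shell; do
        [ "$uid" -ge 1000 ] || continue
        case "$shell" in */nologin|*/false) continue ;; esac
        if [ ! -d "$home" ]; then
            echo "$name: home directory $home is missing"
            bad=$((bad + 1))
            continue
        fi
        missing=""
        # every dotfile in the skeleton should exist in the home directory
        for f in "$skel_dir"/.[!.]*; do
            [ -e "$f" ] || continue        # skeleton has no dotfiles at all
            base=${f##*/}
            [ -e "$home/$base" ] || missing="$missing $base"
        done
        if [ -n "$missing" ]; then
            echo "$name: $home lacks$missing"
            bad=$((bad + 1))
        fi
    done < "$passwd_file"
    return "$bad"
}

# Constructed demo data in a temporary directory (not real system files):
# aming has only one of the three skeleton dotfiles, user5 has no home at all,
# root and nobody must be skipped.
demo_check_homes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/skel" "$tmp/home/aming"
    printf 'x\n' > "$tmp/skel/.bash_logout"
    printf 'x\n' > "$tmp/skel/.bash_profile"
    printf 'x\n' > "$tmp/skel/.bashrc"
    cp "$tmp/skel/.bashrc" "$tmp/home/aming/"
    cat > "$tmp/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
aming:x:1000:1000::$tmp/home/aming:/bin/bash
user5:x:1001:1001::$tmp/home/user5:/bin/bash
nobody:x:65534:65534::/:/sbin/nologin
EOF
    check_homes "$tmp/passwd" "$tmp/skel"
    n=$?
    rm -rf "$tmp"
    return "$n"
}

if demo_check_homes; then
    echo "all home directories are provisioned"
else
    echo "users with problems: $?"
fi
```

The demo reports aming's missing .bash_logout and .bash_profile and user5's missing home directory, and returns 2. The fix for each hit is the sequence shown above: mkdir the home, copy /etc/skel/.bash*, then chown -R to the user.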
In /etc/sudoers (edit it with visudo), below the rule for root, add a rule for aming:
root ALL=(ALL) ALL
aming ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
The first ALL is the host the rule applies to (the default is fine); (ALL) is the user the commands may be run as; the final ALL means all commands. Several commands can be listed instead, separated by a comma and a space, and each must be given by its absolute path.
[aming@aminglinux-02 ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[aming@aminglinux-02 ~]$ sudo ls /root/
[sudo] password for aming:
1.txt
[aming@aminglinux-02 ~]$ sudo ls /root/
1.txt
## Host Aliases (host groups)
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases (user groups)
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases (command groups)
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
In /etc/sudoers, define the alias next to the User_Alias examples, then add the rule below the root entry:
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
User_Alias AMINGS = aming, user3

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
aming ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
AMINGS ALL=(ALL) NOPASSWD: /usr/bin/su
# NOPASSWD: lets the regular user run sudo without being asked for a password.
# With root barred from logging in remotely, a regular user can still su to root this way without a password. A NOPASSWD rule on /usr/bin/su is equivalent to giving those accounts passwordless root, so keep the alias limited to the administrators who actually need it.
[root@aminglinux-02 ~]# su - aming
Last login: Wed Apr 4 21:35:36 CST 2018 on pts/0
[aming@aminglinux-02 ~]$ sudo su -
Last login: Wed Apr 4 20:46:18 CST 2018 on pts/0
[root@aminglinux-02 ~]# pwd
/root
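Two points made above are worth checking mechanically before a sudoers change goes live: every command in a rule must be an absolute path, and a NOPASSWD rule that grants /usr/bin/su (or a shell, or ALL) is a passwordless root account in disguise. The audit below is an added example, not code from the original post or from the sudo project; audit_sudoers and demo_audit_sudoers are names chosen here, and the sudoers fragment it scans is constructed after the rules shown above. It is a line-oriented approximation (backslash continuation lines are not joined) and does not replace visudo -c -f FILE, which is the syntax check to run on a candidate file before installing it.

```shell
#!/bin/sh
# Added example: audit a sudoers file or fragment for relative command paths and
# for NOPASSWD rules that amount to passwordless root.
# Usage: audit_sudoers FILE ; prints findings, returns the number of findings.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ { next }                  # comments
        NF == 0 { next }                           # blank lines
        /^(Defaults|Host_Alias|User_Alias|Runas_Alias)/ { next }
        {
            line = $0
            # Keep only the command list: drop "Cmnd_Alias NAME =" or the
            # "who host=(runas)" prefix of a user specification.
            if (line ~ /^Cmnd_Alias/) {
                sub(/^Cmnd_Alias[[:space:]]+[A-Z0-9_]+[[:space:]]*=[[:space:]]*/, "", line)
            } else {
                sub(/^[^=]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?/, "", line)
            }
            nopasswd = (line ~ /NOPASSWD:/)
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[[:space:]]*/, "", line)
            n = split(line, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/[[:space:]].*/, "", c)        # drop command arguments
                if (c == "" || c == "ALL" || c ~ /^[A-Z0-9_]+$/) {
                    # ALL or a Cmnd_Alias name; ALL without a password is root
                    if (c == "ALL" && nopasswd) {
                        print NR ": NOPASSWD ALL is passwordless root: " $0
                        bad++
                    }
                    continue
                }
                if (c !~ /^\//) {
                    print NR ": command is not an absolute path: " c
                    bad++
                }
                if (nopasswd && c ~ /\/(su|bash|sh|zsh|dash)$/) {
                    print NR ": NOPASSWD on " c " is passwordless root"
                    bad++
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sudoers fragment modelled on the rules above (not the real file).
demo_audit_sudoers() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
## constructed fragment for the demo
Defaults    requiretty
User_Alias AMINGS = aming, user3
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, ping
root    ALL=(ALL)       ALL
aming   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
AMINGS  ALL=(ALL)       NOPASSWD: /usr/bin/su
user3   ALL=(ALL)       NOPASSWD: ALL
EOF
    audit_sudoers "$tmp"
    n=$?
    rm -f "$tmp"
    return "$n"
}

if demo_audit_sudoers; then
    echo "no findings"
else
    echo "findings: $?"
fi
```

On the demo fragment the audit reports the relative "ping" in the Cmnd_Alias, the NOPASSWD su rule and the NOPASSWD ALL rule, and returns 3; the aming rule with three absolute paths passes.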
To block root from logging in remotely over SSH, set in /etc/ssh/sshd_config:
#LoginGraceTime 2m
PermitRootLogin no
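A common mistake with this setting is to add "PermitRootLogin no" below a line that already says "PermitRootLogin yes": sshd uses the first value it reads for a keyword, so the later "no" has no effect. The checker below is an added example, not code from the original post or from OpenSSH; permit_root_login, root_remote_login_disabled and demo_permit_root_login are names chosen here, and the config files it builds are constructed. It reports the value sshd will actually use, or "unset" when the keyword only appears commented out (the built-in default then depends on the OpenSSH version, so treat "unset" as something to fix explicitly).

```shell
#!/bin/sh
# Added example: report the effective PermitRootLogin value of an sshd_config.
# sshd takes the FIRST uncommented occurrence of a keyword; keywords are
# case-insensitive. Settings inside a Match block apply only to that block and
# are ignored here.
permit_root_login() {
    awk '
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# True only for the setting used above ("no"). prohibit-password / without-password
# still allow root to log in with a key, so they are not accepted here.
root_remote_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed configs (not the real /etc/ssh/sshd_config): "late" is the trap
# where the "no" comes after an earlier "yes".
demo_permit_root_login() {
    tmp=$(mktemp -d)
    printf '#PermitRootLogin yes\nLoginGraceTime 2m\nPermitRootLogin no\n' > "$tmp/good"
    printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/late"
    printf '#PermitRootLogin no\n' > "$tmp/unset"
    for f in good late unset; do
        printf '%s: %s\n' "$f" "$(permit_root_login "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo_permit_root_login
```

The demo prints good: no, late: yes, unset: unset. After editing the real file, sshd -t validates the syntax and the change only takes effect once sshd is restarted; with root locked out remotely, the sudo su - path above is what remains for administrators.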
Original URL: http://blog.51cto.com/akui2521/2094902