系統中的普通用戶有時需要root權限執行某種操作,要是使用su - root的話必須要知道root的密碼,這是不安全的,所以有了sudo,root可以對/etc/sudoers做一定的配置,讓普通用戶在不切換到root的情況下,執行一些只有root才能執行的操作。這個文件只能root去修改,建議使用visudo這個命令修改,而不是直接vim /etc/sudoers。
原因有二:
◦ 一是它能夠防止兩個用戶同時修改它;
◦ 二是它也能進行有限的語法檢查。
當編輯這個文件有錯誤時,使用visudo會給出錯誤提示,此時可以按e重新編輯,x不保存退出,Q保存退出,如果選擇Q,sudo就不能正常工作了。
實驗過程完成了給指定用戶sudo權限和用別名指定一組用戶的可以執行的sudo指令
過程如下:
[root@mail ~]# visudo
#chen為普通用戶,ALL可以從任何的主機登陸,(root)可以以root身份,後面是可以執行的命令,最好寫全路徑
88 ## Allow root to run any commands anywhere
89 root ALL=(ALL) ALL
90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
91 ## Allows members of the 'sys' group to run networking, software,
[root@mail ~]# exit
logout
[chen@mail 桌面]$ sudo -l #查看自己可以執行的sudo命令
[sudo] password for chen: #輸入自己的密碼
Matching Defaults entries for chen on this host:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User chen may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/bin/passwd #這裡看到可以執行的sudo命令
[chen@mail 桌面]$ sudo useradd user3 #測試
[chen@mail 桌面]$ sudo passwd user3
更改用戶 user3 的密碼 。
新的 密碼:
無效的密碼: 過短
無效的密碼: 過於簡單
重新輸入新的 密碼:
passwd: 所有的身份驗證令牌已經成功更新。
[chen@mail 桌面]$ id user3 #添加user3成功
uid=503(user3) gid=503(user3) 組=503(user3)
[chen@mail 桌面]$ visudo #普通用戶不允許編輯
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied
[chen@mail 桌面]$ su - root
密碼:
[root@mail ~]# visudo
[root@mail ~]# cat /etc/sudoers |grep user1 #編輯增加了下面一行
user1 ALL=(user2) /bin/ls
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user1:
Matching Defaults entries for user1 on this host:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user1 may run the following commands on this host:
(user2) /bin/ls
[user1@mail ~]$ ls /home/user2 #user1直接查看user2的家目錄肯定是不允許的
ls: 無法打開目錄/home/user2: 權限不夠
[user1@mail ~]$ sudo -u user2 ls /home/user2 #但是sudo以user2的身份查看就可以
a
#這裡不能以user2的身份添加用戶,因為user2本身還沒有useradd的權限
#事實上,即使給user2 sudo的添加用戶權限這樣也是不行的,因為user2添加的時候也要sudo的啊
#直接以user2肯定不行,看演示。
[user1@mail ~]$ sudo -u user2 useradd user4 #這時候不能添加
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$ exit
logout
[root@mail ~]# visudo
#添加了這行,給user2 sudo添加用戶的權限,這時候sudo -u user2 useradd user4是否可以呢?不行的!
user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
[root@mail ~]# su - user2
[user2@mail ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user2:
Matching Defaults entries for user2 on this host:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user2 may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/bin/passwd
[user2@mail ~]$ su - user1
密碼:
[user1@mail ~]$ sudo -u user2 useradd user4 #答案在此,不行的!
Sorry, user user1 is not allowed to execute '/usr/sbin/useradd user4' as user2 on mail.example.com.
[user1@mail ~]$
#總結下,sudo -u 用戶名 命令 ,當前用戶以某個用戶的身份執行某個命令的時候,必須這個用戶本身不加sudo的情況
#直接能執行的命令,才可以這種方式執行。另外,sudo不加-u,默認以root身份執行
[user1@mail ~]$ exit
logout
[user2@mail ~]$ exit
logout
[root@mail ~]# visudo
#改動如下:刪除了91,92行,
88 ## Allow root to run any commands anywhere
89 root ALL=(ALL) ALL
90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
91 user1 ALL=(user2) /bin/ls #刪除
92 user2 ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #刪除
88 ## Allow root to run any commands anywhere
89 root ALL=(ALL) ALL
90 chen ALL=(root) /usr/sbin/useradd,/usr/bin/passwd
91 ADMIN ALL=(root) /usr/sbin/useradd,/usr/bin/passwd #新添加
20 # User_Alias ADMINS = jsmith, mikem
21 User_Alias ADMIN = user1, user2 #新添加
22
#這裡相當於ADMIN為user1,user2的別名,這個別名具有添加用戶的權限,user1和user2也具有這個權限
[root@mail ~]# su - user1
[user1@mail ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on this host:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user1 may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/bin/passwd #可以看到user1有useradd權限
[user1@mail ~]$ su - user2
密碼:
[user2@mail ~]$ sudo -l
[sudo] password for user2:
Matching Defaults entries for user2 on this host:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User user2 may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/bin/passwd #user2也有
[user2@mail ~]$