Configuring sudo rights for ordinary users on Linux

Philosophy of life 2020-11-09 22:18:29


1. About sudo

The sudo command provides a mechanism for giving trusted users system-management rights without sharing the root password. Depending on the policy, they can be allowed to perform most administrative operations without being handed the full authority of root. sudo is a program that lets an ordinary user run a command as the superuser or as another user; what is allowed is decided by a security policy plugin, and with the default sudoers policy the user's access rights are controlled by the /etc/sudoers file (plus the drop-in files under /etc/sudoers.d that it includes).

2. How sudo works

  1. When a user runs sudo, it reads /etc/sudoers (and any files included from /etc/sudoers.d) to decide whether that user is permitted to run the requested command.

  2. If the user is permitted, sudo asks for the user's own password, not the root password.

  3. If authentication succeeds, sudo runs the requested command. The authentication is cached per terminal for a short time (timestamp_timeout, 5 minutes in stock sudo), so the next sudo in the same session may not prompt again.

  4. root does not need a password to run sudo: the sudoers policy never requires authentication when the invoking user is root. The "root ALL=(ALL) ALL" rule is what permits root to run commands through sudo at all; it is not what removes the password prompt.

  5. If the target user is the same as the invoking user (for example sudo -u www while already logged in as www), no password is required either.

3. Configuring sudo rights for ordinary users

Running visudo is much like running vim /etc/sudoers (it opens the file in the editor named by VISUAL or EDITOR, vi by default), but visudo also locks the file against concurrent edits and checks the syntax when you save and quit, so a typo cannot leave you with an unparseable /etc/sudoers and no way to sudo. For that reason visudo is the recommended way to edit the file; it must be run as root. There are two ways to give an ordinary user sudo rights, covered in turn below.

3.1 Method 1: add the ordinary user to the wheel group so that it gains sudo rights (recommended)

1. wheel is a special user group on RHEL-based systems. It carries no powers by itself; it gets them from the "%wheel" rule in /etc/sudoers, which authorises its members to run restricted commands like the superuser. (Debian and Ubuntu use a group named sudo for the same purpose.)

# the group is created by the system by default
[root@node5 ~]# grep wheel /etc/group
wheel:x:10:

2. First, make sure that the line "%wheel ALL=(ALL) ALL" in /etc/sudoers is not commented out:

[root@node5 ~]# cat /etc/sudoers
# (excerpt) the "%wheel ALL=(ALL) ALL" line must be active, i.e. not prefixed with #
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

3. Add the nginx user to the supplementary group wheel so that nginx gains sudo rights

# nginx is an ordinary user created earlier
[root@node5 ~]# id nginx
uid=8000(nginx) gid=8000(nginx) groups=8000(nginx)
# add wheel as a supplementary group of nginx (-a appends; without it, -G would replace the existing supplementary groups)
[root@node5 ~]# usermod -aG wheel nginx
[root@node5 ~]# id nginx
uid=8000(nginx) gid=8000(nginx) groups=8000(nginx),10(wheel)
[root@node5 ~]# grep wheel /etc/group
wheel:x:10:nginx
[root@node5 ~]# su - nginx
Last login: Wed Oct 28 16:48:36 CST 2020 on pts/0
# as nginx, /etc/shadow cannot be read
[nginx@node5 ~]$ tail -f /etc/shadow
tail: cannot open ‘/etc/shadow’ for reading: Permission denied
tail: no files remaining
# with sudo in front, after entering nginx's own password, the file can be read
[nginx@node5 ~]$ sudo tail -f /etc/shadow
[sudo] password for nginx:
rpc:!!:18023:0:99999:7:::
rpcuser:!!:18023::::::
nfsnobody:!!:18023::::::
tss:!!:18341::::::
stick:$6$yKQtTFMB$YszPx1AOZQfV91stJ4NXmR/DoLU2DjluS5uycrFexU4.yMCw7kjkyQYKIF7UcE4PPCAsM.QyKaDIAgOY6zbrn/:18550:0:99999:7:::
www:!!:18557:0:99999:7:::

From this point on, nginx has sudo rights. Note that the rule behind them is "%wheel ALL=(ALL) ALL", so the account is now root-equivalent and the only thing between a compromise of the nginx account and root is nginx's own password. Treat any account with ALL rights as a root account: a strong password, and preferably a personal administrator account rather than a service account.
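As an added example, not part of the original post, here is a shell script with the checks behind the three steps above: whether the %wheel rule in a sudoers file is active (and whether it is the password or NOPASSWD form), who is in wheel according to a group file, and an apply_wheel function that performs the usermod and then verifies the result with id and sudo -l -U. The sample file contents are constructed to mirror the transcript; the text checks run anywhere, while apply_wheel needs root on the target host.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the wheel method.
# The text checks work on any sudoers/group-format file, so they can be run
# against constructed copies; apply_wheel() touches the real system (root only).

# Constructed samples of the two files, mirroring the transcript above.
SAMPLE_SUDOERS='## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
'
SAMPLE_GROUP='root:x:0:
wheel:x:10:nginx
nginx:x:8000:
'

# write_sample NAME CONTENT -> prints the path of a temp file holding CONTENT
write_sample() {
  f=$(mktemp "${TMPDIR:-/tmp}/$1.XXXXXX") || return 1
  printf '%s' "$2" > "$f"
  echo "$f"
}

# wheel_rule_state SUDOERS_FILE -> prints nopasswd | password | disabled
# Only uncommented lines count, which is exactly what step 2 asks you to verify.
wheel_rule_state() {
  if grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$1"; then
    echo nopasswd
  elif grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$' "$1"; then
    echo password
  else
    echo disabled
  fi
}

# group_members GROUP_FILE GROUP -> prints the comma-separated member list
group_members() {
  awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# apply_wheel USER: the procedure from the transcript, with verification.
# Runs visudo/usermod/sudo, so it must be run as root on the target host.
apply_wheel() {
  user=$1
  [ "$(id -u)" -eq 0 ] || { echo "apply_wheel: must run as root" >&2; return 1; }
  [ "$(wheel_rule_state /etc/sudoers)" != disabled ] || {
    echo "refusing: the %wheel rule is commented out in /etc/sudoers" >&2; return 1; }
  visudo -c -f /etc/sudoers >/dev/null || return 1     # syntax check before relying on it
  usermod -aG wheel "$user" || return 1                 # -a keeps the existing groups
  id -nG "$user" | tr ' ' '\n' | grep -qx wheel || return 1
  sudo -l -U "$user"                                    # show what the user may now run
}
```

On a real host the same functions are used as `wheel_rule_state /etc/sudoers`, `group_members /etc/group wheel` and `apply_wheel nginx`; a result of nopasswd from the first call means the password-less variant has been uncommented and every wheel member can become root without authenticating.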

3.2 Method 2: edit /etc/sudoers so that the ordinary user has sudo rights

1. In /etc/sudoers, find the line "root ALL=(ALL) ALL" and add a similar line beneath it for the www user. The meaning of "root ALL=(ALL) ALL" is: the first ALL is the host list, i.e. the machines on which the rule applies (it is matched against the local hostname, which is what lets one sudoers file be shared across hosts); the ALL in parentheses is the target user list, i.e. whose identity the command may be run under (chosen with sudo -u); and the final ALL is the command list. The form (ALL:ALL) additionally allows any target group (sudo -g).

[root@node5 ~]# id www
uid=8003(www) gid=8003(www) groups=8003(www)
# add www to /etc/sudoers
# this means the www user may run any command, as any user, on any host: equivalent to root
# to grant sudo for a single command only, write a rule such as putong ALL=(ALL) /usr/bin/systemctl; then putong can use sudo only for systemctl. Commands are matched by full path; with no arguments listed any arguments are accepted, /usr/bin/systemctl restart nginx would allow exactly that invocation, and a trailing "" means no arguments at all. A command that can spawn an editor, a pager or a shell, or write arbitrary files as root, effectively grants root anyway, so choose the command and its arguments with that in mind.
[root@node5 ~]# cat /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
www ALL=(ALL) ALL
[root@node5 ~]# su www
# www cannot read /etc/shadow
[www@node5 root]$ tail -f /etc/shadow
tail: cannot open ‘/etc/shadow’ for reading: Permission denied
tail: no files remaining
# www cannot read /etc/shadow, but with sudo (after the one-time lecture and www's own password) the file can be read
[www@node5 root]$ sudo tail -f /etc/shadow
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for www:
rpc:!!:18023:0:99999:7:::
rpcuser:!!:18023::::::
nfsnobody:!!:18023::::::
tss:!!:18341::::::
www:$6$EOuaJn9t$Qpm5GszWdDZ.dGP/GVcTzbzyeLpFqi9Zg84UmAGjnUtBb9QGV0KI7pRJGN6NiRnNvBTEKwVxjmu2Spn6l5dH6/:18564:0:99999:7:::
# For example, to let the user Daniel run the kill command as jimmy or rene on the host named linux, write:
Daniel linux=(jimmy,rene) /bin/kill
# Which identity does Daniel run it as? That is what sudo -u is for: Daniel can run sudo -u jimmy kill PID or sudo -u rene kill PID. Without -u, sudo targets root, which this rule does not allow, so a plain sudo kill PID is refused.
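To see how the host, runas and command fields are matched (and why sudo kill PID without -u is refused under the Daniel rule), here is an added example, not from the original post: a small awk-based evaluator for plain "who HOST=(runas) commands" rules, run over a constructed sudoers fragment that uses the hypothetical users and hosts named above. It does not handle aliases, Defaults, includes, negation or wildcards, and unlike real sudo it stops at the first matching rule; on a real host, sudo -l -U user is the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate plain sudoers rules to
# show how the host, (runas) and command fields are matched.

# Constructed fragment containing the rule forms discussed above.
RULES_SAMPLE='## constructed sample, not a real /etc/sudoers
root    ALL=(ALL)          ALL
www     ALL=(ALL)          ALL
putong  ALL=(ALL)          /usr/bin/systemctl
Daniel  linux=(jimmy,rene) /bin/kill
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
%wheel  ALL=(ALL)          ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
'

# write_rules -> prints the path of a temp file holding RULES_SAMPLE
write_rules() {
  f=$(mktemp "${TMPDIR:-/tmp}/rules.XXXXXX") || return 1
  printf '%s' "$RULES_SAMPLE" > "$f"
  echo "$f"
}

# sudoers_allows FILE USER "GROUPS" HOST RUNAS COMMAND
# Prints allow/deny and returns 0/1. Handles user and %group rules, host
# lists, (runas) lists (default runas is root, as in sudoers) and commands
# whose arguments are matched literally. Aliases, Defaults, includes,
# negation and wildcards are not handled; real sudo uses the last match.
sudoers_allows() {
  awk -v user="$2" -v groups="$3" -v host="$4" -v runas="$5" -v cmd="$6" '
    function in_list(needle, list,    n, i, a) {      # comma/space separated names
      n = split(list, a, /[ ,]+/)
      for (i = 1; i <= n; i++)
        if (a[i] != "" && (a[i] == "ALL" || a[i] == needle)) return 1
      return 0
    }
    function in_cmds(needle, list,    n, i, a, c) {   # comma separated, args kept
      n = split(list, a, /,/)
      for (i = 1; i <= n; i++) {
        c = a[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c == "ALL" || c == needle) return 1
      }
      return 0
    }
    /^[ \t]*#/ { next }                               # comments and #include lines
    /^[ \t]*$/ { next }                               # blank lines
    /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }     # not evaluated here
    {
      line = $0
      if (!match(line, /^[ \t]*[^ \t]+[ \t]+[^ \t=]+[ \t]*=/)) next
      who = line;  sub(/^[ \t]*/, "", who);  sub(/[ \t].*$/, "", who)
      rest = line; sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
      hosts = rest; sub(/[ \t]*=.*$/, "", hosts)
      sub(/^[^=]*=[ \t]*/, "", rest)
      ra = "root"                                     # no (...) means run as root
      if (rest ~ /^\(/) {
        ra = rest; sub(/^\(/, "", ra); sub(/\).*$/, "", ra)
        gsub(/:[^,]*/, "", ra)                        # drop ":group" parts
        sub(/^\([^)]*\)[ \t]*/, "", rest)
      }
      cmds = rest
      gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV|NOSETENV):[ \t]*/, "", cmds)
      if (who ~ /^%/) { if (!in_list(substr(who, 2), groups)) next }
      else if (who != "ALL" && who != user) next
      if (!in_list(host, hosts)) next
      if (!in_list(runas, ra)) next
      if (in_cmds(cmd, cmds)) { found = 1; exit }
    }
    END { print (found ? "allow" : "deny"); exit !found }
  ' "$1"
}
```

Usage: `f=$(write_rules); sudoers_allows "$f" Daniel Daniel linux jimmy /bin/kill` prints allow, the same call with runas root (what a plain sudo kill would ask for) prints deny, and running it on host node5 instead of linux is denied as well; nginx is allowed /bin/cat only when wheel is among its groups.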

4. /etc/sudoers configuration file details

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## This file lets specific users run commands as the root user without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## The bottom of the file has examples that group related commands so they can be delegated to particular users or groups.
##
## This file must be edited with the 'visudo' command.
## The file must be edited with the visudo command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
## A host alias names a set of machines; hostnames (possibly with wildcards for a whole domain) or IP addresses can be used instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
## User aliases are rarely needed, because an ordinary group (%groupname) can be used in their place.
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## A command alias names a set of related commands (or a single one); granting sudo rights on the alias grants every command it contains. Examples:
## Networking (network-related command alias)
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software (software-installation command alias)
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services (service-management command alias)
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database (locate-database update command alias)
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage (disk-operation command alias)
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions (permission-delegation command alias; note that visudo, chown and chmod are themselves enough to grant root)
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes (process-management command alias)
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers (driver command alias)
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
# Environment-related defaults; see man sudoers for the full list.
# requiretty also blocks non-interactive use (cron jobs, configuration-management tools);
# env_reset and secure_path stop the caller's environment and PATH from influencing the privileged command.
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Here come the rules: which users may run which commands on which machines (the sudoers file can be shared between systems).
## Syntax:
##
## user MACHINE=COMMANDS
## user  host(s)=(identities the command may run as)  commands that may be run
##
## The COMMANDS section may have other options added to it.
## Options such as NOPASSWD: may be attached to the command part.
##
## Allow root to run any commands anywhere
## Allow the root user to run any command on any host
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
## Allow members of the sys group to run every command in the NETWORKING, SOFTWARE and other aliases
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
## Allow members of the wheel group to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
## The same, without asking the user for a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
## Allow members of the users group to mount and unmount the cdrom as root (the arguments are spelled out, so only /mnt/cdrom can be given)
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
## Allow members of the users group to shut down this host (the host field is localhost, so the rule only matches there)
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## Read the files placed in /etc/sudoers.d/ (here # is part of the directive, not a comment)
#includedir /etc/sudoers.d

Reference link :

https://blog.csdn.net/a19881029/article/details/18730671

Copyright notice
This article was written by [Philosophy of life]; please include a link to the original when reposting. Thank you.
