Delegating root privileges with sudo

1. Why sudo?

When a host is shared by many people and everyone uses su to become root, everyone has to know the root password. The more people who know it, the more likely it is to leak, which is very unsafe. sudo solves this.

With sudo a user authenticates with their own password, and sudo then runs the command as another user (usually root). Not everyone can run sudo: only the users (or groups) listed in /etc/sudoers may invoke it, and the same file says which commands each of them may run.

2. sudo command usage

sudo lets a user run a specified command under another identity; the default target identity is root. The users allowed to invoke sudo are defined in /etc/sudoers. When a user who is not listed there tries sudo, the attempt is logged and, by default, a warning mail is sent to root. To use sudo the user first enters their own password; the credential is then cached for a while (5 minutes by default on the sudo version used here, 15 on newer releases; the timestamp_timeout option controls it), after which the password must be entered again.

Syntax:

sudo [-bhHpV] [-s] [-u <user>] [command]   or   sudo [-klv]

Parameters:

-b    Run the command in the background
-H    Set the HOME environment variable to the home directory of the target user
-k    Invalidate the cached credential, so the next sudo asks for the password again
-K    Like -k, but removes the user's timestamp entirely instead of just invalidating it
-l    List the commands the current user may run (and, for rules written with !, may not run) on this host
-p    Change the prompt used when asking for the password
-s    Run a shell (the one in $SHELL, or the target user's login shell from passwd)
-u    Run as the specified user instead of root
-v    Validate (refresh) the cached credential, extending its validity by another timeout period
-V    Show version information; run as root it also prints the compiled-in and sudoers defaults

3. sudo workflow

1) When a user runs sudo, the system looks in /etc/sudoers to see whether that user has been granted sudo rights;

2) If so, the user is asked for their own password to confirm their identity;

3) If the password is correct, sudo runs the requested command (root does not need a password when running sudo);

4) If the target identity is the same as the invoking user, no password is required either.

When several entries match an invocation they are applied in file order and the last match wins, not the most specific one. This is why the deny entries written with ! in the examples below come after the allow entries.

4. visudo: authorizing a single user

visudo edits /etc/sudoers directly. You could also run vi /etc/sudoers, but visudo has two advantages: it locks the file against concurrent edits, and when you leave the editor it checks that the syntax of /etc/sudoers is correct before installing the file. A syntax error in /etc/sudoers would otherwise lock everyone out of sudo. visudo -c checks the existing file without editing it.

[root@host ~]# visudo

....(lines omitted)....

root    ALL=(ALL) ALL    #<== find this line, around line 80

yang1   ALL=(ALL) ALL    #<== new line: user yang1 gets all permissions through sudo

....(lines omitted)....

Syntax explanation:

root           ALL=(ALL)                                   ALL
user account   host the rule applies on=(switchable identities)   commands it may run

In detail:

User account
    Which user is given sudo rights.

Host name
    The host name (or IP address/network) of the machine on which this rule applies. sudo compares it with the local host name, not with the host the user logged in from; it only matters when one sudoers file is shared across several machines, which is why it is almost always ALL.

Switchable identities
    The users this account may become, selected with sudo -u. The default is root.

Commands
    The commands the user may run, given as absolute paths, optionally followed by arguments. A ! in front of a command denies it. Note that "subtracting" commands from ALL with ! is not effective: a user allowed to run ALL can copy the denied binary under another name and run that instead, so deny entries are only meaningful next to a narrow allow list, as in the example below.

Example:

[root@host ~]# visudo

yang2   ALL=(root) !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# allow yang2 to change other users' passwords through sudo, but not root's: a bare passwd
# (which, run as root, would change root's own password) is denied first, passwd <user> is
# allowed, and passwd root is denied again last, which wins because the last matching entry is used

5. visudo: authorizing a group

[root@host ~]# visudo

....(lines omitted)....

%test   ALL=(ALL) ALL

# a leading % means the name is a group rather than a user; otherwise the format is the same as for a single user

[root@host ~]# usermod -a -G test test    #<== add user test to the supplementary group test (takes effect at the user's next login)

Any user who is a member of group test can use sudo to switch to any identity and run any command.

Using sudo without a password

[root@host ~]# visudo

....(lines omitted)....

%wheel  ALL=(ALL) NOPASSWD: ALL

# put NOPASSWD: in front of the command list

Be aware that NOPASSWD: ALL for a group gives every member an unauthenticated root shell: whoever gets hold of one of those accounts, or of an unattended session on it, is root immediately. Reserve NOPASSWD for the specific commands that automation needs and keep ALL behind a password.

6. visudo: authorizing with aliases

A company has many departments (development, operations, technical support, and so on), each with many people. Different departments need different command permissions, while people in the same department need the same ones. Writing a line per user is tedious, and keeping those lines consistent afterwards is worse. Aliases exist for this.

How to use aliases:

man sudoers contains the following examples. The fields of a rule are the same as in the single-user case:

root           ALL=           (ALL)                   ALL
user account   host name      switchable identities   commands

User_Alias  FULLTIMERS = millert, mikef, dowdy
Host_Alias  CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Runas_Alias OP = root, operator
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm

Example:

[root@host ~]# visudo

User_Alias  ADMPW = pro1, pro2, pro3, myuser1, myuser2    # user alias ADMPW

Cmnd_Alias  ADMPWCOM = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# command alias ADMPWCOM: deny a bare passwd (which would change root's own password), allow passwd <user>, then deny passwd root last so that it wins

ADMPW   ALL=(root) ADMPWCOM    # members of the user alias get the permissions in the command alias

7. visudo and environment variables

1) Symptom: user test1 has been granted all commands through sudo, yet cannot view the NIC information.

[test1@host ~]$ sudo -l

... omitted ...

User test1 may run the following commands on this host:

    (ALL) ALL

So sudo grants everything.

[test1@host ~]$ sudo ifconfig eth0

sudo: ifconfig: command not found

It cannot be run: sudo reports that the command cannot be found. Why? This is caused by the PATH environment variable.

2) Compare root's environment variables with an ordinary user's

which cannot locate the command for test1, but can for root.

[test1@host ~]$ which ifconfig

/usr/bin/which: no ifconfig in (/application/mysql/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/test1/bin)

[test1@host ~]$ su - root

Password:

[root@host ~]# which ifconfig

/sbin/ifconfig

3) Look at the PATH variable of root and of test1

[root@host ~]# echo $PATH

/application/mysql/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

[root@host ~]# su - test1

[test1@host ~]$ echo $PATH

/application/mysql/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/test1/bin

The ordinary user's PATH contains none of the sbin directories, and many administrative commands live there. Unless sudoers sets secure_path, sudo resolves a bare command name using the invoking user's PATH, so the lookup fails before the rules are even consulted.

4) Add those directories to the ordinary user's profile: cd ~ && vi ~/.bash_profile

After PATH, append :/sbin:/usr/sbin:/usr/local/sbin

[test1@host ~]$ cat .bash_profile | grep PATH

PATH=$PATH:$HOME/bin:/sbin:/usr/sbin:/usr/local/sbin

[test1@host ~]$ source .bash_profile    # make the modified profile take effect

# after modifying the variable, view the NIC information again

[test1@host ~]$ sudo ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:3B:DA:97
          inet addr:10.0.0.239  Bcast:10.0.0.255  Mask:255.255.255.0

It now runs normally.

5) To keep users from hitting "command not found", there are three ways

5.1) Add the directories above to the environment, either in ~/.bash_profile (which an ordinary user can edit) or in the global /etc/profile (which needs root)

5.2) Run the command with its absolute path, for example /sbin/ifconfig eth0

5.3) Set the secure_path option in /etc/sudoers (with visudo) so that sudo searches a fixed, root-controlled list of directories instead of the invoking user's PATH. This is also the safer choice, because a user's own PATH then has no influence on what sudo executes.

Note: CentOS 6.4 does not show this problem because its stock /etc/sudoers already sets secure_path.

8. Configuring a sudo log file

Steps:

1) Find the sample.sudoers file

[root@host ~]# rpm -ql sudo

/usr/share/doc/sudo-1.7.2p1/sample.sudoers
/usr/share/doc/sudo-1.7.2p1/sample.syslog.conf

2) Look at the log-related settings in sample.sudoers

sample.syslog.conf is the official example of the syslog configuration for sudo.

[root@host ~]# cat /usr/share/doc/sudo-1.7.2p1/sample.sudoers | grep "log"

Defaults syslog=auth
Defaults>root !set_logname
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

3) Create the log file

touch /var/log/sudo.log

4) Send sudo's syslog messages to that file

Add the following line to the end of /etc/syslog.conf:

local2.debug /var/log/sudo.log

Note: for the old syslogd the separator must be a tab, not spaces. On CentOS 6.4 the log service is rsyslog, whose configuration is /etc/rsyslog.conf and which accepts spaces as well.

This step only has an effect if sudoers also sends its messages to that facility (Defaults syslog=local2, as sample.syslog.conf assumes); the stock facility on Linux is authpriv, so by default sudo's messages land in /var/log/secure. The logfile option in the next step writes the file directly and does not depend on syslog at all.

5) Add the log path to /etc/sudoers (visudo can be used as well)

Append to the end of /etc/sudoers:

echo 'Defaults logfile=/var/log/sudo.log' >> /etc/sudoers

Editing with visudo is preferable: a typo appended this way is not checked and can lock everyone out of sudo. If you do append directly, run visudo -c afterwards to check the syntax.

6) Test

[root@host ~]# cat /var/log/sudo.log    # before the test sudo.log is empty

[root@host ~]# su - yang1    # become the ordinary user (authorized beforehand)

[yang1@host ~]$ sudo -l    # view the commands the current user may run through sudo

[sudo] password for yang1:

Matching Defaults entries for yang1 on this host:
    requiretty, !visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", logfile=/var/log/sudo.log

Runas and Command-specific defaults for yang1:

User yang1 may run the following commands on this host:
    (ALL) !/usr/sbin/useradd, (ALL) !/usr/sbin/userdel, (ALL) /bin/touch    # cannot create or delete users, can create files

[yang1@host ~]$ sudo touch yangrong    # create a file through sudo

[yang1@host ~]$ cat /var/log/sudo.log    # the log now has entries, the test succeeded

Sep  5 12:37:46 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ; COMMAND=list
Sep  5 12:38:05 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ;
    COMMAND=/bin/touch yangrong

Test succeeded!

The second entry is split over two lines because sudo wraps log-file entries at 80 columns by default (the loglinelen option) and indents the continuation; sudo -l itself is recorded as COMMAND=list.

What we have here is a simple audit trail. For more, ship the entries to a central log server: a user who can run ALL through sudo can also edit or delete a local /var/log/sudo.log. Beyond that, sessions can be recorded and replayed, and the records filtered and analysed.
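The entries that logfile= writes can be parsed and screened with the following example. It is added here for this page and is not part of the original text or of sudo itself. The sample log is constructed in the shape the /var/log/sudo.log above shows, with a rejected command and a root shell added; the four-space indent on wrapped continuation lines is an assumption about sudo's loglinelen wrapping, "command not allowed" is the wording sudoers uses for a rejected command, and the timestamp pattern assumes the default format without log_year.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log in the format the page's /var/log/sudo.log shows: one
# wrapped entry, one rejected command (assumed wording) and one root shell.
SUDO_LOG = """\
Sep  5 12:37:46 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ; COMMAND=list
Sep  5 12:38:05 : yang1 : TTY=pts/2 ; PWD=/home/yang1 ; USER=root ;
    COMMAND=/bin/touch yangrong
Sep  5 12:40:11 : yang1 : command not allowed ; TTY=pts/2 ; PWD=/home/yang1 ; USER=root ;
    COMMAND=/usr/sbin/useradd bob
Sep  5 12:41:30 : test1 : TTY=pts/3 ; PWD=/home/test1 ; USER=root ; COMMAND=/bin/bash
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) : (?P<invoker>\S+) : (?P<body>.*)$")

# Programs that hand the invoker an interactive root shell, directly or through a
# shell escape; after that the sudo log no longer shows what was actually done.
SHELL_LIKE = {"sh", "bash", "dash", "su", "vi", "vim", "less", "more"}


def unwrap(text: str) -> List[str]:
    """Re-join entries that sudo wrapped at loglinelen (80 columns by default);
    continuation lines are assumed to start with four spaces."""
    entries: List[str] = []
    for line in text.splitlines():
        if line.startswith("    ") and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries


def parse_entry(entry: str) -> Dict[str, str]:
    """Split one entry into its fields; free text before TTY= is a status message."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError("unrecognised sudo log entry: " + entry)
    rec = {"ts": m.group("ts"), "invoker": m.group("invoker"), "status": "ok"}
    for field in m.group("body").split(" ; "):
        key, sep, value = field.partition("=")
        if sep and key.isupper():        # TTY=, PWD=, USER=, COMMAND=
            rec[key] = value
        elif field.strip():              # e.g. "command not allowed"
            rec["status"] = field.strip()
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_entry(e) for e in unwrap(text) if e]


def findings(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(reason, invoker, command) for the entries an auditor should look at first."""
    out: List[Tuple[str, str, str]] = []
    for r in records:
        command = r.get("COMMAND", "")
        prog = command.split(" ", 1)[0].rsplit("/", 1)[-1]
        if r["status"] != "ok":
            out.append((r["status"], r["invoker"], command))
        elif r.get("USER") == "root" and prog in SHELL_LIKE:
            out.append(("root shell via sudo", r["invoker"], command))
    return out


if __name__ == "__main__":
    for reason, who, cmd in findings(parse_log(SUDO_LOG)):
        print(f"{reason:22} {who:8} {cmd}")
```

Run against the sample it reports the rejected useradd and test1's sudo bash. The second finding is the one that matters for the "simple audit" above: once a user has opened a root shell, every later command runs inside that shell and never reaches sudo's log, which is the case for session recording mentioned in the last paragraph.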