sudo: implementing administrative authorization in detail


sudo:

The Linux sudo command runs a command with the identity of the system administrator; in other words, a command run through sudo executes as if root had run it personally.

Who may use it: users who appear in /etc/sudoers.

Option descriptions

  • -V  show the version number
  • -h  show the version number and usage instructions
  • -l  list the privileges of the invoking user (the one running sudo)
  • -v  sudo asks for a password on first use, or when it has not been run within N minutes (N defaults to five); this option re-validates, and if more than N minutes have passed it asks for the password again
  • -k  force a password prompt on the next sudo invocation (whether or not N minutes have passed)
  • -b  run the command in the background
  • -p prompt  change the password prompt; %u is replaced by the user's account name and %h by the hostname
  • -u username/#uid  without this option the command runs as root; with it, the command runs as username (#uid is that user's numeric ID)
  • -s  run the shell named by the SHELL environment variable, or the shell set in /etc/passwd
  • -H  set the HOME environment variable to the home directory of the target user (root if -u is not given)
  • command  the command to run as the system administrator (or as another user chosen with -u)

sudo package information:

[root@localhost ~]#rpm -qi sudo
Name        : sudo
Version     : 1.8.23
Release     : 4.el7
Architecture: x86_64
Install Date: Fri 27 Dec 2019 03:39:34 AM CST
Group       : Applications/System
Size        : 3195829
License     : ISC
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:44:10 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : sudo-1.8.23-4.el7.src.rpm
Build Date  : Fri 09 Aug 2019 10:58:23 AM CST
Build Host  : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.courtesan.com/sudo/
Summary     : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis.  It is not a replacement for the shell.  Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.

sudo file list:

[root@localhost ~]#rpm -ql sudo
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/etc/sudo-ldap.conf
/etc/sudo.conf
/etc/sudoers
# the sudo authorization file, which defines the authorization rules
/etc/sudoers.d
/usr/bin/cvtsudoers
/usr/bin/sudo
/usr/bin/sudoedit
/usr/bin/sudoreplay
/usr/lib/tmpfiles.d/sudo.conf
...

sudoers:

[root@localhost ~]#vim /etc/sudoers


## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##  user    MACHINE=COMMANDS
##  user    current host=(run as: ALL)   run ALL commands
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 

# Example of the authorization format:
root    ALL=(ALL)   ALL
# Written by analogy: authorize flamenca, on this host, to run /bin/mount /dev/sr0 /mnt as root (mounting the CD-ROM)
flamenca	192.168.33.128=(root) /bin/mount /dev/sr0 /mnt

## Note that this file is read-only. Changes cannot be saved directly; edit it with visudo instead.

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

## Membership of the wheel group achieves the same authorizing effect
%wheel  ALL=(ALL)   ALL

## Same thing without a password
# %wheel    ALL=(ALL)   NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## Authorization entries can also be placed in the directory below
#includedir /etc/sudoers.d

After flamenca's sudo rule is set up, test the mount:

[root@localhost ~]#su - flamenca
Last login: Sat May 16 16:56:17 CST 2020 on pts/0
[flamenca@localhost ~]$mount /dev/sr0 /mnt
mount: only root can do that
[flamenca@localhost ~]$sudo mount /dev/sr0 /mnt

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for flamenca: 

[flamenca@localhost ~]$sudo mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only

[flamenca@localhost ~]$df
Filesystem              1K-blocks     Used Available Use% Mounted on
...
/dev/sr0                 10767514 10767514         0 100% /mnt

sudo can also grant authorization by group:

Why must root also be written into the sudoers file?

If the root user's UID is not 0 (a user named root that really only has ordinary-user privileges), this sudoers entry acts as a "back door" left for the user named root.

By default sudo does not ask for the password again within a certain period: the default is 5 minutes.

About the contents of the #includedir /etc/sudoers.d line in the configuration file:

  • Users written in files in this directory also receive the corresponding privileges

    flamenca ALL=	ALL
    # this form is equivalent to ALL=(root) by default
    
    # authorize flamenca to edit the sudoers file
    flamenca ALL=	sudoedit
    
    # the edit command then becomes
    [flamenca@localhost ~]$sudoedit
    # or edit the files under /etc/sudoers.d
    
  • visudo -c checks the format (syntax) of the sudoers files

  • visudo -f FILE edits a single file on its own

sudo aliases:

  • Alias kinds: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias

  • Alias format: [A-Z]([A-Z][0-9]_)*; alias names must be uppercase

  • Example:

    • User_Alias NETADMIN=netuser1,netuser2
    • Cmnd_Alias NETCMD=/usr/sbin/ip
    • NETADMIN ALL=(root) NETCMD
  • %wheel ALL=(ALL) NOPASSWD:ALL  no password is needed when running commands
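As an added example (not code from the original post), here is a small Python evaluator for the rule grammar described above and in the alias section: it parses alias definitions and `user HOST=(runas) [NOPASSWD:] commands` lines, then answers whether a given user may run a given command as a given target user on a given host. The sample rules are constructed from the page's own entries; only the constructs the page uses are covered (no wildcards, `!` negation, Defaults or #includedir), and the last matching rule wins, as in sudo.

```python
import re

SAMPLE = """
User_Alias NETADMIN = netuser1, netuser2
Cmnd_Alias NETCMD = /usr/sbin/ip
flamenca 192.168.33.128=(root) /bin/mount /dev/sr0 /mnt
%wheel   ALL=(ALL) NOPASSWD: ALL
NETADMIN ALL=(root) NETCMD
"""  # constructed fragment assembled from the page's own entries
# who   host=(runas)   [NOPASSWD:]   cmd[, cmd...]   -- the form /etc/sudoers documents above
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(NOPASSWD:|PASSWD:)?\s*(.+)$")

def parse(text):
    """Return (aliases by kind, rules as (who, host, runas, nopasswd, [cmd specs]))."""
    aliases = {k: {} for k in ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line: continue
        kind = line.split()[0]
        if kind in aliases:                           # e.g. Cmnd_Alias NETCMD = /usr/sbin/ip
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        who, host, runas, tag, cmds = RULE_RE.match(line).groups()   # AttributeError if malformed
        # "user ALL= ALL" with no (runas) part means (root), as the page notes
        rules.append((who, host, runas or "root", tag == "NOPASSWD:", [c.strip() for c in cmds.split(",")]))
    return aliases, rules

def expand(aliases, kind, item):
    """Resolve an alias name (recursively) to its members; anything else passes through."""
    return [x for m in aliases[kind].get(item, []) for x in expand(aliases, kind, m)] or [item]

def cmd_ok(aliases, spec, argv):
    """ALL matches anything; a bare path allows any arguments; path + args must match exactly."""
    return any(c == "ALL" or (c.split()[0] == argv[0] and c.split()[1:] in ([], argv[1:]))
               for c in expand(aliases, "Cmnd_Alias", spec))

def check(text, user, groups, host, runas, argv):
    """Return 'NOPASSWD', 'PASSWD' or None; the last matching rule wins, as in sudo."""
    aliases, rules = parse(text)
    hit = lambda kind, item, *ok: any(x in ("ALL",) + ok for x in expand(aliases, kind, item))
    verdict = None
    for who, h, r, nopw, cmds in rules:
        if (hit("User_Alias", who, user, *["%" + g for g in groups]) and hit("Host_Alias", h, host)
                and any(hit("Runas_Alias", t.strip(), runas) for t in r.split(","))
                and any(cmd_ok(aliases, c, argv) for c in cmds)):
            verdict = "NOPASSWD" if nopw else "PASSWD"
    return verdict
```

Because the flamenca rule pins the arguments, `sudo mount /dev/sr0 /mnt` is allowed but `sudo mount /dev/sda1 /mnt` or a bare `sudo mount` is not, which is the point of listing the full command line in the rule.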


Reposted from blog.csdn.net/FlamencaH/article/details/106505727