sudo权限委派介绍
- su 切换身份:su –l username –c ‘command’
- sudo
- 来自sudo包
- man 5 sudoers
- sudo能够授权指定用户在指定主机上运行某些命令。如果未授权用户尝试使 用 sudo,会提示联系管理员
- sudo可以提供日志,记录每个用户使用sudo操作
- sudo为系统管理员提供配置文件,允许系统管理员集中地管理用户的使用权限和使用的主机
- sudo使用时间戳文件来完成类似“检票”的系统,默认存活期为5分钟的“入场券”
- 通过visudo命令编辑配置文件,具有语法检查功能
- visudo –c 检查语法
- visudo -f /etc/sudoers.d/test
sudo
- 配置文件:/etc/sudoers, /etc/sudoers.d/
- 时间戳文件:/var/db/sudo
- 日志文件:/var/log/secure
- 配置文件支持使用通配符glob:
- ?:任意单一字符
- *:匹配任意长度字符
- [wxc ] 匹配其中一个字符
- [!wxc] 除了这三个字符的其它字符
- \x : 转义
- [[alpha]] :字母 示例: /bin/ls [[alpha]]*
- 配置文件规则有两类;
1、别名定义:不是必须的
2、授权规则:必须的
sudoers
- 授权规则格式:
用户 登入主机=(代表用户) 命令 - 示例:
root ALL=(ALL) ALL - 格式说明:
user: 运行命令者的身份
host: 通过哪些主机
(runas):以哪个用户的身份
command: 运行哪些命令
别名
- Users和runas:
username
#uid
%group_name
%#gid
user_alias|runas_alias host:
ip或hostname
network(/netmask)
host_aliascommand:
command name
directory
sudoedit
Cmnd_Alias
sudo别名和示例
- 别名有四种类型:User_Alias, Runas_Alias, Host_Alias ,Cmnd_Alias
- 别名格式:A-Z*
- 别名定义:Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5
- 示例1:
Student ALL=(ALL) ALL
%wheel ALL=(ALL) ALL - 示例2:
student ALL=(root) /sbin/pidof,/sbin/ifconfig
%wheel ALL=(ALL) NOPASSWD: ALL - 示例3
User_Alias NETADMIN= netuser1,netuser2
Cmnd_Alias NETCMD = /usr/sbin/ip
NETADMIN ALL=(root) NETCMD - 示例4
User_Alias SYSADER=wang,dhy,%admins
User_Alias DISKADER=tom
Host_Alias SERS=www.dhydu.com,172.16.0.0/24
Runas_Alias OP=root
Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk
SYSADER SERS= SYDCMD,DSKCMD
DISKADER ALL=(OP) DSKCMD
User_Alias ADMINUSER = adminuser1,adminuser2
Cmnd_Alias ADMINCMD = /usr/sbin/useradd,/usr/sbin/usermod, /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root
ADMINUSER ALL=(root) NOPASSWD:ADMINCMD,PASSWD:/usr/sbin/userdel - 示例5
Defaults:wang runas_default=tom
wang ALL=(tom,jerry) ALL - 示例6
wang 192.168.175.136,192.168.175.138=(root) /usr/sbin/,!/usr/sbin/useradd - 示例7
wang ALL=(ALL) /bin/cat /var/log/messages*
sudo命令
- ls -l /usr/bin/sudo
- sudo –i –u wang 切换身份
- sudo [-u user] COMMAND
-V 显示版本信息等配置信息
-u user 默认为root
-l,ll 列出用户在主机上可用的和被禁止的命令
-v 再延长密码有效期限5分钟,更新时间戳
-k 清除时间戳(1970-01-01),下次需要重新输密码
-K 与-k类似,还要删除时间戳文件
-b 在后台执行指令
-p 改变询问密码的提示符号
示例:-p ”password on %h for user %p:”
–help 帮助文档
sudo权限委派操作
- 说明:su切换用户身份:如普通用户切换为root做一些管理的工作
- sudo:实现权限的委派
介绍
[root@centos7test:~]# ll /etc/shadow
----------. 1 root root 1232 Jun 5 11:17 /etc/shadow
[root@centos7test:~]# su - dhy
Last login: Mon Jul 9 20:12:40 CST 2018 on pts/0
[dhy@centos7test:~]$ fdisk /dev/sda
fdisk: cannot open /dev/sda: Permission denied #无权限,sudo可提升dhy用户权限
[dhy@centos7test:~]$ rpm -qi sudo
Name : sudo
Version : 1.8.19p2
Release : 13.el7
Architecture: x86_64
Install Date: Tue 15 May 2018 06:58:17 PM CST
Group : Applications/System
Size : 4055906
License : ISC
Signature : RSA/SHA256, Wed 25 Apr 2018 07:48:05 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : sudo-1.8.19p2-13.el7.src.rpm
Build Date : Wed 11 Apr 2018 12:30:09 PM CST
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem http://bugs.centos.org
Vendor : CentOS
URL : http://www.courtesan.com/sudo/
Summary : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.
[dhy@centos7test:~]$ rpm -ql sudo
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/etc/sudo-ldap.conf
/etc/sudo.conf
/etc/sudoers
/etc/sudoers.d
/usr/bin/sudo
\***省略***
[dhy@centos7test:~]$ man 5 sudoers
SUDOERS(5) BSD File Formats Manual SUDOERS(5)
NAME
sudoers — default sudo security policy plugin
DESCRIPTION
The sudoers policy plugin determines a user's sudo privileges. It is the default sudo policy plugin. The policy is driven by the /etc/sudoers file or, optionally in LDAP. The
policy format is described in detail in the SUDOERS FILE FORMAT section. For infrmation
on storing sudoers policy information in LDAP, please see sudoers.ldap(5).
省略sudo提升用户权限方法1:委派用户
主配置文件
[root@centos7test:~]# vim /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
dhy 172.18.119.212=(root) /bin/mount /dev/cdrom /mnt/
#授权用户 哪台主机登录=(代表谁执行命令) 授权执行的命令
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL [root@centos7:~]# ll /usr/bin /bin -d
lrwxrwxrwx. 1 root root 7 May 15 18:52 /bin -> usr/bin
dr-xr-xr-x. 2 root root 49152 Jul 9 10:48 /usr/bin [root@centos7:etc]# visudo
#文件/etc/sudoers是只读的,用visudo = vi /etc/sudoers visudo
[root@centos7:etc]# export EDITOR=vim
#visudo用的是vi编辑器,无颜色,可以使其用vim编辑器,设置一下环境变量EDITOR即可,,可写到 /etc/profile.d/env.sh永久生效/etc/sudoers文件编辑好后,及时生效
[root@centos7:sudoers.d]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/dhy: parsed OK
#具有语法检查功能即:visudo -c [root@centos7:etc]# su - dhy
Last login: Tue Jul 10 10:28:50 CST 2018 on pts/0 [dhy@centos7:~]$ mount /dev/cdrom /mnt/
mount:only root can do this #权限不足
[dhy@centos7:~]$ sudo mount /dev/cdrom /mnt/ #sudo提升权限
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for dhy:
mount: /dev/sr0 is write-protected, mounting read-only只能执行授权的一条命令,并且5分钟内执行此命令不用再输入密码
把规则写到文件中,如下
[root@centos7:~]# visudo
\## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d #授权文件可以放到/etc/sudoers.d
[root@centos7:sudoers.d]# vim dhy
dhy 172.18.119.212=(root) /bin/mount /dev/cdrom /mnt/, /bin/umount
[root@centos7:sudoers.d]# ls
dhy
[root@centos7:sudoers.d]# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/dhy: bad permissions, should be mode 0440
[root@centos7:sudoers.d]# chmod 440 dhy
[dhy@centos7:~]$ sudo umount /mnt
[sudo] password for dhy:
[dhy@centos7:~]$
[root@centos7:sudoers.d]# visudo -f /etc/sudoers.d/dhy #visudo -c 是检查主文件的,visudo -f 是检查文件的权限的sudo提升权限方法二:委派组
主配置文件
[root@centos7:sudo]# visudo
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
#组wheel 用%区别组,而不是用户,组wheel系统默认存在,所有主机=(所有用户) 执行任何命令
[root@centos6 ~ ]#getent group wheel
wheel: x:10:
sudo --help [root@centos7:sudoers.d]# getent passwd dhy
dhy: x:1000:1000:dhy:/home/dhy:/bin/bash
[root@centos7:sudoers.d]# groupmems -a dhy -g wheel
[root@centos7:sudoers.d]# id dhy
uid=1000(dhy) gid=1000(dhy) groups=1000(dhy),10(wheel) #用户dhy加入到了wheel组中
[root@centos7:sudoers.d]# getent group wheel
wheel: x:10:dhy- 上述命令为把用户dhy加入wheel组,就可以执行wheel组的命令
[root@centos7:sudoers.d]# su - dhy
[dhy@centos7:~]$ sudo cat /etc/shadow
[sudo] password for dhy:
root:$6$oC3Y9WXlG1G/zP2u$kPBr51L0rRKNIkJOVJdI9v2USbWmPudoVSkg.djDH5lmk14zr3ct9gOONECpdeXOvduY5xNZVdr8vd2LzDSt50::0:99999:7:::写到配置文件中
[root@centos7:sudoers.d]# useradd zhaoliying
[root@centos7:sudoers.d]# getent passwd zhaoliying
zhaoliying: x:1002:1002::/home/zhaoliying:/bin/bash
[root@centos7:sudoers.d]# visudo -f dhy #辅助配置文件语法检查用visudo -f file
zhaoliying 172.18.119.212=(dhy) all #错误写法:all写错
"dhy.tmp" 2L, 38C written
>>> dhy: syntax error near line 1 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
What now? e
zhaoliying 172.18.119.212=(dhy) ALL #纠正为大写的ALL,用户zhaoliying提升权限为用户dhy
[zhaoliying@centos7:~]$ sudo -u dhy cat /etc/shadow #由于用户dhy在wheel中,dhy执行也需要sudo
[sudo] password for zhaoliying:
cat: /etc/shadow: Permission denied
[zhaoliying@centos7:~]$ sudo -u dhy sudo cat /etc/shadow #如zhaoliying用户执行dhy的权限
[sudo] password for dhy: 提升权限5分钟记录时间数据库
[root@centos7:sudoers.d]# cd /var/db/sudo
[root@centos7:sudo]# ls
lectured
[root@centos7:sudo]# cd lectured/
[root@centos7:lectured]# ll
total 0
-rw-------. 1 root dhy 0 Jul 10 10:32 dhy
-rw-------. 1 root zhaoliying 0 Jul 10 11:13 zhaoliying
\## Allows people in group wheel to run all commands执行时无需密码格式
%wheel ALL=(ALL) ALL NOPASSED:ALL
则执行命令时可以不用输入用户密码,或者在/etc/sudoers.d/dhy中
zhaoliying 172.18.119.212=(dhy) ALL NOPASSWD:ALL
好处是,写脚本时不用可以避免输入密码导致交互式执行
命令执行记录日志
cat /var/log/secure 中记录了用户提升权限执行命令的行为