su command, sudo command, restrict root remote login

Others 2022-04-27 11:31:25 views: 0

3.7 su instruction

  • su switches users but does not switch the current working directory and HOME, SHELL, USER, LOGNAME; only has root permissions
[root@24centos7-01 ~]# su vitus
[vitus@24centos7-01 root]$ pwd
/root
  • When the su -, su -l or su --login command changes the identity, it also changes the working directory, as well as HOME, SHELL, USER, LOGNAME. Also, the PATH variable is changed
[root@24centos7-01 ~]# su - vitus
上一次登录:四 10月 26 20:09:48 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ pwd
/home/vitus
  • su - -c specifies the user's identity to execute the command
[root@24centos7-01 ~]# su - -c "touch /tmp/vitus.txt" vitus
[root@24centos7-01 ~]# ls -l /tmp/
总用量 1
-rw-rw-r-- 1 vitus vitus  0 10月 26 21:31 vitus.txt
  • When root switches to other ordinary users, no password is required. When ordinary users switch to users, they need to enter the password of the target user.

3.8 The sudo command allows ordinary users to temporarily have the identity of the root user, which is convenient for performing certain operations and avoids distributing the password of the root user to too many employees

  • visudo opens sudoer's configuration file
[root@24centos7-01 ~]# visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases		--主机别名授权
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases		--用户别名授权
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL											--允许root用户在任何地方运行所有的命令
vitus   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat		--为普通用户添加ls,mv,cat权限

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL											--为group成员添加权限

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
  • Test whether ls, mv, cat can be used under the common user vitus
[root@24centos7-01 ~]# su - vitus
上一次登录:四 10月 26 21:50:40 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[vitus@24centos7-01 ~]$ sudo ls /root/
[sudo] password for vitus: 
anaconda-ks.cfg  showtime.txt  test
[vitus@24centos7-01 ~]$ mv /root/showtime.txt /root/showtime_1.txt
mv: failed to access "/root/showtime_1.txt": 权限不够
[vitus@24centos7-01 ~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[vitus@24centos7-01 ~]$ sudo ls /root/
anaconda-ks.cfg  showtime_1.txt  test
[vitus@24centos7-01 ~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[vitus@24centos7-01 ~]$ cat /root/showtime.txt
cat: /root/showtime.txt: 权限不够
[vitus@24centos7-01 ~]$ sudo cat /root/showtime.txt
linux
learning linux

3.9 Restrict root remote login

1. Modify the /etc/ssh/sshd_config configuration file and change #PermitRootLogin yes to PermitRootLogin no

[root@24centos7-01 ~]# vim /etc/ssh/sshd_config 
#PermitRootLogin yes	--将其修改,去掉注释#,将yes改为no,保存退出

[root@24centos7-01 ~]# systemctl restart sshd.service	--重启ssh服务

login as: root
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password:				--这时使用密码无法登录root

2. Modify visudo, add

vitus   ALL=(ALL)       NOPASSWD: /bin/su, /bin/sudo

3. Log in as a normal user and switch to the root user via sudo su - root

[vitus@24centos7-01 ~]$ sudo su - root
上一次登录:四 10月 26 22:37:43 CST 2017pts/0 上
[root@24centos7-01 ~]# whoami
root

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=325566766&siteId=291194637
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com