Please indicate the source for reprinting: Senior Xiaofeng’s Big Bang Theory [xfxuezhagn.cn]
Background information
Sometimes an ordinary user needs sudo for a few operations. As the server administrator you then have to keep an eye on that user and remember to revoke the sudo permission afterwards, and as the number of users grows this becomes tedious. If the permission is revoked automatically after a fixed interval, we can grant sudo and forget about it. This can even be turned into a sudo application step in which the permission is granted and revoked automatically.
Start operation
1. Grant sudo permissions to the user: add the user to the /etc/sudoers file or to a file in the /etc/sudoers.d/ directory. This can be done with the visudo tool or by editing the corresponding file directly. (Editing /etc/sudoers directly is not recommended.)
For example, to grant sudo permissions to a user named username, you would use the following command:
echo "username ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/temporary_sudo
2. Set up a scheduled task to revoke the permission after 1 hour: such a scheduled task is easy to set up with the at command. First make sure that at is installed; the at daemon also needs to be started:
sudo apt install at -y
sudo systemctl enable --now atd
Next, set a task that deletes the file created above after 1 hour (note that at normally does not need sudo, but because this job modifies a file under /etc, sudo has to be put in front of at, otherwise the job will fail):
echo "sudo rm /etc/sudoers.d/temporary_sudo" | sudo at now + 1 hours
In this way the user is granted sudo permission immediately, and after 1 hour the scheduled task automatically deletes the file created above, thus revoking the user's sudo permission.
Please note that you must be careful when changing the /etc/sudoers file or files in the /etc/sudoers.d/ directory, as an incorrect change may make the system unstable or cause loss of sudo access.
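The two steps above combined into one script, as an added example that is not from the original post. Its assumptions: the script runs as root, the drop-in is named temporary_sudo-<user> (one file per user instead of the post's shared temporary_sudo), only lowercase names are accepted, and the file is checked with visudo -c before it is installed so a malformed entry cannot take down sudo.

```shell
#!/bin/sh
# Added example: temporary sudo via an /etc/sudoers.d drop-in plus an at job that removes it.
# Usage (as root):  ./temporary_sudo.sh alice 2     -> sudo for alice, revoked after 2 hours
set -e

# Only accept names that are safe to embed in a sudoers line and in a shell command.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The sudoers entry for the user, in the same form as the post's echo line.
sudoers_entry() {
    printf '%s ALL=(ALL:ALL) ALL\n' "$1"
}

# Per-user drop-in file (assumed naming scheme, not the post's).
dropin_path() {
    printf '/etc/sudoers.d/temporary_sudo-%s\n' "$1"
}

# The command the at job runs to revoke the permission.
cleanup_command() {
    printf "rm -f '%s'\n" "$1"
}

# Validate, syntax-check, install the drop-in, then schedule its removal.
grant_temporary_sudo() {
    user=$1; hours=${2:-1}
    valid_username "$user" || { echo "refusing invalid user name: $user" >&2; return 1; }
    path=$(dropin_path "$user")
    tmp=$(mktemp)
    sudoers_entry "$user" > "$tmp"
    # A bad sudoers file can lock everyone out, so let visudo check it first.
    visudo -c -q -f "$tmp"
    # Same mode and owner sudo expects for files in /etc/sudoers.d.
    install -m 0440 -o root -g root "$tmp" "$path"
    rm -f "$tmp"
    # We already run as root, so plain at is enough here (the post uses sudo at).
    cleanup_command "$path" | at "now + $hours hours"
    echo "sudo granted to $user via $path, revoked in $hours hour(s)"
}

if [ "$#" -gt 0 ]; then
    grant_temporary_sudo "$@"
fi
```

atq afterwards shows the pending revocation job, and atrm on its job number cancels it if the permission should stay.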
at command
The format of the at command is very simple. The basic form is:
at [options] [time]
| Option | Meaning |
|---|---|
| -m | When the at job finishes, notify the user who submitted it by e-mail, whether or not the command produced output. |
| -c job number | Show the actual content of the at job. |
| -t time | Submit the job and run it at the given time. The time format is [[CC]YY]MMDDhhmm. |
| -d | Delete a job; the corresponding job number (ID) must be given. Same effect as the atrm command. |
| -l | List all jobs currently waiting. Same effect as the atq command. |
| -f script file | Specify a script file to submit. |
| Time format | Usage |
|---|---|
| HH:MM | For example 04:00 (4 AM). If that time has already passed today, the job runs at the same time the next day. |
| midnight | 12:00 AM (that is, 00:00). |
| noon | 12:00 PM (that is, 12:00). |
| teatime | 4:00 PM (that is, 16:00). |
| English month name, day, year | For example, January 15 2018 means January 15, 2018; the year is optional. |
| MMDDYY, MM/DD/YY, MM.DD.YY | For example, 011518 means January 15, 2018. |
| now + time | The unit may be minutes, hours, days or weeks; for example now + 5 days runs the command 5 days from now. |
Once the at command has been given a valid time, you enter the command to be run at that time. It can be a system command or a shell script.
Use the atq command to view the jobs currently waiting to be run, and the atrm command to delete the specified job:
atq
#9 2013-07-26 02:00 a root
# Meaning: the root user has one at job scheduled for 2013-07-26 02:00; its job number is 9
atrm [job number]
# Delete the specified at job