### sudo: temporarily holding certain privileges

With sudo, an ordinary account can temporarily hold root's privileges without knowing root's password. This improves security, because root does not have to be able to log in.

A rule states which user may run which command, as which user, from which host. The authentication is valid for five minutes.

~~~
which users can run what software on which machines
Format:
who which_host=(runas) command
~~~

~~~
User_Alias  NAME = MEMBER1,MEMBER2,...   # user names; %group names; other User_Aliases
Host_Alias  NAME = HOST1,HOST2,...       # host names; IPs; network addresses; other Host_Aliases
Runas_Alias NAME = MEMBER1,MEMBER2,...   # user names; %group names; other Runas_Aliases
Cmnd_Alias  CMD = CMD1,CMD2,...          # commands should use absolute paths; a directory is also allowed
~~~

~~~
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                   /usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
                    /usr/local/bin/tcsh, /usr/bin/rsh,\
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
~~~

Give an ordinary user root's privileges, but without being able to change root's password:

~~~
User_Alias DEV = tom
Cmnd_Alias NOTCHANGEPASSWD = !/usr/bin/passwd,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
DEV ALL=(root) NOPASSWD:ALL,NOTCHANGEPASSWD
~~~

### visudo

- visudo -f sudoers: specify the sudoers file to edit
- sudo -l: list the privileges an ordinary user has under sudo
- sudo -k: the password must be entered on every run (the cached credentials are discarded)

Use the visudo command to edit the configuration file /etc/sudoers (mode 440). If the visudo command is not available, install it with yum install -y sudo.

~~~
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
test 192.168.8.1/24=(root) NOPASSWD:/bin/ls,/usr/bin/passwd
test1 ALL=(root) /bin/ls,/usr/bin/passwd
~~~

Rules can be restricted by IP address and by command.
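An added example, not part of the original page: a Python audit of the who which_host=(runas) command rules shown above. It flags NOPASSWD on ALL, "!" exclusions combined with ALL (which the sudoers manual describes as generally not effective), and /usr/bin/passwd granted with no argument restriction. The sample text is constructed from this page's rules; audit and split_cmds are names chosen here, and the parser assumes one level of Cmnd_Alias expansion and no escaped commas.

```python
import re

# Constructed sample: the rules shown on this page, merged into one sudoers text.
SAMPLE = """\
User_Alias DEV = tom
Cmnd_Alias NOTCHANGEPASSWD = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, \\
                             !/usr/bin/passwd root
root  ALL=(ALL) ALL
DEV   ALL=(root) NOPASSWD: ALL, NOTCHANGEPASSWD
test  192.168.8.1/24=(root) NOPASSWD: /bin/ls, /usr/bin/passwd
test1 ALL=(root) /bin/ls, /usr/bin/passwd
"""

ALIAS = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")  # who host=(runas) cmds
TAG = re.compile(r"([A-Z_]+)\s*:\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

def split_cmds(text):
    return [c.strip() for c in text.split(",") if c.strip()]

def audit(text):
    """Return (who, finding) pairs for risky rules. Assumptions: one level of
    Cmnd_Alias expansion, no escaped commas, no #include handling."""
    lines = re.sub(r"\\\n\s*", " ", text).splitlines()  # join "\" continuations
    lines = [l.strip() for l in lines if l.strip() and not l.lstrip().startswith("#")]
    aliases = {m[1]: split_cmds(m[2]) for m in map(ALIAS.match, lines) if m}
    findings = []
    for line in lines:
        m = SPEC.match(line)
        if not m or re.match(r"(\w+_Alias|Defaults)\b", line):
            continue
        who, nopasswd, cmds = m[1], False, []
        for item in split_cmds(m[4]):
            while (t := TAG.match(item)):  # a tag applies to the commands after it
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                item = item[t.end():]
            for cmd in aliases.get(item, [item]):
                cmds.append(cmd)
                if cmd == "ALL" and nopasswd:
                    findings.append((who, "NOPASSWD on ALL"))
                if cmd == "/usr/bin/passwd":  # no arguments listed = any arguments
                    findings.append((who, "passwd without argument restriction"))
        if "ALL" in cmds and any(c.startswith("!") for c in cmds):
            findings.append((who, "'!' exclusion subtracted from ALL"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{who}: {finding}")
```

Syntax is still checked by visudo itself; this audit only looks at what the rules grant.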