SUDO notes:
sudo is a restricted form of su: using sudo does not require knowing the administrator's password, which keeps the system secure
Authorization is configured through /etc/sudoers
Only ordinary users are allowed to log in to the system, and special privileges are then assigned through this configuration
Flow: switch to the specified user, execute the command as that user, and exit directly once it completes
Design goal: grant each user as few privileges as possible while still letting them get their work done
Example:
Action: add the following configuration to /etc/sudoers: user01 ALL=/bin/more /etc/shadow
Explanation: when user 【user01】 runs more /etc/shadow, they are prompted for their own (the current user's) password
Once the password is correct, the corresponding execution right is held for 5 minutes; the default time can only be changed when compiling the kernel
After the timeout the password must be entered again
Further: if a password is required every time, some scripts cannot run in the background; in that case configure 【passwordless SUDO】
Action: add the following configuration to /etc/sudoers: user01 ALL=NOPASSWD:/etc/init.d/nginx restart
Explanation: user 【user01】 can now restart nginx without entering a password
Advanced: give an ordinary user superuser privileges without requiring a password
Action: add the following configuration to /etc/sudoers: user01 ALL=(ALL) NOPASSWD:ALL
Explanation: after user 【user01】 logs in, they can run sudo su - [root] to switch to root and obtain the corresponding privileges; note the "-" after su, which means the shell environment is switched as well
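As an added example (not part of the original notes), a small Python audit that parses the three grants shown above plus the root and wheel entries from the file below and rates how much of root each one hands out; the regex covers only the user-spec syntax used on this page (no aliases, Defaults lines or runas groups), and the sample fragment is constructed.

```python
import re

# One user spec per line: who HOST=(runas) [TAG:] command[, command...]
# Aliases, Defaults lines and (runas:group) forms are out of scope here.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_spec(line):
    """Return a dict for one user spec, or None for blank, comment and Defaults lines."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",   # sudo runs as root when no (runas) is given
        "nopasswd": "NOPASSWD" in tags,
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }

def rate(spec):
    """'full-root' when any command may run as root/ALL, else 'scoped'; '-nopasswd' if no auth."""
    unrestricted = "ALL" in spec["cmds"] and spec["runas"] in ("ALL", "root")
    level = "full-root" if unrestricted else "scoped"
    return level + "-nopasswd" if spec["nopasswd"] else level

def audit(text):
    """Return [(who, rating)] for every active user spec in a sudoers fragment."""
    specs = (parse_spec(l) for l in text.splitlines())
    return [(s["who"], rate(s)) for s in specs if s]

# Constructed fragment built from the grants shown in the notes above.
SAMPLE = """\
root ALL=(ALL) ALL
user01 ALL=/bin/more /etc/shadow
user01 ALL=NOPASSWD:/etc/init.d/nginx restart
user01 ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) ALL
# %users localhost=/sbin/shutdown -h now
"""

if __name__ == "__main__":
    for who, level in audit(SAMPLE):
        print(f"{who:8} {level}")
```

Run it against a real file with audit(open("/etc/sudoers").read()) after validating the file with visudo -c; entries rated full-root-nopasswd are the ones that turn a user login into an unauthenticated root login.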
Configuration file notes:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## 【Allow specific users to run specified commands as root without a password】
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 【Define command-group names and assign them to specific users or groups】
##
## This file must be edited with the 'visudo' command.

## Host Aliases 【Host aliases】
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases 【User aliases】
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases 【Command aliases】
## These are groups of related commands...

## Networking 【alias group for networking commands】
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software 【alias group for software installation and management commands】
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services 【alias group for service commands】
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database 【alias group for updating the locate database】
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage 【alias group for storage commands】
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions 【alias group for delegation commands】
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes 【alias group for process commands】
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers 【alias group for device management】
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification 【Defaults specification】

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
#
# Refuse to run if unable to disable echo on the tty.
# This setting should also be changed in order to be able to use sudo
# without a tty. See requiretty above.
#
Defaults   !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## 【Configure SUDO rights for specific users】
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 【Allow the root user to run any command】
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
## 【Allow members of the "sys" group to run networking, software and service management apps】; all aliases used here were defined at the top of the file
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
## 【Allow the "wheel" group to run all commands】
%wheel  ALL=(ALL)       ALL

## Same thing without a password
## 【Run commands without a password】
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
## 【Allow the "users" group to mount and unmount the cdrom as root】
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
## 【Allow members of the "users" group to shut down this system】
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## 【Include the configuration files under this directory】
#includedir /etc/sudoers.d