欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

20.1 linux之sudo委派权限

程序员文章站 2022-05-10 09:45:56
...

sudo权限委派介绍


  • su 切换身份:su –l username –c ‘command’
  • sudo
  • 来自sudo包
  • man 5 sudoers
  • sudo能够授权指定用户在指定主机上运行某些命令。如果未授权用户尝试使 用 sudo,会提示联系管理员
  • sudo可以提供日志,记录每个用户使用sudo操作
  • sudo为系统管理员提供配置文件,允许系统管理员集中地管理用户的使用权限和使用的主机
  • sudo使用时间戳文件来完成类似“检票”的系统,默认存活期为5分钟的“入场券”
  • 通过visudo命令编辑配置文件,具有语法检查功能
    • visudo –c 检查语法
    • visudo -f /etc/sudoers.d/test

sudo

  • 配置文件:/etc/sudoers, /etc/sudoers.d/
  • 时间戳文件:/var/db/sudo
  • 日志文件:/var/log/secure
  • 配置文件支持使用通配符glob:
    • ?:任意单一字符
    • *:匹配任意长度字符
    • [wxc ] 匹配其中一个字符
    • [!wxc] 除了这三个字符的其它字符
    • \x : 转义
    • [[alpha]] :字母 示例: /bin/ls [[alpha]]*
  • 配置文件规则有两类;
    1、别名定义:不是必须的
    2、授权规则:必须的

sudoers

  • 授权规则格式:
    用户 登入主机=(代表用户) 命令
  • 示例:
    root ALL=(ALL) ALL
  • 格式说明:
    user: 运行命令者的身份
    host: 通过哪些主机
    (runas):以哪个用户的身份
    command: 运行哪些命令

别名

  • Users和runas:
    username
    #uid
    %group_name
    %#gid
    user_alias|runas_alias
  • host:
    ip或hostname
    network(/netmask)
    host_alias

  • command:
    command name
    directory
    sudoedit
    Cmnd_Alias

sudo别名和示例

  • 别名有四种类型:User_Alias, Runas_Alias, Host_Alias ,Cmnd_Alias
  • 别名格式:A-Z*
  • 别名定义:Alias_Type NAME1 = item1, item2, item3 : NAME2 = item4, item5
  • 示例1:
    Student ALL=(ALL) ALL
    %wheel ALL=(ALL) ALL
  • 示例2:
    student ALL=(root) /sbin/pidof,/sbin/ifconfig
    %wheel ALL=(ALL) NOPASSWD: ALL
  • 示例3
    User_Alias NETADMIN= netuser1,netuser2
    Cmnd_Alias NETCMD = /usr/sbin/ip
    NETADMIN ALL=(root) NETCMD
  • 示例4
    User_Alias SYSADER=wang,dhy,%admins
    User_Alias DISKADER=tom
    Host_Alias SERS=www.dhydu.com,172.16.0.0/24
    Runas_Alias OP=root
    Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod
    Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk
    SYSADER SERS= SYDCMD,DSKCMD
    DISKADER ALL=(OP) DSKCMD
    User_Alias ADMINUSER = adminuser1,adminuser2
    Cmnd_Alias ADMINCMD = /usr/sbin/useradd,/usr/sbin/usermod, /usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root
    ADMINUSER ALL=(root) NOPASSWD:ADMINCMD,PASSWD:/usr/sbin/userdel
  • 示例5
    Defaults:wang runas_default=tom
    wang ALL=(tom,jerry) ALL
  • 示例6
    wang 192.168.175.136,192.168.175.138=(root) /usr/sbin/,!/usr/sbin/useradd
  • 示例7
    wang ALL=(ALL) /bin/cat /var/log/messages*

sudo命令

  • ls -l /usr/bin/sudo
  • sudo –i –u wang 切换身份
  • sudo [-u user] COMMAND
    -V 显示版本信息等配置信息
    -u user 默认为root
    -l,ll 列出用户在主机上可用的和被禁止的命令
    -v 再延长密码有效期限5分钟,更新时间戳
    -k 清除时间戳(1970-01-01),下次需要重新输密码
    -K 与-k类似,还要删除时间戳文件
    -b 在后台执行指令
    -p 改变询问密码的提示符号
    示例:-p ”password on %h for user %p:”
    –help 帮助文档


sudo权限委派操作

  • 说明:su切换用户身份:如普通用户切换为root做一些管理的工作
  • sudo:实现权限的委派

介绍

[[email protected]:~]# ll /etc/shadow
    ----------. 1 root root 1232 Jun  5 11:17 /etc/shadow
    [[email protected]:~]# su - dhy
    Last login: Mon Jul  9 20:12:40 CST 2018 on pts/0
    [[email protected]:~]$ fdisk /dev/sda
    fdisk: cannot open /dev/sda: Permission denied    #无权限,sudo可提升dhy用户权限
    [[email protected]:~]$ rpm -qi sudo
    Name        : sudo
    Version     : 1.8.19p2
    Release     : 13.el7
    Architecture: x86_64
    Install Date: Tue 15 May 2018 06:58:17 PM CST
    Group       : Applications/System
    Size        : 4055906
    License     : ISC
    Signature   : RSA/SHA256, Wed 25 Apr 2018 07:48:05 PM CST, Key ID 24c6a8a7f4a80eb5
    Source RPM  : sudo-1.8.19p2-13.el7.src.rpm
    Build Date  : Wed 11 Apr 2018 12:30:09 PM CST
    Build Host  : x86-01.bsys.centos.org
    Relocations : (not relocatable)
    Packager    : CentOS BuildSystem http://bugs.centos.org
    Vendor      : CentOS
    URL         : http://www.courtesan.com/sudo/
    Summary     : Allows restricted root access for specified users
    Description :
    Sudo (superuser do) allows a system administrator to give certain
    users (or groups of users) the ability to run some (or all) commands
    as root while logging all commands and arguments. Sudo operates on a
    per-command basis.  It is not a replacement for the shell.  Features
    include: the ability to restrict what commands a user may run on a
    per-host basis, copious logging of each command (providing a clear
    audit trail of who did what), a configurable timeout of the sudo
    command, and the ability to use the same configuration file (sudoers)
    on many different machines.

    [[email protected]:~]$ rpm -ql sudo
    /etc/pam.d/sudo
    /etc/pam.d/sudo-i
    /etc/sudo-ldap.conf
    /etc/sudo.conf
    /etc/sudoers
    /etc/sudoers.d
    /usr/bin/sudo
    \***省略***

    [[email protected]:~]$ man 5 sudoers
    SUDOERS(5)                           BSD File Formats Manual                          SUDOERS(5)
    NAME
         sudoers — default sudo security policy plugin
    DESCRIPTION
         The sudoers policy plugin determines a user's sudo privileges.  It is the default sudo policy plugin.  The policy is driven by the /etc/sudoers file or, optionally in LDAP.  The
         policy format is described in detail in the SUDOERS FILE FORMAT section.  For infrmation
         on storing sudoers policy information in LDAP, please see sudoers.ldap(5).
    省略

sudo提升用户权限方法1:委派用户

主配置文件

    [[email protected]:~]# vim /etc/sudoers   
    ## Allow root to run any commands anywhere 
    root    ALL=(ALL)       ALL
    dhy     172.18.119.212=(root)   /bin/mount /dev/cdrom /mnt/  
                    #授权用户 哪台主机登录=(代表谁执行命令)    授权执行的命令
    ## Allows members of the 'sys' group to run networking, software, 
    ## service management apps and more.
    # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    [root@centos7:~]# ll /usr/bin /bin  -d
    lrwxrwxrwx. 1 root root     7 May 15 18:52 /bin -> usr/bin
    dr-xr-xr-x. 2 root root 49152 Jul  9 10:48 /usr/bin
    [root@centos7:etc]# visudo
    #文件/etc/sudoers是只读的,用visudo = vi /etc/sudoers visudo
    [root@centos7:etc]# export EDITOR=vim
    #visudo用的是vi编辑器,无颜色,可以使其用vim编辑器,设置一下环境变量EDITOR即可,,可写到 /etc/profile.d/env.sh永久生效

/etc/sudoers文件编辑好后,及时生效

    [root@centos7:sudoers.d]# visudo -c
    /etc/sudoers: parsed OK
    /etc/sudoers.d/dhy: parsed OK
                                                     #具有语法检查功能即:visudo -c
    [root@centos7:etc]# su - dhy
    Last login: Tue Jul 10 10:28:50 CST 2018 on pts/0
    [[email protected]:~]$ mount /dev/cdrom /mnt/
    mount:only root can do this                      #权限不足
    [[email protected]:~]$ sudo mount /dev/cdrom /mnt/      #sudo提升权限
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
       #1) Respect the privacy of others.
       #2) Think before you type.
       #3) With great power comes great responsibility.
    [sudo] password for dhy: 
    mount: /dev/sr0 is write-protected, mounting read-only

只能执行授权的一条命令,并且5分钟内执行此命令不用再输入密码

把规则写到文件中,如下

    [root@centos7:~]# visudo
    \## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
    #includedir /etc/sudoers.d                      #授权文件可以放到/etc/sudoers.d
    [root@centos7:sudoers.d]# vim dhy
    dhy 172.18.119.212=(root) /bin/mount /dev/cdrom /mnt/, /bin/umount  
    [root@centos7:sudoers.d]# ls
    dhy
    [root@centos7:sudoers.d]# visudo -c
    /etc/sudoers: parsed OK
    /etc/sudoers.d/dhy: bad permissions, should be mode 0440
    [root@centos7:sudoers.d]# chmod 440 dhy
    [dhy@centos7:~]$ sudo umount /mnt
    [sudo] password for dhy: 
    [dhy@centos7:~]$ 
    [root@centos7:sudoers.d]# visudo -f /etc/sudoers.d/dhy   #visudo -c 是检查主文件的,visudo -f 是检查文件的权限的

sudo提升权限方法二:委派组

主配置文件

    [[email protected]:sudo]# visudo
    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL
    #组wheel 用%区别组,而不是用户,组wheel系统默认存在,所有主机=(所有用户)  执行任何命令
    [[email protected] ~ ]#getent group wheel
    wheel: x:10:
    sudo --help
    [root@centos7:sudoers.d]# getent passwd dhy
    dhy: x:1000:1000:dhy:/home/dhy:/bin/bash
    [root@centos7:sudoers.d]# groupmems -a dhy -g wheel
    [root@centos7:sudoers.d]# id dhy
    uid=1000(dhy) gid=1000(dhy) groups=1000(dhy),10(wheel)           #用户dhy加入到了wheel组中
    [root@centos7:sudoers.d]# getent group wheel
    wheel: x:10:dhy
  • 上述命令为把用户dhy加入wheel组,就可以执行wheel组的命令
    [root@centos7:sudoers.d]# su - dhy
    [dhy@centos7:~]$ sudo cat /etc/shadow
    [sudo] password for dhy: 
    root:$6$oC3Y9WXlG1G/zP2u$kPBr51L0rRKNIkJOVJdI9v2USbWmPudoVSkg.djDH5lmk14zr3ct9gOONECpdeXOvduY5xNZVdr8vd2LzDSt50::0:99999:7:::

写到配置文件中

    [root@centos7:sudoers.d]# useradd zhaoliying
    [root@centos7:sudoers.d]# getent passwd zhaoliying
    zhaoliying: x:1002:1002::/home/zhaoliying:/bin/bash
    [root@centos7:sudoers.d]# visudo -f dhy            #辅助配置文件语法检查用visudo -f file
    zhaoliying 172.18.119.212=(dhy) all               #错误写法:all写错
    "dhy.tmp" 2L, 38C written
    >>> dhy: syntax error near line 1 <<<
    What now? 
    Options are:
         (e)dit sudoers file again
         e(x)it without saving changes to sudoers file
         (Q)uit and save changes to sudoers file (DANGER!)
    What now? e
    zhaoliying 172.18.119.212=(dhy) ALL            #纠正为大写的ALL,用户zhaoliying提升权限为用户dhy

    [zhaoliying@centos7:~]$ sudo -u dhy cat /etc/shadow  #由于用户dhy在wheel中,dhy执行也需要sudo
    [sudo] password for zhaoliying: 
    cat: /etc/shadow: Permission denied
    [zhaoliying@centos7:~]$ sudo -u dhy sudo cat /etc/shadow   #如zhaoliying用户执行dhy的权限
    [sudo] password for dhy: 

提升权限5分钟记录时间数据库

    [root@centos7:sudoers.d]# cd /var/db/sudo
    [root@centos7:sudo]# ls
    lectured
    [root@centos7:sudo]# cd lectured/
    [root@centos7:lectured]# ll
    total 0
    -rw-------. 1 root dhy        0 Jul 10 10:32 dhy
    -rw-------. 1 root zhaoliying 0 Jul 10 11:13 zhaoliying
    \## Allows people in group wheel to run all commands

执行时无需密码格式

%wheel  ALL=(ALL)       ALL   NOPASSED:ALL

则执行命令时可以不用输入用户密码,或者在/etc/sudoers.d/dhy中

zhaoliying 172.18.119.212=(dhy) ALL NOPASSWD:ALL

好处是,写脚本时不用可以避免输入密码导致交互式执行


命令执行记录日志

cat /var/log/secure 中记录了用户提升权限执行命令的行为

相关标签: sudo