sudo管理帐号权限

4tr32

大家都知道root是超级管理员，拥有无限大的权限，为了系统安全,尽量不要让root被人随便使用，或者远程登录进来。由此需要在Linux上创建一些管理帐号，那么这些帐号的权限如何分配呢？Linux 有sudo这些工作，sudo主要是配置那个用户可以使用那些帐号，使用visudo或者编辑"/etc/sudoers"可以修改参数。


[iyunv@localhost ~]# useradd lbx
[iyunv@localhost ~]# echo "qwe123" | passwd --stdin lbx
[iyunv@localhost ~]#vim /etc/soders

lbx     localhost.localdomain=/bin/mkdir,/bin/touch,/bin/rpm,/bin/ls
我添加了lbx这个用户
然后在/etc/sudoers中添加用户lbx的权限管理，可以创建文件和文件夹，安装rpm，显示目录。
[lbx@localhost opt]$ su lbx //用su切换到lbx
[lbx@localhost opt]$ mkdir test
mkdir: 无法创建目录 “test”: 权限不够                //显示无法创建目录
[lbx@localhost opt]$ sudo mkdir test                //使用sudo提权，由此可以使用命令mkdir
Password:
[lbx@localhost opt]$ ls                        //密码会保留一段时间，不用sudo提权，也可以使用命令ls
setup  test

[lbx@localhost opt]$ sudo -k        //清除保留的密码
[lbx@localhost opt]$ touch file
touch: 无法触碰 “file”: 权限不够
[lbx@localhost opt]$ sudo touch file
[lbx@localhost opt]$ ls
file  setup  tes


[iyunv@localhost opt]# useradd user1
[iyunv@localhost opt]# useradd user2       
[iyunv@localhost opt]# echo "qwe123"|passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.
[iyunv@localhost opt]# echo "qwe123"|passwd --stdin user2
Changing password for user user2.
passwd: all authentication tokens updated successfully.
//添加两个帐号user1和usser2 并分配密码

[iyunv@localhost ~]#vim /etc/soders
lbx     localhost.localdomain=/usr/bin/passwd
//修改/etc/sudoders,让lbx可以使用命令passwd

[iyunv@localhost opt]# su lbx
[lbx@localhost opt]$ sudo passwd user1
Changing password for user user1.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

//lbx可以修改user1的密码，但大家看以下这种情况，lbx居然可以root的密码，呵呵，有点宣兵夺主的感觉

[lbx@localhost opt]$ sudo passwd root
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

为了避免这种情况可以如下配置，让他可以使用passwd，但禁止修改root的password：
lbx     localhost.localdomain=/usr/bin/passwd,!/usr/bin/passwd root

效果出来了：
[iyunv@localhost opt]# su lbx
[lbx@localhost opt]$ sudo passwd root
Sorry, user lbx is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.




如果要管理的帐号有很多需要配置管理呢？那怎么配置？在系统账号管理方面，window做得很细致，可以分组管理，并且已经规划好权限。Linux也可以只是需要你自己去写。
User_Alias      OPERATORS=user1,user2
Cmnd_Alias      PKGTOOLS=/bin/mkdir,/bin/cp,/bin/touch,/bin/ls
OPERATORS       localhost.localdomain=PKGTOOLS
如上所示，Useeer_Alias格式创建了OPERATORS管理组，组中有用户user1和user2。Cmnd_Alias格式后面PKTOOLS指定允许使用的命令.



[user2@localhost opt]$ mkdir diretory
mkdir: 无法创建目录 “diretory”: 权限不够
[user2@localhost opt]$ sudo mkdir diretory

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
[user2@localhost opt]$ sudo ls
diretory

mkdir: 无法创建目录 “diretory”: 权限不够,sudo提权以后可以获得操作权限。
[user2@localhost opt]$ sudo mkdir diretory

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
[user2@localhost opt]$ sudo ls
diretory  file        setup  test
[user2@localhost opt]$ su user1
口令：
[user1@localhost opt]$ cd /tmp/
[user1@localhost tmp]$ sudo mkdir diretory

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
[user1@localhost tmp]$ touch file
[user1@localhost tmp]$ ls
diretory