Linux用戶配置sudo權(quán)限(visudo)[轉(zhuǎn)]

2024-06-28 16:01:18

字體：大中小

來(lái)源：轉(zhuǎn)載

供稿：網(wǎng)友

本文

sudo的工作過(guò)程如下：

1，當(dāng)用戶執(zhí)行sudo時(shí)，系統(tǒng)會(huì)主動(dòng)尋找/etc/sudoers文件，判斷該用戶是否有執(zhí)行sudo的權(quán)限

2，確認(rèn)用戶具有可執(zhí)行sudo的權(quán)限后，讓用戶輸入用戶自己的密碼確認(rèn)

3，若密碼輸入成功，則開(kāi)始執(zhí)行sudo后續(xù)的命令

4，root執(zhí)行sudo時(shí)不需要輸入密碼(eudoers文件中有配置root ALL=(ALL) ALL這樣一條規(guī)則)

5，若欲切換的身份與執(zhí)行者的身份相同，也不需要輸入密碼

visudo使用vi打開(kāi)/etc/sudoers文件，但是在保存退出時(shí)，visudo會(huì)檢查內(nèi)部語(yǔ)法，避免用戶輸入錯(cuò)誤信息

visudo需要root權(quán)限

[hadoop@localhost ~]$ visudovisudo：/etc/sudoers：權(quán)限不夠visudo：/etc/sudoers：權(quán)限不夠

## Sudoers allows particular users to run various commands as## the root user, without needing the root passWord.## 該文件允許特定用戶像root用戶一樣使用各種各樣的命令，而不需要root用戶的密碼#### Examples are PRovided at the bottom of the file for collections## of related commands, which can then be delegated out to particular## users or groups.## 在文件的底部提供了很多相關(guān)命令的示例以供選擇，這些示例都可以被特定用戶或## 用戶組所使用 #### This file must be edited with the 'visudo' command.## 該文件必須使用"visudo"命令編輯## Host Aliases## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or ip addresses instead.## 對(duì)于一組服務(wù)器，你可能會(huì)更喜歡使用主機(jī)名（可能是全域名的通配符）## 、或IP地址，這時(shí)可以配置主機(jī)別名# Host_Alias FILESERVERS = fs1, fs2# Host_Alias MAILSERVERS = smtp, smtp2## User Aliases## These aren't often necessary, as you can use regular groups## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS## 這并不很常用，因?yàn)槟憧梢酝ㄟ^(guò)使用組來(lái)代替一組用戶的別名# User_Alias ADMINS = jsmith, mikem## Command Aliases## These are groups of related commands...## 指定一系列相互關(guān)聯(lián)的命令（當(dāng)然可以是一個(gè)）的別名，通過(guò)賦予該別名sudo權(quán)限，## 可以通過(guò)sudo調(diào)用所有別名包含的命令，下面是一些示例## Networking 網(wǎng)絡(luò)操作相關(guān)命令別名# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool## Installation and management of software 軟件安裝管理相關(guān)命令別名# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum## Services 服務(wù)相關(guān)命令別名# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig## Updating the locate database 本地?cái)?shù)據(jù)庫(kù)升級(jí)命令別名# Cmnd_Alias LOCATE = /usr/bin/updatedb## Storage 磁盤(pán)操作相關(guān)命令別名# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount## Delegating permissions 代理權(quán)限相關(guān)命令別名# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes 進(jìn)程相關(guān)命令別名# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall## Drivers 驅(qū)動(dòng)命令別名# Cmnd_Alias DRIVERS = /sbin/modprobe# Defaults specification## Disable "ssh hostname sudo <cmd>", because it will show the password in clear. # You have to run "ssh -t hostname sudo <cmd>".# 一些環(huán)境變量的相關(guān)配置，具體情況可見(jiàn)man soduersDefaults requirettyDefaults env_resetDefaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple## systems).## 下面是規(guī)則配置：什么用戶在哪臺(tái)服務(wù)器上可以執(zhí)行哪些命令（sudoers文件可以在多個(gè)系統(tǒng)上共享）## Syntax(語(yǔ)法):#### user MACHINE=COMMANDS 用戶登錄的主機(jī)=（可以變換的身份）可以執(zhí)行的命令#### The COMMANDS section may have other options added to it.## 命令部分可以附帶一些其它的選項(xiàng)#### Allow root to run any commands anywhere ## 允許root用戶執(zhí)行任意路徑下的任意命令root ALL=(ALL) ALL## Allows members of the 'sys' group to run networking, software, ## service management apps and more.## 允許sys中戶組中的用戶使用NETWORKING等所有別名中配置的命令# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS## Allows people in group wheel to run all commands## 允許wheel用戶組中的用戶執(zhí)行所有命令%wheel ALL=(ALL) ALL## Same thing without a password## 允許wheel用戶組中的用戶在不輸入該用戶的密碼的情況下使用所有命令# %wheel ALL=(ALL) NOPASSWD: ALL## Allows members of the users group to mount and unmount the ## cdrom as root## 允許users用戶組中的用戶像root用戶一樣使用mount、unmount、chrom命令# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom## Allows members of the users group to shutdown this system## 允許users用戶組中的用戶關(guān)閉localhost這臺(tái)服務(wù)器# %users localhost=/sbin/shutdown -h now## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)## 讀取放置在/etc/sudoers.d/文件夾中的文件（此處的#不意味著這是一個(gè)聲明）#includedir /etc/sudoers.d

特別要注意的是別名一定要使用大寫(xiě)

查看當(dāng)前用戶的sudo權(quán)限；這里寫(xiě)圖片描述