转载自:点击打开链接
②、修改配置文件,为tom添加特殊权限useradd
## Allow root to run any commands anywhere root ALL=(ALL) ALL tom ALL=(root) /usr/sbin/useradd ##添加权限,这里的/usr/sbin/useradd表示普通用户执行时必须使用全路径,可以使用which 命令查看哦! ## Allows members of the 'sys' group to run networking, software,③、切换到用户tom,验证特殊权限
[root@localhost ~]# su - tom ##切换用户 [tom@localhost ~]$ sudo -l ##查看此用户拥有的特殊权限 We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for tom: ##这里需要验证密码,以保证是用户本人执行操作 Matching Defaults entries for tom on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User tom may run the following commands on this host: (root) /usr/sbin/useradd ##可以以root身份,使用useradd命令 tom执行useradd [tom@localhost ~]$ sudo /usr/sbin/useradd test1 ##添加用户test1 [tom@localhost ~]$ tail -1 /etc/passwd test1:x:501:501::/home/test1:/bin/bash ##添加成功 ④、查看日志/vat/log/secure 注意:要切换回root才有权限查看日志 [root@localhost ~]# tail /var/log/secure Apr 5 13:55:58 localhost su: pam_unix(su-l:session): session opened for user tom by root(uid=0) Apr 5 13:56:11 localhost su: pam_unix(su-l:session): session closed for user tom Apr 5 13:56:17 localhost passwd: pam_unix(passwd:chauthtok): password changed for tom Apr 5 13:56:17 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered Apr 5 13:56:23 localhost su: pam_unix(su-l:session): session opened for user tom by root(uid=0) Apr 5 13:56:43 localhost sudo: tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=list ##tom以管理员身份执行了list命令 Apr 5 14:00:50 localhost sudo: tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/useradd test1 ##tom以管理员身份执行了useradd命令,添加用户test1 Apr 5 14:00:50 localhost useradd[2128]: new group: name=test1, GID=501 Apr 5 14:00:50 localhost useradd[2128]: new user: name=test1, UID=501, GID=501, home=/home/test1, shell=/bin/bash Apr 5 14:07:15 localhost su: pam_unix(su-l:session): session closed for user tom 以后可以使用此命令日志查看主机是否遭到入侵攻击,或者查看某用户登录进来并使用特殊权限执行错误指令等等。所以我们要实时监控此文件的动向。⑤、-k参数示例
[root@localhost ~]# su - tom [tom@localhost ~]$ sudo -k ##结束密码有效期 [tom@localhost ~]$ sudo /usr/sbin/useradd test2 [sudo] password for tom: ##有效期结束后,执行特殊命令,需重新验证密码 [tom@localhost ~]$ tail -1 /etc/passwd test2:x:502:502::/home/test2:/bin/bash #添加test2成功 2、别名应用,alias: sudoers文件支持使用别名对同类对象进行分组:组名必须使用全大写字母,使用逗号将同类对象命令隔开。 Host_Alias:主机别名 User_Alias:用户别名 Runas_Alias:在哪些主机以谁的身份运行 的别名 Cmnd_Alias:命令别名 ①、在配置文件中定义别名 [root@localhost ~]# visudo Host_Alias USERHOSTS = 172.16.0.0/16,127.0.0.0/8,192.168.0.0/24 ##定义主机别名,可以在哪些机器执行特殊命令 Cmnd_Alias USERADMIN=/usr/sbin/useradd,/usr/sbin/usermod,/usr/sbin/userdel ##定义命令别名 root ALL=(ALL) ALL tom ALL=(root) USERADMIN ##此处定义tom可以执行别名USERADMIN中的所有命令 tom USERHOSTS=(ROOT) USERADMIN ##可以在别名USERHOSTS中机器上执行别名USERADMIN中的命令
验证:
[root@localhost ~]# su - tom [tom@localhost ~]$ sudo /usr/sbin/userdel -r test2 ##删除用户test2 [sudo] password for tom: [tom@localhost ~]$ tail -1 /etc/passwd ##删除成功 test1:x:501:501::/home/test1:/bin/bash ②、设禁止某用户执行某操作 tom ALL=(root) /usr/bin/passwd [a-zA-Z]*,!/usr/bin/passwd root ##tom可以以root的身份更改密码,但禁止更改root的密码。③、设置执特权命了时,无需输入密码
tom ALL=(root) /usr/sbin/useradd,NOPASSWD: /usr/sbin/userdel,/usr/sbin/groupdel,PASSWD: /usr/sbin/usermod,/usr/sbin/groupmod ##这里的/usr/sbin/useradd 操作时必须使用密码;/usr/sbin/userdel, /usr/sbin/groupdel操作时可以不使用密码(跟在其后的所有操作一律不使用密码);/usr/sbin/usermod, /usr/sbin/groupmod 操作时还是要输入密码;还有PASSWD和NOPASSWD不可定义于别名中哦! 验证: [root@localhost ~]# su - tom [tom@localhost ~]$ sudo /usr/sbin/useradd test3 [sudo] password for tom: [tom@localhost ~]$ sudo -k [tom@localhost ~]$ sudo /usr/sbin/useradd test4 [sudo] password for tom: ##useradd每次都需要输入密码 [tom@localhost ~]$ sudo -k [tom@localhost ~]$ sudo /usr/sbin/userdel test3 ##执行userdel没有要求输入密码,NOPASSWD设置生效 [tom@localhost ~]$ tail -3 /etc/passwd tom:x:500:500::/home/tom:/bin/bash test1:x:501:501::/home/test1:/bin/bash test4:x:503:503::/home/test4:/bin/bash