Linux command – sudo


Test environment: CentOS 7 x86_64 (virtual machine)

An ordinary user cannot run privileged commands. sudo lets an ordinary user run privileged commands, but not every user is a sudoer (a user permitted to run commands through sudo).

[ben@localhost ~]$ yum update
Loaded plugins: fastestmirror, langpacks
You need to be root to perform this command.
[ben@localhost ~]$ sudo yum update
[sudo] password for ben: 
ben is not in the sudoers file.  This incident will be reported.
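The "This incident will be reported" message means sudo logged the refusal through syslog (the authpriv facility, which CentOS 7 writes to /var/log/secure) and, with the default mail_no_user setting, also mailed root. The following is an added example, not code from this page: a small parser over constructed log lines shaped like sudo's syslog entries, pulling out the refused attempts so they can be reviewed. The log lines, hostnames and user names are made up for the example.

```python
"""Parse sudo's syslog lines and pull out refused attempts.

Added example for this page, not code from it: the log lines below are
constructed to look like the sudo entries CentOS 7 writes to /var/log/secure.
"""
import re
from collections import Counter

# sudo writes one line per attempt; a refusal carries a reason before TTY=.
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample log: three refusals, one allowed run, one unrelated line.
SAMPLE_LOG = """\
Feb 13 17:43:10 localhost sudo:     ben : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/ben ; USER=root ; COMMAND=/bin/yum update
Feb 13 17:45:22 localhost sudo:   user1 : command not allowed ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/yum install telnet
Feb 13 17:46:01 localhost sudo:   user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/yum update
Feb 13 17:47:30 localhost sudo:   user1 : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/yum update
Feb 13 17:48:02 localhost sshd[2231]: Accepted password for user1 from 192.0.2.10 port 51234 ssh2
"""


def parse_sudo_line(line):
    """Return a dict of fields for a sudo log line, or None for other lines."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["reason"] is not None   # allowed runs carry no reason
    return rec


def denials(lines):
    """(user, reason, command) for every attempt sudo refused."""
    return [(r["user"], r["reason"], r["cmd"])
            for r in map(parse_sudo_line, lines) if r and r["denied"]]


def repeat_offenders(lines, threshold=2):
    """Users with at least `threshold` refusals: the ones worth a closer look."""
    counts = Counter(user for user, _, _ in denials(lines))
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for entry in denials(SAMPLE_LOG.splitlines()):
        print("DENIED %-6s %-30s %s" % entry)
    print(repeat_offenders(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/secure by feeding the file's lines to denials(); lines from other daemons are ignored by the regex rather than raising.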

The #sudo command and its configuration file are described below:

  • #sudo
    This command gives a non-privileged user temporary permission to run commands that only root (the privileged user) could otherwise run.
  • sudo configuration file (/etc/sudoers)
    sudo's configuration file is /etc/sudoers. Do not edit it directly with vi; use the #visudo command, because visudo checks the file for syntax errors before saving it (a sudoers file with a parse error makes sudo refuse to run for everyone) and locks it against concurrent edits. #visudo -c checks the installed file without editing it.

The following examples use different users. As root, create user1 and user2 with #adduser and set their passwords with #passwd.

[root@localhost ~]# adduser user1
[root@localhost ~]# passwd user1
Changing password for user user1.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost ~]# adduser user2
[root@localhost ~]# passwd user2
Changing password for user user2.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Examples

  1. Give user1 permission to run #yum update.
    [root@localhost ~]# visudo
    user1 ALL=/usr/bin/yum update
    

    This defines that user1 may run yum update.
    Explanation:

    • user1
      The user the rule applies to. No run-as user is given in parentheses, so sudo's default target, root, applies: user1 runs the commands that follow as root.
    • ALL
      The host field. It names the host(s) on which the rule is valid, which matters when one sudoers file is shared across several machines; ALL means every host, and a hostname such as localhost restricts the rule to that machine. It does not describe where the user logged in from (console, telnet, ssh...).
    • =/usr/bin/yum update
      The command user1 may run as root. Because arguments are listed, sudo requires the user's arguments to match them exactly: sudo yum update is allowed, sudo yum update bash is not. After logging in, the user can run #sudo -l to list the privileged commands available to them.
    [user1@localhost ~]$ sudo -l
    [sudo] password for user1: 
    Matching Defaults entries for user1 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User user1 may run the following commands on localhost:
        (root) /usr/bin/yum update
    
    [user1@localhost ~]$ yum update
    Loaded plugins: fastestmirror, langpacks
    You need to be root to perform this command.
    [user1@localhost ~]$ sudo yum update
    [sudo] password for user1: 
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirror01.idc.hinet.net
     * epel: mirror01.idc.hinet.net
     * extras: mirror01.idc.hinet.net
     * updates: mirror01.idc.hinet.net
    Resolving Dependencies
    

    If you also want to skip the password prompt, add the NOPASSWD: tag. Use it sparingly: the password check is what stops someone who finds an unattended session from running the command as root.

    [root@localhost ~]# visudo
    user1        ALL= NOPASSWD: /usr/bin/yum update
    

    We only granted #yum update, so any other yum subcommand, such as yum install, is refused. (sudo reports the command as /bin/yum because it found yum through secure_path; on CentOS 7 /bin is a symlink to /usr/bin, so this is the same file and the rule still matches.)

    [user1@localhost ~]$ sudo yum install telnet
    Sorry, user user1 is not allowed to execute '/bin/yum install telnet' as root on localhost.localdomain.
    

    To grant all of yum, leave out the arguments. Be aware of what that hands over: yum accepts an arbitrary configuration file (-c) and loads plugins, so unrestricted yum as root is very close to unrestricted root. Prefer listing the subcommands you actually need.

    [root@localhost ~]# visudo
    user1 ALL=/usr/bin/yum
    
    [user1@localhost ~]$ sudo -l
    Matching Defaults entries for user1 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User user1 may run the following commands on localhost:
        (root) /usr/bin/yum
    
    [user1@localhost ~]$ sudo yum install telnet
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirror01.idc.hinet.net
     * epel: mirror01.idc.hinet.net
     * extras: mirror01.idc.hinet.net
     * updates: mirror01.idc.hinet.net
    Resolving Dependencies
    --> Running transaction check
    ---> Package telnet.x86_64 1:0.17-64.el7 will be installed
    --> Finished Dependency Resolution
    
  2. Let user1 and user2 mount and unmount the CD-ROM
    [root@localhost ~]# visudo
    user1  ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    user2  ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    

    This defines that user1 and user2 may mount and unmount the CD-ROM.
    Explanation:

    • user1
      The user the rule applies to; user1 runs the commands that follow as root.
    • ALL
      The host field: ALL means the rule is valid on every host; a hostname would restrict it to that machine.
    • =/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
      A comma-separated list of commands user1 may run as root, each with the exact arguments that must be used (mounting anything other than /dev/sr0 on /mnt/cdrom is refused). The user can verify the list with #sudo -l.

    user2's rule is identical to user1's.

    [user1@localhost ~]$ sudo -l
    [sudo] password for user1: 
    Matching Defaults entries for user1 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User user1 may run the following commands on localhost:
        (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    
    [user2@localhost ~]$ sudo -l
    [sudo] password for user2: 
    Matching Defaults entries for user2 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User user2 may run the following commands on localhost:
        (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    

    user1 and user2 can now mount and unmount the CD-ROM through sudo.

    [user1@localhost ~]$ sudo mount /dev/sr0 /mnt/cdrom
    mount: /dev/sr0 is write-protected, mounting read-only
    [user1@localhost ~]$ sudo umount /mnt/cdrom
    
    [user2@localhost ~]$ sudo mount /dev/sr0 /mnt/cdrom
    mount: /dev/sr0 is write-protected, mounting read-only
    
    [user2@localhost ~]$ sudo umount /mnt/cdrom
    

    When several people need the same rights, define them with a group from /etc/group instead of one line per user. In the User privilege specification a group name must be prefixed with "%" (meaning a group from /etc/group). The following does the same as the two user lines above, using a group:

    [root@localhost ~]# visudo
    %mountuser    ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    

    The membership of mountuser is defined in /etc/group.

    [root@localhost ~]# cat /etc/group 
    mountuser:x:1004:user1,user2
    
  3. Let user1 run every command that root can run
    [root@localhost ~]# visudo
    user1     ALL=(ALL) ALL
    
    [user1@localhost ~]$ sudo -l
    [sudo] password for user1: 
    Matching Defaults entries for user1 on localhost:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
        env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
    User user1 may run the following commands on localhost:
        (ALL) ALL
    

    user1 can now run any command that root can.

    To also skip the password prompt, use NOPASSWD: ALL. This makes user1's account equivalent to a root account without a password check, so reserve it for automation accounts that genuinely cannot type a password.

    [root@localhost ~]# visudo
    user1        ALL=(ALL)       NOPASSWD: ALL
    
  4. Switch from root to user1
    Besides granting extra rights to a non-privileged user, sudo can also run a command as another user (sudo -u), here from root to user1.

    [root@localhost ~]# sudo -u user1 touch /home/user1/rootfile
    [root@localhost ~]# ll /home/user1/
    total 0
    -rw-r--r-- 1 user1 user1 0 Feb 13 17:50 rootfile
    

    The owner and group of rootfile are clearly user1, not root.

The canonical sudoers layout (aliases)

[root@localhost ~]# visudo
# Host alias specification
# User alias specification
User_Alias ADMIN=user1 , user2
# Cmnd alias specification
Cmnd_Alias  MOUNTCMD=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
# User privilege specification
ADMIN ALL=MOUNTCMD

This defines that the members of ADMIN (user1 and user2) can mount and unmount the CD-ROM. Explanation:

  • User_Alias ADMIN=user1 , user2
    User_Alias is the keyword for defining a user alias; ADMIN is the alias name (one alias can hold several users). An alias name must start with an uppercase letter and may contain only uppercase letters, digits and underscores.
  • Cmnd_Alias MOUNTCMD=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
    Cmnd_Alias is the keyword for defining a command alias; MOUNTCMD is the alias name (one alias can hold several commands), under the same naming rule.
  • ADMIN ALL=MOUNTCMD
    ADMIN – the users this rule applies to; they run the commands that follow as root.
    ALL – the host field: the rule is valid on every host; a hostname would restrict it to that machine.
    =MOUNTCMD – the commands ADMIN may run as root, expanded from the alias.

[user2@localhost ~]$ sudo -l
[sudo] password for user2: 
Matching Defaults entries for user2 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user2 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom

[user1@localhost ~]$ sudo -l
[sudo] password for user1: 
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
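To make the matching rules used throughout these examples concrete (exact argument matching, a bare path matching any arguments, %group entries, User_Alias and Cmnd_Alias expansion, the NOPASSWD: tag, an omitted run-as defaulting to root, and sudo's "last matching entry wins"), here is an added teaching model of how sudo evaluates a sudoers file. It is not sudo's own parser and not code from this page: it compares the command path as a plain string, ignores Defaults lines, and does not model Host_Alias, wildcards, '!' negation or #include. The sudoers text inside it is constructed from the rule forms shown above.

```python
"""Simulate how sudo evaluates sudoers rules (added teaching model).

Not sudo's parser: handles User_Alias, Cmnd_Alias, %group, (runas),
NOPASSWD/PASSWD tags, ALL, exact argument matching and "last match wins".
Defaults, Host_Alias, wildcards, '!' negation and #include are not modelled.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    users: list      # user names, "%group" entries, or "ALL"
    host: str        # host the rule is valid on, or "ALL"
    runas: list      # target users allowed; sudo's default is root
    nopasswd: bool   # True when a NOPASSWD: tag covers this command
    cmd: str         # "ALL" or "/path [exact arguments]"


@dataclass
class Decision:
    allowed: bool
    runas: str = ""
    password: bool = True


def parse_sudoers(text):
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (s.strip() for s in rest.split("=", 1))
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        left, right = line.split("=", 1)
        who, host = left.split()
        right = right.strip()
        runas = ["root"]                        # no (runas) given -> root
        if right.startswith("("):
            spec, right = right[1:].split(")", 1)
            runas = [r.strip() for r in spec.split(",")]
        nopasswd = False                        # a tag stays in effect for
        for item in right.split(","):           # the commands that follow it
            item = item.strip()
            if item.startswith("NOPASSWD:"):
                nopasswd, item = True, item[len("NOPASSWD:"):].strip()
            elif item.startswith("PASSWD:"):
                nopasswd, item = False, item[len("PASSWD:"):].strip()
            for cmd in cmnd_aliases.get(item, [item]):   # expand Cmnd_Alias
                rules.append(Rule(user_aliases.get(who, [who]), host,
                                  runas, nopasswd, cmd))
    return rules


def command_matches(pattern, argv):
    if pattern == "ALL":
        return True
    parts = shlex.split(pattern)
    if parts[0] != argv[0]:
        return False
    # A bare path matches any arguments; once arguments are listed,
    # the user's arguments must match them exactly.
    return len(parts) == 1 or parts[1:] == list(argv[1:])


def user_matches(rule, user, groups):
    return any(entry in ("ALL", user)
               or (entry.startswith("%") and entry[1:] in groups)
               for entry in rule.users)


def check(rules, user, groups, host, argv, target="root"):
    """Decision for `sudo -u target argv` run by user on host."""
    decision = Decision(False)
    for rule in rules:                          # last matching entry wins
        if not user_matches(rule, user, groups):
            continue
        if rule.host not in ("ALL", host):
            continue
        if "ALL" not in rule.runas and target not in rule.runas:
            continue
        if command_matches(rule.cmd, argv):
            decision = Decision(True, target, not rule.nopasswd)
    return decision


# Constructed sudoers text using the rule forms shown on this page.
SUDOERS = """
User_Alias ADMIN = user1, user2
Cmnd_Alias MOUNTCMD = /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
user1       ALL=/usr/bin/yum update
%mountuser  ALL=MOUNTCMD
ADMIN       ALL=NOPASSWD: MOUNTCMD
user2       ALL=(ALL) NOPASSWD: ALL
"""
RULES = parse_sudoers(SUDOERS)

if __name__ == "__main__":
    for user, groups, argv in [
        ("user1", ["user1"], ["/usr/bin/yum", "update"]),
        ("user1", ["user1"], ["/usr/bin/yum", "install", "telnet"]),
        ("user1", ["user1", "mountuser"], ["/bin/mount", "/dev/sr0", "/mnt/cdrom"]),
        ("ben", ["ben"], ["/usr/bin/yum", "update"]),
    ]:
        print(user, argv, check(RULES, user, groups, "localhost", argv))
```

The third case shows why rule order matters: user1 matches both the %mountuser line (password required) and the later ADMIN line (NOPASSWD:), and sudo applies the last match, so no password is asked. Real sudo additionally resolves the typed command through secure_path and matches the file itself, which is why the page's /bin/yum output still satisfied a /usr/bin/yum rule.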