Test environment: CentOS 7 x86_64 (virtual machine)
A regular user cannot run privileged commands. sudo lets a regular user run selected privileged commands, but not every user is a sudoer (a user who is permitted to run commands through sudo).
[ben@localhost ~]$ yum update
Loaded plugins: fastestmirror, langpacks
You need to be root to perform this command.
[ben@localhost ~]$ sudo yum update
[sudo] password for ben:
ben is not in the sudoers file.  This incident will be reported.
The sudo command and its configuration file are described below:
- sudo
This command gives a non-privileged user permission to run commands that only root (the privileged user) may normally run.
- sudo configuration file (/etc/sudoers)
sudo reads its rules from /etc/sudoers. Do not edit that file directly with vi; use visudo instead. visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the system with a sudoers file that sudo refuses to parse. visudo -c checks the current file without editing it, and visudo -f FILE edits a drop-in such as /etc/sudoers.d/user1, which the default CentOS 7 sudoers pulls in through #includedir /etc/sudoers.d.
The examples that follow use several users, so first create user1 and user2 as root and set their passwords.
[root@localhost ~]# adduser user1
[root@localhost ~]# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@localhost ~]# adduser user2
[root@localhost ~]# passwd user2
Changing password for user user2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Usage examples
- Give user1 permission to run yum update.
[root@localhost ~]# visudo
user1 ALL=/usr/bin/yum update
This defines user1 as able to run yum update.
Explanation:
- user1: the user the rule applies to. No Runas field is given, so the commands that follow run as root.
- ALL: the host field. sudo matches it against the hostname of the machine it is running on, which lets one sudoers file be shared across many hosts; ALL means the rule applies on every host, and a specific hostname would limit it to that machine. It does not restrict where the user logged in from (console, ssh, telnet and so on).
- =/usr/bin/yum update: the commands user1 may run as root. Because arguments are written in the rule, the request must carry exactly those arguments: sudo yum update is allowed and nothing else. After logging in, the user can run sudo -l to list the privileged commands available to them.
[user1@localhost ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (root) /usr/bin/yum update

[user1@localhost ~]$ yum update
Loaded plugins: fastestmirror, langpacks
You need to be root to perform this command.
[user1@localhost ~]$ sudo yum update
[sudo] password for user1:
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror01.idc.hinet.net
 * epel: mirror01.idc.hinet.net
 * extras: mirror01.idc.hinet.net
 * updates: mirror01.idc.hinet.net
Resolving Dependencies
If the password prompt should be skipped as well, add the NOPASSWD: tag in front of the command.
[root@localhost ~]# visudo
user1 ALL= NOPASSWD: /usr/bin/yum update
Only yum update was granted, so yum install (and every other yum subcommand) is refused:
[user1@localhost ~]$ sudo yum install telnet
Sorry, user user1 is not allowed to execute '/bin/yum install telnet' as root on localhost.localdomain.
To grant all of yum, list the command without any arguments. Be aware that this is close to handing out root: with unrestricted yum, user1 can install any package as root, including a locally built RPM whose install scriptlets run as root.
[root@localhost ~]# visudo
user1 ALL=/usr/bin/yum

[user1@localhost ~]$ sudo -l
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (root) /usr/bin/yum

[user1@localhost ~]$ sudo yum install telnet
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror01.idc.hinet.net
 * epel: mirror01.idc.hinet.net
 * extras: mirror01.idc.hinet.net
 * updates: mirror01.idc.hinet.net
Resolving Dependencies
--> Running transaction check
---> Package telnet.x86_64 1:0.17-64.el7 will be installed
--> Finished Dependency Resolution
- Let user1 and user2 mount and unmount the CD-ROM
[root@localhost ~]# visudo
user1 ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
user2 ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
This defines user1 and user2 as able to mount and unmount the CD-ROM.
Explanation:
- user1: the user the rule applies to; the following commands run as root.
- ALL: the host field, matched against the hostname of the machine sudo runs on (not the origin of the login); ALL means every host.
- =/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom: a comma-separated command list. Each entry carries its full arguments, so user1 may mount exactly /dev/sr0 on /mnt/cdrom and unmount exactly /mnt/cdrom. That is the point of spelling the arguments out: a bare /bin/mount would let the user mount any device on any directory with any options, which is far more than CD-ROM access. sudo -l shows the resulting list.
user2 is configured the same way as user1.
[user1@localhost ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom

[user2@localhost ~]$ sudo -l
[sudo] password for user2:
Matching Defaults entries for user2 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user2 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
user1 and user2 can now mount and unmount the CD-ROM through sudo.
[user1@localhost ~]$ sudo mount /dev/sr0 /mnt/cdrom
mount: /dev/sr0 is write-protected, mounting read-only
[user1@localhost ~]$ sudo umount /mnt/cdrom

[user2@localhost ~]$ sudo mount /dev/sr0 /mnt/cdrom
mount: /dev/sr0 is write-protected, mounting read-only
[user2@localhost ~]$ sudo umount /mnt/cdrom
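To see precisely why sudo yum install telnet is refused under /usr/bin/yum update but accepted under a bare /usr/bin/yum, and why the mount rule above permits exactly one device and one mount point, here is an added example (not code from the original post) that re-implements sudo's Cmnd matching in POSIX sh. The function names cmnd_matches and sudo_allows and the sample rules are this example's own; the last rule, /bin/cat /var/log/messages*, is the wildcard pitfall documented in sudoers(5), included to show that * matches across spaces.

```shell
#!/bin/sh
# Added example, not code from the original post: a re-implementation of the
# command/argument matching sudo applies to the Cmnd part of a sudoers rule,
# so "user1 ALL=/usr/bin/yum update" versus "user1 ALL=/usr/bin/yum" and the
# mount/umount list can be checked without editing /etc/sudoers.
# Rules, as documented in sudoers(5):
#   - a Cmnd written with arguments matches only those exact arguments
#     (wildcards in the rule behave like fnmatch(3), which is also what the
#     shell "case" statement uses, so "case" stands in for sudo here);
#   - a Cmnd written without arguments matches any arguments at all;
#   - a Cmnd followed by "" matches only an invocation with no arguments.
# Only the Cmnd list is modelled; user, host, Runas and Defaults are not.

# cmnd_matches RULE_CMND REQUESTED_CMDLINE -> exit 0 if the rule allows it
cmnd_matches() {
    rule=$1
    req=$2
    rule_cmd=${rule%% *}          # path of the command in the rule
    req_cmd=${req%% *}            # path the user asked for
    [ "$rule_cmd" = "$req_cmd" ] || return 1
    case "$rule" in *' '*) rule_args=${rule#* } ;; *) rule_args= ;; esac
    case "$req"  in *' '*) req_args=${req#* }  ;; *) req_args=  ;; esac
    if [ -z "$rule_args" ]; then
        return 0                  # no arguments in the rule: anything goes
    fi
    if [ "$rule_args" = '""' ]; then
        [ -z "$req_args" ] && return 0   # "": allowed only without arguments
        return 1
    fi
    # Unquoted on purpose: the rule's arguments act as a pattern, and "*"
    # matches across spaces exactly as sudo's argument matching does.
    case $req_args in
        $rule_args) return 0 ;;
    esac
    return 1
}

# sudo_allows "CMND1, CMND2, ..." REQUESTED_CMDLINE -> exit 0 if any Cmnd matches
sudo_allows() {
    rest=$1
    req=$2
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) item=${rest%%,*}; rest=${rest#*,} ;;
            *)   item=$rest; rest= ;;
        esac
        # strip the blanks that ", " leaves around each entry
        while [ "${item# }" != "$item" ]; do item=${item# }; done
        while [ "${item% }" != "$item" ]; do item=${item% }; done
        cmnd_matches "$item" "$req" && return 0
    done
    return 1
}

# Walk the rules from the page plus the wildcard pitfall from sudoers(5).
demo() {
    for rule in "/usr/bin/yum update" "/usr/bin/yum" '/usr/bin/yum ""' \
                "/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom" \
                "/bin/cat /var/log/messages*"; do
        for req in "/usr/bin/yum update" "/usr/bin/yum install telnet" \
                   "/bin/mount /dev/sr0 /mnt/cdrom" "/bin/mount /dev/sda1 /mnt" \
                   "/bin/cat /var/log/messages /etc/shadow"; do
            if sudo_allows "$rule" "$req"; then verdict=allow; else verdict=DENY; fi
            printf '%-58s %-40s %s\n' "$rule" "$req" "$verdict"
        done
    done
}

demo
```

Run it with sh; each line prints the rule, the requested command line and the verdict. On a real system the equivalent check is sudo -l /usr/bin/yum install telnet, run as the user in question, and a new rule file should be validated with visudo -cf FILE before it is installed.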
When several users need the same rights, a group from /etc/group can be used in the user privilege specification instead of listing every user; the group name is written with a leading "%" (meaning a group taken from /etc/group).
The following does the same as the mount example above, but grants the rights to a group:
[root@localhost ~]# visudo
%mountuser ALL=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
The mountuser group itself is defined in /etc/group, so adding or removing a member changes who receives the grant without touching sudoers:
[root@localhost ~]# cat /etc/group
mountuser:x:1004:user1,user2
- Let user1 run every command that root can run
[root@localhost ~]# visudo
user1 ALL=(ALL) ALL

[user1@localhost ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (ALL) ALL
(ALL) is the Runas field: user1 may run the commands as any user, root included, rather than only as root. The second ALL is the command list, so user1 can now run every command root can run.
To skip the password as well, use NOPASSWD: ALL. Note that user1 ALL=(ALL) NOPASSWD: ALL makes the account equivalent to root with no further check: whoever obtains user1's shell or SSH key has root immediately. Prefer the narrow command lists shown earlier and reserve this form for accounts that genuinely need it.
[root@localhost ~]# visudo
user1 ALL=(ALL) NOPASSWD: ALL
- Running a command as user1 from root
Besides giving non-privileged users extra rights, sudo can run a command as a different user: sudo -u USER runs the command as USER instead of root. root is allowed to do this by the root ALL=(ALL) ALL line that ships in the default /etc/sudoers; for any other user the Runas field of their rule, the part in parentheses, must include the target user, for example (ALL) or (user1).
[root@localhost ~]# sudo -u user1 touch /home/user1/rootfile
[root@localhost ~]# ll /home/user1/
total 0
-rw-r--r-- 1 user1 user1 0 Feb 13 17:50 rootfile
As expected, rootfile's owner and group are both user1.
The standard way to write sudoers rules (aliases)
[root@localhost ~]# visudo
# Host alias specification

# User alias specification
User_Alias ADMIN=user1 , user2

# Cmnd alias specification
Cmnd_Alias MOUNTCMD=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom

# User privilege specification
ADMIN ALL=MOUNTCMD
This defines user1 and user2 (through the ADMIN alias) as able to mount and unmount the CD-ROM.
Explanation:
- User_Alias ADMIN=user1 , user2
User_Alias is the keyword that defines a user alias; ADMIN is the alias name and may contain several users. Alias names must start with an uppercase letter and may contain only uppercase letters, digits and underscores.
- Cmnd_Alias MOUNTCMD=/bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
Cmnd_Alias is the keyword that defines a command alias; MOUNTCMD is the alias name and may contain several commands. The same naming rule applies.
- ADMIN ALL=MOUNTCMD
ADMIN: the users the rule applies to (every member of the alias); the following commands run as root.
ALL: the host field, matched against the hostname of the machine sudo runs on, not the origin of the login; ALL means every host, and a specific hostname would limit the rule to that machine.
=MOUNTCMD: the commands ADMIN may run as root, expanded from the alias. Keeping the command list in one alias means that adding a command or a member is a single-line change and every user in the alias stays in step.
[user2@localhost ~]$ sudo -l
[sudo] password for user2:
Matching Defaults entries for user2 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user2 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom

[user1@localhost ~]$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user1 may run the following commands on localhost:
    (root) /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
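As an added example (not from the original post), the following audit script ties the last two sections together: it resolves Cmnd_Alias definitions the way the alias form above uses them and flags the grants a reviewer would question, namely ALL, NOPASSWD and commands listed without arguments. The sudoers text it reads is constructed for this example from the rules on this page plus one extra account, ben, with (ALL) NOPASSWD: ALL; audit_sudoers and sample_sudoers are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original post: a small audit that reads
# sudoers-style text, resolves Cmnd_Alias names, and prints the rules a
# reviewer would question. The demo feeds it a constructed sample (below);
# nothing here reads /etc/sudoers unless you pass it as an argument.
# One finding per line:
#   ALL-CMDS <who>            every command is allowed (ALL)
#   NOPASSWD <who> <cmds>     no password prompt, so a hijacked session is root
#   NO-ARGS  <who> <cmd>      command listed without arguments: any arguments go
# Only the one-line rule forms used on this page are understood; "\" line
# continuations, Runas_Alias, Host_Alias and "!" negations are not handled.

# audit_sudoers [FILE...] -> prints findings, one per line (stdin if no FILE)
audit_sudoers() {
    awk '
    function check(who, c) {
        if (c == "ALL") { print "ALL-CMDS " who; return }
        if (c !~ / /)   { print "NO-ARGS " who " " c }
    }
    # Cmnd_Alias NAME = cmd, cmd, ...   (one level of aliasing is resolved)
    /^[ \t]*Cmnd_Alias/ {
        sub(/^[ \t]*Cmnd_Alias[ \t]+/, "")
        split($0, kv, /[ \t]*=[ \t]*/)
        alias[kv[1]] = kv[2]
        next
    }
    # comments, blank lines, Defaults and the other alias kinds grant nothing
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        who = $1
        line = $0
        sub(/^[^=]*=[ \t]*/, "", line)        # drop "who host ="
        sub(/^\([^)]*\)[ \t]*/, "", line)     # drop an optional "(runas)"
        nopw = (line ~ /NOPASSWD:/)
        gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", line)
        if (nopw) print "NOPASSWD " who " " line
        n = split(line, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (cmds[i] in alias) {
                m = split(alias[cmds[i]], parts, /[ \t]*,[ \t]*/)
                for (j = 1; j <= m; j++) check(who, parts[j])
            } else {
                check(who, cmds[i])
            }
        }
    }' "$@"
}

# sample_sudoers -> constructed sudoers text combining the rules on this page
sample_sudoers() {
    cat <<'EOF'
Defaults    env_reset
User_Alias  ADMIN = user1, user2
Cmnd_Alias  MOUNTCMD = /bin/mount /dev/sr0 /mnt/cdrom, /bin/umount /mnt/cdrom
Cmnd_Alias  PKG = /usr/bin/yum
# rules from the examples above; ben is a constructed extra case
user1       ALL = NOPASSWD: /usr/bin/yum update
user2       ALL = (ALL) ALL
%mountuser  ALL = MOUNTCMD
ADMIN       ALL = PKG
ben         ALL = (ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

Point it at real files with audit_sudoers /etc/sudoers /etc/sudoers.d/* (as root, since those files are readable only by root). The parser is deliberately minimal; for anything beyond the one-line forms shown on this page, sudo -l -U USER remains the authoritative answer because it asks sudo itself.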