sudo配置臨時取得root權限

sudo配置臨時取得root權限
系統中的普通用戶有時需要root權限執行某種操作，要是使用su - root的話必須要知道root的密碼，這是不安全的，所以有了sudo，root可以對/etc/sudoers做一定的配置，讓普通用戶
在不切換到root的情況下，執行一些只有root才能執行的操作。這個文件只能root去修改，建議使用visudo這個命令修改，而不是直接vim /etc/sudoers。
原因有二：
? 一是它能夠防止兩個用戶同時修改它；
? 二是它也能進行有限的語法檢查。
當編輯這個文件有錯誤時，使用visudo會給出錯誤提示，此時可以按e重新編輯，x不保存退出，Q保存退出，如果選擇Q，sudo就不能正常工作了。

實驗過程完成了給指定用戶sudo權限和用別名指定一組用戶的可以執行的sudo指令

過程如下：

?

[root@mail?~]#?visudo?????#chen為普通用戶，ALL可以從任何的主機登陸，(root)可以以root身份，后面是可以執行的命令，最好寫全路徑???????88?##?Allow?root?to?run?any?commands?anywhere???????89?root????ALL=(ALL)???????ALL???????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???????91?##?Allows?members?of?the?'sys'?group?to?run?networking,?software,??????[root@mail?~]#?exit??logout??[chen@mail?桌面]$?sudo?-l?#查看自己可以執行的sudo命令??[sudo]?password?for?chen:???#輸入自己的密碼??Matching?Defaults?entries?for?chen?on?this?host:??????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin????User?chen?may?run?the?following?commands?on?this?host:??????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#這里看到可以執行的sudo命令??[chen@mail?桌面]$?sudo?useradd?user3??#測試??[chen@mail?桌面]$?sudo?passwd?user3??更改用戶?user3?的密碼?。??新的?密碼：??無效的密碼：?過短??無效的密碼：?過于簡單??重新輸入新的?密碼：??passwd：?所有的身份驗證令牌已經成功更新。??[chen@mail?桌面]$?id?user3????#添加user3成功??uid=503(user3)?gid=503(user3)?組=503(user3)??[chen@mail?桌面]$?visudo??#普通用戶不允許編輯??visudo:?/etc/sudoers:?Permission?denied??visudo:?/etc/sudoers:?Permission?denied??[chen@mail?桌面]$?su?-?root?????密碼：??[root@mail?~]#?visudo???[root@mail?~]#?cat?/etc/sudoers?|grep?user1?#編輯增加了下面一行??user1???ALL=(user2)?/bin/ls??[root@mail?~]#?su?-?user1??[user1@mail?~]$?sudo?-l????We?trust?you?have?received?the?usual?lecture?from?the?local?System??Administrator.?It?usually?boils?down?to?these?three?things:????????#1)?Respect?the?privacy?of?others.??????#2)?Think?before?you?type.??????#3)?With?great?power?comes?great?responsibility.????[sudo]?password?for?user1:???Matching?Defaults?entries?for?user1?on?this?host:??????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin????User?user1?may?run?the?following?commands?on?this?host:??????(user2)?/bin/ls??[user1@mail?~]$?ls?/home/user2??#user1直接查看user2的家目錄肯定是不允許的??ls:?無法打開目錄/home/user2:?權限不夠??[user1@mail?~]$?sudo?-u?user2?ls?/home/user2????#但是sudo以user2的身份查看就可以??a????#這里不能以user2的身份添加用戶，因為user2本身還沒有useradd的權限??#事實上，即使給user2?sudo的添加用戶權限這樣也是不行的，因為user2添加的時候也要sudo的啊??#直接以user2肯定不行，看演示。??[user1@mail?~]$?sudo?-u?user2?useradd?user4?#這時候不能添加??Sorry,?user?user1?is?not?allowed?to?execute?'/usr/sbin/useradd?user4'?as?user2?on?mail.example.com.??[user1@mail?~]$?exit??logout??[root@mail?~]#?visudo?????#添加了這行，給user2?sudo添加用戶的權限，這時候sudo?-u?user2?useradd?user4是否可以呢？不行的！???user2???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd??[root@mail?~]#?su?-?user2??[user2@mail?~]$?sudo?-l????We?trust?you?have?received?the?usual?lecture?from?the?local?System??Administrator.?It?usually?boils?down?to?these?three?things:????????#1)?Respect?the?privacy?of?others.??????#2)?Think?before?you?type.??????#3)?With?great?power?comes?great?responsibility.????[sudo]?password?for?user2:???Matching?Defaults?entries?for?user2?on?this?host:??????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin????User?user2?may?run?the?following?commands?on?this?host:??????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd??[user2@mail?~]$?su?-?user1??密碼：??[user1@mail?~]$?sudo?-u?user2?useradd?user4?#答案在此，不行的！??Sorry,?user?user1?is?not?allowed?to?execute?'/usr/sbin/useradd?user4'?as?user2?on?mail.example.com.??[user1@mail?~]$???#總結下，sudo?-u?用戶名?命令?，當前用戶以某個用戶的身份執行某個命令的時候，必須這個用戶本身不加sudo的情況??#直接能執行的命令，才可以這種方式執行。另外，sudo不加-u，默認以root身份執行????[user1@mail?~]$?exit??logout??[user2@mail?~]$?exit??logout??[root@mail?~]#?visudo???#改動如下：刪除了91，92行，???????88?##?Allow?root?to?run?any?commands?anywhere???????89?root????ALL=(ALL)???????ALL???????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???????91?user1???ALL=(user2)?????/bin/ls?????#刪除???????92?user2???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???#刪除?????????88?##?Allow?root?to?run?any?commands?anywhere???????89?root????ALL=(ALL)???????ALL???????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???????91?ADMIN???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???#新添加?????????20?#?User_Alias?ADMINS?=?jsmith,?mikem???????21??User_Alias?ADMIN?=?user1,?user2????????#新添加???????22???#這里相當于ADMIN為user1，user2的別名，這個別名具有添加用戶的權限，user1和user2也具有這個權限??[root@mail?~]#?su?-?user1??[user1@mail?~]$?sudo?-l??[sudo]?password?for?user1:???Matching?Defaults?entries?for?user1?on?this?host:??????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin????User?user1?may?run?the?following?commands?on?this?host:??????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#可以看到user1有useradd權限??[user1@mail?~]$?su?-?user2??密碼：??[user2@mail?~]$?sudo?-l??[sudo]?password?for?user2:???Matching?Defaults?entries?for?user2?on?this?host:??????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin????User?user2?may?run?the?following?commands?on?this?host:??????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#user2也有??[user2@mail?~]$???
[root@mail?~]#?visudo???
??
#chen為普通用戶，ALL可以從任何的主機登陸，(root)可以以root身份，后面是可以執行的命令，最好寫全路徑??
?????88?##?Allow?root?to?run?any?commands?anywhere??
?????89?root????ALL=(ALL)???????ALL??
?????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd??
?????91?##?Allows?members?of?the?'sys'?group?to?run?networking,?software,??
??
??
[root@mail?~]#?exit??
logout??
[chen@mail?桌面]$?sudo?-l?#查看自己可以執行的sudo命令??
[sudo]?password?for?chen:???#輸入自己的密碼??
Matching?Defaults?entries?for?chen?on?this?host:??
????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??
????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??
????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??
????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??
????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??
????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin??
??
User?chen?may?run?the?following?commands?on?this?host:??
????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#這里看到可以執行的sudo命令??
[chen@mail?桌面]$?sudo?useradd?user3??#測試??
[chen@mail?桌面]$?sudo?passwd?user3??
更改用戶?user3?的密碼?。??
新的?密碼：??
無效的密碼：?過短??
無效的密碼：?過于簡單??
重新輸入新的?密碼：??
passwd：?所有的身份驗證令牌已經成功更新。??
[chen@mail?桌面]$?id?user3????#添加user3成功??
uid=503(user3)?gid=503(user3)?組=503(user3)??
[chen@mail?桌面]$?visudo??#普通用戶不允許編輯??
visudo:?/etc/sudoers:?Permission?denied??
visudo:?/etc/sudoers:?Permission?denied??
[chen@mail?桌面]$?su?-?root?????
密碼：??
[root@mail?~]#?visudo???
[root@mail?~]#?cat?/etc/sudoers?|grep?user1?#編輯增加了下面一行??
user1???ALL=(user2)?/bin/ls??
[root@mail?~]#?su?-?user1??
[user1@mail?~]$?sudo?-l??
??
We?trust?you?have?received?the?usual?lecture?from?the?local?System??
Administrator.?It?usually?boils?down?to?these?three?things:??
??
????#1)?Respect?the?privacy?of?others.??
????#2)?Think?before?you?type.??
????#3)?With?great?power?comes?great?responsibility.??
??
[sudo]?password?for?user1:???
Matching?Defaults?entries?for?user1?on?this?host:??
????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??
????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??
????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??
????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??
????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??
????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin??
??
User?user1?may?run?the?following?commands?on?this?host:??
????(user2)?/bin/ls??
[user1@mail?~]$?ls?/home/user2??#user1直接查看user2的家目錄肯定是不允許的??
ls:?無法打開目錄/home/user2:?權限不夠??
[user1@mail?~]$?sudo?-u?user2?ls?/home/user2????#但是sudo以user2的身份查看就可以??
a??
??
#這里不能以user2的身份添加用戶，因為user2本身還沒有useradd的權限??
#事實上，即使給user2?sudo的添加用戶權限這樣也是不行的，因為user2添加的時候也要sudo的啊??
#直接以user2肯定不行，看演示。??
[user1@mail?~]$?sudo?-u?user2?useradd?user4?#這時候不能添加??
Sorry,?user?user1?is?not?allowed?to?execute?'/usr/sbin/useradd?user4'?as?user2?on?mail.example.com.??
[user1@mail?~]$?exit??
logout??
[root@mail?~]#?visudo?????
#添加了這行，給user2?sudo添加用戶的權限，這時候sudo?-u?user2?useradd?user4是否可以呢？不行的！??
?user2???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd??
[root@mail?~]#?su?-?user2??
[user2@mail?~]$?sudo?-l??
??
We?trust?you?have?received?the?usual?lecture?from?the?local?System??
Administrator.?It?usually?boils?down?to?these?three?things:??
??
????#1)?Respect?the?privacy?of?others.??
????#2)?Think?before?you?type.??
????#3)?With?great?power?comes?great?responsibility.??
??
[sudo]?password?for?user2:???
Matching?Defaults?entries?for?user2?on?this?host:??
????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??
????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??
????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??
????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??
????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??
????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin??
??
User?user2?may?run?the?following?commands?on?this?host:??
????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd??
[user2@mail?~]$?su?-?user1??
密碼：??
[user1@mail?~]$?sudo?-u?user2?useradd?user4?#答案在此，不行的！??
Sorry,?user?user1?is?not?allowed?to?execute?'/usr/sbin/useradd?user4'?as?user2?on?mail.example.com.??
[user1@mail?~]$???
#總結下，sudo?-u?用戶名?命令?，當前用戶以某個用戶的身份執行某個命令的時候，必須這個用戶本身不加sudo的情況??
#直接能執行的命令，才可以這種方式執行。另外，sudo不加-u，默認以root身份執行??
??
[user1@mail?~]$?exit??
logout??
[user2@mail?~]$?exit??
logout??
[root@mail?~]#?visudo???
#改動如下：刪除了91，92行，??
?????88?##?Allow?root?to?run?any?commands?anywhere??
?????89?root????ALL=(ALL)???????ALL??
?????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd??
?????91?user1???ALL=(user2)?????/bin/ls?????#刪除??
?????92?user2???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???#刪除??
??
?????88?##?Allow?root?to?run?any?commands?anywhere??
?????89?root????ALL=(ALL)???????ALL??
?????90?chen????ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd??
?????91?ADMIN???ALL=(root)??????/usr/sbin/useradd,/usr/bin/passwd???#新添加??
??
?????20?#?User_Alias?ADMINS?=?jsmith,?mikem??
?????21??User_Alias?ADMIN?=?user1,?user2????????#新添加??
?????22???
#這里相當于ADMIN為user1，user2的別名，這個別名具有添加用戶的權限，user1和user2也具有這個權限??
[root@mail?~]#?su?-?user1??
[user1@mail?~]$?sudo?-l??
[sudo]?password?for?user1:???
Matching?Defaults?entries?for?user1?on?this?host:??
????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??
????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??
????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??
????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??
????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??
????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin??
??
User?user1?may?run?the?following?commands?on?this?host:??
????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#可以看到user1有useradd權限??
[user1@mail?~]$?su?-?user2??
密碼：??
[user2@mail?~]$?sudo?-l??
[sudo]?password?for?user2:???
Matching?Defaults?entries?for?user2?on?this?host:??
????requiretty,?always_set_home,?env_reset,?env_keep="COLORS?DISPLAY?HOSTNAME??
????HISTSIZE?INPUTRC?KDEDIR?LS_COLORS",?env_keep+="MAIL?PS1?PS2?QTDIR?USERNAME??
????LANG?LC_ADDRESS?LC_CTYPE",?env_keep+="LC_COLLATE?LC_IDENTIFICATION??
????LC_MEASUREMENT?LC_MESSAGES",?env_keep+="LC_MONETARY?LC_NAME?LC_NUMERIC??
????LC_PAPER?LC_TELEPHONE",?env_keep+="LC_TIME?LC_ALL?LANGUAGE?LINGUAS??
????_XKB_CHARSET?XAUTHORITY",?secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin??
??
User?user2?may?run?the?following?commands?on?this?host:??
????(root)?/usr/sbin/useradd,?(root)?/usr/bin/passwd????#user2也有??
[user2@mail?~]$???