sudo
The sudo command allows an authorized user, as listed in the sudoers file, to execute commands as the superuser or as another user.
Syntax: sudo [-u user] command
Options:
-u user   run the command as the given user; defaults to root
-l, -ll   list the commands the user is allowed (and forbidden) to run on this host
-v        extend the password validity by another 5 minutes by refreshing the timestamp
-k        invalidate the timestamp (reset to 1970-01-01); the password must be entered again on the next sudo
-K        like -k, but also deletes the timestamp file
-b        run the command in the background
Look at /etc/sudoers. When configuring sudo it is recommended to keep your own rules in /etc/sudoers.d, in the same format as /etc/sudoers.
[root@CentOS7 ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases # host aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases # user aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases # command aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
# root may run any command as any user on any host
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL # recommended: remove this line
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Authorization syntax: user host=(runas_user) command
Note: the command must be written with the absolute path of the command file, and the arguments given must match the rule exactly.
Why root ALL=(ALL) ALL exists: if root's UID is changed so that root is no longer the superuser, root can still obtain administrator rights and carry out operations through sudo's -u option.
Create sudo configuration files in /etc/sudoers.d; their format is the same as the authorization syntax.
/etc/sudoers is read-only by default. Edit it with the visudo command; the system's default text editor can be changed by setting the variable with export EDITOR=vim.
The visudo command is used to edit or check sudo's configuration files.
[root@CentOS7 sudoers.d]# cat jiangbowen
jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow
[root@CentOS7 sudoers.d]# visudo -c -f jiangbowen # -c checks the syntax, -f specifies the file
jiangbowen: parsed OK
[jiangbowen@CentOS7 ~]$ sudo cat /etc/shadow
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for jiangbowen:
Glob-style wildcards are supported in the configuration file.
Note: if a rule like the following appears in the configuration
jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow*
then that user can append any file name after cat /etc/shadow and read files outside the intended permission.
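A small audit for exactly this pitfall, added here as an example (not code from the original post): it reads sudoers-style rules and flags command specs that contain glob characters or a bare ALL, so that rules like the one above are caught before they reach /etc/sudoers.d. The sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit sudoers-style rules read
# from stdin for command specs that contain glob wildcards (*, ?, [) or a bare
# ALL. A rule such as "/bin/cat /etc/shadow*" grants far more than reading
# /etc/shadow, so such rules deserve a second look. Prints one finding per
# risky rule, then the number of findings on the last line.
audit_sudoers_rules() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|*_Alias*) continue ;;   # blank, comment/#includedir, Defaults, alias lines
        esac
        cmds=${line#*=}             # keep what follows "host="
        cmds=${cmds#"("*")"}        # drop the "(runas)" group, if present
        case " $cmds" in
            *'*'*|*'?'*|*'['*)           printf 'GLOB %s\n' "$line"; n=$((n + 1)) ;;
            *' ALL'|*' ALL '*|*' ALL,'*)  printf 'ALL  %s\n' "$line"; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample rules (not a real sudoers file) for running the audit offline.
sample_sudoers_rules() {
    cat <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
jiangbowen 192.168.30.75=(root) /bin/cat /etc/shadow*
ops ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
backup ALL=(root) /usr/bin/rsync -a /srv/[a-z]* /backup/
#includedir /etc/sudoers.d
EOF
}

sample_sudoers_rules | audit_sudoers_rules    # 2 GLOB findings, 1 ALL finding, then 3
```

Run it against real drop-ins with `audit_sudoers_rules < /etc/sudoers.d/jiangbowen`; it complements `visudo -c`, which only checks syntax, not how broad a rule is.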
Timestamp files are stored in /var/run/sudo/ts on CentOS 7 and in /var/db/sudo on CentOS 6. By default the granted permission is kept for 5 minutes; after 5 minutes the user's identity is verified again.
[root@CentOS7 sudo]# cd /var/run/sudo/ts
[root@CentOS7 ts]# ll
total 4
-rw-------. 1 root jiangbowen 80 May 25 04:22 jiangbowen # jiangbowen will have to re-enter the password when using sudo after 04:27
Check sudo's log file, /var/log/secure
[root@CentOS7 ts]# cat /var/log/secure | tail
May 25 04:16:59 CentOS7 su: pam_unix(su-l:session): session opened for user jiangbowen by root(uid=0)
May 25 04:17:10 CentOS7 su: pam_unix(su-l:session): session closed for user jiangbowen
May 25 04:21:14 CentOS7 su: pam_unix(su-l:session): session opened for user jiangbowen by root(uid=0)
May 25 04:21:57 CentOS7 unix_chkpwd[11231]: password check failed for user (jiangbowen)
May 25 04:21:57 CentOS7 sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=jiangbowen rhost= user=jiangbowen
May 25 04:22:00 CentOS7 sudo: pam_unix(sudo:auth): conversation failed
May 25 04:22:00 CentOS7 sudo: pam_unix(sudo:auth): auth could not identify password for [jiangbowen]
May 25 04:22:02 CentOS7 sudo: jiangbowen : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/jiangbowen ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 25 04:22:09 CentOS7 sudo: jiangbowen : TTY=pts/0 ; PWD=/home/jiangbowen ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 25 04:26:06 CentOS7 su: pam_unix(su-l:session): session closed for user jiangbowen
Aliases
sudo has four types of alias: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias (case-sensitive).
Syntax: alias_type NAME1 = item1,item2,item3... : NAME2 = item1,item2,item3...
User_Alias Name1 = user1,#uid2: Name2 = user3,#uid4
Host_Alias Name2=www.jiangbowen.com.cn,192.168.30.74/24
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk
PAM authentication
PAM provides a central mechanism for authenticating all services. It applies to programs such as login, remote logins (telnet, rlogin, fsh, ftp, the point-to-point protocol (PPP)), su and others. The system administrator sets different authentication policies for different applications through the PAM configuration files; application developers call the authentication methods by using the PAM API (pam_xxxx()) in their service programs; developers of PAM service modules use the PAM SPI to write modules (mainly by exporting functions pam_sm_xxxx() for the PAM library to call), adding different authentication mechanisms to the system; and the PAM library (libpam) reads the configuration files and connects each application with the corresponding PAM service modules.
Basic architecture of PAM
[root@CentOS7 ts]# cd /etc/security/
[root@CentOS7 security]# ll
total 52
-rw-r--r--. 1 root root 4564 Apr 11 11:21 access.conf
-rw-r--r--. 1 root root 82 Apr 11 11:21 chroot.conf
drwxr-xr-x. 2 root root 69 May 23 01:15 console.apps
-rw-r--r--. 1 root root 604 Apr 11 11:21 console.handlers
-rw-r--r--. 1 root root 939 Apr 11 11:21 console.perms
drwxr-xr-x. 2 root root 6 Apr 11 11:21 console.perms.d
-rw-r--r--. 1 root root 3635 Apr 11 11:22 group.conf
-rw-r--r--. 1 root root 2422 Apr 11 11:22 limits.conf
drwxr-xr-x. 2 root root 27 May 23 01:11 limits.d
-rw-r--r--. 1 root root 1440 Apr 11 11:22 namespace.conf
drwxr-xr-x. 2 root root 6 Apr 11 11:22 namespace.d
-rwxr-xr-x. 1 root root 1019 Apr 11 11:22 namespace.init
-rw-------. 1 root root 0 Apr 11 11:22 opasswd
-rw-r--r--. 1 root root 2972 Apr 11 11:21 pam_env.conf
-rw-r--r--. 1 root root 1718 Dec 7 2011 pwquality.conf
-rw-r--r--. 1 root root 419 Apr 11 11:22 sepermit.conf
-rw-r--r--. 1 root root 2179 Apr 11 11:22 time.conf
PAM module files are stored in /lib64/security/.
Each program's PAM configuration file is stored in /etc/pam.d/. The generic configuration file, /etc/pam.conf, does not exist by default.
How PAM works
PAM authentication first determines which service is involved, then loads that service's PAM configuration file (from /etc/pam.d), and finally calls the authentication modules (from /lib/security) to perform the security checks.
Viewing a program's PAM configuration file
[root@CentOS7 pam.d]# cat passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
password substack postlogin
Syntax: module_type control module_path [arguments]
Module types:
Auth: authentication and authorization of the account
Account: non-authentication functions related to account management, e.g. restricting or allowing a user's access to a service by time of day, by the system resources currently available (at most how many users), or by the user's location (e.g. root may only log in from the console)
Password: functions used when a user changes their password, such as password-complexity checks
Session: additional actions performed before the user obtains the service or after the service is finished, e.g. logging open/close information, monitoring directories
-[module type]: a leading - means that a module which cannot be loaded because it is missing is not reported in the system log; useful for modules that are not always installed on the system
Control:
required: a veto. The module must return success for authentication to pass, but if it fails the failure is not reported to the user immediately: the remaining modules of the same type are still executed, and the failure is returned to the application only afterwards. A necessary condition.
requisite: a veto. The module must return success for authentication to pass, but as soon as it fails no further module of the same type is executed and control returns to the application immediately. Also a necessary condition.
sufficient: a single pass. If the module returns success, the authentication requirement is satisfied and no further module of the same type needs to run; if the module fails, the failure is ignored. A sufficient condition.
optional: the module is optional; its success or failure does not decide authentication, and its return value is generally ignored.
include: pulls in the configuration defined in another configuration file.
Note: changes to PAM configuration files take effect immediately, so when editing PAM rules keep at least one root session open, in case root authentication breaks.
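The four controls interact in ways that are easy to get wrong, so here is an added model (not from the original post, and a simplification of libpam) that evaluates a stack of control:result pairs exactly as the rules above describe; the last two calls replay the su stack shown later on this page, with pam_shells.so placed before the sufficient pam_rootok.so.

```shell
#!/bin/sh
# Added example (not from the original post): a small model of how PAM
# combines the results of the modules in one type stack under the required,
# requisite, sufficient and optional controls described above.
# Each argument is "control:result", in stack order, where result is ok or fail.
# Prints PASS or FAIL for the whole stack.
pam_stack() {
    final=PASS                     # a required failure is remembered here
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        case "$control:$result" in
            required:fail)
                final=FAIL ;;      # keep running the rest of the stack
            requisite:fail)
                echo FAIL; return 0 ;;   # stop at once, hand control back
            sufficient:ok)
                # enough on its own, unless an earlier required module failed
                if [ "$final" = PASS ]; then echo PASS; return 0; fi ;;
            sufficient:fail|optional:*|required:ok|requisite:ok)
                ;;                 # no effect on the outcome
            *)
                echo "bad entry: $entry" >&2; return 2 ;;
        esac
    done
    echo "$final"
}

# The su stack from this page with pam_shells.so first: a user whose shell is
# not in /etc/shells fails the required module, so the sufficient pam_rootok.so
# that follows can no longer let root through without a password.
pam_stack required:fail sufficient:ok required:ok    # prints FAIL
pam_stack required:ok   sufficient:ok required:ok    # prints PASS
```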
Commonly used PAM modules
[root@CentOS7 ~]# ls /lib64/security/ # list all PAM modules on this system
pam_access.so pam_echo.so pam_fprintd.so pam_lastlog.so pam_motd.so pam_pwquality.so pam_shells.so pam_timestamp.so pam_unix.so
pam_cap.so pam_env.so pam_ftp.so pam_limits.so pam_namespace.so pam_rhosts.so pam_sss.so pam_tty_audit.so pam_userdb.so
pam_chroot.so pam_exec.so pam_gdm.so pam_listfile.so pam_nologin.so pam_rootok.so pam_stress.so pam_umask.so pam_warn.so
pam_console.so pam_faildelay.so pam_gnome_keyring.so pam_localuser.so pam_oddjob_mkhomedir.so pam_securetty.so pam_succeed_if.so pam_unix_acct.so pam_wheel.so
pam_cracklib.so pam_faillock.so pam_group.so pam_loginuid.so pam_permit.so pam_selinux_permit.so pam_systemd.so pam_unix_auth.so pam_xauth.so
pam_debug.so pam_filter pam_issue.so pam_mail.so pam_postgresok.so pam_selinux.so pam_tally2.so pam_unix_passwd.so
pam_deny.so pam_filter.so pam_keyinit.so pam_mkhomedir.so pam_pwhistory.so pam_sepermit.so pam_time.so pam_unix_session.so
The pam_shells.so module checks the user's shell; any shell not listed in /etc/shells fails authentication.
[root@CentOS7 ~]# grep pam_shells.so /etc/pam.d/* # find the programs that use pam_shells.so
/etc/pam.d/vmtoolsd:auth required pam_shells.so
/etc/pam.d/vmtoolsd:account required pam_shells.so
Adding the pam_shells.so module to the su program
[root@CentOS7 pam.d]# cat su
#%PAM-1.0
auth required pam_shells.so # put pam_shells.so on the first line so it is checked first
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
After deleting the /bin/csh line from /etc/shells, use su to switch to a user whose shell is csh
[root@CentOS7 pam.d]# cat /etc/shells # /bin/csh is not in the file
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/tcsh
[root@CentOS7 pam.d]# usermod -s /bin/csh jiangbowen # change user jiangbowen's login shell to csh
[root@CentOS7 pam.d]# su - jiangbowen # with su, jiangbowen can no longer log in
Password:
su: Authentication failure
[root@CentOS7 pam.d]# echo /bin/csh >> /etc/shells # add /bin/csh to the file
[root@CentOS7 pam.d]# su - jiangbowen # switching to the csh user now succeeds
Last login: Fri May 25 04:21:14 CST 2018 on pts/0
Last failed login: Sat May 26 03:49:20 CST 2018 on pts/0
There was 1 failed login attempt since the last successful login.
[jiangbowen@CentOS7 ~]$
The pam_securetty.so module restricts root logins to the terminals listed in /etc/securetty.
[root@CentOS7 pam.d]# grep pam_securetty.so /etc/pam.d/*
/etc/pam.d/login:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/pam.d/remote:auth required pam_securetty.so
Looking at /etc/securetty, there are no pts-type terminals in it.
[root@CentOS7 pam.d]# telnet 192.168.30.75 # log in as root via telnet
Trying 192.168.30.75...
Connected to 192.168.30.75.
Escape character is '^]'.
Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: root
Password:
Login incorrect # login fails
[root@CentOS7 pam.d]# echo pts/1 >> /etc/securetty # add pts-type terminals to /etc/securetty
[root@CentOS7 pam.d]# echo pts/2 >> /etc/securetty
[root@CentOS7 pam.d]# echo pts/3 >> /etc/securetty
[root@CentOS7 pam.d]# telnet 192.168.30.75
Trying 192.168.30.75...
Connected to 192.168.30.75.
Escape character is '^]'.
Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: root # log in as root
Password:
Last failed login: Sat May 26 04:09:44 CST 2018 from ::ffff:192.168.30.75 on pts/1
There were 5 failed login attempts since the last successful login.
Last login: Fri May 25 17:24:52 from 192.168.30.1 # login succeeds
The pam_nologin.so module checks whether /etc/nologin exists; if it does, non-root users cannot log in, and the contents of /etc/nologin are displayed to them.
[root@CentOS7 pam.d]# grep pam_nologin.so /etc/pam.d/* # find the programs that use pam_nologin.so
/etc/pam.d/gdm-autologin:account required pam_nologin.so
/etc/pam.d/gdm-fingerprint:account required pam_nologin.so
/etc/pam.d/gdm-password:account required pam_nologin.so
/etc/pam.d/gdm-pin:account required pam_nologin.so
/etc/pam.d/gdm-smartcard:account required pam_nologin.so
/etc/pam.d/login:account required pam_nologin.so
/etc/pam.d/pluto:account required pam_nologin.so
/etc/pam.d/ppp:account required pam_nologin.so
/etc/pam.d/remote:account required pam_nologin.so
/etc/pam.d/sshd:account required pam_nologin.so
[root@CentOS7 pam.d]# echo "I don't welcome you here" > /etc/nologin # create the /etc/nologin file
[root@CentOS7 pam.d]# cat /etc/nologin # show the contents of /etc/nologin
I don't welcome you here
The pam_limits.so module enforces limits on the resources available to a user.
[root@CentOS7 pam.d]# grep pam_limits.so /etc/pam.d/*
/etc/pam.d/fingerprint-auth:session required pam_limits.so
/etc/pam.d/fingerprint-auth-ac:session required pam_limits.so
/etc/pam.d/password-auth:session required pam_limits.so
/etc/pam.d/password-auth-ac:session required pam_limits.so
/etc/pam.d/runuser:session required pam_limits.so
/etc/pam.d/smartcard-auth:session required pam_limits.so
/etc/pam.d/smartcard-auth-ac:session required pam_limits.so
/etc/pam.d/sudo:session required pam_limits.so
/etc/pam.d/sudo-i:session required pam_limits.so
/etc/pam.d/system-auth:session required pam_limits.so
/etc/pam.d/system-auth-ac:session required pam_limits.so
Per-user resource limits are set in pam_limits.so's configuration file, /etc/security/limits.conf.
Syntax: domain type item value
Domain: UserName for a single user; @GroupName for a group; * for all users
Type: soft, a soft limit that the user may adjust; hard, a hard limit that the user cannot raise; -, sets both at once
Item: nofile, the maximum number of files that may be open at the same time, default 1024
nproc, the maximum number of processes that may run at the same time, default 1024 ... (see the official documentation for the full list)
User resource limits can also be set with the ulimit command.
View the current limits:
[root@CentOS7 pam.d]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 5438
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024 # the current maximum number of open files is the default, 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 5438
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Use the ab tool to open 1025 concurrent connections to 192.168.30.75
[root@CentOS7 pam.d]# ab -c 1025 -n 2000 http://192.168.30.75/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.30.75 (be patient)
socket: Too many open files (24) # creating sockets fails: too many open files
Adjust the number of open files with the -n option
[root@CentOS7 pam.d]# ulimit -n 1200 # raise the maximum number of open files to 1200
[root@CentOS7 pam.d]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 5438
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1200 # adjusted successfully
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 5438
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
[root@CentOS7 pam.d]# ab -c 1025 -n 2000 http://192.168.30.75/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.30.75 (be patient) # connections succeed
Completed 200 requests
Completed 400 requests
Completed 600 requests
Completed 800 requests
Completed 1000 requests
Completed 1200 requests
Completed 1400 requests
Completed 1600 requests
System resources that pam_limits.so can restrict, and the corresponding ulimit command options