3.7su命令
su命令用来切换用户,比如在root用户下,我想切换到lhy01用户下就可以使用这个命令。
[root@localhost ~]# whoami
root
[root@localhost ~]# su - lhy01
Last login: Tue Jun 12 19:30:32 CST 2018 on pts/0
[lhy01@localhost ~]$ whoami
lhy01
su后面的的-选项(-l,--login)的意思是完全切换到目标用户下,加载目标用户家目录下的配置文件。
[lhy01@localhost ~]$ logout
[root@localhost ~]# su lhy01
[lhy01@localhost root]$ ls
ls: cannot open directory .: Permission denied
[lhy01@localhost root]$ pwd
/root
如果不使用-选项,是不会切换目录的。
-c选项可以以目标用户的身份执行某些命令。
[root@localhost ~]#
[root@localhost ~]# su - -c "touch /tmp/lhy01_su.111" lhy01
[root@localhost ~]# ls /tmp/lhy01_su.111 -lt
-rw-rw-r--. 1 lhy01 lhy01 0 Jun 14 13:00 /tmp/lhy01_su.111su切换用户之后也可以再次切换用户
[root@localhost ~]# su - lhy01
Last login: Thu Jun 14 13:01:32 CST 2018 on pts/0
[lhy01@localhost ~]$ id
uid=1000(lhy01) gid=1000(lhy01) groups=1000(lhy01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[lhy01@localhost ~]$ su - lhy05
Password:
Last failed login: Tue Jun 12 19:22:41 CST 2018 on pts/0
There was 1 failed login attempt since the last successful login.
su: warning: cannot change directory to /home/lhy05: No such file or directory
-bash-4.2$ 最后前缀变成了-bash-4.2$ 是因为之前创建lhy05用户的时候是没有创建家目录的,导致其配置文件无法加载,前缀就显示成bash了。
[root@localhost ~]# ls /home/
lhy01 lhy02 lhy03 lhy06 lhy07 lhy111
[root@localhost ~]# cat /etc/passwd | grep lhy05
lhy05:x:1011:1011::/home/lhy05:/bin/bash
下列方法可以自主创建,复制/etc/skel/目录下的模板配置文件并更改属主属组即可。
[root@localhost ~]# id lhy05
uid=1011(lhy05) gid=1011(lhy05) groups=1011(lhy05)
[root@localhost ~]# mkdir /home/lhy05
[root@localhost ~]# chown lhy05.lhy05 /home/lhy05
[root@localhost ~]# ll -d /home/lhy05
drwxr-xr-x. 2 lhy05 lhy05 6 Jun 14 13:06 /home/lhy05
[root@localhost ~]# cp /etc/skel/.bash* /home/lhy05/
[root@localhost ~]# chown lhy05.lhy05 /home/lhy05 -R
[root@localhost ~]# su - lhy05
Last login: Thu Jun 14 13:02:39 CST 2018 on pts/0
[lhy05@localhost ~]$
[lhy05@localhost ~]$ 普通用户su到root用户,只要知道root密码即可。
[root@localhost ~]# su - lhy05
Last login: Thu Jun 14 13:10:52 CST 2018 on pts/0
[lhy05@localhost ~]$ su -
Password:
Last login: Thu Jun 14 13:11:08 CST 2018 from 192.168.16.1 on pts/0
[root@localhost ~]#
root用户切换到别的用户是不需要密码的。
3.8sudo命令
当希望某些普通用户可以执行root用户才能执行的命令的时候,并不希望普通用户可以知道root的密码,这时候就可以用到sudo命令。可以想想为什么set_uid和set_gid不能完成这个任务。
sudo命令可以让其他用户临时拥有目标用户权限去执行某一条命令。
首先看一下配置文件(比较重要的文件,不推荐vi打开/etc/sudoers,可以使用visudo命令(打开的是/etc/sudoers.tmp),visudo命令会检查语法错误)。
[root@localhost ~]# visudo
>>> /etc/sudoers: syntax error near line 93 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
What now?
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
上述是配置文件中最核心的部分,意思就是允许root用户在任何目录下执行任何命令,关于每一部分的含义可以参考下述引用。
https://www.garron.me/en/linux/visudo-command-sudoers-file-sudo-default-editor.html
You can also create aliases for: users -> User_Alias, run commands as other users -> Runas_Alias, host -> Host_Alias and command -> Cmnd_Alias
User_Alias OPERATORS = joe, mike, jude Runas_Alias OP = root, operator Host_Alias OFNET = 10.1.2.0/255.255.255.0 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprmAs you can see the alias OPERATORS includes the users joe, mike and jude, the alias OP includes the users root and operator, alias OFNET includes the network 10.1.2.0 (all the C class), and the command alias PRINTING includes the commands lpc and lprm.
So, a typical sudoers file may look like this:
User_Alias OPERATORS = joe, mike, jude Runas_Alias OP = root, operator Host_Alias OFNET = 10.1.2.0/255.255.255.0 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm OPERATORS ALL=ALL #The users in the OPERATORS group can run any command from any terminal. linus ALL=(OP) ALL # The user linus can run any command from any terminal as any user in the OP group (root or operator). user2 OFNET=(ALL) ALL # user user2 may run any command from any machine in the OFNET network, as any user. user3 ALL= PRINTING # user user3 may run lpc and lprm from any machine. go2linux ALL=(ALL) ALL # user go2linux may run any command from any machine acting as any user. (like Ubuntu)
如果想让用户lhy01临时拥有root权限去执行ls,mv,cat命令,可以添加一行
#(命令必须是绝对路径)
lhy01 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat这样使用sudo命令就能够拥有root权限执行ls,mv,cat了/
[root@localhost ~]# su - lhy01
Last login: Thu Jun 14 13:37:10 CST 2018 on pts/0
[lhy01@localhost ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[lhy01@localhost ~]$ sudo ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for lhy01:
anaconda-ks.cfg xxx
[lhy01@localhost ~]$ cat /root/xxx
cat: /root/xxx: Permission denied
[lhy01@localhost ~]$ sudo cat /root/xxx
u0dL"c4nX
K99L%ywto
=lLVi0lt9
[lhy01@localhost ~]$
#因为本身是没有权限的查看/root目录的,所以即使用了sudo命令你也不能够tab补全文件名。
这样就不需要给普通用户root的密码了。
使用sudo命令的时候,不需要root密码,但是反而要确认当前用户的密码,有时候为了避免麻烦也可以在配置文件里这样更改。
lhy05 ALL=(ALL) NOPASSWD:/usr/bin/ls, /usr/bin/mv, /usr/bin/cat其他还有一些alias的设置,比如Host_Alias,User_Alias,Cmnd_Alias。使用这三个关键字可以给一系列的主机、用户、命令设置别名,例如
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = jsmith, mikem
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool针对用户组也可以设置sudo权限。
使用的语法和用户相同,使用%标记它的组名即可。
%wheel ALL=(ALL) ALL
#最后,可以使用export VISUAL=vim来改变默认的visudo的编辑器。
3.9限制root远程登录
在配置文件/etc/ssh/sshd_config中,打开PermitRootLogin选项即可(删掉'#'),改完配置文件重新启动服务即可。
[root@localhost ~]$ vim /etc/ssh/sshd_config
........
#PermitRootLogin no
..........
[root@localhost ~]# systemctl restart sshd.service
这一节讲解普通用户使用sudo命令在不输入密码的情况下,切换到root用户。
利用的知识点是sudo和root下的su不输入密码。
首先在visudo中,创建一个用户组别名,它包括了你希望的用户。之后添加一段配置即可。
User_Alias ROOTLOGIN = lhy01, lhy02, lhy05
ROOTLOGIN ALL=(ALL) NOPASSWD: /usr/bin/su
结果如下
[root@localhost ~]# su - lhy06
Last login: Tue Jun 12 19:22:18 CST 2018 on pts/0
[lhy06@localhost ~]$ su -
Password:
[lhy06@localhost ~]$ logout
[lhy05@localhost ~]$ sudo su -
Last login: Thu Jun 14 14:25:04 CST 2018 on pts/0
[root@localhost ~]#
下列补充链接:
sudo与su比较 http://www.apelearn.com/bbs/thread-7467-1-1.html
sudo配置文件样例 http://www.opensource.apple.com/source/sudo/sudo-16/sudo/sample.sudoers
sudo不错的教程 http://www.jianshu.com/p/51338e41abb7
sudo -i 也可以登录到root吗? http://www.apelearn.com/bbs/thread-6899-1-1.html
392
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
