3. 收回root 账号, 新建管理员账号

笔者认为,安装完linux 系统之后, 应该第一时间创建管理员用户,尽量避免使用root用户进行操作,这主要是因为root 用户权限过大, 如果不小心执行了一个 rm -rf / 的操作, 那么整个系统就崩溃了. 尤其是在工作中, 大家技术参差不齐, 更应该把root账户收回,为每个人建立起独立的账户.

1. 新建管理员用户

1.1 创建管理员用户admin, 并添加到root 组

[root@localhost ~]# useradd admin

1.2 设置密码

[root@localhost ~]# passwd admin
Changing password for user admin.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

1.3 将admin 添加到 root 组中

[root@localhost ~]# usermod -aG root admin

1.4 查看管理员账号

[root@localhost ~]# id admin
uid=500(admin) gid=500(admin) groups=500(admin),0(root)

2. 修改分区权限

[root@localhost ~]# chmod 775 /opt/ /usr/etc /usr/local/ /var/data /var/logs /var/run
[root@localhost ~]# ll -d /opt/ /usr/etc /usr/local/ /var/data /var/logs /var/run
drwxrwxr-x. 7 root root 4096 May 21 06:43 /opt/
drwxrwxr-x. 2 root root 4096 Sep 23 2011 /usr/etc
drwxrwxr-x. 13 root root 4096 May 21 04:50 /usr/local/
drwxrwxr-x. 5 root root 4096 May 21 07:20 /var/data
drwxrwxr-x. 4 root root 4096 May 21 07:24 /var/logs
drwxrwxr-x. 21 root root 4096 May 22 22:13 /var/run

3. 修改sudo 文件

[root@localhost ~]# visudo

## Sudoers allows particular users to run various commands as  
## the root user, without needing the root password.  
## 
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool 

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum 

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig 

## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
admin ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
%root ALL=/bin/mount, /bin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

4. 测试

4.1 使用admin 用户登录服务器,查看防火墙状态

默认情况下, admin 是不能执行 service命令的, 纵使dmin 添加到了root 组中.

[admin@localhost ~]$ service iptables status
iptables: Only usable by root.

4.2 使用 sudo 命令查看

第一次使用sudo 时,需要输入 admin 密码, 此时就可以使用service 命令了

[admin@localhost ~]$ sudo service iptables status
[sudo] password for admin:
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[admin@localhost ~]$

转载于:https://my.oschina.net/zongf/blog/906908