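Sometimes an ordinary user needs superuser privileges to run certain commands, such as mount, but you do not want to expose every command to that user. In that case you need to customize sudo.
Configuration file
Only the customization part is covered here; for more detail, see the detailed guide to sudo and its configuration file.
Customization relies on the following options: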
Host_Alias
Cmnd_Alias
User_Alias
Runas_Alias
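- Configure Host_Alias: the list of hosts (the local machine's IP address may be used)
    Host_Alias HOST_FLAG = hostname1, hostname2, hostname3
- Configure Cmnd_Alias: the list of commands that may be executed
    Cmnd_Alias COMMAND_FLAG = command1, command2, command3
- Configure User_Alias: the list of users who have sudo privileges
    User_Alias USER_FLAG = user1, user2, user3
- Configure Runas_Alias: the list of identities the user runs the commands as (for example root or oracle)
    Runas_Alias RUNAS_FLAG = operator1, operator2, operator3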
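HOST_FLAG, COMMAND_FLAG, USER_FLAG and RUNAS_FLAG are names you choose yourself; think of them as variables you define, which are used below.
A privilege rule has the following format:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG
If password verification is not required, use this format instead:
USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
A sample configuration follows: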
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
Host_Alias HOST_FLAG = 172.17.0.2
# User alias specification
User_Alias USER_FLAG = gdy
Runas_Alias RUNAS_FLAG = root
# Cmnd alias specification
# No arguments are listed here, so sudo accepts any arguments to these commands
Cmnd_Alias COMMAND_FLAG = /bin/mount,/bin/umount
# User privilege specification
root ALL=(ALL:ALL) ALL
# gdy may run mount and umount as root on host 172.17.0.2 (password required, NOPASSWD is not set)
USER_FLAG HOST_FLAG=(RUNAS_FLAG) COMMAND_FLAG
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
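
To review what rules in this format actually grant, the following added example (not part of the original article) expands the aliases and reports, per rule, the users, hosts, run-as identities, whether NOPASSWD is set, and which commands have no arguments pinned. It is a simplified reader for single-line aliases and rules only; the function names and the sample text (built from the page's values, with NOPASSWD added) are this example's own.

```python
import re

# Constructed sample in the page's format (values from the page, NOPASSWD added).
SAMPLE = """\
Host_Alias HOST_FLAG = 172.17.0.2
User_Alias USER_FLAG = gdy
Runas_Alias RUNAS_FLAG = root
Cmnd_Alias COMMAND_FLAG = /bin/mount,/bin/umount
root ALL=(ALL:ALL) ALL
USER_FLAG HOST_FLAG=(RUNAS_FLAG) NOPASSWD: COMMAND_FLAG
"""

ALIAS_RE = re.compile(r"^(Host|User|Runas|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def expand(names, table):
    """Replace alias names with their members; other entries pass through."""
    return [m for n in names for m in table.get(n, [n])]

def effective_grants(sudoers_text):
    aliases = {"Host": {}, "User": {}, "Runas": {}, "Cmnd": {}}
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = split_list(m.group(3))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groups())
    grants = []  # aliases are resolved after the whole text has been read
    for user, host, runas, nopasswd, cmds in rules:
        commands = expand(split_list(cmds), aliases["Cmnd"])
        grants.append({
            "users": expand([user], aliases["User"]),
            "hosts": expand([host], aliases["Host"]),
            "runas": expand(split_list(runas), aliases["Runas"]),
            "nopasswd": nopasswd is not None,
            "commands": commands,
            # A path with no arguments listed accepts any arguments.
            "any_args": [c for c in commands if c.startswith("/") and " " not in c],
        })
    return grants
```

Entries in `any_args` combined with `nopasswd` being true are the rules to review first; before installing any change, check the file itself with `visudo -c`.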