3.7 su命令

·        su 只切换用户身份(权限随之变为目标用户的权限),但不切换当前工作目录以及 HOME、SHELL、USER、LOGNAME 等环境变量;下面的 pwd 仍显示 /root 即为此证。

[root@24centos7-01~]# su vitus

[vitus@24centos7-01root]$ pwd

/root

·        su -、su -l、su --login 命令改变身份时,也同时变更工作目录,以及 HOME、SHELL、USER、LOGNAME。此外,也会变更 PATH 变量

[root@24centos7-01~]# su - vitus

上一次登录:四 10 26 20:09:48 CST 2689pxs/0

[vitus@24centos7-01~]$ pwd

/home/vitus

·        su - -c 以指定用户的身份去执行命令

[root@24centos7-01~]# su - -c "touch /tmp/vitus.txt" vitus

[root@24centos7-01~]# ls -l /tmp/

总用量 1

-rw-rw-r-- 1 vitus vitus  0 10 26 21:31 vitus.txt

 

·        root 切换至其它普通用户时无需密码,普通用户切换至其他用户时需要输入目标用户的密码

3.8 sudo 命令:让普通用户临时以 root 身份执行某些操作,避免将 root 用户的密码分发给过多员工

·        visudo 打开 sudoers 配置文件(/etc/sudoers);应使用 visudo 而非直接编辑,因为它会在保存时检查语法,避免写坏文件后无法再使用 sudo

[root@24centos7-01~]# visudo

 

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## This file must be edited with the 'visudo' command.

 

## Host Aliases     --主机别名授权

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

#Host_Alias     FILESERVERS = fs1, fs2

#Host_Alias     MAILSERVERS = smtp, smtp2

 

## User Aliases     --用户别名授权

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

#User_Alias ADMINS = jsmith, mikem

 

 

## Command Aliases

## These are groups of related commands...

 

## Networking

 

## Installation and management of software

#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

 

## Services

 

## Updating the locate database

#Cmnd_Alias LOCATE = /usr/bin/updatedb

 

## Storage

#Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

 

## Delegating permissions

#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

 

## Processes

#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

 

## Drivers

#Cmnd_Alias DRIVERS = /sbin/modprobe

 

# Defaults specification

 

#

# Refuse to run if unable to disable echo on the tty.

#

Defaults   !visiblepw

 

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults    always_set_home

 

Defaults    env_reset

Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

 

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

#Defaults   env_keep += "HOME"

 

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

 

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

##      user   MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root    ALL=(ALL)       ALL                                         --允许root用户在任何地方运行所有的命令

vitus   ALL=(ALL)       /usr/bin/ls, /usr/bin/mv, /usr/bin/cat     --为普通用户添加 ls、mv、cat 的 sudo 权限(注意:能以 root 身份执行 mv、cat 已接近完整的 root 权限,此处仅作演示)

 

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

 

## Allows people in group wheel to run all commands

%wheel  ALL=(ALL)       ALL                                         --group成员添加权限

 

## Same thing without a password

#%wheel        ALL=(ALL)       NOPASSWD: ALL

 

## Allows members of the users group to mount and unmount the

## cdrom as root

#%users  ALL=/sbin/mount /mnt/cdrom,/sbin/umount /mnt/cdrom

 

## Allows members of the users group to shutdown this system

#%users  localhost=/sbin/shutdown -h now

 

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

 

·        测试普通用户 vitus 是否可以通过 sudo 使用 ls、mv、cat

[root@24centos7-01~]# su - vitus

上一次登录:四 10 26 21:50:40 CST 2689pxs/0

[vitus@24centos7-01~]$ ls /root/

ls: 无法打开目录/root/: 权限不够

[vitus@24centos7-01~]$ sudo ls /root/

[sudo] password for vitus:

anaconda-ks.cfg  showtime.txt test

[vitus@24centos7-01~]$ mv /root/showtime.txt /root/showtime_1.txt

mv: failed to access "/root/showtime_1.txt": 权限不够

[vitus@24centos7-01~]$ sudo mv /root/showtime.txt /root/showtime_1.txt

[vitus@24centos7-01~]$ sudo ls /root/

anaconda-ks.cfg  showtime_1.txt  test

[vitus@24centos7-01~]$ sudo mv /root/showtime_1.txt /root/showtime.txt

[vitus@24centos7-01~]$ cat /root/showtime.txt

cat: /root/showtime.txt: 权限不够

[vitus@24centos7-01~]$ sudo cat /root/showtime.txt

linux

learninglinux

 

3.9 限制root远程登录

1.修改 /etc/ssh/sshd_config 配置文件,将 #PermitRootLogin yes 改为 PermitRootLogin no(建议先确认普通用户能够登录并可通过 sudo 提权,再重启 sshd,以免把自己锁在系统外)

[root@24centos7-01~]# vim /etc/ssh/sshd_config

#PermitRootLogin yes    --将其修改:去掉注释 #,将 yes 改为 no,保存退出

 

[root@24centos7-01~]# systemctl restart sshd.service   --重启ssh服务

 

login as: root

root@10.0.0.26's password:

Access denied

root@10.0.0.26's password:

Access denied

root@10.0.0.26's password:              --这时使用密码无法登录 root

 

2.通过 visudo 修改 sudoers,添加下面一行(注意:对 /bin/su、/bin/sudo 授予 NOPASSWD 等价于让 vitus 无需任何密码即可获得 root,因此 vitus 账号的登录凭据必须受到与 root 同等的保护)

vitus   ALL=(ALL)       NOPASSWD: /bin/su, /bin/sudo

3.使用普通用户登录,然后通过 sudo su - root 切换至 root 用户

[vitus@24centos7-01~]$ sudo su - root

上一次登录:四 10 26 22:37:43 CST 2689pxs/0

[root@24centos7-01~]# whoami

root