3.7 su命令

[root@localhost ~]# su - lsx //加上 - 表示以登录 shell 方式切换:进入目标用户的家目录并加载其 profile 环境

 

[root@localhost ~]# su - -c "touch /tmp/lsx.txt" lsx //以指定用户的身份执行命令

[root@localhost ~]# su - lsx -c "touch /tmp/lsx.txt" //以指定用户的身份执行命令

 

[root@localhost ~]# ll /tmp/

-rw-rw-r--. 1 lsx   lsx     0 1021 11:56 lsx.txt

 

[root@localhost user6]# su - user8

su: 警告:无法更改到 /home/user8 目录: 没有那个文件或目录

-bash-4.2$   //因为家目录不存在,家目录里的 .bash_profile、.bashrc 等文件也就无法加载,所以提示符是裸的 bash

[root@localhost ~]# mkdir /home/user8

[root@localhost ~]# chown user8:user8 /home/user8

[root@localhost ~]# ls -la /etc/skel/

drwxr-xr-x.  2 root root   59 1015 22:36 .

drwxr-xr-x. 73 root root 8192 1021 12:09 ..

-rw-r--r--.  1 root root   18 6月  10 2014 .bash_logout

-rw-r--r--.  1 root root  193 6月  10 2014 .bash_profile

-rw-r--r--.  1 root root  231 6月  10 2014 .bashrc

[root@localhost ~]# cp /etc/skel/.bash* /home/user8

[root@localhost ~]# chown user8:user8 /home/user8 -R

[root@localhost ~]# su - user8

上一次登录:六 1021 12:13:33 CST 2689pxs/0

[user8@localhost ~]$

 

3.8 sudo命令

sudo:让普通用户以指定身份(一般是 root)临时执行被授权的命令,而无需知道该身份的密码

[root@localhost ~]# visudo //应始终用 visudo 编辑 sudoers,它会在保存前做语法检查并加锁,避免写坏文件后无法使用 sudo

 

## Allow root to run any commands anywhere

ALL=(ALL)  等号前面的 ALL 表示允许从哪些主机(主机名/IP)使用;括号里的 ALL 表示可以切换成哪些用户身份

ALL  最后的 ALL 表示允许执行所有命令。实际授权时应只列出必需的命令;注意 cat、mv 这类命令以 root 身份运行时可以读取或覆盖系统中的任意文件,授权范围要尽量小

root    ALL=(ALL)       ALL

lsx     ALL=(ALL)       /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

user1   ALL=(ALL)     NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

 

[lsx@localhost ~]$ sudo /usr/bin/ls /root/

 

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

 

    #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

 

[sudo] password for lsx:

11. txt1.txt  2.txt  anaconda-ks.cfg  lsx  lsx.txt  qq.jpg

 

[lsx@localhost ~]$ ls /root/

ls: 无法打开目录/root/: 权限不够

[lsx@localhost ~]$ sudo /usr/bin/ls /root/

11.txt1.txt  2.txt  anaconda-ks.cfg  lsx  lsx.txt  qq.jpg

[lsx@localhost ~]$ sudo /usr/bin/cat /root/1.txt

 

[root@localhost ~]# su - user1

[user1@localhost ~]$ id

uid=1006(user1) gid=1006(user1) 组=1006(user1),1003(user3) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[user1@localhost ~]$ sudo /usr/bin/ls /root/  //user1 的规则带 NOPASSWD,所以不需要输入密码

11. txt1.txt  2.txt  anaconda-ks.cfg  lsx  lsx.txt  qq.jpg

 

# User_Alias ADMINS = jsmith, mikem

User_Alias LSHX = lsx,user1,user2  //用户别名:把多个用户归为一组

 

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Cmnd_Alias LSHX_CMD = /usr/bin/ls,/usr/bin/cat,/usr/bin/mv  //命令别名:把多个命令归为一组

 

## Allow root to run any commands anywhere

root    ALL=(ALL)       ALL

##lsx     ALL=(ALL)       /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

##user1   ALL=(ALL)     NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

LSHX    ALL=(ALL)       NOPASSWD: LSHX_CMD

 

3.9 限制root远程登录

思路:不允许 root 直接远程登录,只允许普通用户登录(root 密码保密);被授权的用户再通过 sudo /usr/bin/su 切换为 root,且不需要输入密码。(前提是先限制 root 用户远程登录,见下文对 sshd_config 的修改。)注意:这相当于把完整的 root 权限授予 LSHX 中的所有用户,应严格控制该别名的成员。

# User_Alias ADMINS = jsmith, mikem

User_Alias LSHX = lsx,user1,user2

 

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

Cmnd_Alias LSHX_CMD = /usr/bin/ls,/usr/bin/cat,/usr/bin/mv,/usr/bin/su

 

## Allow root to run any commands anywhere

root    ALL=(ALL)       ALL

##lsx     ALL=(ALL)       /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

##user1   ALL=(ALL)     NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat

LSHX    ALL=(ALL)       NOPASSWD: LSHX_CMD  //LSHX 中的用户执行 LSHX_CMD 里的命令时不需要输入密码

 

[root@localhost ~]# su - lsx

上一次登录:六 1021 13:17:01 CST 2689pxs/0

[lsx@localhost ~]$ sudo /usr/bin/su - root

上一次登录:六 1021 13:18:28 CST 2689pxs/0

 

限制root远程登录配置文件

[root@localhost ~]# vi /etc/ssh/sshd_config

# Authentication:

 

#LoginGraceTime 2m

#PermitRootLogin yes  //去掉行首的 #,并把 yes 改为 no,即 PermitRootLogin no;重启 sshd 前先确认普通用户能正常登录并通过 sudo 提权,以免把自己锁在系统外

#StrictModes yes

#MaxAuthTries 6

[root@localhost ~]# systemctl restart sshd.service