1. Create an ordinary account and let it run the fdisk partitioning command through sudo
[root@Read4 ~]# useradd MX # create a user
[root@Read4 ~]# echo chm123456 | passwd --stdin MX # set the password
Changing password for user MX.
passwd: all authentication tokens updated successfully.
[root@Read4 ~]# vim /etc/sudoers # grant the MX user the privilege
MX ALL=(root) /sbin/fdisk
[root@Read4 ~]# su - MX # switch user
[MX@Read4 ~]$ sudo fdisk -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for MX: # enter the MX user's password: chm123456
Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003ee72

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      204800   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              26        1332    10485760   83  Linux
/dev/sda3            1332        1587     2048000   82  Linux swap / Solaris
[MX@Read4 ~]$ sudo fdisk /dev/sda # run the fdisk partitioning command through sudo
WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
         switch off the mode (command 'c') and change display units to
         sectors (command 'u').

Command (m for help):
# partitioning steps omitted
2. Deny the MX user logging in to this host from tty2
[root@Read4 ~]# vim /etc/pam.d/login # add the access-control module
account required pam_access.so
# edit the file so that MX cannot log in on tty2
[root@Read4 ~]# vim /etc/security/access.conf
- : MX : tty2 # appended as the last line
# test: switch to tty2, log in, then check the log file
[root@Read4 ~]# tail -f /var/log/secure
Aug 24 10:55:14 Read4 login: pam_access(login:account): access denied for user `MX' from `tty2'
Aug 24 10:55:14 Read4 login: Permission denied
3. Deny the MX user logging in to this host's sshd service from 10.10.2.30 (optional, may be skipped)
Two machines: server Read4 (10.10.2.31), client Director (10.10.2.30)
[root@Director ~]# ssh # test the login before the experiment
The authenticity of host '10.10.2.31 (10.10.2.31)' can't be established.
RSA key fingerprint is 8c:35:59:e3:be:6d:89:71:7e:4e:ae:71:66:5d:36:5e.
Are you sure you want to continue connecting (yes/no)? yes
[MX@Read4 ~]$
# edit the server-side configuration file
[root@Read4 ~]# vim /etc/pam.d/sshd # add the access-control module
account required pam_access.so
[root@Read4 ~]# vim /etc/security/access.conf # append the restriction as the last line
- : MX : 10.10.2.30
[root@Director ~]# ssh # test the result
Address 10.10.2.31 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
MX@10.10.2.31's password: chm123456
Connection closed by 10.10.2.31
# access denied, the experiment succeeded
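As an added example that is not part of the lab writeup: a small Python evaluator that reproduces pam_access's first-match semantics for the two access.conf rules used above (the tty2 rule from step 2 and the 10.10.2.30 rule from step 3), so the expected allow/deny outcome can be checked before touching a real login path. It assumes a simplified subset of the origin syntax (ALL, exact tty or host names, IP addresses or CIDR networks) and does not implement group names, LOCAL or EXCEPT; the rule file content is constructed inline.

```python
import ipaddress

# Constructed access.conf content carrying the two rules from the lab
# (not a copy of a real file). Field layout: permission : users : origins
ACCESS_CONF = """\
# step 2: deny MX on the second virtual console
- : MX : tty2
# step 3: deny MX when arriving from the client host
- : MX : 10.10.2.30
"""


def parse_access_conf(text):
    """Return a list of (permission, users, origins) from access.conf-style text.

    Whole-line comments starting with '#' and blank lines are skipped; a rule
    must have exactly three colon-separated fields and a '+' or '-' permission.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _origin_matches(pattern, origin):
    """Subset of pam_access origin matching: ALL, exact name (tty/host), IP or CIDR."""
    if pattern == "ALL" or pattern == origin:
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(origin) in net
    except ValueError:  # pattern or origin is not an address (e.g. "tty2")
        return False


def check_access(rules, user, origin):
    """First matching rule decides; no matching rule means access is granted."""
    for perm, users, origins in rules:
        if not (user in users or "ALL" in users):
            continue
        if any(_origin_matches(p, origin) for p in origins):
            return perm == "+"
    return True
```

The deny decisions here correspond to the "access denied for user `MX' from `tty2'" line in /var/log/secure and the closed ssh connection from 10.10.2.30; any other user or origin falls through to the default grant.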