Step 1:
vim /etc/pam.d/su
Uncomment the following line:
auth required pam_wheel.so use_uid
Step 2:
vim /etc/login.defs
Append at the end of the file:
SU_WHEEL_ONLY yes
Step 3:
vim /etc/sudoers
Note: this file is mode 440 by default; change it to 777 before editing and back to 440 afterwards, otherwise you get an error.
chmod 777 /etc/sudoers
Append at the end of the file:
Cmnd_Alias USERADMINCMNDS =!/usr/bin/passwd, !/usr/bin/passwd root, !/usr/bin/passwd root --stdin
zwx1048177 ALL=(ALL:ALL) ALL,USERADMINCMNDS,!/bin/su,!/bin/bash
Test:
[zwx1048177@node2 ~]$ su -
-bash: /bin/su: Permission denied
[zwx1048177@node2 ~]$ su - root
-bash: /bin/su: Permission denied
[zwx1048177@node2 ~]$ sudo su -
Sorry, user zwx1048177 is not allowed to execute '/bin/su -' as root on node2.
[zwx1048177@node2 ~]$ sudo su - root
Sorry, user zwx1048177 is not allowed to execute '/bin/su - root' as root on node2.
[zwx1048177@node2 ~]$ sudo passwd
Sorry, user zwx1048177 is not allowed to execute '/bin/passwd' as root on node2.
[zwx1048177@node2 ~]$ sudo passwd root
Sorry, user zwx1048177 is not allowed to execute '/bin/passwd root' as root on node2.
[zwx1048177@node2 ~]$ echo "hello" | sudo passwd root --stdin
Sorry, user zwx1048177 is not allowed to execute '/bin/passwd root --stdin' as root on node2.
[zwx1048177@node2 ~]$ sudo -i
Sorry, user zwx1048177 is not allowed to execute '/bin/bash' as root on node2.
As you can see, logging in directly as root and changing the root password are both blocked. Done!!!
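As an added example (not part of the original post), a small POSIX shell audit that re-checks the three settings above on a host; it assumes GNU coreutils stat, visudo for the syntax check, and uses the page's user name zwx1048177 as the sample argument.

```shell
#!/bin/sh
# Added audit script, not from the original post. Each check takes the file
# path as an argument so it can also run against copies of the files.
# Assumes GNU coreutils stat (Linux) and, for the syntax check, visudo.

# Step 1: /etc/pam.d/su must have an ACTIVE pam_wheel line (a leading '#' means
# the line is still commented out, which is exactly what the step fixes).
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$1"
}

# Step 2: /etc/login.defs must set SU_WHEEL_ONLY yes (commented copies ignored).
check_su_wheel_only() {
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes[[:space:]]*$' "$1"
}

# Step 3a: the sudoers file must be back at mode 0440 after the edit.
check_sudoers_mode() {
    [ "$(stat -c '%a' "$1")" = "440" ]
}

# Step 3b: the file must still parse. visudo -c -f checks a file in place.
# Returns 2 (skip) when visudo is unavailable, 1 on a syntax error.
check_sudoers_syntax() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -f "$1" >/dev/null 2>&1
}

# Step 3c: the user's rule must carry the !/bin/su and !/bin/bash exclusions.
check_user_rule() {
    grep -Eq "^$1[[:space:]]+ALL=\(ALL:ALL\)[[:space:]]+ALL,.*!/bin/su,.*!/bin/bash" "$2"
}

# Run every check; the return value is the number of failed checks.
audit() {
    pam=$1 defs=$2 sudoers=$3 user=$4 fails=0
    check_pam_wheel "$pam"          || { echo "FAIL: pam_wheel line not active in $pam"; fails=$((fails+1)); }
    check_su_wheel_only "$defs"     || { echo "FAIL: SU_WHEEL_ONLY yes missing in $defs"; fails=$((fails+1)); }
    check_sudoers_mode "$sudoers"   || { echo "FAIL: $sudoers is not mode 0440"; fails=$((fails+1)); }
    rc=0; check_sudoers_syntax "$sudoers" || rc=$?
    [ "$rc" -eq 2 ] && echo "SKIP: visudo not installed, syntax not checked"
    [ "$rc" -eq 1 ] && { echo "FAIL: $sudoers does not parse"; fails=$((fails+1)); }
    check_user_rule "$user" "$sudoers" || { echo "FAIL: no !/bin/su,!/bin/bash rule for $user"; fails=$((fails+1)); }
    return "$fails"
}

# Against the live host (reading /etc/sudoers needs root); user name from the page:
# audit /etc/pam.d/su /etc/login.defs /etc/sudoers zwx1048177
```

visudo edits /etc/sudoers through a locked temporary copy, runs this same syntax check before saving and leaves the 0440 mode in place, so it avoids the chmod 777 step. sudoers(5) also notes that a `!` entry only denies that exact path, so the `ALL` grant alongside it remains broad and is worth reviewing.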