How do you give an ordinary user elevated privileges in Linux?

Allowing only specific users to switch to root

Switching user: su - TARGET_USER
Password check:

  • root --> another user: no password is asked for
  • ordinary user --> another user: the target user's password is required

Pros and cons of su
su is certainly convenient for administration, but switching to root with su also has a weak point.
By default every user is allowed to run su, which gives everyone the opportunity to repeatedly try other users' (e.g. root's) login passwords, and every person who needs root has to be told the root password. That is a security risk.

Solution
Use the pam_wheel authentication module so that only a handful of selected users may switch with su.

  • Procedure: add the users who are authorised to use su to the wheel group, then edit the PAM configuration /etc/pam.d/su to enable pam_wheel.
[root@xiaoagiao /]# groups user1
user1 : user1

[root@xiaoagiao /]# gpasswd -a user1 wheel     # add wheel as a supplementary group of user1
Adding user user1 to group wheel

[root@xiaoagiao /]# groups user1
user1 : user1 wheel
[root@xiaoagiao /]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid                           # remove the leading # from this line to enable the wheel check
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

After this, only members of the wheel group can su to root. Three things to keep in mind: as enabled here (without the root_only option) pam_wheel checks every su target, so a non-wheel user can no longer su to any account, not just root; the check only governs su and does nothing about sudo or any other route to root; and the commented "sufficient pam_wheel.so trust" line above should stay commented unless you really want wheel members to become root without typing a password.
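The procedure above (add the user to wheel, uncomment the pam_wheel line) is easy to get subtly wrong: uncommenting the wrong pam_wheel line grants passwordless root, and a stray edit can lock everyone out of su. The following script is an added example, not part of the original post, that applies the change to a copy of /etc/pam.d/su and checks the outcome before the real file is touched. All file names are parameters; the sample file contents are constructed to match the CentOS 7 files shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post.  Enables the wheel-only su
# restriction on a COPY of /etc/pam.d/su and checks the result, so the change
# can be dry-run before touching the real file.  All file names are
# parameters; the sample contents below are constructed to match the
# CentOS 7 files shown in the post.

# pam_wheel_enabled FILE -> 0 if an active "auth required pam_wheel.so" line exists
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# pam_wheel_trusted FILE -> 0 if the "sufficient pam_wheel.so trust" line is
# active, i.e. wheel members become root with NO password at all
pam_wheel_trusted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so[[:space:]]+trust' "$1"
}

# enable_pam_wheel FILE: uncomment only the "required ... use_uid" line.
# Idempotent; keeps FILE.bak; writes through the existing inode so the file
# keeps its owner, mode and SELinux label.
enable_pam_wheel() {
    f=$1
    pam_wheel_enabled "$f" && return 0
    cp -p "$f" "$f.bak" || return 1
    sed 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_wheel\.so\)/\1/' "$f" > "$f.tmp" || return 1
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    pam_wheel_enabled "$f"
}

# in_group GROUPFILE GROUP USER -> 0 if USER is listed as a member of GROUP.
# Only supplementary membership (4th field) is checked; a user whose primary
# GID in /etc/passwd is wheel would also satisfy pam_wheel.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# write_sample_su FILE: constructed copy of the CentOS 7 /etc/pam.d/su from the post
write_sample_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
EOF
}

# write_sample_group FILE: constructed /etc/group excerpt (user1 already in wheel)
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:user1
user1:x:1000:
user2:x:1001:
EOF
}

# Stand-alone demo on temporary copies of both files
demo() {
    d=$(mktemp -d)
    write_sample_su "$d/su"
    write_sample_group "$d/group"
    enable_pam_wheel "$d/su" && echo "pam_wheel required line is now active in $d/su"
    pam_wheel_trusted "$d/su" && echo "WARNING: trust line active, wheel needs no password"
    for u in user1 user2; do
        if in_group "$d/group" wheel "$u"; then echo "$u may su"; else echo "$u may NOT su"; fi
    done
    rm -rf "$d"
}
demo
```

To use it on a real host, run enable_pam_wheel against a copy first (cp -p /etc/pam.d/su /root/su.test), inspect the diff against the original, and only then point it at /etc/pam.d/su from a root shell that you keep open until a second terminal confirms that a wheel member can still su and a non-member is refused.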

Granting specific users elevated privileges with sudo

su makes it very easy to become another user, but only if you know that user's login password, and every extra person who knows the root password is one more risk. With sudo you elevate the privileges of a single command instead.
For that, the administrator grants the rights in advance, specifying which users may run which commands as the superuser (or as some other ordinary user).

Configuration file location

/etc/sudoers, or open it directly with visudo. visudo locks the file and checks the syntax before saving, so a typo cannot leave you with a broken sudoers that refuses everyone.

The configuration file

[root@xiaoagiao /]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases                                                     # host aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases                                                     # user aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases                                                   # command aliases
## These are groups of related commands...

## Networking                                            # networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 
## Services                # services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes               # processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers      # drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

…………
…………
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL                 # root may run any command

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL       # any user in the wheel group may run any command

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

How to write the configuration

Alias rules
AliasType NAME = item1, item2, …
or
AliasType NAME = item1, item2, item3 : NAME = item4, item5

AliasType is one of Host_Alias, User_Alias, Runas_Alias and Cmnd_Alias
NAME consists of uppercase letters, underscores and digits, and must start with an uppercase letter

Alias types:

  1. Host alias: Host_Alias
 Host_Alias HT1=localhost,ztg,192.168.0.0/24
 The host alias is HT1; the members are to the right of "=".
 Host_Alias HT1= localhost,ztguang,192.168.10.0/24:HT2=ztg2,ztg3
  2. User alias: User_Alias
#User alias; members can be users or groups (a group is prefixed with %).
User_Alias ADMIN=ztg,ztguang
#Defines the user alias ADMIN with two members, ztg and ztguang; both must actually exist on the system.
  3. Command alias: Cmnd_Alias
#Defines an alias for commands; these must be files that exist on the system, written as absolute paths; the file name may contain wildcards.
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
  4. Runas_Alias
#Defines a runas alias, i.e. the users that sudo is allowed to switch to;
Runas_Alias RUN_AS = root
#Defines the runas alias RUN_AS with a single member, root

Authorisation rules:
Format:

  1. USER HOST=COMMAND
  2. USER HOST=[(users or groups to run as)] [NOPASSWD: or PASSWD:] command1, [(users or groups to run as)] [NOPASSWD: or PASSWD:] [command2], …

Examples:
You do not actually have to edit /etc/sudoers itself; you can create a file under /etc/sudoers.d/ instead. It is read because of the #includedir line at the end of sudoers, which is a directive rather than a comment.

  1. Let user1 mount /dev/sr0 on /media

user1 ALL=(ALL) /bin/mount /dev/sr0 /media

[user1@xiaoagiao ~]$ mount /dev/sr0 /media/
mount: only root can do that

[user1@xiaoagiao ~]$ su - root
Password:
Last login: Wed May 13 18:27:32 CST 2020 from 192.168.126.1 on pts/0
[root@xiaoagiao ~]# vim /etc/sudoers.d/user1               # write the authorisation rule
[root@xiaoagiao ~]# cat /etc/sudoers.d/user1
user1 ALL=(ALL) /bin/mount /dev/sr0 /media

[root@xiaoagiao ~]# su - user1                    # switch to user1
Last login: Wed May 13 22:26:29 CST 2020 on pts/0
[user1@xiaoagiao ~]$ sudo mount /dev/sr0 /media/      # now permitted
[sudo] password for user1:
mount: /dev/sr0 is write-protected, mounting read-only
mount: /dev/sr0 is already mounted or /media busy
       /dev/sr0 is already mounted on /media
  2. Let user1 and user2 change IP settings, implemented with aliases and without a password prompt

User_Alias NETUSER=user1,user2
Cmnd_Alias IP=/sbin/ip
NETUSER ALL=(root) NOPASSWD: IP

Caveat: this rule is effectively a passwordless root shell, because ip netns exec runs an arbitrary program as root (sudo ip netns add x; sudo ip netns exec x /bin/sh). If only address changes are needed, restrict the arguments in the Cmnd_Alias to the subcommands you actually intend (e.g. /sbin/ip addr *) and think twice before adding NOPASSWD at all.

  3. Let user2 run every command under /usr/sbin/ except /usr/sbin/userdel

user2 ALL=(root) /usr/sbin/,!/usr/sbin/userdel

[user2@xiaoagiao ~]$ sudo useradd user3               # add a user as user2

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user2:
[user2@xiaoagiao ~]$ sudo cat /etc/passwd            # added successfully
user3:x:1002:1002::/home/user3:/bin/bash
[user2@xiaoagiao ~]$ sudo userdel -r user3           # delete user3: it works, nothing restricts it yet
[root@xiaoagiao ~]# vim /etc/sudoers.d/user2         # write the restricting rule
[root@xiaoagiao ]# cat /etc/sudoers.d/user2
user2 ALL=(root) /usr/sbin/,!/usr/sbin/userdel
[root@xiaoagiao ]# su - user2
Last login: Wed May 13 22:43:35 CST 2020 on pts/0

[user2@xiaoagiao ~]$ sudo useradd user3                # adding a user works
[user2@xiaoagiao ~]$ sudo cat /etc/passwd
user3:x:1002:1002::/home/user3:/bin/bash
[user2@xiaoagiao ~]$ sudo userdel user3           # deleting a user is not allowed
Sorry, user user2 is not allowed to execute '/sbin/userdel user3' as root on xiaoagiao.

Caveat: excluding userdel does not make this rule safe. The remaining commands in /usr/sbin/ include useradd and usermod, and sudo useradd -o -u 0 creates a second UID 0 account that user2 can then log in to. The sudoers manual itself warns that subtracting commands with "!" is not a security boundary; list the handful of commands the user really needs instead of granting a whole directory minus exceptions.