A detailed look at implementing administrative authorization with sudo



sudo:

The Linux sudo command runs a command with the identity of the system administrator; in other words, a command executed through sudo behaves exactly as if root had run it personally.

Who may use it: users who appear in /etc/sudoers.

Options

  • -V show the version number
  • -h show the version number and usage instructions
  • -l list the privileges of the current user (the one running sudo)
  • -v sudo asks for a password the first time it runs, or when it has not been run for N minutes (N defaults to five); this option renews that confirmation, and asks for the password again if more than N minutes have passed
  • -k force a password prompt the next time sudo runs (whether or not N minutes have passed)
  • -b run the command in the background
  • -p prompt change the password prompt; %u is replaced with the user's account name and %h with the host name
  • -u username/#uid without this option the command runs as root; with it, the command runs as username (#uid is that user's numeric user ID)
  • -s run the shell named by the SHELL environment variable, or the shell specified in /etc/passwd
  • -H set the HOME environment variable (home directory) to that of the target user (root if -u is not given)
  • command the command to run as the system administrator (or as the user chosen with -u)

sudo package information:

[root@localhost ~]#rpm -qi sudo
Name        : sudo
Version     : 1.8.23
Release     : 4.el7
Architecture: x86_64
Install Date: Fri 27 Dec 2019 03:39:34 AM CST
Group       : Applications/System
Size        : 3195829
License     : ISC
Signature   : RSA/SHA256, Fri 23 Aug 2019 05:44:10 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : sudo-1.8.23-4.el7.src.rpm
Build Date  : Fri 09 Aug 2019 10:58:23 AM CST
Build Host  : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.courtesan.com/sudo/
Summary     : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis.  It is not a replacement for the shell.  Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.

sudo file list:

[root@localhost ~]#rpm -ql sudo
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/etc/sudo-ldap.conf
/etc/sudo.conf
/etc/sudoers
# sudo authorization file; defines the authorization rules
/etc/sudoers.d
/usr/bin/cvtsudoers
/usr/bin/sudo
/usr/bin/sudoedit
/usr/bin/sudoreplay
/usr/lib/tmpfiles.d/sudo.conf
...

sudoers:

[root@localhost ~]#vim /etc/sudoers


## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##  user    MACHINE=COMMANDS
##  user        current host=(runs as; ALL means any user)    runs ALL commands
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 

# Authorization format example:
root    ALL=(ALL)   ALL
# Modelled on the line above: allow flamenca, on this host, to run /bin/mount /dev/sr0 /mnt as root (mounting the optical disc)
flamenca	192.168.33.128=(root) /bin/mount /dev/sr0 /mnt

## Note: this file is read-only. Edits cannot be saved directly; use visudo to modify it

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

## Membership in the wheel group has the same authorizing effect
%wheel  ALL=(ALL)   ALL

## Same thing without a password
# %wheel    ALL=(ALL)   NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## Authorization rules can also be placed in files in the following directory
#includedir /etc/sudoers.d

After flamenca's sudo rule is in place, test the mount operation:

[root@localhost ~]#su - flamenca
Last login: Sat May 16 16:56:17 CST 2020 on pts/0
[flamenca@localhost ~]$mount /dev/sr0 /mnt
mount: only root can do that
[flamenca@localhost ~]$sudo mount /dev/sr0 /mnt

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for flamenca: 

[flamenca@localhost ~]$sudo mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only

[flamenca@localhost ~]$df
Filesystem              1K-blocks     Used Available Use% Mounted on
...
/dev/sr0                 10767514 10767514         0 100% /mnt
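The session above shows what the user sees; the other half is the audit trail the package description promises ("logging all commands and arguments"), which sudo writes through syslog (/var/log/secure on CentOS). The following is an added example, not code from the original post: a small POSIX shell/awk filter that reads those records and normalises each one into "STATUS user runas command", so that refusals ("command not allowed") and exhausted password attempts stand out from permitted commands. The log lines in SAMPLE_SUDO_LOG are constructed for this example; they follow sudo's record format, but the timestamps, host, user and commands are invented to match the flamenca scenario.

```shell
#!/bin/sh
# Added example (not part of the original post): normalise sudo's syslog
# audit records so permitted, denied and failed-authentication events can
# be told apart and counted.
# The lines below are CONSTRUCTED for this example in sudo's record format;
# host, user, timestamps and commands are invented.
SAMPLE_SUDO_LOG='May 16 17:01:02 localhost sudo: flamenca : TTY=pts/0 ; PWD=/home/flamenca ; USER=root ; COMMAND=/bin/mount /dev/sr0 /mnt
May 16 17:01:02 localhost sudo: pam_unix(sudo:session): session opened for user root by flamenca(uid=0)
May 16 17:03:40 localhost sudo: flamenca : command not allowed ; TTY=pts/0 ; PWD=/home/flamenca ; USER=root ; COMMAND=/bin/umount /mnt
May 16 17:05:11 localhost sudo: flamenca : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/flamenca ; USER=root ; COMMAND=/bin/bash
May 16 17:06:00 localhost sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo'

# sudo_events: stdin = raw log lines; stdout = "STATUS user runas command".
# STATUS is OK for a permitted command, DENIED when sudoers refused it,
# AUTHFAIL when the password attempts were exhausted. Records without a
# COMMAND= field (e.g. pam_unix session lines) are ignored.
sudo_events() {
    awk '
        / sudo: / && /COMMAND=/ {
            rec = $0; sub(/^.* sudo: */, "", rec)          # "flamenca : TTY=... ; COMMAND=..."
            user = rec; sub(/ : .*/, "", user)
            rest = rec; sub(/^[^ ]* : /, "", rest)
            status = "OK"
            if (rest ~ /^command not allowed/)             status = "DENIED"
            else if (rest ~ /incorrect password attempts/) status = "AUTHFAIL"
            runas = rest; sub(/.*USER=/, "", runas); sub(/ ;.*/, "", runas)
            cmd = rest; sub(/.*COMMAND=/, "", cmd)
            print status, user, runas, cmd
        }'
}

# count_events STATUS: number of sample records with the given status
count_events() {
    printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_events |
        awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# commands_as_root USER: commands USER was permitted to run as root
commands_as_root() {
    printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_events |
        awk -v u="$1" '$1 == "OK" && $2 == u && $3 == "root" {
            $1 = $2 = $3 = ""; sub(/^ +/, ""); print
        }'
}

# Demo: full event list, then the events worth a second look
printf '%s\n' "$SAMPLE_SUDO_LOG" | sudo_events
echo "denied: $(count_events DENIED), auth failures: $(count_events AUTHFAIL)"
```

On a real host, feed the log file instead of the sample (sudo_events < /var/log/secure). DENIED records mean a user asked for something outside their sudoers rule, and a run of AUTHFAIL records for one account is the signal to check whether that account's password is shared or being guessed.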

sudo can also grant authorization by group:

Why does root also need an entry in the sudoers file?

If the root user's UID is not 0 (an account named root that actually has only ordinary-user privileges), this sudoers entry leaves a "back door" for the user named root.

By default sudo does not ask for the password again within a certain period: the default is 5 minutes.

About the files covered by the #includedir /etc/sudoers.d line in the configuration file:

  • Users written in a file in this directory also get the corresponding privileges

    flamenca ALL=	ALL
    # This form defaults to ALL=(root)
    
    # Authorize flamenca to edit the sudoers file
    flamenca ALL=	sudoedit
    
    # The edit command is
    [flamenca@localhost ~]$sudoedit
    # or edit a file under /etc/sudoers.d
    
  • visudo -c checks the format (syntax) of the sudoers files

  • visudo -f FILE edits a single specified file on its own

sudo aliases:

  • Alias types: User_Alias, Runas_Alias, Host_Alias, Cmnd_Alias

  • Alias format: [A-Z]([A-Z][0-9]_)* ; alias names must be uppercase

  • Example:

    • User_Alias NETADMIN=netuser1,netuser2
    • Cmnd_Alias NETCMD=/usr/sbin/ip
    • NETADMIN ALL=(root) NETCMD
  • %wheel ALL=(ALL) NOPASSWD:ALL: no password prompt when running commands
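The authorization-line format, the #includedir /etc/sudoers.d drop-in mechanism and the alias rules above all come together when a rule is written as a drop-in file. The following is an added example, not code from the original post: a POSIX shell script that renders the post's NETADMIN/NETCMD alias rules into a drop-in, applies a structural check (alias names uppercase, the first word of every command entry a fully qualified path, ALL, sudoedit or an alias name, which is what the sudoers grammar itself requires), writes the file with the 0440 mode sudo expects, and hands it to visudo -cf when visudo is installed. The drop-in name netadmin and the temporary destination directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): render the post's alias rules
# into a /etc/sudoers.d drop-in, check its structure, and validate it with
# visudo when available. The drop-in name "netadmin" and the destination
# directory given by the caller are assumptions of this example.

# Rules taken from the post (NETADMIN, NETCMD, netuser1, netuser2)
render_dropin() {
    cat <<'EOF'
User_Alias NETADMIN = netuser1, netuser2
Cmnd_Alias NETCMD = /usr/sbin/ip
NETADMIN ALL=(root) NETCMD
EOF
}

# alias_name_ok NAME: sudoers alias names must match [A-Z]([A-Z][0-9]_)*
alias_name_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Z][A-Z0-9_]*$'
}

# cmd_ok WORD: first word of a command entry must be ALL, sudoedit, an
# (uppercase) Cmnd_Alias name, or a fully qualified path.
cmd_ok() {
    case "$1" in
        ALL|sudoedit|/*) return 0 ;;
        *) alias_name_ok "$1" ;;
    esac
}

# check_rules: stdin = sudoers fragment; prints one line per problem and
# exits 1 if any were found. Comments, blank lines, #include(dir) and
# Defaults lines are skipped. Runs in a subshell so set -f / IFS stay local.
check_rules() (
    bad=0
    set -f                                   # no glob expansion while splitting lines
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*) continue ;; esac
        set -- $line
        case "$1" in
            User_Alias|Host_Alias|Runas_Alias|Cmnd_Alias)
                name=${2%%=*}
                alias_name_ok "$name" || { echo "alias name not uppercase: $name"; bad=1; }
                [ "$1" = Cmnd_Alias ] || continue    # only command aliases carry commands
                ;;
            *)
                case "$line" in *=*) ;; *) echo "no '=' in rule: $line"; bad=1; continue ;; esac
                ;;
        esac
        # after '=' comes a comma-separated command list; drop the optional
        # (runas) part and NOPASSWD:/PASSWD: tags, then test each entry's first word
        rest=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*([^)]*)//; s/NOPASSWD://g; s/PASSWD://g')
        oldifs=$IFS; IFS=','
        for entry in $rest; do
            IFS=$oldifs
            set -- $entry
            cmd_ok "$1" || { echo "command is not fully qualified: $1"; bad=1; }
            IFS=','
        done
        IFS=$oldifs
    done
    exit "$bad"
)

# write_dropin DIR: write the drop-in into DIR (normally /etc/sudoers.d)
# with mode 0440 and print its path. sudo skips drop-in files whose names
# contain a '.' or end in '~', hence the plain name "netadmin".
write_dropin() (
    dest="$1/netadmin"
    umask 077
    render_dropin > "$dest"
    chmod 0440 "$dest"
    printf '%s\n' "$dest"
)

# validate_dropin FILE: structural check, then visudo -cf when installed.
# visudo also verifies owner and mode, so run it as root on the real file.
validate_dropin() {
    check_rules < "$1" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; structural check only"
    fi
}

# Demo: render into a temporary directory and validate (no root needed for
# the structural check; visudo may complain about ownership when run unprivileged)
demo_dir=$(mktemp -d)
demo_file=$(write_dropin "$demo_dir")
cat "$demo_file"
validate_dropin "$demo_file" || echo "validation failed"
rm -rf "$demo_dir"
```

The structural check is a pre-flight only; the authority is visudo -cf, run as root on the file in /etc/sudoers.d, since it parses the full grammar and also rejects a file with the wrong owner or mode. Keeping every command fully qualified and every alias uppercase is what makes the file parse at all, and a drop-in that fails to parse is the kind of mistake that locks administrators out of sudo on that host.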
