lihongjie0209 / myblog


Linux: sudo #59

Open lihongjie0209 opened 4 years ago

lihongjie0209 commented 4 years ago

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The real and effective uid and gid are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database (unless the -P option was specified).

Simply put, it switches to another user and executes a command as that user.

lihongjie0209 commented 4 years ago

A simple example

[root@centos ~]# useradd li
[root@centos ~]# sudo -u li touch li.txt
[root@centos tmp]# ll
total 0
-rw-r--r--. 1 li   li    0 Jul 19 09:36 li.txt

As you can see, when we switch to user li, the file that gets created also belongs to user li.

lihongjie0209 commented 4 years ago

Configuration file explained

Defining user variables

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

Defining host variables

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

Defining command variables

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Configuring sudo rules

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

lihongjie0209 commented 4 years ago

Format of a sudo rule

The fourth line, which dictates the root user’s sudo privileges, is different from the preceding lines. Let’s take a look at what the different fields mean:

root   ALL=(ALL:ALL) ALL

The first field indicates the username that the rule will apply to (root).
The first “ALL” indicates that this rule applies to all hosts.
The second “ALL” (the first one inside the parentheses) indicates that the root user can run commands as all users.
The third “ALL” (after the colon inside the parentheses) indicates that the root user can run commands as all groups.
The last “ALL” indicates these rules apply to all commands.

In summary:

user host=(toUser:toGroup) cmd

Tags can also be added in front of cmd, for example to skip password verification:

GROUPTWO    ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
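To tie the "configuration file explained" comment and the "format of a sudo rule" comment together, here is an added example (my own code, not part of the original issue or of the sudo project) that parses a small sudoers fragment into aliases and rules and then answers the question a reviewer of such a file actually cares about: given a user, their groups, a host and a target user, which command is allowed, and does it need a password? `parse_sudoers`, `check` and `audit` are names I chose; `SAMPLE_SUDOERS` is a constructed fragment modelled on the snippets in this thread. The parser deliberately covers only the constructs shown here (`User_Alias`, `Host_Alias`, `Cmnd_Alias`, `%group`, the `user host=(runas_user:runas_group) cmd` form and the `NOPASSWD:`/`PASSWD:` tags); it does not implement the full sudoers grammar (no `!` negation, no wildcards, no `#include`, no per-command runas).

```python
"""Minimal sudoers auditor (added example, not the original post's code).

Covers User_Alias / Host_Alias / Cmnd_Alias, %group specs, the
'user host=(runas_user:runas_group) cmd' rule form and NOPASSWD:/PASSWD: tags.
Not handled (assumption/simplification): '!' negation, wildcards, '#uid',
'#include', per-command runas lists, and argument matching on commands.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the snippets in the thread (not a real file).
SAMPLE_SUDOERS = """
## User Aliases
User_Alias ADMINS = jsmith, mikem
Host_Alias FILESERVERS = fs1, fs2
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum

Defaults env_reset

root    ALL=(ALL:ALL)   ALL
ADMINS  FILESERVERS=(root) NETWORKING, SOFTWARE
%sys    ALL = NOPASSWD: /usr/bin/updatedb, PASSWD: /bin/kill
"""

ALIAS_RE = re.compile(r"^(User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas_user:runas_group)  cmd, cmd, ...   (the runas part is optional)
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


@dataclass
class Rule:
    user: str            # user name, %group, or a User_Alias name
    host: str            # host name, ALL, or a Host_Alias name
    runas_user: str      # target user (sudo's default is root when omitted)
    runas_group: str     # target group ('' when not given)
    commands: list       # list of (command_or_Cmnd_Alias, nopasswd: bool)


@dataclass
class Sudoers:
    aliases: dict = field(default_factory=lambda: {
        "User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}, "Runas_Alias": {}})
    rules: list = field(default_factory=list)


def _parse_commands(spec):
    """Split 'NOPASSWD: /a, PASSWD: /b' into [('/a', True), ('/b', False)].
    A tag stays in effect for the following commands until another tag appears."""
    nopasswd, out = False, []
    for item in spec.split(","):
        item = item.strip()
        m = re.match(r"^(NOPASSWD|PASSWD)\s*:\s*(.*)$", item)
        if m:
            nopasswd = m.group(1) == "NOPASSWD"
            item = m.group(2).strip()
        if item:
            out.append((item, nopasswd))
    return out


def parse_sudoers(text):
    s = Sudoers()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in sudoers
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            s.aliases[kind][name] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {raw!r}")
        user, host, runas, cmds = m.groups()
        ru, _, rg = (runas or "root").partition(":")
        s.rules.append(Rule(user, host, ru.strip() or "root", rg.strip(), _parse_commands(cmds)))
    return s


def _expand(s, kind, name):
    """Recursively expand an alias name into leaf members; a non-alias expands to itself."""
    members = s.aliases[kind].get(name)
    if members is None:
        return [name]
    return [leaf for m in members for leaf in _expand(s, kind, m)]


def _user_matches(s, spec, user, groups):
    return any(item == "ALL" or item == user or (item.startswith("%") and item[1:] in groups)
               for item in _expand(s, "User_Alias", spec))


def _host_matches(s, spec, host):
    return any(item in ("ALL", host) for item in _expand(s, "Host_Alias", spec))


def check(s, user, groups, host, runas, command):
    """Return 'allow', 'allow-nopasswd' or 'deny'. As in sudoers, the LAST matching entry wins."""
    verdict = "deny"
    for r in s.rules:
        if not (_user_matches(s, r.user, user, groups) and _host_matches(s, r.host, host)):
            continue
        if r.runas_user not in ("ALL", runas):
            continue
        for cmd, nopasswd in r.commands:
            if any(c in ("ALL", command) for c in _expand(s, "Cmnd_Alias", cmd)):
                verdict = "allow-nopasswd" if nopasswd else "allow"
    return verdict


def audit(s):
    """Entries worth a second look: NOPASSWD commands and unrestricted ALL for non-root users."""
    findings = []
    for r in s.rules:
        for cmd, nopasswd in r.commands:
            for c in _expand(s, "Cmnd_Alias", cmd):
                if c == "ALL" and r.user != "root":
                    findings.append((r.user, c, "unrestricted ALL"))
                if nopasswd:
                    findings.append((r.user, c, "NOPASSWD"))
    return findings


if __name__ == "__main__":
    cfg = parse_sudoers(SAMPLE_SUDOERS)
    print(check(cfg, "jsmith", [], "fs1", "root", "/sbin/route"))          # allow
    print(check(cfg, "bob", ["sys"], "any", "root", "/usr/bin/updatedb"))  # allow-nopasswd
    print(audit(cfg))
```

The `check` function mirrors the field order of the rule format summarised above: user (or %group / alias), host, runas user and finally the command list, with the `NOPASSWD:` tag carried forward to later commands in the same list until a `PASSWD:` tag resets it. `audit` is the defender's view of the same data: it lists which non-root principals have `ALL` and which commands run without a password, which is what you want to review before deploying a sudoers change.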