II. User Identities and File Permissions (9)


The ALL here is a special keyword meaning "any": any user identity, any host, or any command, depending on the position it appears in.
[root@LB-nginx-01 ~]# visudo
 99 ## Allow root to run any commands anywhere
100 root    ALL=(ALL)       ALL
101 centos  ALL=(ALL)       ALL
After adding the line, save and exit, then switch to the regular user in question. That user can now run `sudo -l` to list every command they are allowed to execute (the password sudo asks for below is the regular user's own password, not the root administrator's):
[root@localhost ~]# su - centos
Last login: Thu Jan 14 12:04:12 EST 2021 on pts/0
[centos@localhost ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for centos:
Matching Defaults entries for centos on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User centos may run the following commands on localhost:
    (ALL) ALL
Now for the interesting part. A regular user certainly cannot list the files in the root administrator's home directory (/root), yet prefixing the same command with sudo is all it takes:
[centos@localhost ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[centos@localhost ~]$ sudo ls /root/
anaconda-ks.cfg
In a production environment a regular user must not be given the highest execution privilege over every command on the system (grant as little as possible), so the ALL command list is inappropriate. Instead, grant the specific commands the job requires, which keeps the user inside the necessary privilege boundary. When a user is to run only certain commands as root, always write the command's absolute path; otherwise sudo will not recognize it. First locate the command's path with whereis, then replace the command field on the user's line in the configuration file (line 101 in the listing above) with that path. Bear in mind that even a single command can be a large grant: allowing /usr/bin/cat as root, as here, lets the user read any file on the system, /etc/shadow included, as the transcript below shows.
[centos@localhost ~]$ exit
logout
[root@localhost ~]# whereis cat
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz
[root@localhost ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
centos  ALL=(ALL)       /usr/bin/cat
[root@localhost ~]# su - centos
Last login: Sat Jan 16 04:07:18 EST 2021 on pts/0
[centos@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[centos@localhost ~]$ sudo cat /etc/shadow
root:$6$TVNmLLTWOGbLirnN$rG/yMtbr94uSukoeMmCmlNS8twpoEaxK03eu0lozTKUgdkH/dVGGYCDllYORfMlMCiBD8vL2WpiXhoT67duBt/::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
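The two checks this section implies, "is anyone granted the bare ALL command list?" and "is every command written as an absolute path?", are easy to automate before a sudoers change goes live. The following is an added example, not code from the tutorial: it parses the single-line user specifications used on this page out of a constructed sample fragment, reports both problems, and then hands the file to sudo's own parser with `visudo -cf` when visudo is installed. The sample fragment, the `centos3` line and the function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: audit a sudoers fragment for full-ALL grants and non-absolute commands.
# SAMPLE_SUDOERS is constructed for this demo; the centos3 line is the mistake the text warns about.
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
centos  ALL=(ALL)       /usr/bin/cat
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# Mistake: the command must be given as an absolute path
centos3 ALL=(ALL)       cat
'

# sudoers_grants FILE
# One "who<TAB>runas<TAB>command list" record per "who HOST=(RUNAS) CMDS" line.
# Skips blank lines, '#' comments and Defaults. (A '#' followed by digits is a UID
# specifier in sudoers, not a comment; that rare form is not handled here.)
sudoers_grants() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*Defaults/ { next }
        {
            who = $1
            rest = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", rest)   # drop the who field
            spec = substr(rest, index(rest, "=") + 1)                 # text after "HOST="
            sub(/^[[:space:]]+/, "", spec)
            runas = "root"                                            # sudo default when (RUNAS) is absent
            if (spec ~ /^\(/) {
                rp = index(spec, ")")
                runas = substr(spec, 2, rp - 2)
                spec = substr(spec, rp + 1)
                sub(/^[[:space:]]+/, "", spec)
            }
            print who "\t" runas "\t" spec
        }' "$1"
}

# unrestricted_grants FILE: users or %groups whose command list is the bare keyword ALL.
unrestricted_grants() {
    sudoers_grants "$1" | awk -F'\t' '$3 == "ALL" { print $1 }'
}

# relative_command_grants FILE: "who<TAB>word" for each command word that is not ALL,
# sudoedit, a tag such as NOPASSWD:, a negation (!) or an absolute path.
relative_command_grants() {
    sudoers_grants "$1" | awk -F'\t' '{
        n = split($3, w, "[[:space:],]+")
        for (i = 1; i <= n; i++) {
            if (w[i] == "" || w[i] == "ALL" || w[i] == "sudoedit") continue
            if (w[i] ~ /^\// || w[i] ~ /^[A-Z_]+:$/ || w[i] ~ /^!/) continue
            print $1 "\t" w[i]
        }
    }'
}

# visudo_check FILE: sudo's own parser is the authoritative check (-c check only, -f file).
# Informational here: prints visudo's verdict and never aborts the caller.
visudo_check() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" 2>&1 || echo "visudo -cf exited $? for $1"
    else
        echo "visudo not installed; skipping syntax check"
    fi
}

# Demo run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
echo "== principals granted ALL =="
unrestricted_grants "$tmp"
echo "== commands not given by absolute path =="
relative_command_grants "$tmp"
visudo_check "$tmp"
rm -f "$tmp"
```

Older sudo releases also verify the file's owner and mode in check mode, so for a fragment destined for /etc/sudoers.d run `visudo -cf` as root on a copy already set to root:root 0440; the parser-level audit above needs no privileges.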
Ⅰ. Implementation: use a group so that these three users, , , can all administer the system
[root@localhost ~]# visudo
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL      # the leading % means the name that follows is a group
[root@localhost ~]# usermod -G wheel centos1    # make centos1 a member of wheel
[root@localhost ~]# id centos1
uid=1001(centos1) gid=1001(centos1) groups=1001(centos1),10(wheel)
The setting above means that any user who joins the wheel group can use sudo to assume any identity and run any command. You can of course replace wheel with a group name of your own. Note that `usermod -G` replaces the user's existing supplementary groups with the list given; to add wheel while keeping the others, use `usermod -aG wheel centos1`. Next, switch to each user in turn and try running sudo.
[root@localhost ~]# su - centos1               # switch to centos1
[centos1@localhost ~]$ sudo ls /root/          # with sudo, root's home is listable: the grant is in effect
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for centos1:
anaconda-ks.cfg
[centos1@localhost ~]$ exit
logout
[root@localhost ~]# su - centos2               # switch to centos2
[centos2@localhost ~]$ sudo ls /root
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for centos2:
centos2 is not in the sudoers file.  This incident will be reported.
centos2 is not a member of wheel, so sudo refuses the command. "This incident will be reported" means sudo has logged the refusal through syslog (the authpriv facility, which CentOS writes to /var/log/secure) and, with the default mail_no_user setting, mailed it to root.
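Because every refusal and every successful sudo run above ends up in the system log, the log is where an operator checks who actually exercised these grants. The following is an added example, not part of the tutorial: two small awk filters that pull refused attempts and commands run as root out of log lines shaped like sudo's syslog messages. The sample lines are constructed for the demo (hostnames, times, the sshd line and the /usr/bin paths are assumptions), as are the function names.

```shell
#!/bin/sh
# Added example: extract sudo refusals and root command executions from a /var/log/secure-style log.
# SAMPLE_SECURE_LOG is constructed in the shape of sudo's syslog messages; it is not from a real host.
SAMPLE_SECURE_LOG='Jan 16 04:07:30 localhost sudo: centos1 : TTY=pts/0 ; PWD=/home/centos1 ; USER=root ; COMMAND=/usr/bin/ls /root/
Jan 16 04:08:02 localhost sshd[1432]: Accepted password for centos2 from 192.0.2.10 port 50112 ssh2
Jan 16 04:08:15 localhost sudo: centos2 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/centos2 ; USER=root ; COMMAND=/usr/bin/ls /root
Jan 16 04:09:41 localhost sudo:  centos : command not allowed ; TTY=pts/1 ; PWD=/home/centos ; USER=root ; COMMAND=/usr/bin/bash
Jan 16 04:10:05 localhost sudo:  centos : TTY=pts/1 ; PWD=/home/centos ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 16 04:10:09 localhost sudo: centos1 : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/centos1 ; USER=root ; COMMAND=/usr/bin/ls /root
'

# sudo_denials LOGFILE
# "user<TAB>reason<TAB>command" for every sudo line that carries a refusal reason.
# sudo writes "<user> : <reason> ; TTY=..." when it refuses and "<user> : TTY=..." when it
# allows, so the field right after "user :" tells the two apart. Fields are " ; " separated.
sudo_denials() {
    awk -F' ; ' '
        $1 ~ / sudo: / {
            split($1, head, " sudo: +")         # sudo pads short user names with spaces
            split(head[2], uf, " : ")
            user = uf[1]; reason = uf[2]
            if (reason ~ /^TTY=/) next          # allowed invocation, no reason field
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            print user "\t" reason "\t" cmd
        }' "$1"
}

# sudo_root_commands LOGFILE
# "user<TAB>command" for every sudo invocation that was allowed and targeted USER=root.
sudo_root_commands() {
    awk -F' ; ' '
        $1 ~ / sudo: / && $1 ~ / : TTY=/ {
            split($1, head, " sudo: +")
            split(head[2], uf, " : ")
            user = uf[1]
            target = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/) target = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            }
            if (target == "root") print user "\t" cmd
        }' "$1"
}

# Demo run over the constructed sample.
tmp=$(mktemp)
printf '%s' "$SAMPLE_SECURE_LOG" > "$tmp"
echo "== refused sudo attempts (user, reason, command) =="
sudo_denials "$tmp"
echo "== commands run as root via sudo (user, command) =="
sudo_root_commands "$tmp"
rm -f "$tmp"
```

On a live CentOS host the same functions run as `sudo_denials /var/log/secure`; "user NOT in sudoers" is the event behind the centos2 transcript above, while "command not allowed" is what appears when a user who is in sudoers, such as centos with only /usr/bin/cat, tries something outside their grant.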