3.7 The su command
3.8 The sudo command
3.9 Restricting remote root login
3.7 The su command
1. The difference between su and su -
With the "-" the switch is complete: su starts a login shell, so the target user's home directory, shell and environment (HOME, PATH, startup files) are taken over and the working directory changes to that home. Without it only the user identity changes; you keep the current directory and the caller's environment, which is why the prompt below still shows user1 as the working directory after su root. When switching to root, prefer su - so that the caller's PATH and other variables are not carried into the root shell.
[[email protected] ~]$ sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
[[email protected] ~]$ su root
Password:
[[email protected] user1]#
2. Run a single command as a specified user
[[email protected] ~]# su - -c "touch /tmp/xqiang.001" user1
touch: cannot touch '/tmp/xqiang.001': Permission denied
[[email protected] ~]# su - -c "touch /tmp/xqiang.002" user1
[[email protected] ~]# su - -c "touch /tmp/xqiang.001" user1
touch: cannot touch '/tmp/xqiang.001': Permission denied
[[email protected] ~]# su - -c "touch /tmp/xqiang.001" root
The command really runs with user1's permissions: the first and third attempts fail because /tmp/xqiang.001 evidently already existed and was not writable by user1 (in the sticky /tmp directory only a file's owner, or root, may modify it), whereas the new name /tmp/xqiang.002 is created without complaint and root can touch either file.
3. How to create a home directory for a user that has none
[[email protected] ~]# useradd -M user3 ## create a user without a home directory
[[email protected] ~]# ls /home/
aming awk.txt tom user1 user2
[[email protected] ~]# su - user3
su: warning: cannot change directory to /home/user3: No such file or directory
-bash-4.2$ logout
[[email protected] ~]# logout
Without a home directory there is no .bash_profile or .bashrc to read, which is why the prompt falls back to the bare -bash-4.2$ form.
[[email protected] user1]# exit
[[email protected] ~]$ su - root
Password:
Last login: Wed Jun 13 22:32:23 CST 2018 on pts/1
[[email protected] ~]# id user3
uid=1003(user3) gid=1004(user3) groups=1004(user3)
[[email protected] ~]# mkdir /home/user3
[[email protected] ~]# chown user3:user3 /home/user3
[[email protected] ~]# su - user3
Last login: Wed Jun 13 22:39:01 CST 2018 on pts/1
-bash-4.2$ logout
[[email protected] ~]# su - user3
Last login: Wed Jun 13 22:42:29 CST 2018 on pts/1
-bash-4.2$ ls -la
total 0
drwxr-xr-x. 4 user3 user3 35 Jun 13 22:42 .
drwxr-xr-x. 7 root root 84 Jun 13 22:41 ..
drwxrwxr-x. 3 user3 user3 18 Jun 13 22:42 .cache
drwxrwxr-x. 3 user3 user3 18 Jun 13 22:42 .config
-bash-4.2$ logout
[[email protected] ~]# ls -la ## for comparison: root's home has the shell startup files that user3's lacks
total 40
dr-xr-x---. 5 root root 220 Apr 22 19:35 .
dr-xr-xr-x. 17 root root 245 Jun 1 15:58 ..
-rw-------. 1 root root 1418 Mar 27 05:31 anaconda-ks.cfg
-rw-------. 1 root root 7696 Jun 13 22:40 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
drwx------. 3 root root 18 Mar 26 22:32 .cache
drwxr-xr-x. 3 root root 18 Mar 26 22:32 .config
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-r--r--. 1 root root 1466 Mar 26 22:28 initial-setup-ks.cfg
-rw-------. 1 root root 44 Apr 22 19:36 .lesshst
drwx------. 2 root root 108 Jun 1 15:51 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
[[email protected] ~]# ls -la /etc/skel/ ## template directory; useradd -m copies it into every new home
total 24
drwxr-xr-x. 3 root root 78 Mar 26 22:17 .
drwxr-xr-x. 138 root root 8192 Jun 13 22:38 ..
-rw-r--r--. 1 root root 18 Aug 3 2017 .bash_logout
-rw-r--r--. 1 root root 193 Aug 3 2017 .bash_profile
-rw-r--r--. 1 root root 231 Aug 3 2017 .bashrc
drwxr-xr-x. 4 root root 39 Mar 26 22:17 .mozilla
[[email protected] ~]# cp /etc/skel/.bash* /home/user3/
[[email protected] ~]# chown -R user3:user3 /home/user3/
[[email protected] ~]# su - user3
Last login: Wed Jun 13 22:42:55 CST 2018 on pts/1
[[email protected] ~]$
With the startup files in place the prompt is back to its normal form. Two things to check afterwards. mkdir created /home/user3 with mode 755 (drwxr-xr-x in the listing above), so every local user can list it, whereas useradd -m on CentOS 7 creates home directories with mode 700 (UMASK 077 in /etc/login.defs); run chmod 700 /home/user3 to match. And cp /etc/skel/.bash* copies only the three bash files, not subdirectories such as .mozilla; cp -a /etc/skel/. /home/user3/ copies the whole template.
3.8 The sudo command
1. Use visudo (as root) to grant one user the right to run a few specific commands
[[email protected] ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user1 ALL=(ALL) ls,mv,cat,head,tail ## visudo reported a syntax error on this line (commands must be given as absolute paths), so the line below was used instead
user1 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat, /usr/bin/head, /usr/bin/tail
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
:wq
:set nu ## show line numbers in vi
Two caveats on the rule above. visudo checks syntax only, so a mistyped path (for example /user/bin/mv instead of /usr/bin/mv) is accepted and simply never matches; confirm what a user actually received with sudo -l -U user1 and by running the command. More importantly, the rule is far broader than it looks: (ALL) lets user1 run the listed commands as any account, cat/head/tail as root read every file on the system including /etc/shadow, and mv as root can replace any file, /etc/sudoers included, so this grant is effectively unrestricted root. Restrict the run-as user with (root) and do not delegate file-moving or file-reading commands unless that is the intent.
2. With sudo an ordinary user can temporarily act as root
First undo an earlier experiment: /usr/bin/ls had been given a setgid bit (the "s" in -rwxr-sr-x below), which let user1 read /root, a directory only root's user and group may enter. The first chmod targets the wrong bit (on CentOS 7 /bin is a symlink to /usr/bin, so /bin/ls and /usr/bin/ls are the same file); the second removes the right one.
[[email protected] ~]# chmod u-s /bin/ls
[[email protected] ~]# su - user1
Last login: Thu Jun 14 02:52:31 UTC 2018 on pts/0
[[email protected] ~]$ ls /root/
11.txt 12.txt 13.txt anaconda-ks.cfg.1 a.txt dir1 PUTTY.CHM
[[email protected] ~]$ logout
[[email protected] ~]# ls -l /usr/bin/ls
-rwxr-sr-x 1 root root 117656 Nov 5 2016 /usr/bin/ls
[[email protected] ~]# chmod g-s /usr/bin/ls
[[email protected] ~]# ls -l /usr/bin/ls
-rwxr-xr-x 1 root root 117656 Nov 5 2016 /usr/bin/ls
[[email protected] ~]# su - user1
Last login: Thu Jun 14 02:53:58 UTC 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
With sudo, user1 can list it again:
[[email protected] ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user1:
11.txt 12.txt 13.txt anaconda-ks.cfg.1 a.txt dir1 PUTTY.CHM
3. A small change in visudo lets these commands run under sudo without asking for a password
user1 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/mv, /usr/bin/cat, /usr/bin/head, /usr/bin/tail
[[email protected] ~]$ sudo ls /root/
11.txt 12.txt 13.txt anaconda-ks.cfg.1 a.txt dir1 PUTTY.CHM
4. The same rules can be applied to a whole group: write %groupname in place of the user name, as in the commented %sys example in the file above.
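A small sudoers linter, added here as an example and not part of the original post or of sudo itself. It catches both mistakes made in the transcript above (bare command names, which visudo rejects, and a /user/bin path typo, which visudo accepts silently because it checks syntax rather than whether a path exists) and flags grants that amount to unrestricted root anyway. The function names lint_sudoers_line, lint_sudoers_file and is_dangerous, and the list of dangerous binaries, are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the original post): a small linter for sudoers user
# specifications. It catches the two mistakes in the transcript above (bare
# command names, which visudo rejects; a /user/bin path typo, which visudo
# accepts silently) and flags grants that amount to unrestricted root anyway.
# lint_sudoers_line, lint_sudoers_file and is_dangerous are names chosen here.
set -u

# Run as root, each of these can overwrite arbitrary files or start a shell,
# so listing one in sudoers is equivalent to granting ALL.
DANGEROUS_CMDS="mv cp dd tee chmod chown chgrp su sudo bash sh dash zsh env
vi vim nano less more find awk sed perl python python3 visudo"

# is_dangerous BASENAME -> 0 if BASENAME is in the list above
is_dangerous() {
    local b
    for b in $DANGEROUS_CMDS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# lint_sudoers_line LINE
#   Prints one finding per problem and returns the number of findings (0 = clean).
#   Comments, blank lines, Defaults and *_Alias definitions are ignored; alias
#   references (upper-case words such as SOFTWARE) are not expanded, just skipped.
lint_sudoers_line() {
    local line=$1 user spec runas="" cmd base n=0 old_ifs
    line=${line#"${line%%[![:space:]]*}"}          # trim leading whitespace
    case $line in ''|\#*|Defaults*|*_Alias*) return 0 ;; esac
    case $line in *=*) ;; *) echo "cannot parse: $line"; return 1 ;; esac
    user=${line%%[[:space:]]*}
    spec=${line#*=}                                # text after HOST=
    spec=${spec#"${spec%%[![:space:]]*}"}
    case $spec in \(*\)*)                          # optional (runas) part
        runas=${spec%%\)*}; runas=${runas#\(}; spec=${spec#*\)} ;;
    esac
    # Drop tags such as NOPASSWD: / NOEXEC: / SETENV: (a leading space is added
    # so that a tag directly after "=" or ")" is matched as well)
    spec=$(printf ' %s' "$spec" | sed -E 's/[[:space:]][[:upper:]_]+:[[:space:]]*/ /g')
    if [ "$runas" = "ALL" ]; then
        echo "$user: runas (ALL) permits running as any account, not only root"
        n=$((n + 1))
    fi
    old_ifs=$IFS; IFS=,; set -f                    # split on commas, no globbing
    for cmd in $spec; do
        IFS=$old_ifs
        cmd=$(printf '%s' "$cmd" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
        cmd=${cmd%%[[:space:]]*}                   # keep the binary, drop arguments
        [ -z "$cmd" ] && continue
        if [ "$cmd" = "ALL" ]; then
            echo "$user: ALL grants every command"; n=$((n + 1)); continue
        fi
        case $cmd in
            [[:upper:]]*) continue ;;              # Cmnd_Alias reference, not checked
            /*) ;;
            *) echo "$user: '$cmd' is not an absolute path (visudo rejects this)"
               n=$((n + 1)); continue ;;
        esac
        if [ ! -e "$cmd" ]; then
            echo "$user: '$cmd' does not exist on this host (typo?)"; n=$((n + 1))
        fi
        base=${cmd##*/}
        if is_dangerous "$base"; then
            echo "$user: '$cmd' as root is equivalent to full root (shell escape or arbitrary file write)"
            n=$((n + 1))
        fi
    done
    set +f; IFS=$old_ifs
    return $n
}

# lint_sudoers_file FILE -> lints every line, returns the total number of findings
lint_sudoers_file() {
    local total=0 l
    while IFS= read -r l || [ -n "$l" ]; do
        lint_sudoers_line "$l" || total=$((total + $?))
    done < "$1"
    return $total
}

# Typical use on a host:  lint_sudoers_file /etc/sudoers; lint_sudoers_file /etc/sudoers.d/user1
```

Run against /etc/sudoers (or a drop-in under /etc/sudoers.d) after editing; a non-zero exit means at least one finding was printed. The existence check is host-specific by design, which is exactly what exposes a path such as /user/bin/mv that visudo lets through.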
3.9 Restricting remote root login
1. Edit /etc/ssh/sshd_config to refuse root logins over SSH
[[email protected] ~]# vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no ## uncomment this line and change yes to no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
[[email protected] ~]# systemctl restart sshd.service ## restart sshd to apply the change
Log in again as root over SSH to confirm that the login is now refused. Before restarting, check the edited file with sshd -t and keep the current session open until a fresh login as an ordinary user works, otherwise a typo can lock you out of the machine. Note that PermitRootLogin no also rejects key-based root logins; prohibit-password (called without-password on older releases) allows keys but refuses passwords.
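The same change made from a script, added here as an example and not part of the original post or of OpenSSH: it sets a directive idempotently (replacing a commented or uncommented existing line, dropping duplicates, and inserting before the first Match block rather than after it, since lines after Match apply only to that block) and rewrites the file in place so that its mode, owner and SELinux label survive. The function names set_sshd_option and active_value are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): set an sshd_config directive from a
# script instead of editing it by hand in vi, then validate before restarting.
# set_sshd_option and active_value are names chosen here, not OpenSSH tools.
set -u

# set_sshd_option FILE KEY VALUE
#   Rewrites FILE so that exactly one active "KEY VALUE" line exists in the global
#   section: the first matching line (commented out or not) is replaced, later
#   duplicates are dropped, and if none exists the directive is appended, or put
#   before the first Match block, because lines after "Match" only apply to that
#   block. Keys are compared case-insensitively, as sshd does.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # look past a leading "#" too
            split(line, f, /[ \t=]+/)            # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match" && !commented) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && k == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                             # drop stale copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place rather than mv: keeps the inode, mode, owner and SELinux
    # label of /etc/ssh/sshd_config (a file moved in from /tmp would carry tmp_t).
    if ! cat "$tmp" > "$file"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    return 0
}

# active_value FILE KEY -> prints the effective value(s) of KEY in the global section
active_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# On a real host, as root:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t && systemctl restart sshd.service   # never restart on a config sshd -t rejects
```

Validate with sshd -t before the restart and read back the result with active_value, so that the setting is verified from the file rather than assumed from the edit.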
2. Use visudo to let a specific user run su, giving them a root shell on demand
[[email protected] ~]# visudo
...
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user1 ALL=(ALL) NOPASSWD: /usr/bin/su
...
With root's SSH login disabled, this is how an administrator still reaches a root shell: log in as user1, then escalate. Be clear about what the rule means: NOPASSWD on su makes user1 the equivalent of a passwordless root account, so user1's own credentials (password or SSH key) must be protected accordingly, and sudo logs only the su invocation, not the commands run in the root shell afterwards.
3. Log in remotely as user1 and switch to root with sudo su -
[[email protected] ~]$ sudo su - root
Last login: Thu Jun 14 14:27:24 CST 2018 from 192.168.171.1 on pts/0
Last failed login: Thu Jun 14 17:34:50 CST 2018 from 192.168.171.1 on ssh:notty
There were 4 failed login attempts since the last successful login.
[[email protected] ~]#
The failed logins reported here came over SSH without a terminal (ssh:notty) from the same client, consistent with direct root logins being refused after step 1; a last-login banner like this is worth reading rather than dismissing, since it is the first place an unexpected attempt shows up.
Reposted from: https://my.oschina.net/u/3873515/blog/1830727