利用sudo实现授权

范例1：对kobe用户实现挂载 /deev/cdrom /mnt 和取消挂载的授权

[root@centos8 ~]#su - kobe
Last login: Tue Sep  8 17:18:50 CST 2020 on pts/1
[kobe@centos8 ~]$sudo mount /dev/cdrom /mnt
[sudo] password for kobe: 
kobe is not in the sudoers file.  This incident will be reported.

[root@centos8 ~]#vim /etc/sudoers
#在root  ALL=(ALL)   ALL行下添加：
kobe 10.0.0.8=(root) /usr/bin/mount /dev/cdrom /mnt,/usr/bin/umount

[kobe@centos8 ~]$sudo mount /dev/cdrom /mnt
mount: /mnt: WARNING: device write-protected, mounted read-only.
[kobe@centos8 ~]$df
Filesystem          1K-blocks    Used Available Use% Mounted on
devtmpfs               393084       0    393084   0% /dev
tmpfs                  408636       0    408636   0% /dev/shm
tmpfs                  408636    5800    402836   2% /run
tmpfs                  408636       0    408636   0% /sys/fs/cgroup
/dev/mapper/cl-root 104806400 2237032 102569368   3% /
/dev/sda1              999320  129212    801296  14% /boot
tmpfs                   81724       0     81724   0% /run/user/0
/dev/sr0              6967726 6967726         0 100% /mnt
[kobe@centos8 ~]$sudo umount /mnt 
[kobe@centos8 ~]$df
Filesystem          1K-blocks    Used Available Use% Mounted on
devtmpfs               393084       0    393084   0% /dev
tmpfs                  408636       0    408636   0% /dev/shm
tmpfs                  408636    5800    402836   2% /run
tmpfs                  408636       0    408636   0% /sys/fs/cgroup
/dev/mapper/cl-root 104806400 2237032 102569368   3% /
/dev/sda1              999320  129212    801296  14% /boot
tmpfs                   81724       0     81724   0% /run/user/0
[kobe@centos8 ~]$

范例：

[root@centos8 ~]#usermod -aG wheel kobe
[root@centos8 ~]#id kobe
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe),10(wheel)
#注销登录并重新登录
[root@centos8 ~]#exit
[root@centos8 ~]#su - kobe
Last login: Tue Sep  8 17:35:26 CST 2020 on pts/0
[kobe@centos8 ~]$cat /etc/shadow
cat: /etc/shadow: Permission denied
[kobe@centos8 ~]$sudo cat /etc/shadow
[sudo] password for kobe: 
Sorry, try again.
[sudo] password for kobe: 
root:$6$//yuML3PjCxyds8S$mRTjPDogceYwOK5EufloYFzNK1CyyQmPhlzE7cZ45HcSqyRbX9fu1yEuaPOYLx6XCTm4GMlkjb5L.gJMA0q5p/:18499:0:99999:7:::
bin:*:18027:0:99999:7:::
daemon:*:18027:0:99999:7:::
adm:*:18027:0:99999:7:::
lp:*:18027:0:99999:7:::
sync:*:18027:0:99999:7:::
shutdown:*:18027:0:99999:7:::
halt:*:18027:0:99999:7:::
mail:*:18027:0:99999:7:::
operator:*:18027:0:99999:7:::
games:*:18027:0:99999:7:::
ftp:*:18027:0:99999:7:::
nobody:*:18027:0:99999:7:::
dbus:!!:18492::::::
systemd-coredump:!!:18492::::::
systemd-resolve:!!:18492::::::
tss:!!:18492::::::
polkitd:!!:18492::::::
unbound:!!:18492::::::
sssd:!!:18492::::::
sshd:!!:18492::::::
tcpdump:!!:18499::::::
postfix:!!:18499::::::
kobe:$6$/RTzdJfOM2Qc4cla$dJpooqR//0CiSDjE1xwqFsA3vCt5OTeX6QVFtaX9r0YbNBtPXvhrtT3Obh.BUKX5tvyJvVNb5mkUWak3OmwSI/:18502:0:99999:7:::

[root@centos8 ~]#groupmems -d kobe -g wheel
[root@centos8 ~]#id kobe
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe)

范例：

[root@centos8 ~]#visudo -f /etc/sudoers.d/test
[root@centos8 ~]#cat /etc/sudoers.d/test 
kobe ALL=(xu) /usr/bin/cat /data/test.txt
[root@centos8 ~]#ll /etc/sudoers
-r--r----- 1 root root 4327 Sep  8 17:33 /etc/sudoers
[root@centos8 ~]#ll /etc/sudoers.d/test 
-rw-r--r-- 1 root root 42 Sep  8 17:41 /etc/sudoers.d/test
[root@centos8 ~]#chmod 440 /etc/sudoers.d/test 
[root@centos8 ~]#su - kobe
[kobe@centos8 ~]$sudo -u xu cat /data/test.txt 
[sudo] password for kobe: 

#
# /etc/fstab
# Created by anaconda on Wed Aug 19 06:30:38 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/cl-root     /                       xfs     defaults        0 0
UUID=72567fe9-b708-40fa-ba72-bcf5d38734a7 /boot                   ext4    defaults        1 2
/dev/mapper/cl-data     /data                   xfs     defaults        0 0
/dev/mapper/cl-swap     swap                    swap    defaults        0 0

[root@centos8 ~]#visudo -f /etc/sudoers.d/test
[root@centos8 ~]#cat /etc/sudoers.d/test 
kobe ALL=(xu) /usr/bin/cat /data/test.txt
xu ALL=(ALL) NOPASSWD:ALL
[root@centos8 ~]#su - xu
[xu@centos8 ~]$sudo useradd hehe
[xu@centos8 ~]$sudo getent passwd hehe
hehe:x:1002:1002::/home/hehe:/bin/bash

[root@centos8 ~]#visudo -f /etc/sudoers.d/test 
[root@centos8 ~]#cat /etc/sudoers.d/test 
kobe ALL=(xu) /usr/bin/cat /data/test.txt
xu ALL=(ALL) sudoedit 
[xu@centos8 ~]$sudoedit /etc/sudoers
[sudo] password for xu: 
sudoedit: /etc/sudoers unchanged

案例8：问题如下，如何解决?

 %operator ALL = /bin/cat /var/log/messages*

     will allow command like:

         $ sudo cat /var/log/messages.1

     It will also allow:

         $ sudo cat /var/log/messages /etc/shadow

     which is probably not what was intended.  In most cases it is better to
     do command line processing outside of the sudoers file in a scripting
     language.

方法：
[root@centos8 ~]#visudo -f /etc/sudoers.d/test
xu ALL=(ALL) /usr/bin/cat /var/log/messages*,!/usr/bin/cat /var/log/messages* *

验证：
[xu@centos8 ~]$sudo cat /var/log/messages /etc/shadow
Sorry, user xu is not allowed to execute '/bin/cat /var/log/messages /etc/shadow' as root on centos8.kobe.com.

[xu@centos8 ~]$sudo cat /var/log/messages |less
[xu@centos8 ~]$sudo cat /etc/shadow
Sorry, user xu is not allowed to execute '/bin/cat /etc/shadow' as root on centos8.kobe.com.

范例：ubuntu 默认用户具有sudo权限

root@ubuntu1804:~# grep %sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
root@ubuntu1804:~# id kobe
uid=1000(kobe) gid=1000(kobe)
groups=1000(kobe),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpa
dmin),114(sambashare)
#默认的用户kobe 属于此sudo组，所以kobe有所有权限