范例1:对kobe用户实现挂载 /dev/cdrom /mnt 和取消挂载的授权
[root@centos8 ~]#su - kobe
Last login: Tue Sep 8 17:18:50 CST 2020 on pts/1
[kobe@centos8 ~]$sudo mount /dev/cdrom /mnt
[sudo] password for kobe:
kobe is not in the sudoers file. This incident will be reported.
[root@centos8 ~]#vim /etc/sudoers
#在root ALL=(ALL) ALL行下添加:
kobe 10.0.0.8=(root) /usr/bin/mount /dev/cdrom /mnt,/usr/bin/umount
[kobe@centos8 ~]$sudo mount /dev/cdrom /mnt
mount: /mnt: WARNING: device write-protected, mounted read-only.
[kobe@centos8 ~]$df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 393084 0 393084 0% /dev
tmpfs 408636 0 408636 0% /dev/shm
tmpfs 408636 5800 402836 2% /run
tmpfs 408636 0 408636 0% /sys/fs/cgroup
/dev/mapper/cl-root 104806400 2237032 102569368 3% /
/dev/sda1 999320 129212 801296 14% /boot
tmpfs 81724 0 81724 0% /run/user/0
/dev/sr0 6967726 6967726 0 100% /mnt
[kobe@centos8 ~]$sudo umount /mnt
[kobe@centos8 ~]$df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 393084 0 393084 0% /dev
tmpfs 408636 0 408636 0% /dev/shm
tmpfs 408636 5800 402836 2% /run
tmpfs 408636 0 408636 0% /sys/fs/cgroup
/dev/mapper/cl-root 104806400 2237032 102569368 3% /
/dev/sda1 999320 129212 801296 14% /boot
tmpfs 81724 0 81724 0% /run/user/0
[kobe@centos8 ~]$
范例:
[root@centos8 ~]#usermod -aG wheel kobe
[root@centos8 ~]#id kobe
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe),10(wheel)
#注销登录并重新登录(新加入的组成员身份在重新登录后才生效)
[root@centos8 ~]#exit
[root@centos8 ~]#su - kobe
Last login: Tue Sep 8 17:35:26 CST 2020 on pts/0
[kobe@centos8 ~]$cat /etc/shadow
cat: /etc/shadow: Permission denied
[kobe@centos8 ~]$sudo cat /etc/shadow
[sudo] password for kobe:
Sorry, try again.
[sudo] password for kobe:
root:$6$//yuML3PjCxyds8S$mRTjPDogceYwOK5EufloYFzNK1CyyQmPhlzE7cZ45HcSqyRbX9fu1yEuaPOYLx6XCTm4GMlkjb5L.gJMA0q5p/:18499:0:99999:7:::
bin:*:18027:0:99999:7:::
daemon:*:18027:0:99999:7:::
adm:*:18027:0:99999:7:::
lp:*:18027:0:99999:7:::
sync:*:18027:0:99999:7:::
shutdown:*:18027:0:99999:7:::
halt:*:18027:0:99999:7:::
mail:*:18027:0:99999:7:::
operator:*:18027:0:99999:7:::
games:*:18027:0:99999:7:::
ftp:*:18027:0:99999:7:::
nobody:*:18027:0:99999:7:::
dbus:!!:18492::::::
systemd-coredump:!!:18492::::::
systemd-resolve:!!:18492::::::
tss:!!:18492::::::
polkitd:!!:18492::::::
unbound:!!:18492::::::
sssd:!!:18492::::::
sshd:!!:18492::::::
tcpdump:!!:18499::::::
postfix:!!:18499::::::
kobe:$6$/RTzdJfOM2Qc4cla$dJpooqR//0CiSDjE1xwqFsA3vCt5OTeX6QVFtaX9r0YbNBtPXvhrtT3Obh.BUKX5tvyJvVNb5mkUWak3OmwSI/:18502:0:99999:7:::
[root@centos8 ~]#groupmems -d kobe -g wheel
[root@centos8 ~]#id kobe
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe)
范例:
[root@centos8 ~]#visudo -f /etc/sudoers.d/test
[root@centos8 ~]#cat /etc/sudoers.d/test
kobe ALL=(xu) /usr/bin/cat /data/test.txt
[root@centos8 ~]#ll /etc/sudoers
-r--r----- 1 root root 4327 Sep 8 17:33 /etc/sudoers
[root@centos8 ~]#ll /etc/sudoers.d/test
-rw-r--r-- 1 root root 42 Sep 8 17:41 /etc/sudoers.d/test
[root@centos8 ~]#chmod 440 /etc/sudoers.d/test
[root@centos8 ~]#su - kobe
[kobe@centos8 ~]$sudo -u xu cat /data/test.txt
[sudo] password for kobe:
#
# /etc/fstab
# Created by anaconda on Wed Aug 19 06:30:38 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/cl-root / xfs defaults 0 0
UUID=72567fe9-b708-40fa-ba72-bcf5d38734a7 /boot ext4 defaults 1 2
/dev/mapper/cl-data /data xfs defaults 0 0
/dev/mapper/cl-swap swap swap defaults 0 0
[root@centos8 ~]#visudo -f /etc/sudoers.d/test
[root@centos8 ~]#cat /etc/sudoers.d/test
kobe ALL=(xu) /usr/bin/cat /data/test.txt
xu ALL=(ALL) NOPASSWD:ALL
[root@centos8 ~]#su - xu
[xu@centos8 ~]$sudo useradd hehe
[xu@centos8 ~]$sudo getent passwd hehe
hehe:x:1002:1002::/home/hehe:/bin/bash
[root@centos8 ~]#visudo -f /etc/sudoers.d/test
[root@centos8 ~]#cat /etc/sudoers.d/test
kobe ALL=(xu) /usr/bin/cat /data/test.txt
xu ALL=(ALL) sudoedit
[xu@centos8 ~]$sudoedit /etc/sudoers
[sudo] password for xu:
sudoedit: /etc/sudoers unchanged
案例8:问题如下,如何解决?
%operator ALL = /bin/cat /var/log/messages*
will allow commands like:
$ sudo cat /var/log/messages.1
It will also allow:
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to
do command line processing outside of the sudoers file in a scripting
language.
方法:
[root@centos8 ~]#visudo -f /etc/sudoers.d/test
xu ALL=(ALL) /usr/bin/cat /var/log/messages*,!/usr/bin/cat /var/log/messages* *
验证:
[xu@centos8 ~]$sudo cat /var/log/messages /etc/shadow
Sorry, user xu is not allowed to execute '/bin/cat /var/log/messages /etc/shadow' as root on centos8.kobe.com.
[xu@centos8 ~]$sudo cat /var/log/messages |less
[xu@centos8 ~]$sudo cat /etc/shadow
Sorry, user xu is not allowed to execute '/bin/cat /etc/shadow' as root on centos8.kobe.com.
范例:ubuntu 默认用户具有sudo权限
root@ubuntu1804:~# grep %sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
root@ubuntu1804:~# id kobe
uid=1000(kobe) gid=1000(kobe) groups=1000(kobe),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
#默认的用户kobe 属于此sudo组,所以kobe有所有权限