su命sudo命令限制root远程登录
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了su命sudo命令限制root远程登录相关的知识,希望对你有一定的参考价值。
3.7 su命令
· su切换用户但不切换当前工作目录以及 HOME,SHELL,USER,LOGNAME;仅仅拥有了root的权限
[[email protected]~]# su vitus
[[email protected]]$ pwd
/root
· su-,su-l或su--login 命令改变身份时,也同时变更工作目录,以及HOME,SHELL,USER,LOGNAME。此外,也会变更PATH变量
[[email protected]~]# su - vitus
上一次登录:四 10月 26 20:09:48 CST 2689pxs/0 上
[[email protected]~]$ pwd
/home/vitus
· su- -c 指定用户的身份去执行命令
[[email protected]~]# su - -c "touch /tmp/vitus.txt" vitus
[[email protected]~]# ls -l /tmp/
总用量 1
-rw-rw-r--1 vitus vitus 0 10月 26 21:31 vitus.txt
· root切换至其它普通用户时无需密码,普通用户切换至用户时需要输入目标用户的密码
3.8 sudo命令让普通用户临时拥有root用户的身份,方便执行某些操作,避免将root用户的密码分发给过多员工
· visudo打开sudoer的配置文件
[[email protected]~]# visudo
##Sudoers allows particular users to run various commands as
## theroot user, without needing the root password.
##
##Examples are provided at the bottom of the file for collections
## ofrelated commands, which can then be delegated out to particular
## usersor groups.
##
## Thisfile must be edited with the ‘visudo‘ command.
## HostAliases --主机别名授权
## Groupsof machines. You may prefer to use hostnames (perhaps using
##wildcards for entire domains) or IP addresses instead.
#Host_Alias FILESERVERS = fs1, fs2
#Host_Alias MAILSERVERS = smtp, smtp2
## UserAliases --用户别名授权
## Thesearen‘t often necessary, as you can use regular groups
## (ie,from files, LDAP, NIS, etc) in this file - just use %groupname
## ratherthan USERALIAS
#User_Alias ADMINS = jsmith, mikem
##Command Aliases
## Theseare groups of related commands...
##Networking
##Installation and management of software
#Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
##Services
##Updating the locate database
#Cmnd_Alias LOCATE = /usr/bin/updatedb
##Storage
#Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe,/bin/mount, /bin/umount
##Delegating permissions
#Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
##Processes
#Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
##Drivers
#Cmnd_Alias DRIVERS = /sbin/modprobe
#Defaults specification
#
# Refuseto run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
#Preserving HOME has security implications since many programs
# use itwhen searching for configuration files. Note that HOME
# isalready set when the the env_reset option is enabled, so
# thisoption is only effective for configurations where either
#env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIRUSERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATELC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAMELC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGELINGUAS _XKB_CHARSET XAUTHORITY"
#
# AddingHOME to env_keep may enable a user to run unrestricted
#commands via sudo.
#
#Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comesthe main part: which users can run what software on
## whichmachines (the sudoers file can be shared between multiple
##systems).
##Syntax:
##
## user MACHINE=COMMANDS
##
## TheCOMMANDS section may have other options added to it.
##
## Allowroot to run any commands anywhere
root ALL=(ALL) ALL --允许root用户在任何地方运行所有的命令
vitus ALL=(ALL) /usr/bin/ls, /usr/bin/mv,/usr/bin/cat --为普通用户添加ls,mv,cat权限
## Allowsmembers of the ‘sys‘ group to run networking, software,
##service management apps and more.
# %sysALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE,DRIVERS
## Allowspeople in group wheel to run all commands
%wheel ALL=(ALL) ALL --为group成员添加权限
## Samething without a password
#%wheel ALL=(ALL) NOPASSWD: ALL
## Allowsmembers of the users group to mount and unmount the
## cdromas root
#%users ALL=/sbin/mount /mnt/cdrom,/sbin/umount /mnt/cdrom
## Allowsmembers of the users group to shutdown this system
#%users localhost=/sbin/shutdown -h now
## Readdrop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir/etc/sudoers.d
· 测试普通用户vitus下ls,mv,cat的是否可以使用
[[email protected]~]# su - vitus
上一次登录:四 10月 26 21:50:40 CST 2689pxs/0 上
[[email protected]~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[[email protected]~]$ sudo ls /root/
[sudo]password for vitus:
anaconda-ks.cfg showtime.txt test
[[email protected]~]$ mv /root/showtime.txt /root/showtime_1.txt
mv:failed to access "/root/showtime_1.txt": 权限不够
[[email protected]~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[[email protected]~]$ sudo ls /root/
anaconda-ks.cfg showtime_1.txt test
[[email protected]~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[[email protected]~]$ cat /root/showtime.txt
cat:/root/showtime.txt: 权限不够
[[email protected]~]$ sudo cat /root/showtime.txt
linux
learninglinux
3.9 限制root远程登录
1.修改/etc/ssh/sshd_config配置文件,将#PermitRootLogin yes改为PermitRootLogin no
[[email protected]~]# vim /etc/ssh/sshd_config
#PermitRootLoginyes --将其修改,去掉注释#,将yes改为no,保存退出
[[email protected]~]# systemctl restart sshd.service --重启ssh服务
login as:root
[email protected]‘spassword:
Accessdenied
[email protected]‘spassword:
Accessdenied
[email protected]‘spassword: --这时使用密码无法登录root
2.修改visudo,添加
vitus ALL=(ALL) NOPASSWD: /bin/su, /bin/sudo
3.使用普通用户登录然后通过sudo su - root切换至root用户下
[[email protected]~]$ sudo su - root
上一次登录:四 10月 26 22:37:43 CST 2689pxs/0 上
[[email protected]~]# whoami
root
以上是关于su命sudo命令限制root远程登录的主要内容,如果未能解决你的问题,请参考以下文章