su: the switch-user command
Usage: su - username
The "-" in the middle is required; without it the switch is incomplete (the environment and working directory are not changed).
[[email protected] ~]# pwd
/root
[[email protected] ~]# su user1
[[email protected] root]$ pwd
/root
[[email protected] root]$ su - user1
密码:
上一次登录:四 8月 17 09:24:20 CST 2017pts/0 上
[[email protected] ~]$ pwd
/home/user1
[[email protected] ~]$
Create a file as a specified user: su - -c "touch filename" username
[[email protected] ~]# su - -c "touch /tmp/aming.112" user3
[[email protected] ~]# ls -lt /tmp/ |head
总用量 4
-rw-r--r--. 1 user3 grp1 0 8月 17 09:28 aming.112
drwx------. 3 root root 17 8月 17 09:17 systemd-private-962282525abe4fc2ab6e64178898e746-vmtoolsd.service-QxhA0G
drwx------. 3 root root 17 8月 16 09:41 systemd-private-b722b0a8816847f48d10110cb8143b36-vmtoolsd.service-i4Qxrz
drwx------. 3 root root 17 8月 15 19:02 systemd-private-120e72494534457f832c658a3c0fe839-vmtoolsd.service-TjInFD
drwx------. 3 root root 17 8月 15 00:18 systemd-private-2a54bfd43862496f9954bc45a0ed32f5-vmtoolsd.service-dGG7hc
drwx------. 3 root root 17 8月 15 00:04 systemd-private-782e234483844c55bea315a060f5d536-vmtoolsd.service-xP7CVe
-rwx------. 1 root root 836 8月 15 00:03 ks-script-qSyJ_w
-rw-------. 1 root root 0 8月 14 23:56 yum.log
[[email protected] ~]# date
2017年 08月 17日 星期四 09:29:26 CST
[[email protected] ~]# id user3
uid=1005(user3) gid=1000(grp1) 组=1000(grp1)
sudo: temporarily granting a specified user privileges
For better security, use the sudo command to grant a specified user privileges temporarily; normally these are root privileges.
First, look at sudo's configuration file.
Use the visudo command to view and edit it, because visudo checks the file for syntax errors. This file is very important: if you edit it with vi and make a mistake, there is no warning at all, which is both dangerous and troublesome.
[[email protected] ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
"/etc/sudoers.tmp" 111L, 3907C
The most important entry in this configuration file is this one, which allows the root user to run any command anywhere:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
If you want user1 to be able to run certain commands anywhere as well, that is possible too.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user1 ALL=(ALL) ls,mv,cat
**(or write ALL instead of the command list, which allows user1 to run any command)**
**:wq** to save; an error is then reported:
visudo:>>> /etc/sudoers:syntax error 在行 92 附近<<<
现在做什么?
选项有:
重新编辑 sudoers 文件(e)
退出,不保存对 sudoers 文件的更改(x)
退出并将更改保存到 sudoers 文件(危险!)(Q)
**This is the benefit of the visudo command: it reports a syntax error at line 92. Press "e" to re-edit.**
**Type :set nu to display line numbers**
88 ## The COMMANDS section may have other options added to it.
89 ##
90 ## Allow root to run any commands anywhere
91 root ALL=(ALL) ALL
92 user1 ALL=(ALL) ls,mv,cat
93 ## Allows members of the 'sys' group to run networking, software,
**The correct syntax is as follows (commands must be given as absolute paths):**
90 ## Allow root to run any commands anywhere
91 root ALL=(ALL) ALL
92 user1 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
93 ## Allows members of the 'sys' group to run networking, software,
A normal ls cannot read the /root directory. After the configuration file has been changed, the command works through sudo; the first time, the user's own password must be entered.
[[email protected] ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[[email protected] ~]$ sudo ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user1:
anaconda-ks.cfg
[[email protected] ~]$
To use sudo without entering a password the first time, configure "NOPASSWD:" in visudo:
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user1 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
user2 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
## Allows members of the 'sys' group to run networking, software,
Now no password is required:
[[email protected] ~]# su - user2
[[email protected] ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[[email protected] ~]$ sudo ls /root/
anaconda-ks.cfg
[[email protected] ~]$
Restricting remote root login to Linux
If everyone in the company logs in remotely with the root password, that is very dangerous: if the password leaks, anyone else can log in remotely as root.
So remote login as the root user should be restricted.
Once it is restricted, sudo su - can be used to switch to the root user.
First, define a user alias in visudo and add the users to it:
# User_Alias ADMINS = jsmith, mikem
User_Alias AMINGS = user1, user2, user3
Then allow the sudo su - command to be run without entering a password. Note that a rule permitting /usr/bin/su through sudo gives those users unrestricted root, so the alias should contain only the administrators who are meant to have it.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user1 ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
user2 ALL=(ALL) NOPASSWD: /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
AMINGS ALL=(ALL) NOPASSWD: /usr/bin/su
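The two kinds of sudoers rule that matter in the sections above, a command list written without absolute paths (which visudo rejects) and a NOPASSWD rule for /usr/bin/su (which is unrestricted root in practice), can both be spotted before a file is installed. The shell script below is an added example, not code from the original post: it reads a sudoers-format text on stdin and prints one finding per command that is not an absolute path, is ALL, or is a shell or su. The sample sudoers text is constructed to mirror the rules shown in the post; alias definitions are skipped rather than expanded, so a Cmnd_Alias name is reported as a non-absolute path.

```shell
#!/bin/sh
# Added example: audit a sudoers-format text read on stdin.
# One finding per line, prefixed with its class:
#   SYNTAX      command is not an absolute path (visudo refuses such a rule)
#   FULL        command list is ALL, i.e. any command
#   ROOT-EQUIV  command is su or a shell, which amounts to unrestricted root
# Rules that grant specific absolute-path commands produce no output.
sudoers_audit() {
  awk '
    { sub(/^[[:space:]]+/, "") }                     # drop leading indentation
    /^(#|$)/ { next }                                # comments and blank lines
    /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
    {
      eq = index($0, "=")                            # "user host=(runas) cmds"
      if (eq == 0) { printf "UNPARSED %s\n", $0; next }
      split(substr($0, 1, eq - 1), lhs, /[[:space:]]+/)
      user = lhs[1]
      rhs = substr($0, eq + 1)
      sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", rhs)   # drop "(ALL)" runas list
      sub(/[[:space:]]+$/, "", rhs)
      pw = "password required"
      while (match(rhs, /^[A-Z]+:[[:space:]]*/)) {   # strip tags such as NOPASSWD:
        if (substr(rhs, RSTART, RLENGTH) ~ /^NOPASSWD:/) pw = "NOPASSWD"
        rhs = substr(rhs, RLENGTH + 1)
      }
      n = split(rhs, cmds, /[[:space:]]*,[[:space:]]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], parts, /[[:space:]]+/)        # first word is the binary
        bin = parts[1]
        if (bin == "ALL")
          printf "FULL %s may run any command (%s)\n", user, pw
        else if (bin !~ /^\//)
          printf "SYNTAX %s: \"%s\" is not an absolute path\n", user, bin
        else if (bin ~ /\/(su|sudo|bash|sh|zsh|ksh|dash)$/)
          printf "ROOT-EQUIV %s may run %s (%s)\n", user, bin, pw
      }
    }'
}

# Constructed sample (not the page's /etc/sudoers): the rules shown in the text.
sample_sudoers() {
  cat <<'EOF'
## constructed sample mirroring the rules discussed above
Defaults    requiretty
root    ALL=(ALL)       ALL
user1   ALL=(ALL)       ls,mv,cat
user2   ALL=(ALL)       NOPASSWD: /usr/bin/ls, /usr/bin/mv, /usr/bin/cat
AMINGS  ALL=(ALL)       NOPASSWD: /usr/bin/su
%wheel  ALL=(ALL)       ALL
EOF
}

# Run the audit over the constructed sample when executed directly.
sample_sudoers | sudoers_audit
```

On a real host, `visudo -c -f /path/to/candidate` is the authoritative syntax check for a file before it is copied into place; the awk pass above adds the policy view that visudo does not give, namely which principals end up with root-equivalent access and whether a password is required for it.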
Test the result; it works:
[[email protected] ~]# su - user1
上一次登录:四 8月 17 10:34:39 CST 2017pts/0 上
[[email protected] ~]$ sudo su -
上一次登录:四 8月 17 10:36:13 CST 2017pts/0 上
[[email protected] ~]# whoami
root
With that done, disable remote root login.
Edit the configuration file /etc/ssh/sshd_config.
Find #PermitRootLogin yes in the file
and change it to PermitRootLogin no (removing the #).
After saving the configuration file, restart the service:
# systemctl restart sshd.service
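One detail of sshd_config matters for this edit: sshd takes the first occurrence of each keyword, and a `#PermitRootLogin yes` line is a comment documenting the default rather than a setting. Appending `PermitRootLogin no` at the end of a file that already contains an uncommented `PermitRootLogin yes` higher up therefore changes nothing, which is why the instruction above is to edit the existing line. The shell function below is an added example, not code from the original post; it reads an sshd_config on stdin and reports the effective global value, stopping at the first Match block because directives there apply only conditionally. The three sample configs are constructed.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin value of an
# sshd_config read on stdin. sshd honours the FIRST occurrence of a keyword,
# ignores commented lines, and applies directives inside a Match block only
# when the Match criteria hold, so the global scan stops at the first Match.
# "unset" means the compiled-in default applies (yes before OpenSSH 7.0,
# prohibit-password from 7.0 on).
permit_root_login() {
  awk '
    { gsub(/=/, " ") }                               # accept "Keyword=value" form
    /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
    tolower($1) == "match" { exit }                  # conditional section begins
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  '
}

# Constructed sample: the default CentOS 7 state described on the page.
sample_sshd_config_before() {
  cat <<'EOF'
# constructed sample
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: after the edit on the page, plus a Match block that the
# global scan must not pick up.
sample_sshd_config_after() {
  cat <<'EOF'
# constructed sample
PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}

# Constructed sample: the common mistake of appending the new directive below
# an existing uncommented one; the earlier "yes" still wins.
sample_sshd_config_appended() {
  cat <<'EOF'
# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
}

# Show the effective value for each constructed sample when executed directly.
for s in before after appended; do
  printf '%s: %s\n' "$s" "$(sample_sshd_config_$s | permit_root_login)"
done
```

On the real host, `sshd -t` validates the file before the restart, and `sshd -T | grep -i permitrootlogin` prints the effective value sshd itself computes, which is the check to run after editing and before trusting the change.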