3.7 su命令
- su切换用户但不切换当前工作目录以及 HOME,SHELL,USER,LOGNAME;仅仅拥有了root的权限
[root@24centos7-01 ~]# su vitus
[vitus@24centos7-01 root]$ pwd
/root
- su -,su -l或su --login 命令改变身份时,也同时变更工作目录,以及HOME,SHELL,USER,LOGNAME。此外,也会变更PATH变量
[root@24centos7-01 ~]# su - vitus
上一次登录:四 10月 26 20:09:48 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ pwd
/home/vitus
- su - -c 指定用户的身份去执行命令
[root@24centos7-01 ~]# su - -c "touch /tmp/vitus.txt" vitus
[root@24centos7-01 ~]# ls -l /tmp/
总用量 1
-rw-rw-r-- 1 vitus vitus 0 10月 26 21:31 vitus.txt
- root切换至其它普通用户时无需密码,普通用户切换至用户时需要输入目标用户的密码
3.8 sudo命令 让普通用户临时拥有root用户的身份,方便执行某些操作,避免将root用户的密码分发给过多员工
- visudo打开sudoer的配置文件
[root@24centos7-01 ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases --主机别名授权
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases --用户别名授权
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL --允许root用户在任何地方运行所有的命令
vitus ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat --为普通用户添加ls,mv,cat权限
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL --为group成员添加权限
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
- 测试普通用户vitus下ls,mv,cat的是否可以使用
[root@24centos7-01 ~]# su - vitus
上一次登录:四 10月 26 21:50:40 CST 2017pts/0 上
[vitus@24centos7-01 ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[vitus@24centos7-01 ~]$ sudo ls /root/
[sudo] password for vitus:
anaconda-ks.cfg showtime.txt test
[vitus@24centos7-01 ~]$ mv /root/showtime.txt /root/showtime_1.txt
mv: failed to access "/root/showtime_1.txt": 权限不够
[vitus@24centos7-01 ~]$ sudo mv /root/showtime.txt /root/showtime_1.txt
[vitus@24centos7-01 ~]$ sudo ls /root/
anaconda-ks.cfg showtime_1.txt test
[vitus@24centos7-01 ~]$ sudo mv /root/showtime_1.txt /root/showtime.txt
[vitus@24centos7-01 ~]$ cat /root/showtime.txt
cat: /root/showtime.txt: 权限不够
[vitus@24centos7-01 ~]$ sudo cat /root/showtime.txt
linux
learning linux
3.9 限制root远程登录
1.修改/etc/ssh/sshd_config配置文件,将#PermitRootLogin yes改为PermitRootLogin no
[root@24centos7-01 ~]# vim /etc/ssh/sshd_config
#PermitRootLogin yes --将其修改,去掉注释#,将yes改为no,保存退出
[root@24centos7-01 ~]# systemctl restart sshd.service --重启ssh服务
login as: root
[email protected]'s password:
Access denied
[email protected]'s password:
Access denied
[email protected]'s password: --这时使用密码无法登录root
2.修改visudo,添加
vitus ALL=(ALL) NOPASSWD: /bin/su, /bin/sudo
3.使用普通用户登录然后通过sudo su - root切换至root用户下
[vitus@24centos7-01 ~]$ sudo su - root
上一次登录:四 10月 26 22:37:43 CST 2017pts/0 上
[root@24centos7-01 ~]# whoami
root