The basic environment setup is as follows:

```
[root@byrd ~]# groupadd sa -g 9087        # create group sa with GID 9087
[root@byrd ~]# tail -1 /etc/group
sa:x:9087:
[root@byrd ~]# useradd leo                # create user leo
[root@byrd ~]# useradd maya
[root@byrd ~]# useradd zuma
[root@byrd ~]# tail -4 /etc/passwd
ett:x:503:504::/home/ett:/bin/bash
leo:x:504:9088::/home/leo:/bin/bash
maya:x:505:505::/home/maya:/bin/bash
zuma:x:506:506::/home/zuma:/bin/bash
[root@byrd ~]# passwd ett                 # set ett's password
Changing password for user ett.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[root@byrd ~]# passwd leo
Changing password for user leo.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[root@byrd ~]# passwd maya
Changing password for user maya.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[root@byrd ~]# passwd zuma
Changing password for user zuma.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
```
Add the following under User Aliases:

```
[root@byrd ~]# visudo
## User Aliases
# User_Alias ADMINS = jsmith, mikem
User_Alias ADMIN = byrd, ett, %sa         # admin group: byrd, ett and every member of group sa
User_Alias NETWORKER = leo, maya          # network engineers
User_Alias USERADMINS = zuma              # user administrators
[root@byrd ~]# visudo
visudo: Warning: unused User_Alias ADMIN
visudo: Warning: unused User_Alias NETWORKER
visudo: Warning: unused User_Alias USERADMINS
```
Add the command aliases:

```
[root@byrd ~]# visudo
Cmnd_Alias USERCMD = /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*   # user-management commands
Cmnd_Alias DISKCMD = /sbin/fdisk, /sbin/parted                                          # disk-management commands
Cmnd_Alias NETWORKOP = /sbin/ifconfig, /etc/init.d/network                              # network-maintenance commands
[root@byrd ~]# visudo
visudo: Warning: unused User_Alias ADMIN
visudo: Warning: unused Cmnd_Alias DISKCMD
visudo: Warning: unused User_Alias NETWORKER
visudo: Warning: unused Cmnd_Alias NETWORKOP
visudo: Warning: unused User_Alias USERADMINS
visudo: Warning: unused Cmnd_Alias USERCMD
```

(The path in the NETWORKOP alias must be `/etc/init.d/network`; a mistyped path here would silently never match, and the `sudo -l` output further down confirms the correct one.)
User specifications (matching users to commands):

```
[root@byrd ~]# visudo
## Allow root to run any commands anywhere
root        ALL=(ALL) ALL
byrd        ALL=(ALL) NETWORKOP, USERCMD, DISKCMD   # byrd gets the NETWORKOP, USERCMD and DISKCMD commands
ADMIN       ALL=(ALL) ALL                           # the ADMIN alias gets everything
NETWORKER   ALL=(ALL) NETWORKOP                     # network engineers get the network-maintenance commands
USERADMINS  ALL=(ALL) USERCMD                       # user administrators get the user-management commands
```
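To see how sudo resolves these aliases into per-user permissions without touching a live system, here is an added example (my own code, not from the original post) that parses the aliases and user specifications above into a small model and answers the same questions the tests on this page answer with `sudo -l` and trial commands. The sudoers text and the group membership are constructed inline for the example (with `/etc/init.d/network` spelled as it appears in the later `sudo -l` output), and only the subset of sudoers syntax used on this page is handled.

```python
import re
from fnmatch import fnmatch

# Constructed sudoers fragment mirroring the aliases and user specs on this page.
SUDOERS = """
## User Aliases
User_Alias ADMIN = byrd, ett, %sa
User_Alias NETWORKER = leo, maya
User_Alias USERADMINS = zuma

Cmnd_Alias USERCMD = /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*
Cmnd_Alias DISKCMD = /sbin/fdisk, /sbin/parted
Cmnd_Alias NETWORKOP = /sbin/ifconfig, /etc/init.d/network

root ALL=(ALL) ALL
byrd ALL=(ALL) NETWORKOP, USERCMD, DISKCMD
ADMIN ALL=(ALL) ALL
NETWORKER ALL=(ALL) NETWORKOP
USERADMINS ALL=(ALL) USERCMD
"""

# Constructed group membership (primary or supplementary), as `id` would report it.
GROUPS = {"sa": {"hello", "hanxiaoer"}}


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, specs) from a sudoers fragment.
    Handles only the subset used on this page: User_Alias, Cmnd_Alias and
    plain 'who ALL=(ALL) cmds' user specifications."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)", line)
        if m:
            kind, name, members = m.groups()
            target = user_aliases if kind == "User_Alias" else cmnd_aliases
            target[name] = [x.strip() for x in members.split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*\((.*?)\)\s*(.*)", line)
        if m:
            who, _host, _runas, cmds = m.groups()
            specs.append((who, [x.strip() for x in cmds.split(",")]))
    return user_aliases, cmnd_aliases, specs


def user_matches(entry, user, user_aliases, groups):
    """Does 'entry' (a user name, a %group, or a User_Alias name) cover 'user'?"""
    if entry == user:
        return True
    if entry.startswith("%"):
        return user in groups.get(entry[1:], set())
    if entry in user_aliases:
        return any(user_matches(e, user, user_aliases, groups) for e in user_aliases[entry])
    return False


def expand_cmds(entries, cmnd_aliases):
    """Replace Cmnd_Alias names by their members, recursively."""
    out = []
    for e in entries:
        if e in cmnd_aliases:
            out.extend(expand_cmds(cmnd_aliases[e], cmnd_aliases))
        else:
            out.append(e)
    return out


def allowed_commands(user, text=SUDOERS, groups=GROUPS):
    """List the command patterns 'user' may run, in sudoers order (a simplified `sudo -l`)."""
    user_aliases, cmnd_aliases, specs = parse_sudoers(text)
    allowed = []
    for who, cmds in specs:
        if user_matches(who, user, user_aliases, groups):
            allowed.extend(expand_cmds(cmds, cmnd_aliases))
    return allowed


def may_run(user, command, text=SUDOERS, groups=GROUPS):
    """Check one command line against the resolved rules.
    'ALL' matches anything; a pattern with arguments (e.g. '/usr/bin/passwd [A-Za-z]*')
    is glob-matched against the whole command line; a bare path matches that program
    with any arguments, which is how sudoers treats a command listed without arguments."""
    for pattern in allowed_commands(user, text, groups):
        if pattern == "ALL":
            return True
        if " " in pattern:
            if fnmatch(command, pattern):
                return True
        elif command.split()[0] == pattern:
            return True
    return False


if __name__ == "__main__":
    for u in ("byrd", "ett", "maya", "zuma", "hanxiaoer", "leo"):
        print(f"User {u} may run: {', '.join(allowed_commands(u))}")
```

Running it reproduces the outcomes seen in the tests: `maya` can restart the network but not add users, `zuma` the reverse, and `hanxiaoer` gets `ALL` through `%sa` without being named anywhere. It also makes one property of the page's `USERCMD` alias visible: `/usr/bin/passwd [A-Za-z]*` refuses a bare `passwd` (which would otherwise change root's own password), but it still matches `passwd root`, which is why the sudoers manual pairs this pattern with an explicit `!/usr/bin/passwd root` exclusion when that is not intended.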
Test the result:

```
[root@byrd ~]# su - ett                       # member of ADMIN: has everything
[ett@byrd ~]$ /etc/init.d/network restart
[ett@byrd ~]$ sudo /etc/init.d/network restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for ett:
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[ett@byrd ~]$ useradd kkkk
-bash: /usr/sbin/useradd: Permission denied
[ett@byrd ~]$ sudo useradd kkkk
[ett@byrd ~]$ sudo su -
[root@byrd ~]# exit
logout
[ett@byrd ~]$ su - maya                       # network engineer
Password:
[maya@byrd ~]$ whoami
maya
[maya@byrd ~]$ sudo useradd lllll             # no permission to create users

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for maya:
Sorry, user maya is not allowed to execute '/usr/sbin/useradd lllll' as root on byrd.
[maya@byrd ~]$ sudo /etc/init.d/network restart   # has NETWORKOP
[sudo] password for maya:
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[maya@byrd ~]$ su - zuma                      # zuma may change passwords, create users, etc.
Password:
[zuma@byrd ~]$ sudo /etc/init.d/network restart   # no permission for network commands

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for zuma:
Sorry, user zuma is not allowed to execute '/etc/init.d/network restart' as root on byrd.
[zuma@byrd ~]$ useradd lllll
-bash: /usr/sbin/useradd: Permission denied
[zuma@byrd ~]$ sudo useradd lllll             # user-management permission
[sudo] password for zuma:
[zuma@byrd ~]$ tail -1 /etc/passwd
lllll:x:508:508::/home/lllll:/bin/bash
[zuma@byrd ~]$ passwd ett
passwd: Only root can specify a user name.
[zuma@byrd ~]$ sudo passwd ett
[sudo] password for zuma:
Changing password for user ett.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[zuma@byrd ~]$
```
Add users to the group:

```
[root@byrd ~]# useradd hello -g sa            # new user whose primary group is sa
[root@byrd ~]# id hello
uid=510(hello) gid=9087(sa) groups=9087(sa)
[root@byrd ~]# useradd hanxiaoer -G sa        # new user hanxiaoer, primary group hanxiaoer, supplementary group sa
[root@byrd ~]# id hanxiaoer
uid=511(hanxiaoer) gid=511(hanxiaoer) groups=511(hanxiaoer),9087(sa)
```
Group test:

```
[root@byrd ~]# su - hanxiaoer
[hanxiaoer@byrd ~]$ sudo useradd luyt
[sudo] password for hanxiaoer:
[hanxiaoer@byrd ~]$ sudo tail -1 /etc/passwd
luyt:x:512:512::/home/luyt:/bin/bash
[hanxiaoer@byrd ~]$ sudo passwd luyt
Changing password for user luyt.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[hanxiaoer@byrd ~]$ su - luyt
Password:
[luyt@byrd ~]$ whoami
luyt
[luyt@byrd ~]$
```
The remaining permissions were not exercised; `sudo -l` shows what each user has been granted:

```
[root@byrd ~]# su - byrd
[byrd@byrd ~]$ sudo -l
User byrd may run the following commands on this host:
    (ALL) /sbin/ifconfig, /etc/init.d/network,
    (ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, /bin/chown, /bin/chmod,
    (ALL) /sbin/fdisk, /sbin/parted
    (ALL) ALL
[byrd@byrd ~]$ whoami
byrd
[byrd@byrd ~]$ su - ett
Password:
[ett@byrd ~]$ whoami
ett
[ett@byrd ~]$ sudo -l
[sudo] password for ett:
User ett may run the following commands on this host:
    (ALL) ALL
[ett@byrd ~]$ su - maya
Password:
[maya@byrd ~]$ whoami
maya
[maya@byrd ~]$ sudo -l
[sudo] password for maya:
User maya may run the following commands on this host:
    (ALL) /sbin/ifconfig, /etc/init.d/network
[maya@byrd ~]$ su - hanxiaoer
Password:
[hanxiaoer@byrd ~]$ whoami
hanxiaoer
[hanxiaoer@byrd ~]$ sudo -l
[sudo] password for hanxiaoer:
User hanxiaoer may run the following commands on this host:
    (ALL) ALL
[hanxiaoer@byrd ~]$
```
Notice: this article is original work by BYRD (based on CentOS 6.4 x64); reproduction without permission is prohibited. Source: Byrd's Weblog, https://note.t4x.org/system/visudo-alias-config/