一、sudo授权工具

授权工具;能够实现把有限的管理操作授权给某普通用户;且还能限定其仅能够在某些主机上执行此类的命令;操作过程还会被记录与日志中;以便于日后审计。


1、定义sudo授权;保存/etc/sudoers

visudo:编辑sudoers命令

格式:who which_host=(whom) command

添加删除用户

[root@localhost ~]# visudo
jerry   ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom
[sudo] password for jerry:
[jerry@localhost ~]$ tail -1 /etc/passwd
tom:x:503:503::/home/tom:/bin/bash
[jerry@localhost ~]$ sudo userdel tom
[jerry@localhost ~]$ tail -1 /etc/passwd
jerry:x:502:502::/home/jerry:/bin/bash
[jerry@localhost ~]$
#测试可以删除添加账户


别名:

Host_Alias  FILESERVERS = fs1, fs2 #主机别名
User_Alias ADMINS = jsmith, mikem  #用户别名
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig...#命令别名
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel
USERADMIN ALL=(root) USERCMND
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
[root@localhost ~]# su - jerry
[sudo] password for jerry:
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[jerry@localhost ~]$
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo userdel -r jerry
[sudo] password for tom:
[tom@localhost ~]$ tail -3 /etc/passwd
mockbuild:x:500:500::/home/mockbuild:/bin/bash
soul:x:501:501::/home/soul:/bin/bash
tom:x:503:503::/home/tom:/bin/bash
[tom@localhost ~]$


命令取反

[root@localhost ~]# visudo
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/
usr/bin/passwd root    #命令取反
USERADMIN ALL=(root) USERCMND
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo passwd tom
[sudo] password for jerry:
Changing password for user tom.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ sudo passwd root
Sorry, user jerry is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.
[jerry@localhost ~]$


以哪些身份执行以及密码控制

[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root
Runas_Alias ADMIN = root   #已哪些身份运行
soul ALL=(ALL) ALL
USERADMIN ALL=(ADMIN) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,#前面的不需要输入密码
PASSWD: /usr/bin/passwd,!/usr/bin/passwd root #这几个需要输入密码
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom2
[jerry@localhost ~]$ sudo passwd tom2
[sudo] password for jerry:
Changing password for user tom2.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$


让普通用户执行管理员所有的命令

[root@localhost ~]# useradd -g wheel soul
[root@localhost ~]# id soul
uid=501(soul) gid=501(soul) groups=501(soul),10(wheel)
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL    #该组用户可以执行所有权限
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL    #执行时无需输入密码
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
[soul@localhost ~]$ sudo useradd tom
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[soul@localhost ~]$ sudo userdel tom
[soul@localhost ~]$


2、常用选项

-V 显示版本编号
-h 会显示版本编号及指令的使用方式说明
-l 显示出自己(执行sudo的使用者)的权限
-v 因为sudo在第一次执行时或是在N分钟内没有执行(N预设为五)会询问密码;这个参数是重新做一次确认;如果超过N分钟;也会问密码
-k
强迫使用者在下一次执行sudo时询问密码(不论有没有超过N分钟)
-b 将要执行的指令放在后台执行


二、tcp_wrapper(tcp包装器)基于主机的访问控制

tcp工作于tcp/ip协议栈中的tcp的协议上;守护进程tcpd。

配置文件:/etc/hosts.allow; /etc/hosts.deny

1、并非所有服务均能由tcp_wrapper控制

2、判断某服务程序是否能够由tcp_wrapper控制

动态编译:

ldd命令检测其是否链接至libwrap库上即可

libwrap.so.0 => /lib64/libwrap.so.0

静态编译:

strings /path/to/program如果有以下内容

hosts.allow

hosts.deny


配置文件语法格式:daemon_list:client_list [:options]

deamon_list:

  • 应用程序名称;

  • 应用程序列表;多个以逗号分隔;

  • ALL:匹配所有进程

1、hosts.allow;如果被允许;直接放行

2、hosts.deny;如果被匹配;则禁止访问

3、二者都无匹配;则默认放行

[:options]

在allow文件中使用deny选项:在allow文件中定义拒绝规则

在deny文件中使用allow选项:在deny文件中定义允许规则

[root@localhost ~]# vim /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#详细可以man     See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
vsftpd :        172.16.254.28    #放行这台机器;
[root@localhost ~]# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
# 详细可以man    See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
vsftpd:         ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log
#拒绝未Allow的所有主机;并对访问服务的机器记入日志
#spawn:发起一条命令
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt                                               
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt                                               
[root@dns ~]#
[root@localhost ~]# tail /var/log/deny.log
Mon Mar 31 22:50:18 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 22:50:48 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 22:57:58 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 22:58:43 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 22:59:50 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 23:00:31 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 23:00:44 CST 2014 login attempts from 172.16.251.84 to [email protected]
Mon Mar 31 23:01:14 CST 2014 login attempts from 172.16.251.84 to [email protected]

内置的Macro

client_list

  • ALL

  • KNOWN

  • UNKOWN

  • PARANOID    

daemon_list:ALL

EXCEPT:可以用于client和daemon之中;起到排除功能


三、pam模块


1、认证模块和配置文件存放位置

[root@localhost ~]# ls /lib64/security/
pam_access.so        pam_faillock.so       pam_localuser.so   pam_rootok.so          pam_tty_audit.so
pam_cap.so           pam_filter            pam_loginuid.so    pam_securetty.so       pam_umask.so
pam_chroot.so        pam_filter.so         pam_mail.so        pam_selinux_permit.so  pam_unix_acct.so
pam_ck_connector.so  pam_fprintd.so        pam_mkhomedir.so   pam_selinux.so         pam_unix_auth.so
pam_console.so       pam_ftp.so            pam_motd.so        pam_sepermit.so        pam_unix_passwd.so
pam_cracklib.so      pam_gnome_keyring.so  pam_namespace.so   pam_shells.so          pam_unix_session.so
pam_debug.so         pam_group.so          pam_nologin.so     pam_smbpass.so         pam_unix.so
pam_deny.so          pam_issue.so          pam_passwdqc.so    pam_stress.so          pam_userdb.so
pam_echo.so          pam_keyinit.so        pam_permit.so      pam_succeed_if.so      pam_warn.so
pam_env.so           pam_lastlog.so        pam_postgresok.so  pam_tally2.so          pam_wheel.so
pam_exec.so          pam_limits.so         pam_pwhistory.so   pam_time.so            pam_winbind.so
pam_faildelay.so     pam_listfile.so       pam_rhosts.so      pam_timestamp.so       pam_xauth.so
[root@localhost ~]#
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
[root@localhost ~]# ls /etc/pam.d/
atd             fingerprint-auth     passwd            setup              system-auth
authconfig      fingerprint-auth-ac  password-auth     smartcard-auth     system-auth-ac
authconfig-gtk  gdm                  password-auth-ac  smartcard-auth-ac  system-config-authentication
authconfig-tui  gdm-autologin        polkit-1          smtp               system-config-date
chfn            gdm-fingerprint      poweroff          smtp.postfix       system-config-kdump
chsh            gdm-password         ppp               sshd               system-config-keyboard
config-util     gnome-screensaver    reboot            ssh-keycat         system-config-network
crond           halt                 remote            su                 system-config-network-cmd
cups            login                run_init          sudo               system-config-users
cvs             newrole              runuser           sudo-i             xserver
eject           other                runuser-l         su-l
[root@localhost ~]#


格式:/etc/pam.d/service

type control module-path [module-arguments]


TYPE: 栈;每项可以有多条
account 跟认证无关的账号检测机制;例如账号是否过期等
auth 认证和授权
password 用户在修改密码是要完成的检测
session 建立会话前/后需要做一些侦测机制;例如有没有足够的内存等


control:在某个模块认证成功或失败时应该采取的行为;分为简单类型的control和复杂类型control

简单类型的control
substack 与include相同,也是调用一个新的配置文件进行验证;
required 过滤不通过;仍需检测同一个栈中的其他模块;最后返回failure;认证失败;拥有参考其他模块意见基础之上的一票否决权
requisite 一票否决;过滤不通过;立即返回failure;后续的不用再检查;
sufficient 一票通过;过滤条件通过;立即返回OK;后续无需检查
optional 可选模块;
include 包含其他指定的配置文件中同名栈中的规则;并对此进行检测;


2、模块

模块是由模块路径和模块的参数组成的。可以使用绝对路径和相对路径;参数是用来定义和调整模块的工作行为的。/etc/pam.d/*

pam_unix 传统意义上的账号密码的认证方式{nullok|shadow|md5}
pam_permit 允许访问
pam_deny 拒绝访问;other文件为其他每一个服务中栈提供默认策略
pam_cracklib
在用户更改密码是限定密码策略的;
pam_shells 检查用户登录时的安全shells;远程是需要更改的是sshd配置文件
pam_securetty 限定管理员只能通过安全tty登录;/etc/securetty文件中包含的
pam_listfile 限定listfile文件中的用户可以登录;
pam_rootok 如果是root;su到其他用户不需要输入密码;wheel组中的也可以无需密码
pam_succeed_if 指定条件的符合;su到其他用户也无需密码
pam_limits /etc/security/limits.conf|limits.d/*;{hard|soft}/{nofile|nproc}


3、例子


pam_shells
[Linux85]#useradd -s /bin/cshgentoo
[Linux85]#passwd gentoo
[Linux85]#vim /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
#暂时去掉csh
                                                                                                                                                                                                                                                                                      
[Linux85]#vim sshd
#%PAM-1.0
auth       required     pam_shells.so    #添加一行
auth       required     pam_sepermit.so
                                                                                                                                                                                                                                                                          
#测试
[Linux86]#ssh [email protected]
[email protected]'s password:
Permission denied, please try again.



pam_securetty
[Linux85]#cat /etc/securetty
console
tty1
tty2
tty3....
[Linux85]#cp /etc/securetty /etc/securetty.bak
[Linux85]#vim /etc/securetty
#仅留下面两项
console
tty1
tty2
[Linux85]#vim sshd
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_securetty.so    #启用这项ssh无法登陆
                                                                                                                                                                                                                                            
[Linux86]#ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
#此时测试只有tty1/tty2可以在终端登陆

pam_listfile
itme={tty|user|rhost|ruser|group|shell} sense={allow|deny} file=/path/to/filename onerr={succeed|fail} [apply=[user|@group]] [quiet]
                                                                                                                                                                          
[Linux85]#groupadd soul
[Linux85]#vim sshd
#%PAM-1.0
auth       required     pam_listfile.so item=group sense=allow file=/etc/allowgroup
                                                                                                                                                                          
#测试
[Linux85]#useradd -G soul centos
[Linux85]#passwd centos
[Linux86]#ssh [email protected]
[email protected]'s password:
Permission denied, please try again
                                                                                                                                                                          
[Linux86]#ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Last login: Sun Apr  6 10:15:46 2014 from 172.16.254.28
[centos@soul ~]$

pam_rootok
                                                                                                                            
[Linux85]#vim su
#%PAM-1.0
#auth           sufficient      pam_rootok.so 注释这项
[Linux85]#su - gentoo
Password:
[gentoo@soul ~]$
[Linux85]#vim su
#%PAM-1.0
auth           sufficient      pam_rootok.so #定义root用户su到其他用户是否需要密码
auth         sufficient      pam_succeed_if.so uid = 500 use_uid quiet #定义uid=500的用户可以不用密码su到其他用户
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid #组中的用户可以执行root权限
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet #uid = N的用户su到其他用户也是无需密码的;前面的type需要更改为认证auth
#
#
#[Linux85]#vim su
#%PAM-1.0
#auth           sufficient      pam_rootok.so    #注释后root也需要密码
auth            sufficient      pam_succeed_if.so uid = 500 use_uid quiet    #uid=500的用户不需要密码
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
#
#测试
[Linux85]#id gentoo
uid=500(gentoo) gid=500(gentoo) groups=500(gentoo)
[Linux85]#su - gentoo    #root用户su到gentoo
Password:
[gentoo@soul ~]$ su - root    #gentoo用户su到root
[root@soul ~]# whoami
root
#测试正常

pam_limits
/etc/security/limits.d/* | /etc/security/limits.conf
                                                                                                                         
[Linux85]#vim /etc/security/limits.conf
# /etc/security/limits.conf
                                                                                                                         
#            
#
#Where:
# can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
                                                                                                                         
# can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
                                                                                                                         
# can be one of the following:    常用几项
#        - core - limits the core file size (KB)    **核心文件大小
#        - data - max data size (KB)    数据大小;进程访问内存数据段
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files    ***所能打开的文件个数
#        - rss - max resident set size (KB)    常驻内存集大小
#        - stack - max stack size (KB)    进程栈空间大小
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes    ***所能打开的进程数
#        - as - address space limit (KB)    线性物理空间
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority