使用visudo管理用户的sudo权限

实例:创建用户kang,授予yum权限和useradd权限
[root@localhost ~]# useradd kang
[root@localhost ~]# passwd kang
Changing password for user kang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost ~]# tail -1 /etc/passwd
kang:x:501:502::/home/kang:/bin/bash
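[root@localhost ~]# visudo                                 #开通yum与useradd权限,如需开通所有权限请用ALL
## 注意:yum和useradd以root身份运行时,实际上都能间接获得完整root权限(例如yum会以root身份执行软件包的安装脚本),
## 因此这类授权只应给予可信的管理员,不能当作真正的"受限权限"。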
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
zabbix  ALL=(ALL)       ALL
kang    ALL=(ALL)      /usr/sbin/useradd,/usr/bin/yum
[kang@localhost ~]$ sudo reboot               #kang未被授权执行reboot,因此被拒绝
[sudo] password for kang: 
Sorry, user kang is not allowed to execute '/sbin/reboot' as root on localhost.localdomain.
[kang@localhost ~]$ sudo useradd test
[sudo] password for kang: 
[kang@localhost ~]$ tail -2 /etc/passwd
kang:x:501:502::/home/kang:/bin/bash
test:x:502:503::/home/test:/bin/bash

[root@localhost ~]# visudo -c      #检查sudoers配置文件的语法
/etc/sudoers: parsed OK

用户别名,命令别名使用技巧

[root@localhost ~]# visudo 
User_Alias ADMIN = kang, test                 #ADMIN包括了用户kang, test 
Cmnd_Alias USERCMD = /usr/sbin/useradd                  #USERCMD包含useradd命令
Cmnd_Alias NETWORKCMD = /sbin/ifconfig,/etc/init.d/network           #NETWORKCMD包含ifconfig命令和network服务脚本

ADMIN       ALL=(ALL)     USERCMD, NETWORKCMD               #允许ADMIN中的用户执行USERCMD和NETWORKCMD中的命令

备注:
root                     ALL=(ALL)                    ALL
用户/组               机器=(运行身份)              命令

sudo 审计日志:记录所有通过sudo执行的命令

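[root@localhost ~]# echo "Defaults  logfile=/var/log/sudo.log" >> /etc/sudoers              #为sudo添加日志审计
注意:用echo直接追加会绕过visudo的语法检查和文件锁,建议改用visudo添加这一行,或在追加后立即运行visudo -c确认语法无误,以免sudoers出错导致sudo无法使用。
另外,本地日志文件可以被拥有root权限的用户修改,重要环境应同时把sudo日志转发到远程日志服务器。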
实例过程:
[kang@localhost ~]$ sudo useradd test222
[sudo] password for kang: 
[kang@localhost ~]$ sudo useradd test222
[kang@localhost ~]$ sudo useradd test223
[root@localhost ~]# tail -10 /var/log/sudo.log 
May 15 18:56:16 : kang : TTY=pts/0 ; PWD=/home/kang ; USER=root ;
        COMMAND=/usr/sbin/useradd test222
May 15 18:56:22 : kang : TTY=pts/0 ; PWD=/home/kang ; USER=root ;
        COMMAND=/usr/sbin/useradd test222
May 15 18:56:26 : kang : TTY=pts/0 ; PWD=/home/kang ; USER=root ;
        COMMAND=/usr/sbin/useradd test223