如何让系统更安全
Linux权限体系, rwx permission denied

作业:
批量添加用户 exam1..exam3,并设置固定的密码1 (要求不能使用循环 for while)
批量添加用户 exam1..exam3,并设置8位随机密码 (要求不能使用循环 for while)

[root@manager ~]$ useradd exam1 ;echo 1 |passwd --stdin exam1
[root@manager ~]$ useradd exam2 ;echo 1 |passwd --stdin exam2
[root@manager ~]$ useradd exam3 ;echo 1 |passwd --stdin exam3

[root@manager /exam]$ ll
total 20
drwxr-xr-x. 3 root root   18 Nov 21 07:18 ceo
-rw-r--r--. 1 root root  465 Nov 21 10:23 fstab
-rw-r--r--. 1 root root  158 Nov 21 10:25 hosts
-rw-r--r--. 1 root root  352 Nov 19 10:51 reg.txt
-rw-r--r--. 1 root root   86 Nov 19 12:29 sed.txt
drwxr-xr-x. 6 root root 4096 Nov 21 10:23 sysconfig
[root@manager /exam]$ ll ceo/
total 0
drwxr-xr-x. 2 root root 24 Nov 21 07:19 yoyo
[root@manager /exam]$ ll -d /exam/
drwxr-xr-x. 4 root root 90 Nov 21 10:30 /exam/

添加一个虚拟用户 mysql 指定用户的 uid gid 为12306

[root@manager /exam]$ useradd -u 12306 -s  /sbin/nologin -M mysql
[root@manager /exam]$ id mysql
uid=12306(mysql) gid=12306(mysql) groups=12306(mysql)
[root@manager /exam]$ useradd yuyu
[root@manager /exam]$ id yuyu
uid=12307(yuyu) gid=12307(yuyu) groups=12307(yuyu)
[root@manager /exam]$ w
 13:56:04 up 16 min,  1 user,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.74.144.165    13:41    4.00s  0.05s  0.01s w

date -s 完整日期时间(YYYY-MM-DD hh:mm[:ss]):修改日期、时间

[root@manager /exam]$ date -s '2019-12-2 19:15:50'
Mon Dec  2 19:15:50 EST 2019
[root@manager /exam]$ date
Mon Dec  2 19:15:53 EST 2019

21-Linux核心知识-用户管理-下部-sudo授权_第1张图片

[root@manager /exam]$ w
 19:17:20 up 25 min,  1 user,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.74.144.165    13:41    0.00s  0.04s  0.00s w
[root@manager /exam]$ uptime
 19:17:45 up 25 min,  1 user,  load average: 0.00, 0.01, 0.02
[root@manager /exam]$ 

21-Linux核心知识-用户管理-下部-sudo授权_第2张图片

自动对比
1、记录文件的指纹 police.md5

[root@manager /exam]$ md5sum exam.txt 
924684b0d8ad52fd16ea0030122be50a  exam.txt
[root@manager /exam]$ echo uouo >exam.txt 
[root@manager /exam]$ md5sum exam.txt 
7a9ac8bf65a46efebaf8b81f13124c25  exam.txt
[root@manager /exam]$ md5sum exam.txt 
924684b0d8ad52fd16ea0030122be50a  exam.txt
[root@manager /exam]$ echo uouo >exam.txt 
[root@manager /exam]$ md5sum exam.txt 
7a9ac8bf65a46efebaf8b81f13124c25  exam.txt
[root@manager /exam]$ md5sum exam.txt >police.md5
[root@manager /exam]$ cat police.md5 
7a9ac8bf65a46efebaf8b81f13124c25  exam.txt
[root@manager /exam]$ md5sum exam.txt >>police.md5
[root@manager /exam]$ cat police.md5 
7a9ac8bf65a46efebaf8b81f13124c25  exam.txt
7a9ac8bf65a46efebaf8b81f13124c25  exam.txt

2、根据库指纹进行对比

[root@manager /exam]$ md5sum --check police.md5 
exam.txt: OK
exam.txt: OK
[root@manager /exam]$ echo 11111 >>exam.txt 
[root@manager /exam]$ md5sum --check police.md5 
exam.txt: FAILED
exam.txt: FAILED
md5sum: WARNING: 2 computed checksums did NOT match
[root@manager /exam]$ find /exam/ -type f |xargs md5sum
15e2278b038244708bae6cf3468015ff  /exam/reg.txt
cd36a10d8421743acd1e2c88ca83de46  /exam/sed.txt
d41d8cd98f00b204e9800998ecf8427e  /exam/ceo/yoyo/youyou.txt
8fa3246990109d2ac5f1835bd2a04d2d  /exam/sysconfig/ip6tables-config
13f6028cd7c8d8d6400ade9003d219c9  /exam/sysconfig/iptables-config
de08f397138caf0c99bda7e7322b2172  /exam/sysconfig/cbq/avpkt
760fb2971fb9b19e62564169e0bd94f9  /exam/sysconfig/cbq/cbq-0000.example
52b80b4ab7cafb63b53013edb769037c  /exam/sysconfig/rdisc
62f39cb6e6ced2b374af6955bda3ed8f  /exam/sysconfig/init
[root@manager /exam]$ md5sum -c /root/police2.md5 
/exam/reg.txt: OK
/exam/sed.txt: OK
/exam/ceo/yoyo/youyou.txt: OK
/exam/sysconfig/ip6tables-config: OK
/exam/sysconfig/iptables-config: OK
/exam/sysconfig/cbq/avpkt: OK
/exam/sysconfig/cbq/cbq-0000.example: OK
/exam/sysconfig/rdisc: OK
/exam/sysconfig/init: OK

sodu 给普通用户临时成为 root 的权限,普通用户可以临时以root 身份运行某个命令

sudo -l   查看当前有哪些可以执行的命令

[yuyu@manager /root]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for yuyu: 
Sorry, user yuyu may not run sudo on manager.

给yuyu 用户授权两个命令 ls touch

90 ##
 91 ## Allow root to run any commands anywhere
 92 root    ALL=(ALL)       ALL
 93 
 94 yuyu    ALL=(ALL)   /bin/ls, /bin/touch
[root@manager /]$ su yuyu
[yuyu@manager /]$ 
[yuyu@manager /root]$ sudo touch exam
[yuyu@manager /root]$ ls
ls: cannot open directory .: Permission denied
[yuyu@manager /root]$ sudo ls
anaconda-ks.cfg  df.txt  exam  police2.md5
[yuyu@manager /root]$ sudo ll
sudo: ll: command not found
[yuyu@manager /root]$ pwd
/root

visodu == vi /etc/sudoers
visodu 自带检查功能

[root@manager /]$ visudo
#>>> /etc/sudoers: syntax error near line 93 <<<
What now? 

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

给yuyu  用户授权/bin 下所有命令,排除某个命令或参数
yuyu    ALL=(ALL)   /bin/*
yuyu    ALL=(ALL)   /bin/*    !/bin/mkdir
#yuyu    ALL=(ALL)   /bin/ls, /bin/touch
!## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL

yuyu    ALL=(ALL)   /bin/*
yuyu    ALL=(ALL)   ALL
yuyu    ALL=(ALL)   /bin/*, !/bin/rm
yuyu    ALL=(ALL)   NOPASSWD: ALL
#yuyu    ALL=(ALL)   /bin/ls, /bin/touch

应按需授权,需要什么命令给什么命令
用户 可以在所有服务器使用sudo=(你可以成为谁)

总结:
w 每一部分含义
如何让系统更安全
sudo 临时让用户获得 root权限