第二十一章 用户管理(二)

一、用户提权

 

1. su 使用普通用户登录,然后执行su命令切换到root用户 优点:简单 缺点:需要知道root密码

2. sudo 使用普通用户管理,当需要使用root的权限的时候,进行提权 优点:安全、方便 缺点:复杂


shell的分类及执行的过程


交互式shell #终端操作 输入一条指令,需要等待系统的处理及返回结果

非交互式shell #脚本的执行方式就是 用户执行完指令 不需要跟系统进行交互

登录式shell #通过用户名和密码的方式进行登录的

非登录式shell #不是通过用户名和密码的方式进行登录的 执行一个bash,就是一个非登录式shell


[root@jindada ~]# yum install -y psmisc

[root@jindada ~]# pstree    #用户的工作环境相关文件
systemd─┬─NetworkManager───2*[{NetworkManager}]
├─VGAuthService
├─agetty
├─auditd───{auditd}
├─crond
├─dbus-daemon
├─firewalld───{firewalld}
├─master─┬─pickup
│ └─qmgr
├─nginx───nginx
├─polkitd───6*[{polkitd}]
├─rsyslogd───2*[{rsyslogd}]
├─sshd─┬─sshd───bash───pstree
│ └─sshd───bash───bash
├─systemd-journal
├─systemd-logind
├─systemd-udevd
├─tuned───4*[{tuned}]
└─vmtoolsd───{vmtoolsd}


二、用户工作的相关环境

#个人配置文件

/root/.bash_profile

/root/.bashrc

#全局配置文件

/etc/bashrc

/etc/profile

/etc/profile.d/*.sh

 

profile #环境变量配置文件 系统登录前执行的一些命令或者脚本

bashrc # 本地变量 别名

执行顺序

#在5个文件的第二行加入echo输出

[root@jindada ~]# vim .bashrc
[root@jindada ~]# vim .bash_profile
[root@jindada ~]# vim /etc/bashrc
[root@jindada ~]#
[root@jindada ~]# vim /etc/profile
[root@jindada ~]# vim /etc/profile.d/test.sh


#登录式Shell执行顺序

/etc/profile ---》 /etc/profile.d/*.sh ---》 .bash_profile ---》 .bashrc ---》 /etc/bashrc


#非登录式shell执行顺序

.bashrc ---》 /etc/bashrc ---》 /etc/profile.d/*.sh

 

三、su命令用户提权

su username #非登录式shell

su - username #登录式shell

区别就是加载的配置文件不一样


root用户切换到普通用户是不需要密码的,而普通用户切换到root用户是需要密码的

[root@jindada ~]# useradd test10
[root@jindada ~]# echo "1" |passwd --stdin test10
Changing password for user test10.
passwd: all authentication tokens updated successfully.
[root@jindada ~]# su test10
/etc/bashrc
/etc/profile.d/*.sh
[test10@jindada root]$

[test10@jindada root]$ pwd
/root


su username在切换用户的时候,只执行了
/etc/bashrc
/etc/profile.d/*.sh

切换之后所在的目录是在从哪个用户切换过来的就是谁的家目录

[root@jindada ~]# su - test10
Last login: Wed Jul 22 09:09:58 CST 2020 on pts/0
/etc/profile
/etc/profile.d/*.sh
/etc/bashrc
[test10@jindada ~]$ pwd
/home/test10

su - username 在切换用户的时候属于一种登录式shell 跟su命令直接切换的区别就是是否加载了/etc/profile文件,切换之后,工作环境也已经改变了,是在自己的家目录下面

[root@jindada ~]# su - test10
Last login: Wed Jul 22 09:13:03 CST 2020 on pts/0

[test10@jindada ~]$ su -
Password:
Last login: Wed Jul 22 09:13:25 CST 2020 from 10.0.0.1 on pts/2

[root@jindada ~]# su - test10
Last login: Wed Jul 22 09:16:33 CST 2020 on pts/0


[test10@jindada ~]$ su - root
Password:
Last login: Wed Jul 22 09:16:59 CST 2020 on pts/0
[root@jindada ~]#

 

四、sudo用户提权

#日志审计

[root@jindada ~]# grep 'wheel' /etc/group
wheel:x:10:
[root@jindada ~]# usermod -aG wheel test10
[root@jindada ~]# id test10
uid=1007(test10) gid=1007(test10) groups=1007(test10),10(wheel)

[test10@jindada ~]$ sudo -l
[sudo] password for test10:
Matching Defaults entries for test10 on jindada:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test10 may run the following commands on jindada:
(ALL) ALL
[test10@jindada ~]$ sudo tail -f /var/log/messages
Jul 22 09:19:49 jindada systemd-logind: Removed session 65.
Jul 22 09:19:56 jindada systemd: Created slice User Slice of test10.
Jul 22 09:19:56 jindada systemd: Started Session 66 of user test10.
Jul 22 09:19:56 jindada systemd-logind: New session 66 of user test10.
Jul 22 09:20:11 jindada su: (to root) test10 on pts/2
Jul 22 09:47:08 jindada systemd-logind: Removed session 66.
Jul 22 09:47:08 jindada systemd: Removed slice User Slice of test10.
Jul 22 09:47:12 jindada systemd: Created slice User Slice of test10.
Jul 22 09:47:12 jindada systemd: Started Session 67 of user test10.
Jul 22 09:47:12 jindada systemd-logind: New session 67 of user test10.
^C


[test10@jindada ~]$ rm -rf /opt/
rm: cannot remove ‘/opt/hostname’: Permission denied
rm: cannot remove ‘/opt/hostnamectl’: Permission denied
rm: cannot remove ‘/opt/test_hostname’: Permission denied
rm: cannot remove ‘/opt/test_hostname.txt’: Permission denied
rm: cannot remove ‘/opt/.hostname.log’: Permission denied
rm: cannot remove ‘/opt/HOSTNAMECTL’: Permission denied
rm: cannot remove ‘/opt/user02’: Permission denied
rm: cannot remove ‘/opt/user01’: Permission denied
[test10@jindada ~]$ sudo rm -rf /opt/
[test10@jindada ~]$ ll /opt
ls: cannot access /opt: No such file or directory


#权限太大 怎么限制权限

visudo #进行设置 默认只能root用户使用sudo命令 普通用户是使用不了的 需要root用户设置


#只给开发人员只读权限

[root@jindada ~]# visudo #简单 有语法检查功能
====
[root@jindada ~]# vi /etc/sudoers

#在100行左右添加此行
test11 ALL=(ALL) /usr/bin/cat,/usr/bin/tail

用户 主机 角色 命令

ALL 所有命令

/usr/bin/cat #单个命令

/usr/bin/cat,/usr/bin/tail #多个用逗号分割

/usr/bin/* #目录下的所有命令

NOPASSWD: #免密执行

test11 ALL=(ALL) NOPASSWD: /usr/bin/tail /var/log/messages #限制某个文件操作


#检查语法
[root@jindada ~]# visudo -c
/etc/sudoers: parsed OK

#普通用户测试

[sudo] password for test11:
Matching Defaults entries for test11 on jindada:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on jindada:
(ALL) /usr/bin/cat, /usr/bin/tail


[test11@jindada ~]$ tail -f /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[test11@jindada ~]$ sudo tail -f /var/log/messages
Jul 22 09:47:12 jindada systemd: Started Session 67 of user test10.
Jul 22 09:47:12 jindada systemd-logind: New session 67 of user test10.
Jul 22 09:52:16 jindada systemd: Created slice User Slice of test11.
Jul 22 09:52:16 jindada systemd: Started Session 68 of user test11.
Jul 22 09:52:16 jindada systemd-logind: New session 68 of user test11.
Jul 22 09:57:26 jindada systemd-logind: Removed session 68.
Jul 22 09:57:26 jindada systemd: Removed slice User Slice of test11.
Jul 22 09:57:35 jindada systemd: Created slice User Slice of test11.
Jul 22 09:57:35 jindada systemd: Started Session 69 of user test11.
Jul 22 09:57:35 jindada systemd-logind: New session 69 of user test11.
^C

[test11@jindada ~]$ rm -rf /mnt/
rm: cannot remove ‘/mnt/’: Permission denied
[test11@jindada ~]$ sudo rm -rf /mnt/
Sorry, user test11 is not allowed to execute '/bin/rm -rf /mnt/' as root on jindada.


#执行sodu命令的时候,不提示输入密码

[root@jindada ~]# visudo
test11 ALL=(ALL) NOPASSWD:/usr/bin/cat,/usr/bin/tail
[root@jindada ~]# visudo -c
/etc/sudoers: parsed OK

[test11@jindada ~]$ sudo -l
Matching Defaults entries for test11 on jindada:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on jindada:
(ALL) NOPASSWD: /usr/bin/cat, /usr/bin/tail
[test11@jindada ~]$


注意:设置命令权限的时候,多个可以使用逗号分割 也可以是/usr/bin/* ALL

 

五、sudo设置组

两种方法:

利用sudo的自己的组 只在sudo里面生效

利用系统组 是一个真实存在的组


#利用sudo的自己的组

[root@jindada ~]# useradd dev01
[root@jindada ~]# useradd dev02
[root@jindada ~]# echo "1" | passwd --stdin dev01
Changing password for user dev01.
passwd: all authentication tokens updated successfully.
[root@jindada ~]# echo "1" | passwd --stdin dev02
Changing password for user dev02.
passwd: all authentication tokens updated successfully.

 


#用户别名组
User_Alias DEV = dev01,dev02

#命令别名组

Cmnd_Alias READ = /bin/cat,/bin/head,/bin/tail

#调用

DEV ALL=(ALL) NOPASSWD: READ

[root@jindada ~]# visudo -c
/etc/sudoers: parsed OK


#测试

[dev01@jindada ~]$ sudo -l
Matching Defaults entries for dev01 on jindada:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev01 may run the following commands on jindada:
(ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail

[dev01@jindada ~]$ sudo head -1 /etc/shadow
root:$6$SoTZ3L8.5rI4l25X$WAqOKpP8BwpL/evQNV2RfaJnXn6AZepgQcwUjHTUoDSJz7InZPGUZbanfzCVtLUeSX1q6gbPTiP.vnKIVcW1t0::0:99999:7:::
[dev01@jindada ~]$ sudo tail -1 /etc/shadow
dev02:$6$iZSmy0at$iDnyU7dcY1saiseJHT40Qw00.LildePgoG2j3ShODj1s69Z.aVpaj9vvoZLtCcMakQ0BDFdA5Lh3FstbnAKcf1:18465:0:99999:7:::


系统的组 真实组


[root@jindada ~]# groupadd dev_group
[root@jindada ~]# useradd -g dev_group dev11
[root@jindada ~]# useradd -g dev_group dev12
[root@jindada ~]# echo "1" | passwd --stdin dev11
Changing password for user dev11.
passwd: all authentication tokens updated successfully.
[root@jindada ~]# echo "1" | passwd --stdin dev12
Changing password for user dev12.
passwd: all authentication tokens updated successfully.

[root@jindada ~]# visudo


%dev_group ALL=(ALL) NOPASSWD: READ

[root@jindada ~]# visudo -c
/etc/sudoers: parsed OK


#测试

[dev11@jindada ~]$ sudo -l
Matching Defaults entries for dev11 on jindada:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev11 may run the following commands on jindada:
(ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail
[dev11@jindada ~]$ head -1 /var/log/messages
head: cannot open ‘/var/log/messages’ for reading: Permission denied
[dev11@jindada ~]$ sudo head -1 /var/log/messages
Jul 16 04:01:01 jindada systemd: Started Session 61 of user root.
[dev11@jindada ~]$ sudo tail -1 /var/log/messages
Jul 22 10:54:33 jindada systemd-logind: New session 79 of user dev11.

 

六、sudo设置案例

禁止root用户登录,使用普通用户登录,并且普通用户能够免密的切换到root用户

#禁止root登录

[root@jindada ~]# ll /etc/ssh/sshd_config
-rw-------. 1 root root 3907 Apr 11 2018 /etc/ssh/sshd_config
[root@jindada ~]# grep -i 'rootlogin' /etc/ssh/sshd_config
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

[root@jindada ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

[root@jindada ~]# sed -i '/^#PermitRootLogin/s#.*#PermitRootLogin no#g' /etc/ssh/sshd_config

[root@jindada ~]# grep -i 'rootlogin' /etc/ssh/sshd_config
PermitRootLogin no
# the setting of "PermitRootLogin without-password".

[root@jindada ~]# systemctl restart sshd


[root@jindada ~]# useradd qiudao
[root@jindada ~]# echo "1" | passwd --stdin qiudao
Changing password for user qiudao.
passwd: all authentication tokens updated successfully.


[C:\~]$ ssh [email protected]


Connecting to 10.0.0.100:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Wed Jul 22 09:47:12 2020 from 10.0.0.1
[qiudao@jindada ~]$


[root@jindada ~]# visudo

qiudao ALL=(ALL) NOPASSWD: /bin/su


[root@jindada ~]# visudo -c
/etc/sudoers: parsed OK

#测试

[qiudao@jindada ~]$ sudo su -
Last login: Wed Jul 22 11:08:51 CST 2020 on pts/1
Last failed login: Wed Jul 22 11:09:55 CST 2020 from 10.0.0.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@jindada ~]#

 

七、sudo 执行流程

1.普通用户执行sudo命令, 会检查/var/db/sudo是否存在时间戳缓存

2.如果存在则不需要输入密码, 否则需要输入用户与密码

3.输入密码会检测是否该用户是否拥有该权限

4.如果有则执行,否则报错退出

你可能感兴趣的:(第二十一章 用户管理(二))