Reply to #3 clino
Let me quietly tell you a secret!
>man sudoers

EXAMPLES
     Below are example sudoers entries.  Admittedly, some of these are a bit
     contrived.  First, we allow a few environment variables to pass and
     then define our aliases:

     # Run X applications through sudo; HOME is used to find the
     # .Xauthority file.  Note that other programs use HOME to find
     # configuration files and this may lead to privilege escalation!
     Defaults env_keep += "DISPLAY HOME"

     # User alias specification
     User_Alias     FULLTIMERS = millert, mikef, dowdy
     User_Alias     PARTTIMERS = bostley, jwfox, crawl
     User_Alias     WEBMASTERS = will, wendy, wim

     # Runas alias specification
     Runas_Alias    OP = root, operator
     Runas_Alias    DB = oracle, sybase
     Runas_Alias    ADMINGRP = adm, oper

     # Host alias specification
     Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                    SGI = grolsch, dandelion, black :\
                    ALPHA = widget, thalamus, foobar :\
                    HPPA = boa, nag, python
     Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
     Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
     Host_Alias     SERVERS = master, mail, www, ns
     Host_Alias     CDROM = orion, perseus, hercules

     # Cmnd alias specification
     Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                            /usr/sbin/restore, /usr/sbin/rrestore
     Cmnd_Alias     KILL = /usr/bin/kill
     Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
     Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
     Cmnd_Alias     HALT = /usr/sbin/halt
     Cmnd_Alias     REBOOT = /usr/sbin/reboot
     Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                             /usr/local/bin/tcsh, /usr/bin/rsh, \
                             /usr/local/bin/zsh
     Cmnd_Alias     SU = /usr/bin/su
     Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

     Here we override some of the compiled in default values.  We want sudo
     to log via syslog(3) using the auth facility in all cases.  We don't
     want to subject the full time staff to the sudo lecture, user millert
     need not give a password, and we don't want to reset the LOGNAME, USER
     or USERNAME environment variables when running commands as root.
     Additionally, on the machines in the SERVERS Host_Alias, we keep an
     additional local log file and make sure we log the year in each log
     line since the log entries will be kept around for several years.
     Lastly, we disable shell escapes for the commands in the PAGERS
     Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

     # Override built-in defaults
     Defaults               syslog=auth
     Defaults>root          !set_logname
     Defaults:FULLTIMERS    !lecture
     Defaults:millert       !authenticate
     Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
     Defaults!PAGERS        noexec

     The User specification is the part that actually determines who may run
     what.

     root           ALL = (ALL) ALL
     %wheel         ALL = (ALL) ALL

     We let root and any user in group wheel run any command on any host as
     any user.

     FULLTIMERS     ALL = NOPASSWD: ALL

     Full time sysadmins (millert, mikef, and dowdy) may run any command on
     any host without authenticating themselves.

     PARTTIMERS     ALL = ALL

     Part time sysadmins (bostley, jwfox, and crawl) may run any command on
     any host but they must authenticate themselves first (since the entry
     lacks the NOPASSWD tag).

     jack           CSNETS = ALL

     The user jack may run any command on the machines in the CSNETS alias
     (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
     those networks, only 128.138.204.0 has an explicit netmask (in CIDR
     notation) indicating it is a class C network.  For the other networks
     in CSNETS, the local machine's netmask will be used during matching.

     lisa           CUNETS = ALL

     The user lisa may run any command on any host in the CUNETS alias (the
     class B network 128.138.0.0).

     operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                    sudoedit /etc/printcap, /usr/oper/bin/

     The operator user may run commands limited to simple maintenance.
     Here, those are commands related to backups, killing processes, the
     printing system, shutting down the system, and any commands in the
     directory /usr/oper/bin/.

     joe            ALL = /usr/bin/su operator

     The user joe may only su(1) to operator.

     pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

     %opers         ALL = (: ADMINGRP) /usr/sbin/

     Users in the opers group may run commands in /usr/sbin/ as themselves
     with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

     The user pete is allowed to change anyone's password except for root on
     the HPPA machines.  Note that this assumes passwd(1) does not take
     multiple user names on the command line.

     bob            SPARC = (OP) ALL : SGI = (OP) ALL

     The user bob may run anything on the SPARC and SGI machines as any user
     listed in the OP Runas_Alias (root and operator).

     jim            +biglab = ALL

     The user jim may run any command on machines in the biglab netgroup.
     sudo knows that "biglab" is a netgroup due to the '+' prefix.

     +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

     Users in the secretaries netgroup need to help manage the printers as
     well as add and remove users, so they are allowed to run those commands
     on all machines.

     fred           ALL = (DB) NOPASSWD: ALL

     The user fred can run commands as any user in the DB Runas_Alias
     (oracle or sybase) without giving a password.

     john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

     On the ALPHA machines, user john may su to anyone except root but he is
     not allowed to specify any options to the su(1) command.

     jen            ALL, !SERVERS = ALL

     The user jen may run any command on any machine except for those in the
     SERVERS Host_Alias (master, mail, www and ns).

     jill           SERVERS = /usr/bin/, !SU, !SHELLS

     For any machine in the SERVERS Host_Alias, jill may run any commands in
     the directory /usr/bin/ except for those commands belonging to the SU
     and SHELLS Cmnd_Aliases.

     steve          CSNETS = (operator) /usr/local/op_commands/

     The user steve may run any command in the directory
     /usr/local/op_commands/ but only as user operator.

     matt           valkyrie = KILL

     On his personal workstation, valkyrie, matt needs to be able to kill
     hung processes.

     WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

     On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
     and wim), may run any command as user www (which owns the web pages) or
     simply su(1) to www.

     ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

     Any user may mount or unmount a CD-ROM on the machines in the CDROM
     Host_Alias (orion, perseus, hercules) without entering a password.
     This is a bit tedious for users to type, so it is a prime candidate for
     encapsulating in a shell script.

SECURITY NOTES
     It is generally not effective to "subtract" commands from ALL using the
     '!' operator.  A user can trivially circumvent this by copying the
     desired command to a different name and then executing that.  For
     example:

         bill        ALL = ALL, !SU, !SHELLS

     Doesn't really prevent bill from running the commands listed in SU or
     SHELLS since he can simply copy those commands to a different name, or
     use a shell escape from an editor or other program.  Therefore, these
     kind of restrictions should be considered advisory at best (and
     reinforced by policy).

     Furthermore, if the fast_glob option is in use, it is not possible to
     reliably negate commands where the path name includes globbing (aka
     wildcard) characters.  This is because the C library's fnmatch(3)
     function cannot resolve relative paths.  While this is typically only
     an inconvenience for rules that grant privileges, it can result in a
     security issue for rules that subtract or revoke privileges.

     For example, given the following sudoers entry:

         john        ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

     User john can still run /usr/bin/passwd root if fast_glob is enabled by
     changing to /usr/bin and running ./passwd root instead.