SUDO
The sudoers file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may run what).
When multiple entries match for a
user, they are applied in order. Where there are multiple matches, the last
match is used (which is not necessarily the most specific match).
Two of the main advantages of using sudo are restricted privileges and logs of the
actions performed by users.
But in order to use sudo we first need to configure the sudoers file.
# visudo
Normally visudo opens the file /etc/sudoers in the vi editor. Use it rather than editing
the file directly: it locks the file against concurrent edits and warns about syntax
errors before installing the new file.
As described above, sudoers supports two kinds of syntax: aliases, and user
specifications saying who may run which commands in which role. Take an example.
User_Alias  WEBMASTERS = will, wendy, wim
Runas_Alias DB = oracle, sybase
Host_Alias  SERVERS = master, mail, www, ns
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                     /usr/local/bin/tcsh, /usr/bin/rsh, \
                     /usr/local/bin/zsh
So
WEBMASTERS SERVERS = (DB) ALL, !SHELLS
means that users in the WEBMASTERS alias, on the hosts in SERVERS, may run any command
as any account in the DB alias, except the commands in the SHELLS alias. The order of
the two command entries matters: since the last match wins, writing "!SHELLS, ALL"
would let the final ALL override the exclusion and allow the shells after all. Even in
the right order, excluding commands with "!" is a weak control; the sudoers man page
notes it is generally not effective and recommends listing the permitted commands
instead.
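As an added example (not code from the original post), here is a small Python evaluator for the subset of sudoers syntax shown above: it parses the four alias types and one-line user specifications, then applies the last-match rule, so you can see why "ALL, !SHELLS" and "!SHELLS, ALL" give different answers. The sample policy text is constructed from the aliases above.

```python
import re
# Constructed sample from the aliases shown above (added example, not from the post;
# real sudoers also has Defaults, netgroups, wildcards and tags, not handled here).
ALIASES = """\
User_Alias  WEBMASTERS = will, wendy, wim
Runas_Alias DB = oracle, sybase
Host_Alias  SERVERS = master, mail, www, ns
Cmnd_Alias  SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \\
                     /usr/local/bin/tcsh, /usr/bin/rsh, \\
                     /usr/local/bin/zsh
"""
GOOD = ALIASES + "WEBMASTERS SERVERS = (DB) ALL, !SHELLS\n"  # intended: no shells
BAD = ALIASES + "WEBMASTERS SERVERS = (DB) !SHELLS, ALL\n"   # trailing ALL wins
ALIAS_RE = re.compile(r"(User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.*)")
SPEC_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(.*)")

def parse(text):  # -> (aliases by type, [(users, hosts, runas, [cmd, ...]), ...])
    aliases = {"User": {}, "Runas": {}, "Host": {}, "Cmnd": {}}
    specs = []
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        line = line.split("#", 1)[0].strip()             # strip comments
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = [x.strip() for x in m.group(3).split(",")]
        else:  # user specification; runas defaults to root when omitted
            users, hosts, runas, cmds = SPEC_RE.match(line).groups()
            specs.append((users, hosts, runas or "root", [c.strip() for c in cmds.split(",")]))
    return aliases, specs

def member(name, value, table):  # does name (ALL, an alias, or a literal) cover value?
    if name == "ALL":
        return True
    if name in table:
        return any(member(x, value, table) for x in table[name])
    return name == value

def allowed(text, user, host, runas, cmd):
    """May user on host run cmd as runas?  The last matching command entry decides."""
    al, specs = parse(text)
    verdict = False
    for users, hosts, ru, cmds in specs:
        scope = zip((users, hosts, ru), (user, host, runas), ("User", "Host", "Runas"))
        if all(member(n, v, al[t]) for n, v, t in scope):
            for c in cmds:
                if member(c.lstrip("!"), cmd, al["Cmnd"]):
                    verdict = not c.startswith("!")  # later entries override earlier
    return verdict
```

Running allowed(GOOD, "will", "www", "oracle", "/usr/bin/sh") returns False while the same query against BAD returns True, which is the ordering pitfall in practice.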
With that in mind, reading the following sample file should make the sudoers settings
clear.
# sudo sample file from http://www.gratisoft.us/sudo/sample.sudoers
#
# Sample /etc/sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

##
# User alias specification
##
User_Alias      FULLTIMERS = millert, mikef, dowdy
User_Alias      PARTTIMERS = bostley, jwfox, crawl
User_Alias      WEBMASTERS = will, wendy, wim

##
# Runas alias specification
##
Runas_Alias     OP = root, operator
Runas_Alias     DB = oracle, sybase

##
# Host alias specification
##
Host_Alias      SPARC = bigtime, eclipse, moet, anchor:\
                SGI = grolsch, dandelion, black:\
                ALPHA = widget, thalamus, foobar:\
                HPPA = boa, nag, python
Host_Alias      CUNETS = 128.138.0.0/255.255.0.0
Host_Alias      CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias      SERVERS = master, mail, www, ns
Host_Alias      CDROM = orion, perseus, hercules

##
# Cmnd alias specification
##
Cmnd_Alias      DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
                /usr/sbin/rrestore, /usr/bin/mt
Cmnd_Alias      KILL = /usr/bin/kill
Cmnd_Alias      PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias      HALT = /usr/sbin/halt, /usr/sbin/fasthalt
Cmnd_Alias      REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                /usr/local/bin/tcsh, /usr/bin/rsh, \
                /usr/local/bin/zsh
Cmnd_Alias      SU = /usr/bin/su
Cmnd_Alias      VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
                /usr/bin/chfn

##
# Override built-in defaults
##
Defaults                syslog=auth
Defaults:FULLTIMERS     !lecture
Defaults:millert        !authenticate
Defaults@SERVERS        log_year, logfile=/var/log/sudo.log

##
# User specification
##

# root and users in group wheel can run anything on any machine as any user
root            ALL = (ALL) ALL
%wheel          ALL = (ALL) ALL

# full time sysadmins can run anything on any machine without a password
FULLTIMERS      ALL = NOPASSWD: ALL

# part time sysadmins may run anything but need a password
PARTTIMERS      ALL = ALL

# jack may run anything on machines in CSNETS
jack            CSNETS = ALL

# lisa may run any command on any host in CUNETS (a class B network)
lisa            CUNETS = ALL

# operator may run maintenance commands and anything in /usr/oper/bin/
operator        ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
                /usr/oper/bin/

# joe may su only to operator
joe             ALL = /usr/bin/su operator

# pete may change passwords for anyone but root on the hp snakes
pete            HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

# bob may run anything on the sparc and sgi machines as any user
# listed in the Runas_Alias "OP" (ie: root and operator)
bob             SPARC = (OP) ALL : SGI = (OP) ALL

# jim may run anything on machines in the biglab netgroup
jim             +biglab = ALL

# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
+secretaries    ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

# fred can run commands as oracle or sybase without a password
fred            ALL = (DB) NOPASSWD: ALL

# on the alphas, john may su to anyone but root and flags are not allowed
john            ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
jen             ALL, !SERVERS = ALL

# jill can run any commands in the directory /usr/bin/, except for
# those in the SU and SHELLS aliases.
jill            SERVERS = /usr/bin/, !SU, !SHELLS

# steve can run any command in the directory /usr/local/op_commands/
# as user operator.
steve           CSNETS = (operator) /usr/local/op_commands/

# matt needs to be able to kill things on his workstation when
# they get hung.
matt            valkyrie = KILL

# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
WEBMASTERS      www = (www) ALL, (root) /usr/bin/su www

# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL             CDROM = NOPASSWD: /sbin/umount /CDROM,\
                /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
This article is from the ChinaUnix blog; to read the original, see: http://blog.chinaunix.net/u1/52953/showart_1904027.html