Sudo is a tool that lets the system administrator authorize ordinary users to run some or all commands as root. This cuts down on direct root logins and improves the security of the system.
Features of sudo:
1. Specific users can be restricted to running specified commands on specific hosts.
2. It keeps very detailed log records.
3. sudo uses a timestamp file to implement something like a "ticket" system. After a user runs sudo and enters their password, they hold a ticket that is valid for 5 minutes by default (the value is fixed at compile time and can also be changed with the timestamp_timeout option in sudoers); if sudo is not used again within those 5 minutes, the password must be entered again. Running sudo -k discards the ticket early.
Installing sudo (omitted): most systems have it installed by default.
The configuration file /etc/sudoers:
A brief description of the entries in this file follows (root edits it with visudo, which locks the file and checks the syntax before saving).
Part 1: # Host alias specification (host aliases, used to group several hosts)
Format: Host_Alias SERVER = 192.168.0.1/255.255.255.0
Host_Alias SERVER1 = 172.17.1.1
Part 2: # User alias specification (user aliases, used to group several users)
Format: User_Alias ADMIN = test,jack,tom
User_Alias TEST = user1
Part 3: # Cmnd alias specification (command aliases, listing the commands a user may run)
Format: Cmnd_Alias CAT = /bin/cat /etc/sudoers
Cmnd_Alias LS = /bin/ls /root
(Alias names must consist of uppercase letters, digits and underscores and start with a letter, so a name such as "Ls" is rejected by visudo.)
Part 4: # Override built in defaults (adding log records)
Defaults@SERVER log_host, logfile=/var/log/sudo.log
# Adds an extra log file for the hosts in the host alias; if the log needs to be kept for years, add log_year as well, so that the year is recorded with each entry.
The configuration example is explained in detail below:
[test@redflag test]$ sudo cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
Host_Alias SERVER = 172.17.196.10 # host 172.17.196.10 gets the alias SERVER
# User alias specification
User_Alias ADMIN = test,jack # user alias ADMIN containing the users test and jack
# Cmnd alias specification
Cmnd_Alias CT = /bin/cat /etc/sudoers,/bin/cat /etc/shadow
Cmnd_Alias CA = /bin/ls /root
# command alias CT allows "cat /etc/sudoers" and "cat /etc/shadow"; CA allows "ls /root"
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
test SERVER=CT,CA # user test may run cat /etc/sudoers, cat /etc/shadow and ls /root on SERVER (note that reading /etc/shadow hands test every account's password hash)
# test ALL=(ALL) NOPASSWD: ALL (would let test run every command as root without being asked for a password)
# Override built in defaults
Defaults@SERVER log_host, logfile=/var/log/sudo.log
# log to /var/log/sudo.log on host SERVER, with the host name recorded in each entry
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Log file:
An excerpt from /var/log/sudo.log (each entry is one line; the denied attempts carry "command not allowed"):
Mar 3 15:13:14 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
Mar 3 15:13:18 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -
Mar 3 15:13:56 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar 3 15:14:10 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
Mar 3 16:27:30 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar 3 16:29:47 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
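The entries worth reading in that file are the denied ones, above all the attempt to run "su -". The following parser is an added example, not part of the original post and not sudo's own code. It assumes the line layout produced by the logfile and log_host options as shown in the excerpt (fields separated by " : " and " ; ", a free-text status such as "command not allowed" in front of TTY=); the sample lines are the six entries from the excerpt, embedded here as constructed input.

```python
"""Parse sudo's logfile format and pull out the denied attempts."""
from collections import Counter

# Constructed sample: the six entries from the excerpt above, one per line.
SAMPLE_LOG = """\
Mar 3 15:13:14 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
Mar 3 15:13:18 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -
Mar 3 15:13:56 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar 3 15:14:10 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/ls /root
Mar 3 16:27:30 : test : HOST=redflag : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar 3 16:29:47 : test : HOST=redflag : command not allowed ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/cat /var/log/sudo.log
"""

# Commands that hand the caller an interactive root shell; a denied attempt
# at one of these is the most interesting line in the file (assumed list).
SHELL_ESCAPES = ("/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash")


def parse_entry(line):
    """Return a dict for one log entry, or None if the line is not in this format.

    Keys: time, user (the invoking user), status ("" when the command ran,
    otherwise e.g. "command not allowed"), plus the upper-case KEY=VALUE
    fields sudo writes: HOST, TTY, PWD, USER (the target user) and COMMAND.
    """
    parts = [p.strip() for p in line.rstrip("\n").split(" : ")]
    if len(parts) < 4:
        return None
    entry = {"time": parts[0], "user": parts[1], "status": ""}
    # parts[2] is "HOST=name"; the remainder is separated by " ; ". Re-join
    # them so every field is parsed the same way.
    rest = " ; ".join(parts[2:])
    for field in rest.split(" ; "):
        key, sep, value = field.partition("=")
        if sep and key.isupper():
            entry[key] = value
        else:
            entry["status"] = field          # free text, e.g. "command not allowed"
    if "COMMAND" not in entry:
        return None
    return entry


def parse_log(text):
    """Parse every line of a logfile; lines in another format are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def denied(entries):
    """Entries where sudoers refused the command."""
    return [e for e in entries if e["status"] == "command not allowed"]


def shell_escape_attempts(entries):
    """Denied entries whose command would have given the user a root shell."""
    return [e for e in denied(entries)
            if e["COMMAND"].split(" ")[0] in SHELL_ESCAPES]


def summary(entries):
    """Counter of (invoking user, status or "ok", command) for a quick review."""
    return Counter((e["user"], e["status"] or "ok", e["COMMAND"]) for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in denied(entries):
        print("DENIED", e["time"], e["user"], "->", e["COMMAND"])
    for e in shell_escape_attempts(entries):
        print("SHELL ESCAPE ATTEMPT", e["time"], e["user"], e["COMMAND"])
    for key, n in summary(entries).items():
        print(n, key)
```

On the sample, parse_log yields six entries, three of them denied, and the only shell-escape attempt is the "/bin/su -" line; the two successful reads of /etc/sudoers are counted together by summary.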
Problems met during configuration:
1. A wrong host name stopped sudo from running the command and from logging it.
Error message: Sorry, user test is not allowed to execute '/bin/cat /etc/sudoers' as root on localhost.localdomain.
Fix: sudo matches the host part of a rule against the machine's own host name or IP address (the name in the error message, localhost.localdomain, is what sudo thinks this host is called), so replace the host part with the real host name or IP:
test localhost=/bin/cat /etc/sudoers
Defaults@localhost log_host, logfile=/var/log/sudo.log
2. A wrongly written command in the command alias list stopped sudo from running the command.
Error message: [jackyu@localhost jackyu]$ sudo cat /etc/sudoers
Sorry, user jackyu is not allowed to execute '/bin/cat /etc/sudoers' as root on localhost.localdomain.
Fix: the command had been written in the Cmnd alias with an extra option (Cmnd_Alias CAT = /bin/cat -n /etc/sudoers), so the command that matches it is:
sudo cat -n /etc/sudoers
[Note]: whether a command is listed in a Cmnd alias or directly in a User privilege specification line, if the entry includes arguments the command the user runs through sudo must match it exactly, otherwise sudo refuses. For example, if the entry only allows /bin/cat /etc/sudoers, running sudo cat -n /etc/sudoers after logging in will fail. The reverse case matters more: an entry with no arguments at all (just /bin/cat) allows the command with any arguments, /etc/shadow included, so list the exact arguments, or append "" to forbid arguments, rather than granting a bare command.
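The matching rule behind problem 2 can be checked without a root shell. The block below is an added example, not sudo's own code: it reimplements only the rule documented in sudoers(5) for how one Cmnd entry matches the command line a user typed (exact arguments, a bare path meaning "any arguments", "" meaning "no arguments", and wildcards in the argument part). argv[0] is assumed to be the already-resolved path, since sudo resolves "cat" to /bin/cat through the caller's PATH before matching; wildcards in the path part are not modeled. The CT and CA lists are constructed copies of the aliases from the example above.

```python
"""Model of the sudoers(5) Cmnd matching rule: exact args, bare path, "" and wildcards."""
import fnmatch

# Constructed aliases mirroring the sudoers example above.
CT = ["/bin/cat /etc/sudoers", "/bin/cat /etc/shadow"]
CA = ["/bin/ls /root"]


def parse_cmnd(entry):
    """Split a Cmnd entry into (path, args).

    args is None  -> entry is a bare path: any arguments are accepted
    args is ""    -> entry ended in "": the command must be run without arguments
    otherwise     -> the argument string (or fnmatch pattern) that must match
    """
    entry = entry.strip()
    path, _, rest = entry.partition(" ")
    rest = rest.strip()
    if rest == "":
        return path, None
    if rest == '""':
        return path, ""
    return path, rest


def cmnd_matches(entry, argv):
    """True if the resolved command line argv is permitted by one Cmnd entry."""
    path, args = parse_cmnd(entry)
    if path != "ALL" and argv[0] != path:
        return False
    if args is None:
        return True                       # bare path: any arguments go through
    user_args = " ".join(argv[1:])
    if args == "":
        return user_args == ""
    # sudo compares the whole argument string; a '*' in it also matches '/',
    # so a pattern like /var/log/* does not confine the user to /var/log.
    return fnmatch.fnmatchcase(user_args, args)


def allowed(cmnd_list, argv):
    """sudo -l style check: the command is allowed if any entry in the list matches."""
    return any(cmnd_matches(e, argv) for e in cmnd_list)


if __name__ == "__main__":
    cases = [
        (CT, ["/bin/cat", "/etc/sudoers"]),                       # exact match
        (CT, ["/bin/cat", "-n", "/etc/sudoers"]),                 # extra -n: refused
        (["/bin/cat -n /etc/sudoers"], ["/bin/cat", "/etc/sudoers"]),  # problem 2
        (["/bin/cat"], ["/bin/cat", "/etc/shadow"]),              # bare path: anything
        (['/bin/cat ""'], ["/bin/cat", "/etc/shadow"]),           # "": no args allowed
        (["/bin/cat /var/log/*"], ["/bin/cat", "/var/log/../../etc/shadow"]),
    ]
    for entries, argv in cases:
        verdict = "allowed" if allowed(entries, argv) else "command not allowed"
        print(entries, "<-", " ".join(argv), "->", verdict)
```

The last two cases are the ones to remember when writing a Cmnd alias: a bare /bin/cat or a wildcard argument reads /etc/shadow just as well as an explicit entry for it.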
Added below for reference are FAQ and troubleshooting tips collected from the web:
Troubleshooting tips and FAQ for Sudo
=====================================
Q) When I run configure, it says "C compiler cannot create executables".
A) This usually means you don't have a working compiler. This
could be due to the lack of a license or that some component of the
compiler suite could not be found. Check config.log for clues as
to why this is happening. On many systems, compiler components live
in /usr/ccs/bin which may not be in your PATH environment variable.
Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root."
and sudo quits.
A) Sudo must be setuid root to do its work. You need to do something like
`chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides
on must *not* be mounted (or exported) with the nosuid option or sudo
will not be able to work. Another possibility is you may have '.' in
your $PATH before the directory containing sudo. If you are going
to have '.' in your path you should make sure it is at the end.
Q) Sudo compiles but when I run it I get "seteuid(0) failed, your operating
system may have broken POSIX saved ID support\nTry running configure with
--disable-saved-ids" and sudo quits.
A) The operating system you are running probably has broken support for
POSIX saved IDs. You should run configure with the "--disable-saved-ids"
option and rebuild sudo.
Q) Sudo never gives me a chance to enter a password using PAM, it just
says 'Sorry, try again.' three times and exits.
A) You didn't setup PAM to work with sudo. On Redhat Linux or Fedora
Core this generally means installing sample.pam as /etc/pam.d/sudo.
See the sample.pam file for hints on what to use for other Linux
systems.
Q) Sudo says 'Account expired or PAM config lacks an "account"
section for sudo, contact your system administrator' and exits
but I know my account has not expired.
A) Your PAM config lacks an "account" specification. On Linux this
usually means you are missing a line like:
account required pam_unix.so
in /etc/pam.d/sudo.
Q) Sudo is setup to log via syslog(3) but I'm not getting any log
messages.
A) Make sure you have an entry in your syslog.conf file to save
the sudo messages (see the sample.syslog.conf file). The default
log facility is local2 (changeable via configure). Don't forget
to send a SIGHUP to your syslogd so that it re-reads its conf file.
Also, remember that syslogd does *not* create log files, you need to
create the file before syslogd will log to it (ie: touch /var/log/sudo).
Note: the facility ("local2.debug") must be separated from the
destination ("/var/adm/sudo.log" or "@loghost") by
tabs, *not* spaces. This is a common error.
Q) When sudo asks me for my password it never accepts what I enter even
though I know I entered my password correctly.
A) If your system uses shadow passwords, it is possible that sudo
didn't detect this. Take a look at the generated config.h file
and verify that the C function used for shadow password lookups
was detected. For instance, for SVR4-style shadow passwords,
HAVE_GETSPNAM should be defined (you can search for the string
"shadow passwords" in config.h with your editor). Note that
there is no define for 4.4BSD-based shadow passwords since that
just uses the standard getpw* routines.
Q) I don't want the sudoers file in /etc, how can I specify where it
should go?
A) Use the --sysconfdir option to configure. Ie:
configure --sysconfdir=/dir/you/want/sudoers/in
Q) Can I put the sudoers file in NIS/NIS+ or do I have to have a
copy on each machine?
A) There is no support for making an NIS/NIS+ map/table out of
the sudoers file at this time. A good way to distribute the
sudoers file is via rdist(1). It is also possible to NFS-mount
the sudoers file.
Q) I don't run sendmail on my machine. Does this mean that I cannot
use sudo?
A) No, you just need to use the --without-sendmail argument to configure
or add "!mailerpath" to the Defaults line in /etc/sudoers.
Q) When I run visudo it uses vi as the editor and I hate vi. How
can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
This will make visudo use the editor specified by the user's
EDITOR environment variable. Alternately, you can run configure
with the --with-editor=/path/to/another/editor.
Q) Sudo appears to be removing some variables from my environment, why?
A) Sudo removes the following "dangerous" environment variables
to guard against shared library spoofing, shell voodoo, and
kerberos server spoofing.
IFS
LOCALDOMAIN
RES_OPTIONS
HOSTALIASES
NLSPATH
PATH_LOCALE
TERMINFO
TERMINFO_DIRS
TERMPATH
TERMCAP
ENV
BASH_ENV
LC_* (if it contains a '/' or '%')
LANG (if it contains a '/' or '%')
LANGUAGE (if it contains a '/' or '%')
LD_*
_RLD_*
SHLIB_PATH (HP-UX only)
LIBPATH (AIX only)
KRB_CONF (kerb4 only)
KRBCONFDIR (kerb4 only)
KRBTKFILE (kerb4 only)
KRB5_CONFIG (kerb5 only)
VAR_ACE (SecurID only)
USR_ACE (SecurID only)
DLC_ACE (SecurID only)
Q) How can I keep sudo from asking for a password?
A) To specify this on a per-user (and per-command) basis, use the 'NOPASSWD'
tag right before the command list in sudoers. See the sudoers man page
and sample.sudoers for details. To disable passwords completely,
run configure with the --without-passwd option or add "!authenticate"
to the Defaults line in /etc/sudoers. You can also turn off authentication
on a per-user or per-host basis using a user or host-specific Defaults
entry in sudoers.
Q) When I run configure, it dies with the following error:
"no acceptable cc found in $PATH".
A) /usr/ucb/cc was the only C compiler that configure could find.
You need to tell configure the path to the "real" C compiler
via the --with-CC option. On Solaris, the path is probably
something like "/opt/SUNWspro/SC4.0/bin/cc". If you have gcc
that will also work.
Q) When I run configure, it dies with the following error:
Fatal Error: config.cache exists from another platform!
Please remove it and re-run configure.
A) configure caches the results of its tests in a file called
config.cache to make re-running configure speedy. However,
if you are building sudo for a different platform the results
in config.cache will be wrong so you need to remove config.cache.
You can do this by "rm config.cache" or "make realclean".
Note that "make realclean" will also remove any object files
and configure temp files that are laying around as well.
Q) I built sudo on a Solaris >= 2.6 machine but the resulting binary
doesn't work on Solaris = 2.6 machine that
will run on a
This article comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/11169/showart_197133.html