2 - User Switching and Privilege Escalation
2016.6.23
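Switching users with the su command
Purpose and usage
- Purpose: Substitute User, switch to another user
- Format: su - target-user
Viewing su operation records
- Security log file: /var/log/secure
View /var/log/secure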
[root@test2 jason]# tail /var/log/secure
Jun 23 16:41:32 test2 su: pam_unix(su:session): session closed for user quota
Jun 23 16:41:34 test2 su: pam_unix(su:session): session closed for user root
Jun 23 16:45:04 test2 chage[4465]: changed password expiry for quota
Jun 23 16:49:02 test2 useradd[4581]: new group: name=xiao, GID=508
Jun 23 16:49:02 test2 useradd[4581]: new user: name=xiao, UID=508, GID=508, home=/home/xiao, shell=/bin/bash
Jun 23 16:49:09 test2 passwd: pam_unix(passwd:chauthtok): password changed for xiao
Jun 23 16:49:09 test2 passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
Jun 23 16:55:26 test2 chage[4703]: changed password expiry for xiao
Jun 23 17:14:58 test2 su: pam_unix(su:session): session opened for user jason by jason(uid=0)
Jun 23 17:51:48 test2 su: pam_unix(su:session): session opened for user root by jason(uid=500)
[root@test2 jason]#
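An added example (not part of the original notes): a shell filter that extracts su session starts from /var/log/secure-style lines and reports switches to root made by non-root callers. The function names and the embedded sample are constructed here; the two "session opened" lines mirror the tail output above.

```shell
#!/bin/sh
# Constructed sample: two su lines as in the tail output above, one "closed"
# line and one made-up sshd line that must both be ignored.
sample_log() {
cat <<'EOF'
Jun 23 16:41:34 test2 su: pam_unix(su:session): session closed for user root
Jun 23 17:14:58 test2 su: pam_unix(su:session): session opened for user jason by jason(uid=0)
Jun 23 17:51:48 test2 su: pam_unix(su:session): session opened for user root by jason(uid=500)
Jun 23 17:52:10 test2 sshd[5001]: pam_unix(sshd:session): session opened for user xiao by (uid=0)
EOF
}

# Read a log on stdin; print "month day time caller caller_uid target"
# for every su session start.
# In "by NAME(uid=N)", N is the real uid of the process that ran su and NAME
# is the login name of the session, hence "jason(uid=0)" in the second line.
su_sessions() {
    awk '
    $5 ~ /^su(\[[0-9]+\])?:$/ && /pam_unix\(su(-l)?:session\): session opened for user / {
        target = ""; by = ""
        for (i = 6; i < NF; i++) {
            if ($i == "user" && target == "") target = $(i + 1)
            if ($i == "by") by = $(i + 1)
        }
        sub(/\(uid=[0-9]+\)$/, "", target)   # some PAM versions append (uid=N) here
        uid = by;    sub(/^.*\(uid=/, "", uid); sub(/\)$/, "", uid)
        caller = by; sub(/\(uid=.*$/, "", caller)
        if (caller == "") caller = "-"       # no login name was recorded
        print $1, $2, $3, caller, uid, target
    }'
}

# Keep only switches to root whose caller was not already uid 0.
su_to_root_by_nonroot() {
    su_sessions | awk '$6 == "root" && $5 != 0'
}

sample_log | su_to_root_by_nonroot
```

On a live system, feed the real file instead of the sample: su_to_root_by_nonroot < /var/log/secure (reading it requires root).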
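Elevating privileges with the sudo mechanism
- Drawbacks of the su command
- Purpose and usage of the sudo command
- Purpose: run authorized commands as another user (such as root)
- Usage: sudo authorized-command
- Configuring sudo authorization
- visudo or vi /etc/sudoers
- Entry format: user host-list=command-list
visudo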
[root@test2 jason]# visudo
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
jason test2=/sbin/*,!/sbin/reboot
~
:wq
This grants jason sudo rights on test2 to everything under /sbin, excluding reboot.
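As an added check (not from the original notes): sudoers(5) cautions that excluding commands with ! from a broad grant is generally not an effective restriction, so it helps to list what a rule like the one above still allows. effective_grant is a hypothetical helper written for this page; it assumes path-only commands (no arguments) and exact-path exclusions.

```shell
#!/bin/sh
# effective_grant RULE
# Expand the command list of one sudoers rule against the local filesystem
# and print every executable it still allows after the "!" exclusions.
# Assumptions (hypothetical helper): commands are plain paths or globs with
# no arguments, and each exclusion is an exact path.
effective_grant() {
    # Text after the first "=", one command per line, whitespace trimmed.
    items=$(printf '%s\n' "${1#*=}" | tr ',' '\n' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    deny=$(printf '%s\n' "$items" | sed -n 's/^!//p')
    allow=$(printf '%s\n' "$items" | grep -v '^!' || true)

    for f in $allow; do                 # unquoted on purpose: expand the glob
        [ -f "$f" ] && [ -x "$f" ] || continue
        # Drop paths that are listed as exclusions.
        printf '%s\n' "$deny" | grep -qxF -- "$f" && continue
        printf '%s\n' "$f"
    done
}

# Number of commands the rule from the visudo session grants on this host.
effective_grant 'jason test2=/sbin/*,!/sbin/reboot' | wc -l
```

The count shows how much is delegated: the exclusion removes a single path, while every other executable matched by the glob stays available to the user. An explicit list of the commands the user actually needs is easier to reason about.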
Test
sudo fdisk -l
[jason@test2 sbin]$ fdisk -l
[jason@test2 sbin]$ sudo fdisk -l
[sudo] password for jason:
Disk /dev/sdb: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8f24694
Device Boot Start End Blocks Id System
/dev/sdb1 1 2612 20980858+ 83 Linux
/dev/sdb2 2613 5224 20980890 8e Linux LVM
/dev/sdb3 5225 10443 41921617+ 83 Linux
Disk /dev/sdc: 85.9 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x8967e34e
Device Boot Start End Blocks Id System
/dev/sdc1 1 2612 20980858+ 83 Linux
/dev/sdc2 2613 5224 20980890 8e Linux LVM
/dev/sdc3 5225 5486 2104515 fd Linux raid autodetect
Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000d0a36
Device Boot Start End Blocks Id System
/dev/sda1 * 1 64 512000 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 64 2611 20458496 8e Linux LVM
Disk /dev/sde: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xe4b1d138
Device Boot Start End Blocks Id System
/dev/sde1 1 262 2104483+ fd Linux raid autodetect
/dev/sde2 263 524 2104515 fd Linux raid autodetect
/dev/sde3 525 786 2104515 fd Linux raid autodetect
Disk /dev/sdf: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x65c9c4f1
Device Boot Start End Blocks Id System
/dev/sdf1 1 262 2104483+ fd Linux raid autodetect
/dev/sdf2 263 524 2104515 fd Linux raid autodetect
/dev/sdf3 525 786 2104515 fd Linux raid autodetect
Disk /dev/sdd: 107.4 GB, 107374182400 bytes
255 heads, 63 sectors/track, 13054 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xef9a8da9
Device Boot Start End Blocks Id System
/dev/sdd1 1 13054 104856223+ 8e Linux LVM
Disk /dev/sdh: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xdeb9d0d0
Device Boot Start End Blocks Id System
/dev/sdh1 1 262 2104483+ fd Linux raid autodetect
/dev/sdh2 263 524 2104515 fd Linux raid autodetect
/dev/sdh3 525 786 2104515 fd Linux raid autodetect
Disk /dev/sdg: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x37970afa
Device Boot Start End Blocks Id System
/dev/sdg1 1 262 2104483+ fd Linux raid autodetect
/dev/sdg2 263 524 2104515 fd Linux raid autodetect
/dev/sdg3 525 786 2104515 fd Linux raid autodetect
Disk /dev/mapper/vg_jason-lv_root: 18.8 GB, 18798870528 bytes
255 heads, 63 sectors/track, 2285 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/vg_jason-lv_swap: 2147 MB, 2147483648 bytes
255 heads, 63 sectors/track, 261 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/md1: 6458 MB, 6458179584 bytes
2 heads, 4 sectors/track, 1576704 cylinders
Units = cylinders of 8 * 512 = 4096 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 524288 bytes / 1572864 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/mail_store-mbox: 128.8 GB, 128849018880 bytes
255 heads, 63 sectors/track, 15665 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
[jason@test2 sbin]$
- Viewing sudo operation records
- Requires the Defaults logfile setting to be enabled
- Default log file: /var/log/sudo
- List the authorized sudo operations: sudo -l
visudo
[root@test2 sbin]# visudo
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
jason test2=/sbin/*,!/sbin/reboot
## Add the following line at the end of the file to enable the log file
Defaults logfile=/var/log/sudo
:wq
Note: the keyword is Defaults, not Default.