Gaining superuser access - Red Hat 7.2

虾米哥  Views: 136  2022-05-23 17:58:53  Comments: 0

Gaining superuser access

The root user:

       In Red Hat 7.2 the root user's privileges exceed the ordinary privileges on the filesystem and are used to administer the system. Tasks such as installing or removing software and managing system files and directories require escalating to root.

       Most devices are under root's control, but not all of them. USB removable media, for example, can be managed by an ordinary user, whereas by default only root can manage "fixed" disks.

The root account on Linux is roughly equivalent to the local Administrator account on Windows. On a Linux system most administrators log in to an unprivileged (non-root) account and then use tools such as su, sudo and PolicyKit to obtain root privileges when they need them.

Switching accounts with su:

 The su command:

   Switches user; with no username given it switches to root. When an ordinary user switches to root this way, root's password must be entered. "su -" (with the dash) also changes the working directory and sets up the environment exactly as if that user had logged in, while plain "su" only starts a shell as that user with the current environment settings.

su -c: works like runas on Windows, running an arbitrary program as another user.

Drawback of su: an ordinary user has to enter the root password.

 The sudo command:

     Lets users run commands as root or as another user according to the rules in /etc/sudoers. sudo asks for the user's own password rather than the root password, so an administrator can delegate administrative tasks with fine-grained privileges without handing out the root password.

For example, if sudo has been configured to allow the user redhat to run usermod as root, then redhat can use it to lock a user account.

sudo provides a dedicated command for editing this file, visudo: it reports configuration errors before the file is saved, and its usage is like vim's.

[Screenshot: editing with vim]
[Screenshot: editing with visudo]

 The /etc/sudoers file explained

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


# Command Aliases
## These are groups of related commands...

## Networking   (alias for network-related commands)
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services   (alias for service-management commands)

## Updating the locate database   (alias for refreshing the locate database)
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage   (alias for disk-management commands)
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions   (alias for permission-delegation commands)
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes   (alias for process-related commands)
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers   (alias for loading kernel modules / drivers)
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##      (user   host the user is logged in on=(identity to run as)   commands allowed)
##
## The COMMANDS section may have other options added to it.
## (the command part can carry extra options such as NOPASSWD:)
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## redhat gets full privileges; redhat's own password is required
redhat  ALL=(ALL)       ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands   (members of the wheel group may run every command)
%wheel  ALL=(ALL)       ALL

## Same thing without a password   (members of wheel may run every command without entering a password)
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system   (lets members of the users group shut the machine down)
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
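As an added example (not code from the original post or from Red Hat), the script below turns the page's delegation example, the user redhat being allowed to run usermod as root, into an /etc/sudoers.d drop-in, syntax-checks it the way visudo does, and audits a sudoers file for the weak settings the listing above shows commented out: NOPASSWD: ALL for wheel, HOME added to env_keep, and a configuration that lacks env_reset or secure_path. Assumptions: usermod is /usr/sbin/usermod on RHEL 7 (where /sbin is a symlink to /usr/sbin), and both sample sudoers files written by the script are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post or Red Hat): render the
# "redhat may run usermod as root" delegation as a sudoers.d drop-in,
# syntax-check it, and audit sudoers files for the weak settings the
# page's comments warn about.
# Assumption: usermod lives at /usr/sbin/usermod on RHEL 7.
USERMOD=/usr/sbin/usermod

# Least-privilege rule: one user, one run-as identity, one binary, no
# NOPASSWD, so redhat still types redhat's own password, never root's.
render_usermod_dropin() {
    printf '%s ALL=(root) %s\n' "$1" "$USERMOD"
}

# Coarse structural check: every active line must be a Defaults line, an
# alias definition, or a "who WHERE=(AS) WHAT" rule (which always holds
# an '='). "#includedir" starts with '#' and is skipped like a comment.
coarse_sudoers_check() {
    awk '
        /^[[:space:]]*(#|$)/                       { next }
        /^(Defaults|(User|Host|Cmnd|Runas)_Alias)/ { next }
        /=/                                        { next }
        { bad++ }
        END { exit (bad > 0) }' "$1"
}

# Syntax-check a candidate file without installing it. "visudo -c -f FILE"
# is visudo's check-only mode for an alternate file; when visudo is not
# installed (e.g. a build container) fall back to the coarse check above.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        coarse_sudoers_check "$1"
    fi
}

# Audit active (non-comment) lines for the weak settings. One finding per
# output line; always exits 0 so callers can count findings under set -e.
audit_sudoers() {
    active=$(grep -Ev '^[[:space:]]*#' "$1" || true)
    printf '%s\n' "$active" | grep -E 'NOPASSWD:[[:space:]]*ALL' \
        | sed 's/^/passwordless unrestricted root: /'
    printf '%s\n' "$active" | grep -E '^Defaults[[:space:]]+env_keep.*[" ]HOME[" ]' \
        | sed 's/^/HOME kept across sudo (config-file hijack risk): /'
    printf '%s\n' "$active" | grep -Eq '^Defaults[[:space:]]+env_reset' \
        || echo "env_reset not enabled: caller environment reaches the root command"
    printf '%s\n' "$active" | grep -Eq '^Defaults[[:space:]]+secure_path' \
        || echo "secure_path not set: PATH for delegated commands is caller-controlled"
    return 0
}

count_findings() {
    audit_sudoers "$1" | awk 'END { print NR }'
}

# Constructed sample: the page's hardened Defaults plus the usermod delegation.
write_hardened_sample() {
    cat >"$1" <<'EOF'
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
redhat  ALL=(root)      /usr/sbin/usermod
EOF
}

# Constructed sample: the weak lines the page shows commented out, enabled.
write_weak_sample() {
    cat >"$1" <<'EOF'
Defaults    !env_reset
Defaults    env_keep += "HOME"
%wheel      ALL=(ALL)       NOPASSWD: ALL
EOF
}

main() {
    dir=$(mktemp -d)
    render_usermod_dropin redhat >"$dir/redhat-usermod"
    check_sudoers_syntax "$dir/redhat-usermod" && echo "drop-in syntax OK"
    write_hardened_sample "$dir/hardened"
    write_weak_sample "$dir/weak"
    for f in hardened weak; do
        echo "== $f: $(count_findings "$dir/$f") finding(s)"
        audit_sudoers "$dir/$f"
    done
    rm -rf "$dir"
}
main
```

Install the rendered drop-in with visudo -f /etc/sudoers.d/redhat-usermod, or copy it in with mode 0440 once the check passes; visudo -c -f on a temp file owned by an unprivileged user may additionally complain about owner and mode, which the coarse fallback ignores. Two caveats: allowing usermod with any arguments is close to granting full root, because usermod can add the caller to wheel or set another account's password, so a real deployment should pin the argument list (sudoers wildcards match across spaces, so "-L *" alone does not constrain extra options) or allow a small wrapper script instead; and the audit is line-based and does not resolve aliases or included files, so run it over the /etc/sudoers.d entries as well as the main file.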
