Note: when an ordinary user switches to another user, the target user's password must be entered; when root switches users, no password is required.
The default /etc/pam.d/su (pam_wheel authentication not enabled):
[root@Zabbix_server_01 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
######
Enabling pam_wheel authentication
Method one: only users in the wheel group may switch users (users not in the wheel group cannot use the su command at all; an attempted switch is treated as an incorrect password; root is unaffected):
[root@Zabbix_server_01 ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Note: changes to /etc/pam.d/su take effect immediately.
Create a test user:
[root@Zabbix_server_01 ~]# adduser happy
[root@Zabbix_server_01 ~]# echo '111' | passwd --stdin happy
更改用户 happy 的密码 。
passwd: 所有的身份验证令牌已经成功更新。
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# id happy
uid=504(happy) gid=504(happy) 组=504(happy)
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# groups happy
happy : happy
By default, root does not belong to the wheel group:
[root@Zabbix_server_01 ~]# id root
uid=0(root) gid=0(root) 组=0(root)
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# groups root
root : root
Test:
Method two: only users in the wheel group may switch to root; users not in the wheel group may not switch to root, but may still switch to other ordinary users:
[root@Zabbix_server_01 ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid root_only
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Note: changes to /etc/pam.d/su take effect immediately.
Test:
When user zhuohua belongs to the wheel group:
[root@Zabbix_server_01 ~]# id zhuohua
uid=503(zhuohua) gid=503(zhuohua) 组=503(zhuohua),10(wheel)
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua wheel
Every user switch made with the su command is recorded in the security log /var/log/secure:
[root@Zabbix_server_01 ~]# tail /var/log/secure
Feb 8 12:38:21 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:38:37 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user happy by root(uid=503)
Feb 8 12:38:53 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user root by root(uid=504)
Feb 8 12:40:47 Zabbix_server_01 gpasswd[3572]: user zhuohua removed by root from group wheel
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user root
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user happy
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user zhuohua
Feb 8 12:42:15 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:42:37 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user happy by root(uid=503)
Feb 8 12:42:49 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user root by root(uid=504)
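The pam_wheel policy in /etc/pam.d/su and the su-to-root entries in /var/log/secure can both be checked mechanically. The following is an added example, not code from the original post: two POSIX sh audit helpers that take file paths as parameters (so they can run on copies) and assume grep, sed and sort are available; the sample log is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example (not from the original post): two audit helpers for the
# /etc/pam.d/su configuration and the /var/log/secure lines shown above.
# Assumes POSIX sh with grep/sed/sort; paths are parameters so it can run on copies.

# pam_wheel_mode FILE
# Prints which pam_wheel policy a /etc/pam.d/su file enforces:
#   off               - no active pam_wheel.so auth line (the default file)
#   trust             - wheel members may su without entering a password
#   require-all       - only wheel members may use su at all (method one)
#   require-root-only - only wheel members may su to root (method two)
pam_wheel_mode() {
    # Commented-out lines (leading #) must not count, so anchor on "auth".
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+.*pam_wheel\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo off
        return 0
    fi
    case "$line" in
        *trust*)     echo trust ;;
        *root_only*) echo require-root-only ;;
        *)           echo require-all ;;
    esac
}

# su_to_root_uids LOGFILE
# Prints the caller uids (deduplicated, one per line) that opened an su
# session for user root, ignoring uid 0 (root switching to itself).
su_to_root_uids() {
    grep 'su: pam_unix(su-l:session): session opened for user root by' "$1" \
      | sed -n 's/.*(uid=\([0-9][0-9]*\)).*/\1/p' \
      | grep -vx 0 \
      | sort -un
}

# Constructed sample log, modelled on the /var/log/secure excerpt above.
cat > /tmp/secure.sample <<'EOF'
Feb 8 12:38:21 host su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:38:53 host su: pam_unix(su-l:session): session opened for user root by root(uid=504)
Feb 8 12:42:49 host su: pam_unix(su-l:session): session opened for user root by root(uid=504)
Feb 8 12:43:10 host su: pam_unix(su-l:session): session opened for user root by root(uid=503)
EOF
su_to_root_uids /tmp/secure.sample   # prints 503 and 504
```

Run pam_wheel_mode against a copy of /etc/pam.d/su to confirm that the intended method is actually active, and compare the uids printed by su_to_root_uids with the wheel group membership.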
######
The sudo command: elevating an ordinary user's privileges
Basic configuration format: username hostname=command (the hostname can be replaced with ALL)
Check the sudo version:
[root@Zabbix_server_01 ~]# sudo -V
Sudo 版本 1.8.6p3
Example one: grant user happy permission to add and delete users:
Edit the file /etc/sudoers:
[root@zabbix ~]# visudo
Append:
happy ALL=/usr/sbin/useradd,/usr/sbin/userdel
%wheel ALL=NOPASSWD: ALL
Note: %wheel ALL=NOPASSWD: ALL ## lets users in the wheel group run any command without password authentication;