Create a new user:
[root@Zabbix_server_01 ~]# useradd zhuohua
[root@Zabbix_server_01 ~]# echo 'mima' | passwd --stdin zhuohua
更改用户 zhuohua 的密码 。
passwd: 所有的身份验证令牌已经成功更新。
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua
By default, any user can switch to another user with the su command:
Note: a plain su does not change the current working directory; su - switches to the target user's home directory.
Note: an ordinary user switching users must enter the target user's password; root does not need the target user's password.
The default contents of /etc/pam.d/su (pam_wheel authentication not enabled):
[root@Zabbix_server_01 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
######
Enabling pam_wheel authentication
Method one: only allow users in the wheel group to switch users. (Users not in the wheel group cannot use su at all; an attempted switch is reported as "incorrect password". Root is unaffected.)
[root@Zabbix_server_01 ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Note: changes to /etc/pam.d/su take effect immediately.
Create a test user:
[root@Zabbix_server_01 ~]# adduser happy
[root@Zabbix_server_01 ~]# echo '111' | passwd --stdin happy
更改用户 happy 的密码 。
passwd: 所有的身份验证令牌已经成功更新。
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# id happy
uid=504(happy) gid=504(happy) 组=504(happy)
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# groups happy
happy : happy
By default, root does not belong to the wheel group:
[root@Zabbix_server_01 ~]# id root
uid=0(root) gid=0(root) 组=0(root)
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# groups root
root : root
Test:
Add user zhuohua to the wheel group (wheel may be either the user's primary group or a supplementary group):
[root@Zabbix_server_01 ~]# gpasswd -a zhuohua wheel
正在将用户“zhuohua”加入到“wheel”组中
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua wheel
[root@Zabbix_server_01 ~]# id zhuohua
uid=503(zhuohua) gid=503(zhuohua) 组=503(zhuohua),10(wheel)
Test:
Change the primary group of user happy:
[root@Zabbix_server_01 ~]# usermod -g wheel happy
[root@Zabbix_server_01 ~]#
[root@Zabbix_server_01 ~]# id happy
uid=504(happy) gid=10(wheel) 组=10(wheel)
[root@Zabbix_server_01 ~]# groups happy
happy : wheel
Once happy is in the wheel group, su switching works:
Method two: only allow users in the wheel group to switch to root; users not in the wheel group may not switch to root but may still switch to other ordinary users:
[root@Zabbix_server_01 ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid root_only
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Note: changes to /etc/pam.d/su take effect immediately.
Test:
When user zhuohua belongs to the wheel group:
[root@Zabbix_server_01 ~]# id zhuohua
uid=503(zhuohua) gid=503(zhuohua) 组=503(zhuohua),10(wheel)
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua wheel
When user zhuohua does not belong to the wheel group:
[root@Zabbix_server_01 ~]# gpasswd -d zhuohua wheel
正在将用户“zhuohua”从“wheel”组中删除
[root@Zabbix_server_01 ~]# id zhuohua
uid=503(zhuohua) gid=503(zhuohua) 组=503(zhuohua)
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua
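The following is an added example, not part of the original post: a small model of the su auth stack shown above (pam_rootok, then an optional pam_wheel line, then system-auth) that decides, for a caller and target, whether the switch is denied, needs the target's password, or needs none. The uids and group memberships are constructed from the id/groups output above; everything inside system-auth beyond the password prompt is ignored.

```python
import re

# Constructed samples: the auth lines of the three /etc/pam.d/su variants shown above.
PAM_SU_DEFAULT = """\
auth sufficient pam_rootok.so
#auth required pam_wheel.so use_uid
auth include system-auth
"""
PAM_SU_WHEEL_ONLY = PAM_SU_DEFAULT.replace("#auth required", "auth required")
PAM_SU_ROOT_ONLY = PAM_SU_WHEEL_ONLY.replace("use_uid", "use_uid root_only")

# Constructed sample: uids and groups as shown by the id/groups output on this page.
UIDS = {"root": 0, "zhuohua": 503, "happy": 504}
GROUPS = {"root": {"root"}, "zhuohua": {"zhuohua", "wheel"}, "happy": {"happy"}}

WHEEL_LINE = re.compile(r"^auth\s+required\s+pam_wheel\.so\b(.*)$")


def wheel_policy(pam_text):
    """Return (enforced, root_only) from the first active 'auth required pam_wheel.so' line."""
    for line in pam_text.splitlines():
        line = line.strip()
        if line.startswith("#"):          # commented-out lines are not active
            continue
        m = WHEEL_LINE.match(line)
        if m:
            return True, "root_only" in m.group(1).split()
    return False, False


def su_decision(pam_text, caller, target, uids=UIDS, groups=GROUPS):
    """Simplified model of the stack above. Returns 'no-password' (pam_rootok),
    'denied' (pam_wheel rejects) or 'target-password' (falls through to system-auth)."""
    if uids[caller] == 0:
        return "no-password"              # auth sufficient pam_rootok.so
    enforced, root_only = wheel_policy(pam_text)
    wheel_applies = enforced and (target == "root" or not root_only)
    if wheel_applies and "wheel" not in groups[caller]:
        return "denied"                   # auth required pam_wheel.so use_uid [root_only]
    return "target-password"              # auth include system-auth
```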
Every user switch made with su is recorded in the security log /var/log/secure:
[root@Zabbix_server_01 ~]# tail /var/log/secure
Feb 8 12:38:21 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:38:37 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user happy by root(uid=503)
Feb 8 12:38:53 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user root by root(uid=504)
Feb 8 12:40:47 Zabbix_server_01 gpasswd[3572]: user zhuohua removed by root from group wheel
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user root
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user happy
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user zhuohua
Feb 8 12:42:15 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:42:37 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user happy by root(uid=503)
Feb 8 12:42:49 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user root by root(uid=504)
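An added example (not from the original post) of reading these su-l session lines for detection purposes. As the entries above show, the name after "by" is the login name of the terminal session (root here, because the whole chain started from a root login), while the uid in parentheses is the real uid of the process that ran su; the parser therefore resolves the uid, using a constructed uid-to-name table taken from the id output on this page, and flags root sessions opened by a non-root uid.

```python
import re
from collections import namedtuple

# Constructed sample: uid -> name as shown by the `id` output on this page.
PASSWD = {0: "root", 503: "zhuohua", 504: "happy"}

# Constructed sample log modelled on the /var/log/secure excerpt above.
SAMPLE_LOG = """\
Feb 8 12:38:21 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user zhuohua by root(uid=0)
Feb 8 12:38:37 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user happy by root(uid=503)
Feb 8 12:38:53 Zabbix_server_01 su: pam_unix(su-l:session): session opened for user root by root(uid=504)
Feb 8 12:40:47 Zabbix_server_01 gpasswd[3572]: user zhuohua removed by root from group wheel
Feb 8 12:42:00 Zabbix_server_01 su: pam_unix(su-l:session): session closed for user root
"""

SU_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: pam_unix\(su(?:-l)?:session\): "
    r"session opened for user (?P<target>\S+) by (?P<login>\S+)\(uid=(?P<uid>\d+)\)$"
)

SuEvent = namedtuple("SuEvent", "ts login caller uid target")


def parse_su_events(log_text, passwd=PASSWD):
    """One SuEvent per 'session opened' line; 'caller' is the real uid resolved to a name."""
    events = []
    for line in log_text.splitlines():
        m = SU_OPEN.match(line)
        if not m:                         # session-closed lines and other daemons are skipped
            continue
        uid = int(m.group("uid"))
        caller = passwd.get(uid, f"uid={uid}")
        events.append(SuEvent(m.group("ts"), m.group("login"), caller, uid, m.group("target")))
    return events


def root_switches_by_nonroot(events):
    """Events where a non-root real uid obtained a root session via su."""
    return [e for e in events if e.target == "root" and e.uid != 0]
```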
######
The sudo command: elevating an ordinary user's privileges
Basic rule format: username hostname=command (hostname may be replaced with ALL)
Check the sudo version:
[root@Zabbix_server_01 ~]# sudo -V
Sudo 版本 1.8.6p3
Example one: grant user happy permission to create and delete users:
Edit /etc/sudoers:
[root@zabbix ~]# visudo
Append:
happy ALL=/usr/sbin/useradd,/usr/sbin/userdel
%wheel ALL=NOPASSWD: ALL
Note: %wheel ALL=NOPASSWD: ALL ## users in the wheel group can run any command without password verification;
View the sudo privileges of the current user happy:
[happy@Zabbix_server_01 ~]$ sudo -l
匹配此主机上 happy 的默认条目:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
用户 happy 可以在该主机上运行以下命令:
(root) /usr/sbin/useradd, (root) /usr/sbin/userdel
(root) NOPASSWD: ALL
Test:
sudo useradd mary
sudo userdel -r mary
Example two: grant user zhuohua permission to run all commands under /usr/sbin/, /usr/bin/ and /sbin/:
[root@Zabbix_server_01 ~]# groups zhuohua
zhuohua : zhuohua wheel
Edit /etc/sudoers:
[root@zabbix ~]# visudo
Insert:
zhuohua ALL=/usr/sbin/*,/usr/bin/*,/sbin/*
[root@Zabbix_server_01 ~]# cat /etc/sudoers |tail -4
#includedir /etc/sudoers.d
happy ALL=/usr/sbin/useradd,/usr/sbin/userdel
zhuohua ALL=/usr/sbin/*,/usr/bin/*,/sbin/*
%wheel ALL=NOPASSWD: ALL
View the sudo privileges of the current user zhuohua:
[zhuohua@Zabbix_server_01 ~]$ sudo -l
匹配此主机上 zhuohua 的默认条目:
!visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
用户 zhuohua 可以在该主机上运行以下命令:
(root) /usr/sbin/*, (root) /usr/bin/*, (root) /sbin/*
(root) NOPASSWD: ALL
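An added example, not from the original post, that reads the sudoers lines shown above and lists which rules apply to a given user, directly or through a %group entry. It reproduces what sudo -l reports here: because zhuohua is in wheel, the %wheel NOPASSWD: ALL rule applies alongside the narrower per-user rule, so the narrower rule adds no restriction. The group memberships are constructed from the groups output on this page; hosts and Runas specifications are parsed but not evaluated.

```python
import re

# Constructed sample: the tail of /etc/sudoers as shown above.
SUDOERS = """\
#includedir /etc/sudoers.d
happy ALL=/usr/sbin/useradd,/usr/sbin/userdel
zhuohua ALL=/usr/sbin/*,/usr/bin/*,/sbin/*
%wheel ALL=NOPASSWD: ALL
"""

# Constructed sample: group membership as shown by the `groups` output on this page.
GROUPS = {"zhuohua": {"zhuohua", "wheel"}, "happy": {"happy"}}

# user_or_%group  host = [NOPASSWD:] cmd[,cmd...]   (simplified sudoers grammar)
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:(?P<nopasswd>NOPASSWD):\s*)?(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return (who, host, nopasswd, [cmds]) for each rule line; comments and #includedir are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append((m.group("who"), m.group("host"), bool(m.group("nopasswd")), cmds))
    return rules


def effective_rules(user, rules, groups=GROUPS):
    """Rules naming the user directly or a %group the user belongs to, in file order."""
    out = []
    for who, host, nopasswd, cmds in rules:
        via_group = who.startswith("%") and who[1:] in groups.get(user, set())
        if who == user or via_group:
            out.append((who, nopasswd, cmds))
    return out


def has_passwordless_all(user, rules, groups=GROUPS):
    """True when some applicable rule grants NOPASSWD: ALL, which makes narrower rules moot."""
    return any(nopasswd and cmds == ["ALL"] for _, nopasswd, cmds in effective_rules(user, rules, groups))
```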
Test:
Reboot the server as an ordinary user:
[zhuohua@Zabbix_server_01 ~]$ init 6
init: Need to be root
[zhuohua@Zabbix_server_01 ~]$
[zhuohua@Zabbix_server_01 ~]$ sudo init 6
[zhuohua@Zabbix_server_01 ~]$
Shut down the server as an ordinary user:
[zhuohua@Zabbix_server_01 ~]$ which init
/sbin/init
[zhuohua@Zabbix_server_01 ~]$ sudo /sbin/init 0
[zhuohua@Zabbix_server_01 ~]$