Linux ϵͳ�еĳ��Ȩ�޵Ŀ��-��Linuxϵͳ�Ż�

Ŀ¼��

һ��Գ��û��ͨ�û��⣻

1��ʲô�ǳ��û��
2�� UID ��û��Ķ�Ӧ��ϵ
3��ͨ�û��αװ�û�
��. ��û��Ȩ�ޣ��ϵͳ��е��

1��κ��ļ��Ŀ¼��̽��в��
2��漰ϵͳȫ�ֵ�ϵͳ��
3��Ȩ�޵Ĳ��ԣ�
��ʹ�� su ��ʱ�л��û��ݣ�

1��su ��
2��su ��÷��
3��su �ķ��
4��su ��ȱ��
�ġ�sudo ��Ȩ��ʹ�õ�su��Ҳ��Ƶ�su

1. sudo ��
2��ӱ�д sudo ��ļ�/etc/sudoers��ʼ��
3��/etc/sudoers ��ļ��б��
4��/etc/sudoers�е��Ȩ��
5��/etc/sudoers��δ��
6��sudo��÷��
�塢��ǣ�

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
��
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

��Linux��ϵͳ�У�root��Ȩ��ߵģ�Ҳ��Ϊ��Ȩ�޵�ӵ��ߡ��ͨ�û��޷�ִ�еĲ��root�û��ɣ��Ҳ��֮Ϊ��û��

��ϵͳ�У�ÿ��ļ��Ŀ¼�ͽ��̣��ĳһ��û��û��û��ͨ�û��޷��ģ��root��⡣root�û��Ȩ�Ի��root��Գ�Խ�κ��û��û��ļ��Ŀ¼��ж�ȡ��޸Ļ�ɾ��ϵͳ��ɷ�Χ�ڣ��Կ�ִ�г��ִ�С��ֹ��Ӳ��豸��ӡ��Ƴ��ȣ�Ҳ��Զ��ļ��Ŀ¼��Ȩ�޽��޸ģ��ʺ�ϵͳ��Ҫ��Ϊroot��ϵͳ��Ȩ��ߵ��Ȩ�û��

һ��Գ��û��ͨ�û��⣻

1��ʲô�ǳ��û��

��Linuxϵͳ�У�ϵͳ��ͨ��UID��û�Ȩ�޼��ģ��UIDΪ0��û��ϵͳԼ��Ϊ�Ǿ��г��Ȩ�ޡ��û��ϵͳԼ��Ȩ��԰�ڲ��˵��û��ϵͳ��й��ߣ��ǿ��ͨ��/etc/passwd ��UIDΪ0��û��root��ֻ��root��Ӧ��UIDΪ0��һ��root�û��ϵͳ��޿��ߵ�λ��Ȩ�ޡ�root�û��ϵͳ�о��ǳ��û��

2�� UID ��û��Ķ�Ӧ��ϵ

��ϵͳĬ�ϰ�װʱ��ϵͳ�û��UID ��һ��һ�ĶԹ�ϵ��Ҳ��˵һ��UID ��Ӧһ��û��֪��û��ͨ��UID ��ȷ�ϵģ�� û��user��û��飨group��ļ��⡷�е�UID �Ľ�˵��̸��UID ��ȷ��û�Ȩ�޵ı�ʶ��û��¼ϵͳ��Ľ�ɫ��ͨ��UID ��ʵ�ֵģ��û��Ѽ��û��һ��UID ��Σ�յģ��ǰ��ͨ�û��UID ��Ϊ0��root��һ��UID ��ʵ�Ͼ��ϵͳ��Ȩ�޵Ļ��ҡ��rootȨ�ޣ��ͨ��su��sudo��ʵ�֣��в��һ��û��root��ͬһ��UID ��

��ϵͳ�У��ܲ��UID ��û��һ�Զ�Ĺ�ϵ��ǿ��Եģ��ǿ��԰�һ��UIDΪ0��ֵ��û��ͬʹ�ã��UID ��û��һ�Զ�Ĺ�ϵ��ȷ�е�Σ�գ��ͬUID��û��ͬ��ݺ�Ȩ�ޡ��ϵͳ�а�beinan��ͨ�û��UID��Ϊ0��ʵ��ͨ�û��;��˳��Ȩ�ޣ��Ȩ�޺�root�û�һ��û�beinan��еĲ��ʶΪroot�Ĳ��Ϊbeinan��UIDΪ0,��UIDΪ0��û��root ��ǲ��е��ſڣ�Ҳ��ΪUIDΪ0��û��root ��root�û��UID��0��

UID��û��һ��һ�Ķ�Ӧ��ϵ ��ֻ��Ҫ��Ա��ϵͳ��ʱ��Ҫ��ص�׼��Ϊϵͳ��ȫ��ǵ�һλ�ġ��ǻ��ǰѳ��Ȩ�ޱ��root��Ψһ��û��õ�ѡ��

��ǲ��UID��0ֵ�ķ��û�ʹ�ã�ֻ��root�û��Ψһӵ��UID=0�Ļ��root�û��Ψһ�ĳ��Ȩ��û��

3��ͨ�û��αװ�û�

�볬��û��Եľ��ͨ�û��⣨Ҳ��Ϊαװ�û��ͨ��αװ�û��û��Ϊ��ض��ͨ�û��αװ�û�Ҳ�Ǳ��ģ�Linux��һ��û��Ĳ��ϵͳ��û��Ҫ��û��Ľ�ɫ�Ķ��ԣ��ͬ��û��Ȩ��Ҳ��ͬ��Ҳ��Linuxϵͳ��Windowsϵͳ��Ϊ��ȫ�ı��ڣ��ʹ��°汾��Windows 2003 ��Ҳ�޷�Ĩȥ�䵥�û�ϵͳ��ӡ��

��. ��û��Ȩ�ޣ��ϵͳ��е��

��Ȩ��û��UIDΪ0��û��ϵͳ��ʲô��أ��Ҫ��㣻

1��κ��ļ��Ŀ¼��̽��в��

��ֵ��ע��ֲ��ϵͳ��ɷ�Χ�ڵĲ��Щ��Ǿ��г��Ȩ�޵�rootҲ�޷��ɣ�

��/proc Ŀ¼��/proc ��Ӧϵͳ��е�ʵʱ״̬��Ϣ�ģ��˼��rootҲ��Ϊ��Ȩ��

[root@localhost ~]# pwd
/root
[root@localhost ~]# cd /
[root@localhost /]# ls -ld /proc/
dr-xr-xr-x 134 root root 0 2005-10-27 /proc/

��Ŀ¼��ֻ��Ƕ��ִ��Ȩ�ޣ��û��дȨ�޵ģ��ǰ�/proc Ŀ¼��дȨ�޴򿪸�root��root�û�Ҳ�ǲ��ܽ��д��

[root@localhost ~]# chmod 755 /proc
[root@localhost /]# ls -ld /proc/
drwxr-xr-x 134 root root 0 2005-10-27 /proc/
[root@localhost /]# cd /proc/
[root@localhost proc]# mkdir testdir
mkdir: �޷��Ŀ¼��testdir��: û��Ǹ��ļ��Ŀ¼

2��漰ϵͳȫ�ֵ�ϵͳ��

Ӳ��ļ�ϵͳ��⡢�û��Լ��漰��ϵͳȫ��õȵ�......��ִ��ĳ��򹤾�ʱ��ʾ��Ȩ�ޣ��Ҫ��Ȩ��ɣ�

��adduser��û��ֻ��ͨ��Ȩ�޵��û��ɣ�

3��Ȩ�޵Ĳ��ԣ�

��ڳ��Ȩ��ϵͳ��еĲ��ȱ�ٵ��Ҫ��ã�Ϊ��ϵͳ��Ǳ��õ��Ȩ�ޣ��һ��£�Ϊ��ϵͳ��ȫ��һ�㳣�漶��Ӧ�ã��Ҫroot�û��ɣ�root�û�ֻ�Ǳ��ά��ϵͳ֮�ã��ϵͳ��־�Ĳ鿴��û��Ӻ�ɾ��......

�ڲ��漰ϵͳ��Ĺ��Ļ��£��ͨ�û��ɣ��дһ��ļ��֣��gimp ��һ��ͼƬ��...... ��ͨӦ�ó��ĵ��ã��ͨ�û��Ϳ��ɣ�

��ͨȨ�޵��û��¼ϵͳʱ��Щϵͳ��ü�ϵͳ��ͨ��Ȩ��û��ɣ��ϵͳ��־�Ĺ��Ӻ�ɾ��û��β��ܲ�ֱ��root��¼��ȴ�ܴ��ͨ�û��л��root�û��²��ܽ��в��ϵͳ��Ҫ�Ĺ��漰��Ȩ�޹��⣻

��ȡ��Ȩ�޵Ĺ��̣��л��ͨ�û��ݵ��û��ݵĹ��̣��Ҫ��ͨ��su��sudo ��

��ʹ�� su ��ʱ�л��û��ݣ�

1��su ��

su��л��û��Ĺ��ߣ��ô��أ��ͨ�û�beinan��¼�ģ��Ҫ��û��ִ��useradd ��beinan�û�û��Ȩ�ޣ��Ȩ��ǡǡ��root��ӵ�С��취�޷��һ��˳�beinan�û��root�û��¼��ְ취��õģ��û�б�Ҫ�˳�beinan�û��su��л��root�½��û��Ĺ��ɺ��˳�root��ǿ��Կ��Ȼͨ��su �л��һ�ֱȽϺõİ취��

ͨ��su��û�֮��л��Ȩ��û�root��ͨ��û��л��Ҫ��룬ʲô��Ȩ��ǣ��ͨ�û��л��κ��û��Ҫ��֤��

2��su ��÷��

su [OPTIONѡ��] [�û�]
-, -l, --login ��¼��ı䵽��л��û��
-c, --commmand=COMMAND ִ��һ��Ȼ��˳��л��û��

��ڸ��ϸ�ģ��ο�man su ��

3��su �ķ��

su �ڲ��κβ��Ĭ��Ϊ�л��root�û��û��ת��root�û��Ŀ¼�£�Ҳ��˵��ʱ��Ȼ��л�Ϊroot�û��ˣ��û�иı�root��¼��û�Ĭ�ϵĵ�¼��/etc/passwd �в�õ��Ŀ¼��SHELL��ȣ�

[beinan@localhost ~]$ su
Password:
[root@localhost beinan]# pwd
/home/beinan

su �Ӳ�� - ��ʾĬ��л��root�û��Ҹı䵽root�û��Ļ��

[beinan@localhost ~]$ pwd
/home/beinan
[beinan@localhost ~]$ su -
Password:
[root@localhost ~]# pwd
/root

su �� - �û��

[beinan@localhost ~]$ su - root ע��su - ��һ��Ĺ��ܣ�
Password:
[root@localhost ~]# pwd
/root

[beinan@localhost ~]$ su - linuxsir ע��л�� linuxsir�û�
Password: ע��룻
[linuxsir@localhost ~]$ pwd ע��鿴�û��ǰ��λ�ã�
/home/linuxsir
[linuxsir@localhost ~]$ id ע��鿴�û��UID��GID��Ϣ��Ҫ�ǿ��Ƿ��л��ˣ�
uid=505(linuxsir) gid=502(linuxsir) groups=0(root),500(beinan),502(linuxsir)
[linuxsir@localhost ~]$

[beinan@localhost ~]$ su - -c ls ע��su�Ĳ��ϣ��ʾ�л��root�û��Ҹı䵽root��Ȼ��г�root��Ŀ¼��ļ��Ȼ��˳�root�û��
Password: ע��root��룻
anaconda-ks.cfg Desktop install.log install.log.syslog testgroup testgroupbeinan testgrouproot
[beinan@localhost ~]$ pwd ע��鿴��ǰ�û��λ�ã�
/home/beinan
[beinan@localhost ~]$ id ע��鿴��ǰ�û��Ϣ��
uid=500(beinan) gid=500(beinan) groups=500(beinan)

4��su��ȱ�㣻

su ��ȷΪ��㣬ͨ��л��root�£��ϵͳ��ߣ�ֻҪ��root��뽻��κ�һ��ͨ�û��л��root��е�ϵͳ��

��ͨ��su�л��root��Ҳ�в��ȫ��أ��ϵͳ��10��û��Ҷ��10��û��漰��Ȩ�޵��ã��Ϊ��Ա��û�ͨ��su��л��Ȩ�޵�root��rootȨ��붼��10��û��10��û��rootȨ�ޣ�ͨ��rootȨ�޿��κ��£��һ��̶��ϾͶ�ϵͳ�İ�ȫ��Э��Windows�ɣ��ֱ��Ƕ��Σ�

��û�в��ȫ��ϵͳ��ֻ�в��ȫ��ˡ��Ǿ��Բ��ܱ�֤��10��û��ܰ��ϵͳ��κ�һ�˶�ϵͳ��ش�ʧ�󣬶��ܵ��ϵͳ��ʧ��

��su ��ڶ��˲��ϵͳ��У��õ�ѡ��suֻ��һ��˲��ϵͳ��Ͼ�su��ͨ�û��޵�ʹ�ã�

��û�root��Ӧ��û��У��Լ�Ȩ��εĴ��ڻ��һ��ģ�

�ġ�sudo ��Ȩ��ʹ�õ�su��Ҳ��Ƶ�su

1. sudo ��

��su ��л��Ȩ��û�root��Ȩ�޵��ԣ��su��ܵ��ζ��Ա��ϵͳ��su ��л��û��ϵͳ��Ҳ��ȷ��Щ��ĸ��Ա��еĲ��ر��Ƕ��ڷ��Ĺ��ж��˲��ʱ��ÿ��Ա�ļ��س��͹��Χ��Ե��·Ÿ�Ȩ�ޣ��Լ��ʹ��Щ��صĹ��ʱ��Ǿ��б�Ҫ�õ� sudo��

ͨ��sudo��ܰ�ĳЩ��Ȩ��Ե��·ţ��Ҳ��Ҫ��ͨ�û�֪��root��룬��sudo ��Ȩ��Ե�su��˵��ǱȽϰ�ȫ�ģ��sudo Ҳ�ܱ��Ϊ��Ƶ�su ��sudo ��Ҫ��Ȩ��ɵģ��Ҳ��Ϊ��Ȩ��ɵ�su��

sudo ִ��ǵ�ǰ�û��л��root��ָ��л��û��Ȼ��root��ָ��л��û��ִ��ִ��ɺ�ֱ��˻ص��ǰ�û��Щ��ǰ��Ҫͨ��sudo��ļ�/etc/sudoers��Ȩ��

2��ӱ�д sudo ��ļ�/etc/sudoers��ʼ��

sudo��ļ��/etc/sudoers ��ǿ��ר�ñ༭��visodu ��˹��ߵĺô��ӹ��̫׼ȷʱ��˳�ʱ��ʾ��Ǵ��Ϣ��úú󣬿��л��Ȩ��û��£�ͨ��sudo -l ��鿴��Щ��ǿ��ִ�л��ֹ�ģ�

/etc/sudoers �ļ��ÿ��һ��ǰ��#�ſ��Ե��˵��ݣ��ִ�У��ܳ��һ��в��ʱ��\��У��һ��Ҳ��ӵ�ж��У�

/etc/sudoers �Ĺ��ɷ�Ϊ��ࣻһ��Ǳ��壬��һ��Ȩ��򣻱��岢��Ǳ��ģ��Ȩ��Ǳ��ģ�

3��/etc/sudoers ��ļ��б��

��ʽ��£�

Alias_Type NAME = item1, item2, ...

��

Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

��ͣ�Alias_Type��Ͱ��

Host_Alias ��
User_Alias �û��Ա��û��û��飨ǰ��Ҫ��%�ţ�
Runas_Alias ��runas��ָ��ǡ�Ŀ��û��sudo ��л��û��
Cmnd_Alias ��

NAME ��Ǳ��ˣ�NMAE��ǰ��д��ĸ��»��Լ��֣��һ��д��ĸ��ͷ��SYNADM��SYN_ADM��SYNAD0�ǺϷ��ģ�sYNAMDA��1SYNAD�ǲ��Ϸ��ģ�

item ��ķ��Ŀ��ǿ��ɳ�Ա��һ��ж��Ա��Ա��Ա֮�䣬ͨ��,�ŷָ��Ա�ڱ��Ч��ʵ��ڵġ�ʲô��Ч��أ��ͨ��w�鿴�û��ip��ַ��ֻ�Ǳ��ػ��ֻͨ��hostname ��ܲ鿴��û��Ȼ��ϵͳ�д��ڵģ��/etc/paswd�б��ڣ��ڶ��ԱҲ��ϵͳ��ʵ��ڵ��ļ��Ҫ��·��

item��Ա�ܱ�� Host_Alias��User_Alias��Runas_Alias��Cmnd_Alias ��Լ��ʲô��͵ı��Ҫ��ʲô��͵ĳ�Ա��䡣��Host_Alias��ʱ��Ա��Զ�̵�¼��ip��ַ��Σ��ȣ��û��¼ʱ��ͨ��w��鿴��¼�û��Ϣ��User_Alias��Runas_Alias��ʱ��Ҫ��ϵͳ�û��Ϊ��Ա��Cmnd_Alias ��ִ��ı��ʱ��ϵͳ��ڵ��ļ��ļ��ͨ��ʾ��Cmnd_Aliasʱ��Ҫ��·��

�� Runas_Alias ��User_Alias �е��ƣ��User_Alias ��Բ��ͬһ��Runas_Alias ��ĳ��ϵͳ�û��sudo �л��ݵ�Runas_Alias �µĳ�Ա��Ȩ��ʵ��н�˵��

��ÿ��һ��һ��һ��ݲ��ʱ��ͨ��\��У�ͬһ��ͱ��Ķ��壬һ��Ҳ��Զ��弸��м��:�ŷָ��

Host_Alias HT01=localhost,st05,st04,10,0,0,4,255.255.255.0,192.168.1.0/24 ע��HT01��ͨ��=��г��Ա
Host_Alias HT02=st09,st10 ע��HT02��Ա��
Host_Alias HT01=localhost,st05,st04,10,0,0,4,255.255.255.0,192.168.1.0/24:HT02=st09,st10 ע��Ķ��壬��ͨ��һ��ʵ�֣��֮��:�ŷָ

ע��ͨ��Host_Alias ��ʱ��Ŀ��ǵ��ip��ip��ַҲ��ԣ��Ҳ��룻��Ƕ�̨��У��Щ��ͨ��໥ͨ�ŷ��ʲ��Ч��ʲô��ͨ��໥ͨ�Ż��أ�� ping ��ͨ��Զ�̷��ʡ��Ǿ��У��ü��ͨ��ͨ�ţ��/etc/hosts��/etc/resolv.conf ��Ҫ��DNS��໥֮��޷�ͨ��ʣ��ʱ��Ŀ��ĳ��Ŀ��Ļ��ͨ��hostname ��鿴��ͨ��w��¼��Դ��ͨ��Դ��ȷ��ͻ��ip��ַ��Ķ��壬��ȥ�е㸴�ӣ��ʵ�Ǻܼ򵥡�

��Host_Alias ��ô��£�Ҳ��Բ��ڶ��Ȩ��ʱͨ��ALL��ƥ��п��ܳ��ֵ��֪ʶŪ�ĸ��ף��ȷ��Ҫ��ѧϰ��

User_Alias SYSAD=beinan,linuxsir,bnnnb,lanhaitun ע��û��ĸ��Ա��Ҫ��ϵͳ��ȷʵ�ڴ��ڵģ�
User_Alias NETAD=beinan,bnnb ע��û��NETAD ��µ��û��磬��ȡ��NETAD�ı��
User_Alias WEBMASTER=linuxsir ע��û��WEBMASTER��µ��û��վ��
User_Alias SYSAD=beinan,linuxsir,bnnnb,lanhaitun:NETAD=beinan,bnnb:WEBMASTER=linuxsir ע��еı��壬��ͨ��һ��ʵ�֣��뿴ǰ��˵��ǲ��Ƿ��ϣ�

Cmnd_Alias USERMAG=/usr/sbin/adduser,/usr/sbin/userdel,/usr/bin/passwd [A-Za-z]*,/bin/chown,/bin/chmod
ע�⣺��µĳ�Ա��ļ��Ŀ¼�ľ��·��
Cmnd_Alias DISKMAG=/sbin/fdisk,/sbin/parted
Cmnd_Alias NETMAG=/sbin/ifconfig,/etc/init.d/network
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PWMAG = /usr/sbin/reboot,/usr/sbin/halt
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
ע��ж��е㳤��ͨ�� \ �Ŷ��У�
Cmnd_Alias SU = /usr/bin/su,/bin,/sbin,/usr/sbin,/usr/bin

��У��KILL��PWMAG��壬��ǿ��Ժϲ�Ϊһ��д��Ҳ��ǵȼ��У�

Cmnd_Alias KILL = /usr/bin/kill:PWMAG = /usr/sbin/reboot,/usr/sbin/halt ע��һ�оʹ��KILL��PWMAG��KILL��PWMAG�ı��ϲ��һ��дҲ�ǿ��Եģ�

Runas_Alias OP = root, operator
Runas_Alias DBADM=mysql:OP = root, operator ע��еĵȼ��У��ô��Runas_Alias ��Ǳ��ͨ��Ȩ��ʵ��⣻

4��/etc/sudoers�е��Ȩ��

��Ȩ��Ƿ��Ȩ�޵�ִ�й��ǰ��Ķ��Ҫ��Ϊ�˸��Ȩ��ñ��ϵͳ��ֻ�м��û��ʵ�·�Ȩ�ޱȽ��޵Ļ��Բ��ö��ϵͳ�û�ֱ��ֱ��Ȩ��Ȩ��б��Ǳ��ģ�

��Ȩ��򲢲��¿�Ѱ��ֻ˵��һ��ģ��Ƚϼ򵥵�д��ϸ�˽��Ȩ��д��ģ��ο�man sudoers

��Ȩ�û� ��=����

��Ҫ��ȱһ��ɣ��ڶ��֮ǰҲ��ָ��л��ض��û��£��ָ��л��û�Ҫ��( )��Ҫ��ֱ��ģ�Ӧ�ü�NOPASSWD:��Щ��ʡ�ԣ��˵��

ʵ��һ��

beinan ALL=/bin/chown,/bin/chmod

��/etc/sudoers ��һ�У��ʾbeinan ��κο��ܳ��ֵ��ϵͳ�У��л��root�û��ִ�� /bin/chown ��/bin/chmod ��ͨ��sudo -l ��鿴beinan ��̨��ͽ�ֹ��е��

ֵ��ע��ǣ��ʡ��ָ��л��ĸ��û��ִ��/bin/shown ��/bin/chmod����ʡ�Ե��Ĭ��Ϊ��л��root�û��ִ�У�ͬʱҲʡ��ǲ��Ҫbeinan�û��֤��룬��ʡ��ˣ�Ĭ��Ϊ��Ҫ��֤��롣

Ϊ�˸��ϸ��˵��Щ��ǿ��Թ��һ��һ��Ĺ�ʽ��

��Ȩ�û� ��=[(�л��Щ�û��û��)] [�Ƿ��Ҫ��֤] ��1,[(�л��Щ�û��û��)] [�Ƿ��Ҫ��֤] [��2],[(�л��Щ�û��û��)] [�Ƿ��Ҫ��֤] [��3]......

ע�⣺

��[ ]�е��ݣ��ǿ��ʡ�ԣ��֮��,�ŷָ��ͨ��ĵ��ӣ��Զ��ſ��Щ��ʡ��ˣ��Щ�ط��Ҫ�пո�
��[(�л��Щ�û��û��)] ��ʡ�ԣ��Ĭ��Ϊroot�û��ALL ��л��û��ע��Ҫ�л��Ŀ��û��()��(ALL)��(beinan)

ʵ��

beinan ALL=(root) /bin/chown, /bin/chmod

��ǰѵ�һ��ʵ��е��ȥ��У��ʾ��beinan ��κο��ܳ��ֵ��У��л��root��ִ�� /bin/chown ��л��κ��û��ִ��/bin/chmod ��ͨ��sudo -l ��鿴beinan ��̨��ͽ�ֹ��е��

ʵ��

beinan ALL=(root) NOPASSWD: /bin/chown,/bin/chmod

��أ��ʾ��beinan ��κο��ܳ��ֵ��У��л��root��ִ�� /bin/chown ��Ҫ��beinan�û��룻��ҿ��л��κ��û��ִ��/bin/chmod ����ִ��chmodʱ��Ҫbeinan��Լ��룻ͨ��sudo -l ��鿴beinan ��̨��ͽ�ֹ��е��

��һ����ǲ��Ҫ��룬��ǿ��Է��ϵͳ��Ĭ�ϵ��Ҫ�û��ģ��ؼ�ָ��Ҫ�û��Ҫ��Լ��룬��Ҫ��ִ�ж��֮ǰ��NOPASSWD: ��

�п��еĵ��ֶ�ϵͳ��̫��֪��÷��Ӱ�� sudoers��⣬��پ�һ��򵥣��˵��ӣ�

ʵ��ģ�

��beinan��ͨ�û�ͨ��more /etc/shadow�ļ��ʱ��ܻ��

[beinan@localhost ~]$ more /etc/shadow
/etc/shadow: Ȩ�޲��

��ʱ��ǿ��sudo more /etc/shadow ��ȡ�ļ��ݣ��;��Ҫ��/etc/soduers�и�beinan��Ȩ��

��ǾͿ��su ��root�û��ͨ��visudo ��/etc/sudoers ��beinan�û��¼ϵͳ�ģ�

[beinan@localhost ~]$ su
Password: ע��root��
��visodu��
[root@localhost beinan]# visudo ע��visudo �� /etc/sudoers

��һ�У��˳��棻�˳��棬��Ҫ��vi��visudoҲ��õ�vi�༭��vi��÷��˵�ˣ�

beinan ALL=/bin/more ��ʾbeinan��л��root��ִ��more ��鿴�ļ��

�˻ص�beinan�û��£��exit��

[root@localhost beinan]# exit
exit
[beinan@localhost ~]$

�鿴beinan��ͨ��sudo��ִ��Щ��

[beinan@localhost ~]$ sudo -l
Password: ע��beinan�û��
User beinan may run the following commands on this host: ע��˵��ڱ�̨��ϣ�beinan�û��rootȨ��more ��rootȨ��µ�more ��Բ鿴�κ��ı��ļ��ݵģ�
(root) /bin/more

��ǿ��ǲ��beinan�û��/etc/shadow�ļ��ݣ�

[beinan@localhost ~]$ sudo more /etc/shadow

beinan ��ܿ�� /etc/shadow�ļ��ݣ��ܿ��ֻ��rootȨ��²��ܿ��ļ��ݣ��磻

[beinan@localhost ~]$ sudo more /etc/gshadow

��beinan�û��鿴�Ͷ�ȡ��ϵͳ�ļ��У��ֻ��/etc/shadow ��ݿ��鿴��Լ��һ�У�

beinan ALL=/bin/more /etc/shadow

��⻰��еĵ��ֻ�˵��ͨ��su �л��root�û��ܿ��뿴��ˣ��԰��ڲ��ڽ��sudo��÷��ж��û��Ҳ�֪��root�û��룬��鿴ĳЩ��ǿ��ļ��ʱ��Ҫ��Ա��Ȩ�ˣ��sudo�ĺô��

ʵ��壺��ϰ�û��/etc/sudoers��д��

��û��/etc/sudoers �У�ǰ��Ҫ��%�ţ��%beinan ��м䲻��пո�

%beinan ALL=/usr/sbin/*,/sbin/*

�� /etc/sudoers �м��һ�У��ʾbeinan�û��µ��г�Ա��п��ܵĳ��ֵ��£��л��root�û�� /usr/sbin��/sbinĿ¼�µ��

ʵ��ϰȡ��ĳ��ִ�У�

ȡ��ĳ��ִ�У�Ҫ����ǰ��!�ţ� �ڱ��Ҳ��ͨ��*��÷��

beinan ALL=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk ע��й��뵽/etc/sudoers�У��beinan��û��飬��beinanҲ��еĲ��У�

��ʾbeinan�û��п��ܴ��ڵ��/usr/sbin��/sbin��еĳ��򣬵�fdisk ��⣻

[beinan@localhost ~]$ sudo -l
Password: ע��beinan�û��룻
User beinan may run the following commands on this host:
(root) /usr/sbin/*
(root) /sbin/*
(root) !/sbin/fdisk

[beinan@localhost ~]$ sudo /sbin/fdisk -l
Sorry, user beinan is not allowed to execute '/sbin/fdisk -l' as root on localhost.

ע��л��root�û��fdisk ��

ʵ��ߣ��õ�ʵ��

��Ǿ�һ̨��localhost��ͨ��hostname ��鿴��Ͳ��ˣ��ALL��ƥ��п��ܳ��ֵ��beinan��linuxsir��lanhaitun �û��Ҫ��ͨ��С��ܸ��⣻sudo��Ȼ�򵥺��ã��ܰ�˵��׵�ȷ�Ǽ��£��õİ취�Ƕ࿴��Ӻ�man soduers ��

User_Alias SYSADER=beinan,linuxsir,%beinan
User_Alias DISKADER=lanhaitun
Runas_Alias OP=root
Cmnd_Alias SYDCMD=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
Cmnd_Alias DSKCMD=/sbin/parted,/sbin/fdisk ע��DSKCMD��г�Աparted��fdisk ��
SYSADER ALL= SYDCMD,DSKCMD
DISKADER ALL=(OP) DSKCMD

ע�⣺

��һ�У��û��SYSADER ��г�Ա beinan��linuxsir��beinan�û��µĳ�Ա��û��ǰ��%�ţ�
�ڶ��У��û�� DISKADER ��Ա��lanhaitun
��У��Runas�û��Ҳ��Ŀ��û��ı��ΪOP��г�Աroot
��У��SYSCMD��Ա֮��,�ŷָ��!/usr/bin/passwd root ��ʾ��ͨ��passwd ��root��룻
��У��DSKCMD��г�Աparted��fdisk ��
��У� ��ʾ��ȨSYSADER�µ��г�Ա��п��ܴ��ڵ��л��ֹ SYDCMD��DSKCMD�¶����Ϊ��ȷң˵��beinan��linuxsir��beinan�û��µĳ�Ա��root�� chown ��chmod ��adduser��passwd��ܸ��root��룻Ҳ��root�� parted��fdisk ��ĵȼ۹��ǣ�

beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

��У��ʾ��ȨDISKADER �µ��г�Ա��OP��ݣ�� DSKCMD ��Ҫ��룻��Ϊ��ȷ��˵ lanhaitun ��root�� parted��fdisk ����ȼ۹��ǣ�

lanhaitun ALL=(root) /sbin/parted,/sbin/fdisk

��еĵ��ֻ�˵��벻��û��л��root��SYDCMD��DSKCMD �µ����Ӧ�ðѰ�NOPASSWD:��Ϊ�ã��Ӱɣ��׵ģ�

SYSADER ALL= NOPASSWD: SYDCMD, NOPASSWD: DSKCMD

5��/etc/sudoers��δ��

��Ȩ��У�� NOEXEC:��EXEC��÷��Լ��man sudoers �˽⣻��й��ڹ��ͨ��÷��Ҳ��Ҫ�˽�ġ��Щ��ݲ��˵�ˣ��Ͼ�ֻ��һ��Ե��ĵ��soduers��ļ�Ҫ��򵥾��ж�򵥣�Ҫ��Ѿ��ж��ѣ��Ϳ��Լ��Ӧ��ˡ�

6��sudo��÷��

��ǰ�潲��/etc/sudoers �Ĺ��д��յ�Ŀ��û�ͨ��sudo��ȡ��ļ��еĹ��ʵ��ƥ��Ȩ��Ա��滻��Ȩ��²��ɵ��

��ֻ˵��򵥵��÷��Ϊ��ϸ��ο�man sudo

sudo [��ѡ��] ��
-l �г��û��Ͽ��õĺͱ��ֹ��һ��ú�/etc/sudoers��Ҫ��鿴�Ͳ��ǲ��ȷ�ģ�
-v ��֤�û��ʱ��û��sudo ��û��ڶ�ʱ��ڿ��Բ��ֱ�ӽ��sudo ��-v ��Ը��µ�ʱ��
-u ָ��ĳ��û�ִ��ض��
-k ɾ��ʱ��һ��sudo ��Ҫ��ṩ��룻

��У�

��ͨ��visudo ��/etc/sudoers �ļ��һ�У�

beinan,linuxsir,%beinan ALL=/bin/chown,/bin/chmod,/usr/sbin/adduser,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,/sbin/parted,/sbin/fdisk

Ȼ��г�beinan�û��ͨ��sudo ��л��û��õ��򱻽�ֹ�õ��

[beinan@localhost ~]$ sudo -l ע��г��û��ͨ��л��û��Ŀ��õĻ򱻽�ֹ��
Password: ע��û��룻
User beinan may run the following commands on this host:
(root) /bin/chown ע��л��root��chown��
(root) /bin/chmod ע��л��root��chmod��
(root) /usr/sbin/adduser ע��л��root��adduser��
(root) /usr/bin/passwd [A-Za-z]* ע��л��root�� passwd ��
(root) !/usr/bin/passwd root ע��л��root�£��ִ��passwd root ��root��룻
(root) /sbin/parted ע��л�� root��ִ��parted ��
(root) /sbin/fdisk ע��л��root��ִ�� fdisk ��

ͨ��sudo -l �г��ͨ��chown ��ı�/optĿ¼��Ϊbeinan ��

[beinan@localhost ~]$ ls -ld /opt ע��鿴/opt��
drwxr-xr-x 26 root root 4096 10�� 27 10:09 /opt ע��õ��Ĵ��ǹ��root�û��root�û��飻
[beinan@localhost ~]$ sudo chown beinan:beinan /opt ע��ͨ��chown ��ı��Ϊbeinan�û��beinan�û��飻
[beinan@localhost ~]$ ls -ld /opt ע��鿴/opt��ǲ��Ѿ��ı��ˣ�
drwxr-xr-x 26 beinan beinan 4096 10�� 27 10:09 /opt

��ͨ��ӷ��beinan�û��л��root��ִ�иı��û��passwd����sudo -l ��д�Ų��ܸ��root�Ŀ��Ҳ��˵��root�Ŀ��beinan�û��ܸ��⣬��û��Ŀ���ܸ��ġ��ԣ�

��һ��ͨ�û��˵��˸��Ŀ��⣬��ܸ��û��Ŀ����root��ִ����Ը��û��Ŀ��

��ϵͳ��linuxsir��û�, ��볢�Ը��û��Ŀ��

[beinan@localhost ~]$ passwd linuxsir ע��ͨ��sudo ֱ��passwd ��linuxsir�û��Ŀ��
passwd: Only root can specify a user name. ע��ʧ�ܣ��ʾ��ͨ�� root��ģ�
[beinan@localhost ~]$ sudo passwd linuxsir ע��ͨ��/etc/sudoers �Ķ��壬��beinan�л��root��ִ�� passwd ��ı�linuxsir�Ŀ��
Changing password for user linuxsir.
New UNIX password: ע��¿��
Retype new UNIX password: ע��һ�Σ�
passwd: all authentication tokens updated successfully. ע��ı�ɹ��

��ǣ�

��û��ĵ��Ҫ��ɲ��ݣ��Ҽƻ��쿪ʼд�û��ƹ��ߣ�� useradd��userdel��usermod ��Ҳ��ǹ��û��Ĺ��߽��ܣ��Ȼ�һ��д�û��ѯ��ߵ��û��صģ�

Linux ϵͳ�еĳ��Ȩ�޵Ŀ��

�� 3 ��

Ƶ��

��½̳�

��Ƽ�

Linux ϵͳ�еĳ���Ȩ�޵Ŀ���

���� 3 ������

Ƶ������

���½̳�

����Ƽ�

Linux ϵͳ�еĳ��Ȩ�޵Ŀ��

�� 3 ��

Ƶ��

��½̳�

��Ƽ�