zoukankan      html  css  js  c++  java
  • Linux下通过受限bash创建指定权限的账号

    在日常业务运维中,有时为了配合解决问题,需要给非运维人员开通系统账号,用于查询日志或代码。通常为了系统安全或避免不必要的误操作等目的,会将账号权限降至最低。下面介绍下在Linux下通过受限bash创建指定权限账号的操作记录:

    [root@mq-server ~]# ln -s /bin/bash  /bin/rbash
    [root@mq-server ~]# useradd -s /bin/rbash wangshibo
    [root@mq-server ~]# passwd wangshibo
    [root@mq-server ~]# mkdir /home/wangshibo/bin
    [root@mq-server ~]# chown root. /home/wangshibo/.bash_profile 
    [root@mq-server ~]# chmod 755 /home/wangshibo/.bash_profile
    [root@mq-server ~]# vim /home/wangshibo/.bash_profile       //复制下面的内容覆盖原内容
    # .bash_profile
     
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
            . ~/.bashrc
    fi
     
    # User specific environment and startup programs
     
    PATH=$HOME/bin
     
    export PATH
    [root@mq-server ~]# ln -s /bin/cat /home/wangshibo/bin/cat [root@mq-server ~]# ll /home/wangshibo/ total 4 drwxr-xr-x 2 root root 4096 Nov 25 23:38 bin [root@mq-server ~]# ll /home/wangshibo/bin/ total 0 lrwxrwxrwx 1 root root 8 Nov 25 23:12 cat -> /bin/cat

    如上设置后,可以发现创建的wangshibo用户家目录下的文件权限是root.root上面只设置了wangshibo用户的cat权限,并且只能cat查看wangshibo用户家目录/home/wangshibo下的文件。除了cat命令外。不能执行其他命令!

    [wangshibo@mq-server ~]$ cat /var/log/messages
    cat: /var/log/messages: Permission denied
    [wangshibo@mq-server ~]$ ls
    -rbash: /home/wangshibo/bin/ls: No such file or directory
    [wangshibo@mq-server ~]$ touch test
    -rbash: /home/wangshibo/bin/touch: No such file or directory

    如果要想在其家目录下有其他命令的执行权,那么需要添加这些命令的软链接到/home/wangshibo/bin目录下(可以通过which命令查看二进制命令的全路径)

    [root@mq-server ~]# ln -s /bin/ls /home/wangshibo/bin
    [root@mq-server ~]# ln -s /bin/touch /home/wangshibo/bin
    [root@mq-server ~]# ln -s /bin/mkdir /home/wangshibo/bin
    [root@mq-server ~]# ln -s /usr/bin/vim /home/wangshibo/bin/
    [root@mq-server ~]# ll /home/wangshibo/bin/
    total 0
    lrwxrwxrwx 1 root root  8 Nov 25 23:12 cat -> /bin/cat
    lrwxrwxrwx 1 root root  7 Nov 25 23:44 ls -> /bin/ls
    lrwxrwxrwx 1 root root 10 Nov 25 23:45 mkdir -> /bin/mkdir
    lrwxrwxrwx 1 root root 10 Nov 25 23:44 touch -> /bin/touch
    lrwxrwxrwx 1 root root 12 Nov 25 23:45 vim -> /usr/bin/vim

    这样,wangshibo用户就拥有了上面加入的命令的执行权

    [root@mq-server ~]# su - wangshibo
    [wangshibo@mq-server ~]$ ls
    bin
    [wangshibo@mq-server ~]$ touch test
    [wangshibo@mq-server ~]$ mkdir ops
    [wangshibo@mq-server ~]$ vim test
    [wangshibo@mq-server ~]$ cat test
    dsfdsafsadf
    [wangshibo@mq-server ~]$ rm -f test
    -rbash: rm: command not found
    [wangshibo@mq-server ~]$ ls /usr/
    bin  etc  games  include  lib  lib64  libexec  local  sbin  share  src  tmp
    [wangshibo@mq-server ~]$ cat /var/log/messages
    cat: /var/log/messages: Permission denied
  • 相关阅读:
    POJ_2104_K-th Number_主席树
    BZOJ_1014_[JSOI2008]火星人prefix_splay+hash
    BZOJ_1861_[Zjoi2006]Book 书架_splay
    BZOJ_2242_[SDOI2011]计算器_快速幂+扩展GCD+BSGS
    BZOJ_3239_Discrete Logging_BSGS
    BZOJ_1269&&1507_[AHOI2006]文本编辑器editor&&[NOI2003]Editor
    BZOJ_1552_[Cerc2007]robotic sort_splay
    BZOJ_1500_[NOI2005]维修数列_splay
    BZOJ_1251_序列终结者
    吴裕雄--天生自然ORACLE数据库学习笔记:优化SQL语句
  • 原文地址:https://www.cnblogs.com/kevingrace/p/7897150.html
Copyright © 2011-2022 走看看