  • Linux command: sudo

    The sudo command grants an ordinary user additional rights to complete tasks that normally only the superuser is permitted to perform.

    Format: sudo [options] command

    The difference between sudo and su is that su lets an ordinary user become the superuser outright,

    which increases the security risk, whereas sudo can grant a designated user the right to execute

    only specific commands/programs.

    Features of the sudo command:

    1: Restricts users to running only the specified commands
    2: Logs every command a user executes
    3: After the password has been verified, the user is not asked for it again for 5 minutes (the default), which is more convenient.

    The sudo configuration file is /etc/sudoers; only the superuser can edit it, and it must be edited with visudo.

    Example 1: Edit the sudo configuration file with visudo and add, at line 99, a rule that allows the pentest user

    to run any command from any host.

         1  ## Sudoers allows particular users to run various commands as
         2  ## the root user, without needing the root password.
         3  ##
         4  ## Examples are provided at the bottom of the file for collections
         5  ## of related commands, which can then be delegated out to particular
         6  ## users or groups.
         7  ##
         8  ## This file must be edited with the 'visudo' command.
         9
        10  ## Host Aliases
        11  ## Groups of machines. You may prefer to use hostnames (perhaps using
        12  ## wildcards for entire domains) or IP addresses instead.
        13  # Host_Alias     FILESERVERS = fs1, fs2
        14  # Host_Alias     MAILSERVERS = smtp, smtp2
        15
        16  ## User Aliases
        17  ## These aren't often necessary, as you can use regular groups
        18  ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
        19  ## rather than USERALIAS
        20  # User_Alias ADMINS = jsmith, mikem
        21
        22
        23  ## Command Aliases
        24  ## These are groups of related commands...
        25
        26  ## Networking
        27  # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
        28
        29  ## Installation and management of software
        30  # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
        31
        32  ## Services
        33  # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
        34
        35  ## Updating the locate database
        36  # Cmnd_Alias LOCATE = /usr/bin/updatedb
        37
        38  ## Storage
        39  # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
        40
        41  ## Delegating permissions
        42  # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
        43
        44  ## Processes
        45  # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
        46
        47  ## Drivers
        48  # Cmnd_Alias DRIVERS = /sbin/modprobe
        49
        50  # Defaults specification
        51
        52  #
        53  # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
        54  #         You have to run "ssh -t hostname sudo <cmd>".
        55  #
        56  Defaults    requiretty
        57
        58  #
        59  # Refuse to run if unable to disable echo on the tty. This setting should also be
        60  # changed in order to be able to use sudo without a tty. See requiretty above.
        61  #
        62  Defaults   !visiblepw
        63
        64  #
        65  # Preserving HOME has security implications since many programs
        66  # use it when searching for configuration files. Note that HOME
        67  # is already set when the the env_reset option is enabled, so
        68  # this option is only effective for configurations where either
        69  # env_reset is disabled or HOME is present in the env_keep list.
        70  #
        71  Defaults    always_set_home
        72
        73  Defaults    env_reset
        74  Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
        75  Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
        76  Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
        77  Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
        78  Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
        79
        80  #
        81  # Adding HOME to env_keep may enable a user to run unrestricted
        82  # commands via sudo.
        83  #
        84  # Defaults   env_keep += "HOME"
        85
        86  Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
        87
        88  ## Next comes the main part: which users can run what software on
        89  ## which machines (the sudoers file can be shared between multiple
        90  ## systems).
        91  ## Syntax:
        92  ##
        93  ##      user    MACHINE=COMMANDS
        94  ##
        95  ## The COMMANDS section may have other options added to it.
        96  ##
        97  ## Allow root to run any commands anywhere
        98  root    ALL=(ALL)       ALL
        99  pentest ALL=(ALL)       ALL
       100  ## Allows members of the 'sys' group to run networking, software,
       101  ## service management apps and more.
       102  # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
       103
       104  ## Allows people in group wheel to run all commands
       105  %wheel  ALL=(ALL)       ALL
       106
       107  ## Same thing without a password
       108  # %wheel        ALL=(ALL)       NOPASSWD: ALL
       109
       110  ## Allows members of the users group to mount and unmount the
       111  ## cdrom as root
       112  # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
       113
       114  ## Allows members of the users group to shutdown this system
       115  # %users  localhost=/sbin/shutdown -h now
       116
       117  ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
       118  #includedir /etc/sudoers.d
    [root@localhost ~]#

    Switch to the pentest user and list the commands it may run; the listing shows ALL, meaning it can run every command the superuser can.

    [root@localhost ~]# su - pentest
    上一次登录:五 9月  9 13:29:34 CST 2016pts/1 上
    [pentest@localhost ~]$ sudo -l
    [sudo] password for pentest:
    匹配此主机上 pentest 的默认条目:
        requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
        HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
        LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
        LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
    
    用户 pentest 可以在该主机上运行以下命令:
        (ALL) ALL

    Listing /root with a plain ls fails with "permission denied" (权限不够); with sudo ls the directory can be listed.

    [pentest@localhost ~]$ ls /root/
    ls: 无法打开目录/root/: 权限不够
    [pentest@localhost ~]$ sudo ls /root/
    [sudo] password for pentest:
    anaconda-ks.cfg       testA  testC  公共  视频  文档  音乐
    initial-setup-ks.cfg  testB  yum    模板  图片  下载  桌面
    [pentest@localhost ~]$

    Example 2: Allow pentest to run only the cat command as root

    The pentest user first tries to cat /etc/shadow with ordinary privileges and gets permission denied:
    [pentest@localhost ~]$ cat /etc/shadow
    cat: /etc/shadow: 权限不够

    Switch to the root user to grant the pentest user permission to run cat:
    [pentest@localhost ~]$ su - root
    密码:
    上一次登录:五 9月 9 14:12:10 CST 2016pts/1 上
    [root@localhost ~]# visudo
    [root@localhost ~]# su - pentest
    上一次登录:五 9月 9 14:12:30 CST 2016pts/1 上

    Grant the right to run cat (the runas field is now root only, and the command list is /bin/cat instead of ALL):
    [root@localhost ~]# visudo
    root    ALL=(ALL)       ALL
    pentest ALL=(root)      /bin/cat
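As an added example (not code from the original post), a small Python audit that parses the user specifications shown in Example 1 and Example 2 and flags grants of ALL, which make sudo equivalent to su and lose the per-command restriction the post is about. The sudoers text inside it is constructed from the lines on this page, with the stock wheel NOPASSWD line uncommented for contrast.

```python
import re

# Constructed sample input (not the page's own file): the rules from Example 1 and
# Example 2 above, plus the stock wheel NOPASSWD line uncommented for contrast.
SAMPLE_SUDOERS = """\
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
pentest ALL=(ALL)       ALL
pentest ALL=(root)      /bin/cat
%wheel  ALL=(ALL)       NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

# user HOST=(runas) [TAG:] commands, the "user MACHINE=COMMANDS" form the file documents
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_rules(text):
    """Return the user specifications of a sudoers file as dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # Defaults, comments and #include/#includedir directives carry no rule
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds").strip(), []
        while re.match(r"^[A-Z_]+:", cmds):          # leading tags such as NOPASSWD:
            tag, cmds = cmds.split(":", 1)
            tags.append(tag)
            cmds = cmds.strip()
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": (m.group("runas") or "root").strip(),  # omitted runas means root
            "tags": tags,
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules

def audit(rules):
    """Flag non-root rules whose command list is ALL: Example 1's grant makes sudo
    equivalent to su, and NOPASSWD on top of that also drops the password check."""
    findings = []
    for r in rules:
        if r["user"] == "root" or "ALL" not in r["commands"]:
            continue
        findings.append((r["user"], "high" if "NOPASSWD" in r["tags"] else "medium"))
    return findings
```

Run it against the output of `visudo -c` or a copy of /etc/sudoers and /etc/sudoers.d/* to see which accounts still hold the Example 1 style grant.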

    A plain cat still reports permission denied when reading /etc/shadow:
    [pentest@localhost ~]$ cat /etc/shadow
    cat: /etc/shadow: 权限不够

    With sudo cat, /etc/shadow can now be read:
    [pentest@localhost ~]$ sudo cat /etc/shadow
    (the full contents of /etc/shadow follow, one entry per account)
    [pentest@localhost ~]$
  • Original post: https://www.cnblogs.com/tdcqma/p/5856553.html