第十二章 用户权限管理

用户提权



1. su		使用普通用户登录,然后执行su命令切换到root用户     优点:简单   缺点:需要知道root密码(root密码要分发给每个管理员;而且切换之后日志里只能看到"谁切到了root",看不到切过去之后具体执行了什么命令)

2. sudo		使用普通用户管理,当需要使用root的权限的时候,进行提权   优点:安全、方便(不用分发root密码,可以按命令授权,每条命令都会记录是谁执行的)   缺点:配置相对复杂  


shell的分类及执行的过程 


交互式shell		#终端操作  输入一条指令,需要等待系统的处理及返回结果 

非交互式shell		#脚本的执行方式就是  用户执行完指令 不需要跟系统进行交互 

登录式shell		#通过用户名和密码的方式进行登录的

非登录式shell		#不是通过用户名和密码的方式进行登录的    执行一个bash,就是一个非登录式shell


[root@qls ~]# yum install  -y  psmisc

[root@qls ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─VGAuthService
        ├─agetty
        ├─auditd───{auditd}
        ├─crond
        ├─dbus-daemon
        ├─firewalld───{firewalld}
        ├─master─┬─pickup
        │        └─qmgr
        ├─nginx───nginx
        ├─polkitd───6*[{polkitd}]
        ├─rsyslogd───2*[{rsyslogd}]
        ├─sshd─┬─sshd───bash───pstree
        │      └─sshd───bash───bash
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-udevd
        ├─tuned───4*[{tuned}]
        └─vmtoolsd───{vmtoolsd}


用户的工作环境相关文件

用户的工作环境相关文件


#个人配置文件

/root/.bash_profile

/root/.bashrc

#全局配置文件

/etc/bashrc 

/etc/profile

/etc/profile.d/*.sh



profile		#环境变量配置文件  系统登录前执行的一些命令或者脚本 

bashrc		# 本地变量    别名 

执行顺序 

#在5个文件的第二行加入echo输出 

[root@qls ~]# vim .bashrc 
[root@qls ~]# vim .bash_profile 
[root@qls ~]# vim /etc/bashrc 
[root@qls ~]# 
[root@qls ~]# vim  /etc/profile
[root@qls ~]# vim /etc/profile.d/test.sh


#登录式Shell执行顺序

/etc/profile  ---》 /etc/profile.d/*.sh ---》 .bash_profile ---》 .bashrc ---》 /etc/bashrc


#非登录式shell执行顺序 

.bashrc ---》 /etc/bashrc ---》 /etc/profile.d/*.sh



su命令用户提权



su  username		#非登录式shell 		

su  -  username		#登录式shell

区别就是加载的配置文件不一样 


root用户切换到普通用户是不需要密码的,而普通用户切换到root用户是需要密码的



[root@qls ~]# useradd   test10  
[root@qls ~]# echo "1"  |passwd  --stdin  test10		#实验环境用的弱密码;这种写法密码会留在命令历史里,正式环境不要这样设
Changing password for user test10.
passwd: all authentication tokens updated successfully.
[root@qls ~]# su  test10
/etc/bashrc
/etc/profile.d/*.sh
[test10@qls root]$

[test10@qls root]$ pwd
/root


su username在切换用户的时候,只执行了
/etc/bashrc
/etc/profile.d/*.sh

切换之后所在的目录没有变,还是切换前所在的目录(这里切换前root在自己的家目录,所以pwd是/root),环境变量也基本沿用切换前的 



[root@qls ~]# su - test10
Last login: Wed Jul 22 09:09:58 CST 2020 on pts/0
/etc/profile
/etc/profile.d/*.sh
/etc/bashrc
[test10@qls ~]$ pwd
/home/test10


su  -  username  在切换用户的时候属于一种登录式shell 跟su命令直接切换的区别就是是否加载了/etc/profile(以及目标用户自己的.bash_profile)文件,切换之后,工作环境也已经改变了(HOME、PATH等环境变量会按目标用户重新设置),是在自己的家目录下面 


[root@qls ~]# su  -  test10
Last login: Wed Jul 22 09:13:03 CST 2020 on pts/0

[test10@qls ~]$ su -
Password: 
Last login: Wed Jul 22 09:13:25 CST 2020 from 10.0.0.1 on pts/2

[root@qls ~]# su - test10
Last login: Wed Jul 22 09:16:33 CST 2020 on pts/0


[test10@qls ~]$ su - root
Password: 
Last login: Wed Jul 22 09:16:59 CST 2020 on pts/0
[root@qls ~]# 

sudo用户提权



#日志审计(先把用户加入wheel组获得sudo权限,再用sudo查看日志;注意sudo自身"谁执行了什么命令"的记录一般走authpriv,CentOS上写在/var/log/secure,在下面tail的/var/log/messages里是看不到的)

[root@qls ~]# grep  'wheel'  /etc/group
wheel:x:10:
[root@qls ~]# usermod  -aG  wheel  test10
[root@qls ~]# id test10
uid=1007(test10) gid=1007(test10) groups=1007(test10),10(wheel)

[test10@qls ~]$ sudo  -l  
[sudo] password for test10: 
Matching Defaults entries for test10 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test10 may run the following commands on qls:
    (ALL) ALL
[test10@qls ~]$ sudo tail  -f  /var/log/messages
Jul 22 09:19:49 qls systemd-logind: Removed session 65.
Jul 22 09:19:56 qls systemd: Created slice User Slice of test10.
Jul 22 09:19:56 qls systemd: Started Session 66 of user test10.
Jul 22 09:19:56 qls systemd-logind: New session 66 of user test10.
Jul 22 09:20:11 qls su: (to root) test10 on pts/2
Jul 22 09:47:08 qls systemd-logind: Removed session 66.
Jul 22 09:47:08 qls systemd: Removed slice User Slice of test10.
Jul 22 09:47:12 qls systemd: Created slice User Slice of test10.
Jul 22 09:47:12 qls systemd: Started Session 67 of user test10.
Jul 22 09:47:12 qls systemd-logind: New session 67 of user test10.
^C


[test10@qls ~]$ rm -rf /opt/
rm: cannot remove ‘/opt/hostname’: Permission denied
rm: cannot remove ‘/opt/hostnamectl’: Permission denied
rm: cannot remove ‘/opt/test_hostname’: Permission denied
rm: cannot remove ‘/opt/test_hostname.txt’: Permission denied
rm: cannot remove ‘/opt/.hostname.log’: Permission denied
rm: cannot remove ‘/opt/HOSTNAMECTL’: Permission denied
rm: cannot remove ‘/opt/user02’: Permission denied
rm: cannot remove ‘/opt/user01’: Permission denied
[test10@qls ~]$ sudo  rm -rf /opt/
[test10@qls ~]$ ll /opt 
ls: cannot access /opt: No such file or directory


#权限太大   怎么限制权限  

visudo		#进行设置    默认只有root和wheel组的成员能使用sudo(/etc/sudoers里默认有一条 %wheel ALL=(ALL) ALL,前面test10加入wheel之后拿到的 (ALL) ALL 就是它的效果),其它普通用户需要root在sudoers里单独授权 


#只给开发人员只读权限 

[root@qls ~]# visudo		#推荐:有语法检查和文件锁,写错了会提示而不是直接保存
====
[root@qls ~]# vi /etc/sudoers		#不推荐:直接编辑没有语法检查,一条写错会让所有人的sudo都失效,只能用root在本机修复

#在100行左右添加此行
test11  ALL=(ALL)       /usr/bin/cat,/usr/bin/tail

用户     主机  (可以切换成的身份,ALL表示任意用户)       命令 

						ALL  所有命令
						
						/usr/bin/cat	#单个命令
						
						/usr/bin/cat,/usr/bin/tail	#多个用逗号分割
						
						/usr/bin/*		#目录下的所有命令(注意:这里面包含 su、bash、vim 等,给了它就等于给了完整的root权限,和 ALL 没有区别)
						
						NOPASSWD:		#免密执行  

test11  ALL=(ALL)       NOPASSWD: /usr/bin/tail /var/log/messages 	#限制只能对这一个文件执行tail:命令后面带了参数时,sudo要求参数完全一致,例如 sudo tail -f /var/log/messages 会被拒绝;参数里尽量不要用 * 通配符,它会把 ../ 这类路径也匹配进去


#检查语法
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK

#普通用户测试

[sudo] password for test11: 
Matching Defaults entries for test11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on qls:
    (ALL) /usr/bin/cat, /usr/bin/tail


[test11@qls ~]$ tail -f  /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[test11@qls ~]$ sudo tail -f  /var/log/messages
Jul 22 09:47:12 qls systemd: Started Session 67 of user test10.
Jul 22 09:47:12 qls systemd-logind: New session 67 of user test10.
Jul 22 09:52:16 qls systemd: Created slice User Slice of test11.
Jul 22 09:52:16 qls systemd: Started Session 68 of user test11.
Jul 22 09:52:16 qls systemd-logind: New session 68 of user test11.
Jul 22 09:57:26 qls systemd-logind: Removed session 68.
Jul 22 09:57:26 qls systemd: Removed slice User Slice of test11.
Jul 22 09:57:35 qls systemd: Created slice User Slice of test11.
Jul 22 09:57:35 qls systemd: Started Session 69 of user test11.
Jul 22 09:57:35 qls systemd-logind: New session 69 of user test11.
^C

[test11@qls ~]$ rm -rf /mnt/
rm: cannot remove ‘/mnt/’: Permission denied
[test11@qls ~]$ sudo rm -rf /mnt/
Sorry, user test11 is not allowed to execute '/bin/rm -rf /mnt/' as root on qls.


#执行sudo命令的时候,不提示输入密码

[root@qls ~]# visudo
test11  ALL=(ALL)       NOPASSWD:/usr/bin/cat,/usr/bin/tail
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK

[test11@qls ~]$ sudo  -l
Matching Defaults entries for test11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on qls:
    (ALL) NOPASSWD: /usr/bin/cat, /usr/bin/tail
[test11@qls ~]$ 


注意:设置命令权限的时候,多个可以使用逗号分割   也可以是/usr/bin/*   ALL(后两种实际上都是完整的root权限,只适合实验环境;正式环境按最小权限原则只列出确实需要的命令)


sudo设置组


两种方法:

利用sudo的自己的组   只在sudo里面生效

利用系统组   是一个真实存在的组


#利用sudo的自己的组 

[root@qls ~]# useradd  dev01
[root@qls ~]# useradd  dev02
[root@qls ~]# echo "1" | passwd  --stdin  dev01
Changing password for user dev01.
passwd: all authentication tokens updated successfully.
[root@qls ~]# echo "1" | passwd  --stdin  dev02
Changing password for user dev02.
passwd: all authentication tokens updated successfully.




#用户别名组
User_Alias DEV = dev01,dev02

#命令别名组

Cmnd_Alias READ = /bin/cat,/bin/head,/bin/tail

#调用

DEV     ALL=(ALL)       NOPASSWD: READ

[root@qls ~]# visudo -c
/etc/sudoers: parsed OK


#测试(注意下面的结果:能以root身份cat/head/tail任意文件,就能直接读出/etc/shadow里的密码hash、私钥等机密文件,这种"只读"授权的风险并不低)

[dev01@qls ~]$ sudo  -l
Matching Defaults entries for dev01 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev01 may run the following commands on qls:
    (ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail

[dev01@qls ~]$ sudo  head -1 /etc/shadow
root:$6$SoTZ3L8.5rI4l25X$WAqOKpP8BwpL/evQNV2RfaJnXn6AZepgQcwUjHTUoDSJz7InZPGUZbanfzCVtLUeSX1q6gbPTiP.vnKIVcW1t0::0:99999:7:::
[dev01@qls ~]$ sudo  tail -1 /etc/shadow
dev02:$6$iZSmy0at$iDnyU7dcY1saiseJHT40Qw00.LildePgoG2j3ShODj1s69Z.aVpaj9vvoZLtCcMakQ0BDFdA5Lh3FstbnAKcf1:18465:0:99999:7:::


系统的组  真实组


[root@qls ~]# groupadd   dev_group
[root@qls ~]# useradd  -g dev_group  dev11
[root@qls ~]# useradd  -g dev_group  dev12
[root@qls ~]# echo "1" | passwd  --stdin  dev11
Changing password for user dev11.
passwd: all authentication tokens updated successfully.
[root@qls ~]# echo "1" | passwd  --stdin  dev12
Changing password for user dev12.
passwd: all authentication tokens updated successfully.

[root@qls ~]# visudo


%dev_group ALL=(ALL)   NOPASSWD: READ

[root@qls ~]# visudo -c
/etc/sudoers: parsed OK


#测试

[dev11@qls ~]$ sudo -l
Matching Defaults entries for dev11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev11 may run the following commands on qls:
    (ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail
[dev11@qls ~]$ head -1 /var/log/messages
head: cannot open ‘/var/log/messages’ for reading: Permission denied
[dev11@qls ~]$ sudo head -1 /var/log/messages
Jul 16 04:01:01 qls systemd: Started Session 61 of user root.
[dev11@qls ~]$ sudo tail -1 /var/log/messages
Jul 22 10:54:33 qls systemd-logind: New session 79 of user dev11.

sudo设置案例


禁止root用户登录,使用普通用户登录,并且普通用户能够免密的切换到root用户(注意:给 NOPASSWD: /bin/su 等于给了该用户免密的完整root权限,谁拿到qiudao的账号密码就直接拿到root,ssh禁止root登录的意义只剩下"多一个用户名要猜"和登录日志能看到是谁;正式环境至少不要加NOPASSWD,或者只授权具体需要的命令)

#禁止root登录

[root@qls ~]# ll  /etc/ssh/sshd_config 
-rw-------. 1 root root 3907 Apr 11  2018 /etc/ssh/sshd_config
[root@qls ~]# grep  -i 'rootlogin'  /etc/ssh/sshd_config
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".

[root@qls ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

[root@qls ~]# sed  -i  '/^#PermitRootLogin/s#.*#PermitRootLogin no#g'  /etc/ssh/sshd_config

[root@qls ~]# grep  -i 'rootlogin'  /etc/ssh/sshd_config
PermitRootLogin no
# the setting of "PermitRootLogin without-password".

[root@qls ~]# systemctl  restart sshd		#可以先用 sshd -t 检查配置语法;改完不要关闭当前会话,另开一个终端确认普通用户能登录、root被拒绝之后再退出,否则配置写错会把自己锁在外面


[root@qls ~]# useradd   qiudao
[root@qls ~]# echo "1"  | passwd  --stdin  qiudao
Changing password for user qiudao.
passwd: all authentication tokens updated successfully.


[C:\~]$ ssh  qiudao@10.0.0.100


Connecting to 10.0.0.100:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Wed Jul 22 09:47:12 2020 from 10.0.0.1
[qiudao@qls ~]$ 


[root@qls ~]# visudo 

qiudao  ALL=(ALL)       NOPASSWD: /bin/su


[root@qls ~]# visudo -c
/etc/sudoers: parsed OK

#测试

[qiudao@qls ~]$ sudo  su -
Last login: Wed Jul 22 11:08:51 CST 2020 on pts/1
Last failed login: Wed Jul 22 11:09:55 CST 2020 from 10.0.0.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@qls ~]# 
