Category: linux&Unix  Compiled by: FengNet.Com  Updated: 2015/9/20 10:29:32  Views: 702

Configuring sudo execution privileges for ordinary users on Ubuntu


sudo is the usual tool on Linux for letting an ordinary user run commands with superuser privileges. Ubuntu disables root login by default; a user switches to root with sudo -i. If you want to allow only the www user to restart the Apache service, you can achieve that by configuring /etc/sudoers. The changes below implement this requirement.

You can edit /etc/sudoers with visudo. The advantage is that it warns you when a rule is malformed; the drawback is that it opens the nano editor, which is awkward to work in. That comes down to personal preference; I open the configuration with visudo -f /etc/sudoers.

First, look at Ubuntu's default sudoers configuration, shown below.

#
# This file MUST be edited with the visudo command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Then add a few aliases so that the privilege rules below are easier to write, without long blocks of repeated configuration.

# Host alias specification
Host_Alias SERVER = 192.168.188.115
# User alias specification
User_Alias USER_FLAG = www,tomcat
# Cmnd alias specification
Cmnd_Alias RESTARTAPACHE = service apache2 restart
Cmnd_Alias STOPAPACHE = service apache2 stop
Cmnd_Alias STARTAPACHE = service apache2 start

Next, configure the execution privileges.

# User privilege specification
root ALL=(ALL:ALL) ALL
USER_FLAG SERVER=RESTARTAPACHE,STOPAPACHE,STARTAPACHE

Finally, add logging so that every sudo command run by each user is recorded.

Defaults@SERVER log_host, logfile=/var/log/sudo.log
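
As an added example (not the post's own configuration), here is the same policy rendered as a drop-in under /etc/sudoers.d, which the header of the default file recommends over editing /etc/sudoers directly. It gives the service commands as absolute paths, because sudoers matches commands by fully qualified path name, and it has visudo check the fragment before installing it. The file name /etc/sudoers.d/apache-ops and the path /usr/sbin/service are assumptions; the host, users and log settings are the post's values.

```shell
# Added example (not the original post's configuration): the same policy as a
# drop-in under /etc/sudoers.d, which the stock sudoers header recommends over
# editing /etc/sudoers directly. Commands are given by absolute path, because
# sudoers matches commands by fully qualified path name; /usr/sbin/service is
# an assumption for Ubuntu. Host and users are the post's values.

render_fragment() {
    cat <<'EOF'
Host_Alias SERVER = 192.168.188.115
User_Alias USER_FLAG = www,tomcat
Cmnd_Alias RESTARTAPACHE = /usr/sbin/service apache2 restart
Cmnd_Alias STOPAPACHE = /usr/sbin/service apache2 stop
Cmnd_Alias STARTAPACHE = /usr/sbin/service apache2 start
USER_FLAG SERVER=RESTARTAPACHE,STOPAPACHE,STARTAPACHE
Defaults@SERVER log_host, logfile=/var/log/sudo.log
EOF
}

# Write the fragment to a temp file, let visudo check its syntax, and only then
# move it into place with the 0440 mode sudo expects. Must run as root.
# Drop-in names must not contain '.' or end in '~', or sudo ignores the file.
install_fragment() {
    target=${1:-/etc/sudoers.d/apache-ops}
    tmp=$(mktemp) || return 1
    render_fragment > "$tmp"
    if ! visudo -c -f "$tmp"; then
        echo "sudoers syntax error in fragment, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$target" && rm -f "$tmp"
}

# Self-check that does not touch the system: how many command aliases the
# fragment defines (3). Verify the live result with: sudo -l -U tomcat
count_cmnd_aliases() {
    render_fragment | grep -c '^Cmnd_Alias'
}
```

After install_fragment, `sudo -l -U tomcat` on the host lists exactly the three service commands and nothing else.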

Check the effect of the configuration:

root@ubuntu:~# su - tomcat
tomcat@ubuntu:~$ sudo service apache2 stop
[sudo] password for tomcat:
httpd: Could not reliably determine the servers fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef|grep apache
tomcat 26247 1 0 07:53 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
tomcat 27905 27848 0 11:35 pts/0 00:00:00 grep apache
tomcat@ubuntu:~$ sudo service apache2 start
httpd: Could not reliably determine the servers fully qualified domain name, using 127.0.0.1 for ServerName
tomcat@ubuntu:~$ ps -ef|grep apache
tomcat 26247 1 0 07:53 ? 00:01:38 /usr/lib/jvm/jdk1.7.0_45//bin/java -Djava.util.logging.config.file=/usr/local/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -Xms800M -Xmx1024M -XX:MaxPermSize=512M -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/local/tomcat7/endorsed -classpath /usr/local/tomcat7/bin/bootstrap.jar:/usr/local/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat7 -Dcatalina.home=/usr/local/tomcat7 -Djava.io.tmpdir=/usr/local/tomcat7/temp org.apache.catalina.startup.Bootstrap start
root 27910 1 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27911 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27912 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27913 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27914 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
www 27915 27910 0 11:35 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
tomcat 27917 27848 0 11:35 pts/0 00:00:00 grep apache
tomcat@ubuntu:~$ sudo -i
Sorry, user tomcat is not allowed to execute /bin/bash as root on ubuntu.
tomcat@ubuntu:~$ logout
root@ubuntu:~# more /var/log/sudo.log
May 11 11:35:42 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
USER=root ; COMMAND=service apache2 stop
May 11 11:35:49 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
USER=root ; COMMAND=service apache2 start
May 11 11:35:54 : tomcat : HOST=ubuntu : command not allowed ; TTY=pts/0 ;
PWD=/home/tomcat ; USER=root ; COMMAND=/bin/bash
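
An added example, not from the original post: a small parser for the sudo logfile format shown above. It joins sudo's wrapped continuation lines back into one entry and separates allowed commands from the "command not allowed" denials, which are the entries worth alerting on. The sample log is constructed from the post's output; the four-space indent on continuation lines follows sudo's logfile wrapping, and the awk layout is an assumption of this example.

```shell
# Added example: parse sudo's logfile format (the /var/log/sudo.log entries
# shown above) and extract denied commands. sudo wraps long entries at
# loglinelen (80 columns) and indents continuation lines with four spaces;
# the sample below is constructed from the post's output with that wrapping.

sample_sudo_log() {
    cat <<'EOF'
May 11 11:35:42 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
    USER=root ; COMMAND=service apache2 stop
May 11 11:35:49 : tomcat : HOST=ubuntu : TTY=pts/0 ; PWD=/home/tomcat ;
    USER=root ; COMMAND=service apache2 start
May 11 11:35:54 : tomcat : HOST=ubuntu : command not allowed ; TTY=pts/0 ;
    PWD=/home/tomcat ; USER=root ; COMMAND=/bin/bash
EOF
}

# Read a sudo logfile on stdin. Continuation lines (leading whitespace) are
# joined onto the preceding entry; then one line per event is printed as
# "<status> <user> <command>", where status is DENIED when sudo recorded
# "command not allowed" and ALLOWED otherwise.
sudo_log_events() {
    awk '
    /^[ \t]/ { entry = entry " " $0; next }
    entry != "" { emit(entry) }
    { entry = $0 }
    END { if (entry != "") emit(entry) }
    function emit(e,   f, user, cmd, status) {
        gsub(/[ \t]+/, " ", e)          # collapse the join whitespace
        split(e, f, " : ")              # f[1]=timestamp, f[2]=invoking user
        user = f[2]
        status = (e ~ /command not allowed/) ? "DENIED" : "ALLOWED"
        cmd = e; sub(/.*COMMAND=/, "", cmd)
        print status, user, cmd
    }'
}

# Only the denials, as a feed for alerting on attempts to step outside the
# granted commands. Against the real file: sudo_log_events < /var/log/sudo.log
denied_events() {
    sample_sudo_log | sudo_log_events | grep '^DENIED'
}
```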
