Linux Operations: Enterprise sudo Permission Planning Explained (tested; a pile of commands gets it done)

Source: Internet
Author: User
Tags: md5, stdin, iptables

Brief description of the problem: as the company's servers grow in number and staff turnover increases, the old way of managing servers has to be abandoned, and the company needs a better and more complete permission system. After several rounds of communication and consultation the company agreed to re-plan the permission system. Management pointed out the existing permission problems clearly, and the earlier problem of root privileges being handed out everywhere needs to be solved. As the initiator of this permission plan I know the company's current situation, and after many discussions with the relevant staff and management I confirmed the company's existing problems. The operations department's basic onboarding and offboarding process has account problems: when someone leaves, their system permissions are not reclaimed, and account passwords are too simple. This undoubtedly creates a security risk for the company's servers and data, so the partitioning scheme is described in detail below. Several company departments use the Linux servers that we provide and the accounts we open for them, and their security rights were never properly planned. I therefore proposed a more secure way of managing accounts: sudo authorization. Its advantage is that account permissions can be divided in detail, level by level, which gives the servers better security. The company has operations staff at different levels, and we need to organize the division of their rights according to responsibility; our permission plan covers junior operations, intermediate operations and advanced operations. Their permissions are planned as follows.

Operations and Maintenance Department:

Level: Permissions
Junior operations: view system information, view network status:
    /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig, /bin/netstat, /sbin/route
Advanced operations: view system information, view and modify network configuration, process management, package management, storage management:
    /usr/bin/free, /usr/bin/iostat, /usr/bin/top, /bin/hostname, /sbin/ifconfig,
    /bin/netstat, /sbin/route, /sbin/iptables, /etc/init.d/network, /bin/nice, /bin/kill,
    /usr/bin/kill, /usr/bin/killall, /bin/rpm, /usr/bin/up2date, /usr/bin/yum,
    /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
Manager (operations super user): all rights:
    ALL
Development Department:

Level: Permissions
Junior developer: root view permission, and permission to view the logs of the corresponding service:
    /usr/bin/tail /app/log*, /bin/grep /app/log*, /bin/cat, /bin/ls
Advanced developer: root view permission, permission to view the logs of the corresponding service, and permission to restart the corresponding service:
    /sbin/service, /sbin/chkconfig, /usr/bin/tail /app/log*, /bin/grep /app/log*, /bin/cat, /bin/ls,
    /bin/sh ~/scripts/deploy.sh
Development manager: all permissions on the server where the project resides, but cannot change the root password:
    ALL, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Architecture Group:

Level: Permissions
Architecture engineer: ordinary user permissions:
    Not added to the sudo list
DBA Group:

Level: Permissions
Junior DBA: ordinary user permissions:
    Not added to the sudo list
Advanced DBA: all permissions on the database server where the project resides:
    ALL, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, !/usr/sbin/visudo
Network Group:

Level: Permissions
Junior network administrator: ordinary user permissions:
    Not added to the sudo list
Advanced network administrator: all permissions on the database server where the project resides:
    /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net,
    /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
    /sbin/mii-tool, /bin/cat /var/log/*
The company currently has the following operations staff:
Operations group: 5 junior ops, 2 senior ops, 1 operations manager
Development group: 3 junior developers, 1 advanced developer, 1 development manager
Architecture group: 2 architecture engineers (the architecture group is not added to sudo)
DBA group: 3 junior DBAs (junior DBAs are not added to sudo), 1 advanced DBA
Network group: 2 junior network administrators (junior network administrators are not added to sudo), 1 advanced network administrator

Basic commands (not explained in detail again later):

useradd yun1 && echo "123456" | passwd --stdin yun1
This creates the user yun1 and then echoes the string 123456 into passwd, which reads it from standard input and sets it as yun1's password.

for n in $(seq 21 25); do useradd user$n; echo "$(echo user$n | md5sum | cut -c4-8)" | passwd --stdin user$n; done
This uses a for loop to create user accounts and passwords: seq 21 25 produces the five numbers 21 to 25, n takes each of them in turn, and user$n is the user name "user" followed by that number. The user name is then echoed into md5sum, characters 4 to 8 are cut out of the MD5 value, and the result is fed to passwd --stdin, so each user gets a different password: characters 4 to 8 of the MD5 of its own user name. See the reference section below for details.

To start creating users:
useradd yun1 && echo "123456" | passwd --stdin yun1    # basic creation method
for n in $(seq 21 25); do useradd user$n; echo "$(echo user$n | md5sum | cut -c4-8)" | passwd --stdin user$n; done    # batch user creation (reference)

Operations group: 5 junior ops, 2 senior ops, 1 operations manager
for n in $(seq 1 5); do useradd chuyun$n; echo "$(echo chuyun$n | md5sum | cut -c4-8)" | passwd --stdin chuyun$n; done    # create 5 junior ops; the password is characters 4 to 8 of the MD5
-----------------------------------------------------
for n in $(seq 1 5); do useradd chuji$n; echo "123456" | passwd --stdin chuji$n; done    # recommended way to create accounts and passwords: creates the 5 junior ops accounts and sets their passwords
for n in $(seq 1 2); do useradd gaoji$n; echo "123456" | passwd --stdin gaoji$n; done    # create the senior ops users and passwords
useradd jingli && echo 123456 | passwd --stdin jingli    # create the operations manager's account and password
for n in $(seq 1 2); do useradd jiagou$n; echo "123456" | passwd --stdin jiagou$n; done    # create the 2 architect accounts and passwords
for n in $(seq 1 3); do useradd chujidba$n; echo "123456" | passwd --stdin chujidba$n; done    # create the junior DBA accounts and passwords
useradd gaojidba && echo 123456 | passwd --stdin gaojidba    # create the advanced DBA account and password
for n in $(seq 1 2); do useradd wangguan$n; echo "123456" | passwd --stdin wangguan$n; done    # create the junior network administrators
useradd superwangguan1 && echo 123456 | passwd --stdin superwangguan1    # create the advanced network administrator
-----------------------------------------------------


Reference (independent of this permission plan): creating and deleting users in bulk

Create users in bulk with random passwords:
for n in $(seq 21 25); do useradd user$n; echo "$(echo user$n | md5sum | cut -c4-8)" | passwd --stdin user$n; done    # take characters 4 to 8 of the MD5 of the user name as the password
How do you find the password set above? Echo the user name into md5sum to see its MD5 value; the password is characters 4 to 8 of that value. To get the exact password for a given user (with $n substituted, e.g. user21):
echo user21 | md5sum | cut -c4-8    # this is the trick used for creating users in bulk with a per-user password

Create users in bulk with a specified password:
for n in $(seq 1 5); do useradd chen$n; echo "123456" | passwd --stdin chen$n; done

Delete users in bulk:
for n in $(seq 21 25); do userdel -r user$n; done    # "user" in user$n is the user-name prefix and 21 to 25 are the suffixes; bulk creation and bulk deletion work the same way
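As an added example (not code from the original post), the following script plans the batch creation and deletion that the basic commands above and this reference section describe. It keeps the post's loop-over-seq pattern but generates a random password per account instead of one derived from the user name (characters of the user name's MD5 can be recomputed by anyone who knows the naming scheme, so they are not a secret), uses chpasswd instead of the RHEL-specific passwd --stdin, and expires the password with chage -d 0 so it must be changed at first login. The function names gen_password, plan_users and plan_userdel are this example's own; the functions only print commands, so the plan can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the original post: plan the batch creation and removal
# of numbered accounts (user21..user25 in the post's reference section).
# Deliberate differences from the post's one-liners:
#  - the password is random, not derived from the user name, because anything
#    computed from the user name (such as its md5sum) can be recomputed by
#    anyone who knows the naming scheme;
#  - chpasswd is used instead of the RHEL-only "passwd --stdin";
#  - the password is expired at once (chage -d 0) so it must be changed at
#    first login.
# The functions only print commands; review the output, then pipe it to sh as root.

# 18 hex characters (72 bits) read from /dev/urandom.
gen_password() {
    od -An -N 9 -tx1 /dev/urandom | tr -d ' \n'
    echo
}

# plan_users PREFIX START END: print the commands that create PREFIX<START>..PREFIX<END>,
# set a fresh random password for each, and force a change at first login.
plan_users() {
    prefix=$1; start=$2; end=$3
    for n in $(seq "$start" "$end"); do
        user="$prefix$n"
        pw=$(gen_password)
        echo "useradd $user"
        echo "echo '$user:$pw' | chpasswd"
        echo "chage -d 0 $user"
    done
}

# plan_userdel PREFIX START END: print the commands that remove the same accounts
# together with their home directories (the post's "userdel -r" step).
plan_userdel() {
    prefix=$1; start=$2; end=$3
    for n in $(seq "$start" "$end"); do
        echo "userdel -r $prefix$n"
    done
}

# Usage (dry run):   plan_users user 21 25
# Apply as root:     plan_users user 21 25 | sh
# Undo as root:      plan_userdel user 21 25 | sh
```

The printed plan contains the initial passwords in clear, exactly as the post's one-liners do; hand them to the account owners out of band and discard the plan afterwards. Because the password is expired immediately, it only ever serves for the first login.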
Now create the related users:
Operations group: 5 junior ops, 2 senior ops, 1 operations manager
Development group: 3 junior developers, 1 advanced developer, 1 development manager
Architecture group: 2 architecture engineers (the architecture group is not added to sudo)
DBA group: 3 junior DBAs (junior DBAs are not added to sudo), 1 advanced DBA
Network group: 2 junior network administrators (junior network administrators are not added to sudo), 1 advanced network administrator

The following commands can be copied and pasted directly to create the users:

for n in $(seq 1 5); do useradd chujiyunwei$n; echo "123456" | passwd --stdin chujiyunwei$n; done
for n in $(seq 1 2); do useradd gaojiyunwei$n; echo "123456" | passwd --stdin gaojiyunwei$n; done
useradd yunweijingli && echo 123456 | passwd --stdin yunweijingli

for n in $(seq 1 3); do useradd chujikaifa$n; echo "123456" | passwd --stdin chujikaifa$n; done
useradd gaojikaifa && echo 123456 | passwd --stdin gaojikaifa
useradd kaifajingli && echo 123456 | passwd --stdin kaifajingli

for n in $(seq 1 2); do useradd jiagou$n; echo "123456" | passwd --stdin jiagou$n; done
for n in $(seq 1 3); do useradd chujidba$n; echo "123456" | passwd --stdin chujidba$n; done
useradd gaojidba && echo 123456 | passwd --stdin gaojidba
for n in $(seq 1 2); do useradd wangguan$n; echo "123456" | passwd --stdin wangguan$n; done
useradd gaojiwangguan1 && echo 123456 | passwd --stdin gaojiwangguan1

All users:
yunweijingli    # operations manager: useradd yunweijingli && echo 123456 | passwd --stdin yunweijingli
gaojiyunwei1 gaojiyunwei2    # senior ops: for n in $(seq 1 2); do useradd gaojiyunwei$n; echo "123456" | passwd --stdin gaojiyunwei$n; done
chujiyunwei1 chujiyunwei2 chujiyunwei3 chujiyunwei4 chujiyunwei5    # junior ops: for n in $(seq 1 5); do useradd chujiyunwei$n; echo "123456" | passwd --stdin chujiyunwei$n; done

kaifajingli    # development manager: useradd kaifajingli && echo 123456 | passwd --stdin kaifajingli
gaojikaifa    # advanced developer: useradd gaojikaifa && echo 123456 | passwd --stdin gaojikaifa
chujikaifa1 chujikaifa2 chujikaifa3    # junior developers: for n in $(seq 1 3); do useradd chujikaifa$n; echo "123456" | passwd --stdin chujikaifa$n; done

jiagou1 jiagou2    # architects: for n in $(seq 1 2); do useradd jiagou$n; echo "123456" | passwd --stdin jiagou$n; done

chujidba1 chujidba2 chujidba3    # junior DBAs: for n in $(seq 1 3); do useradd chujidba$n; echo "123456" | passwd --stdin chujidba$n; done

gaojidba    # advanced DBA: useradd gaojidba && echo 123456 | passwd --stdin gaojidba

wangguan1 wangguan2    # junior network administrators: for n in $(seq 1 2); do useradd wangguan$n; echo "123456" | passwd --stdin wangguan$n; done

gaojiwangguan1    # advanced network administrator: useradd gaojiwangguan1 && echo 123456 | passwd --stdin gaojiwangguan1
User rights planning:
Advanced operations: %gaojiyunwei
Junior operations: %yunwei
Development: %kaifa
Network group: %net

# configuration commands (sudoers alias names must be upper-case identifiers):
User_Alias NET = %net
User_Alias KAIFA = %kaifa
User_Alias YUNWEI = %yunwei
User_Alias GAOJIYUNWEI = %gaojiyunwei

-----------------------
# create users
useradd net1 && echo '123456' | passwd --stdin net1
useradd yunwei1 && echo '123456' | passwd --stdin yunwei1
useradd gaojiyunwei1 && echo '123456' | passwd --stdin gaojiyunwei1
useradd kaifa1 && echo '123456' | passwd --stdin kaifa1

Create the groups (groupadd):
groupadd net
groupadd kaifa
groupadd yunwei
groupadd gaojiyunwei

Add the users to the groups (usermod -g group user):
usermod -g yunwei yunwei1
usermod -g gaojiyunwei gaojiyunwei1
usermod -g net net1
usermod -g kaifa kaifa1
User alias categories:
User_Alias NET = %net
User_Alias KAIFA = %kaifa
User_Alias YUNWEI = %yunwei
User_Alias GAOJIYUNWEI = %gaojiyunwei

Command alias management:
# network engineer command alias group
Cmnd_Alias NET_CMD = /bin/vi, /bin/ping, /bin/traceroute, /sbin/route, /bin/netstat, /bin/ps

# development command alias group
Cmnd_Alias KAIFA_CMD = /bin/grep, /usr/bin/vim, /bin/vi, /usr/bin/tail, /usr/bin/wc, /bin/ps

# operations command alias group
Cmnd_Alias YUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

# advanced operations command alias group
Cmnd_Alias GAOJIYUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, /usr/sbin/usermod, /usr/sbin/userdel

Rights management:
# the privileges that can be obtained (the user the commands run as)
Runas_Alias NET = root
Runas_Alias KAIFA = root
Runas_Alias YUNWEI = root
Runas_Alias GAOJIYUNWEI = root
# mapping: user alias, run-as alias, command alias
NET ALL = (NET) NET_CMD
KAIFA ALL = (KAIFA) KAIFA_CMD
YUNWEI ALL = (YUNWEI) YUNWEI_CMD
GAOJIYUNWEI ALL = (GAOJIYUNWEI) GAOJIYUNWEI_CMD
A script that completes the permission setup (no problems; tested, all the permissions are in place; run sudo -l as one of the users to see the permissions obtained):
useradd net1 && echo '123456' | passwd --stdin net1
useradd yunwei1 && echo '123456' | passwd --stdin yunwei1
useradd gaojiyunwei1 && echo '123456' | passwd --stdin gaojiyunwei1
useradd kaifa1 && echo '123456' | passwd --stdin kaifa1
groupadd net
groupadd kaifa
groupadd yunwei
groupadd gaojiyunwei
usermod -g yunwei yunwei1
usermod -g gaojiyunwei gaojiyunwei1
usermod -g net net1
usermod -g kaifa kaifa1
cat >> /etc/sudoers <<EOF
User_Alias NET = %net
User_Alias KAIFA = %kaifa
User_Alias YUNWEI = %yunwei
User_Alias GAOJIYUNWEI = %gaojiyunwei

## network commands
Cmnd_Alias NET_CMD = /bin/vi, /bin/ping, /bin/traceroute, /sbin/route, /bin/netstat, /bin/ps

## development commands
Cmnd_Alias KAIFA_CMD = /bin/grep, /usr/bin/vim, /bin/vi, /usr/bin/tail, /usr/bin/wc, /bin/ps

## operations commands
Cmnd_Alias YUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

## advanced operations commands
Cmnd_Alias GAOJIYUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, /usr/sbin/usermod, /usr/sbin/userdel

## privileges (run-as users)
Runas_Alias NET = root
Runas_Alias KAIFA = root
Runas_Alias YUNWEI = root
Runas_Alias GAOJIYUNWEI = root

## Runas_Alias OP = root
## mapping
NET ALL = (NET) NET_CMD
KAIFA ALL = (KAIFA) KAIFA_CMD
YUNWEI ALL = (YUNWEI) YUNWEI_CMD
GAOJIYUNWEI ALL = (GAOJIYUNWEI) GAOJIYUNWEI_CMD
EOF
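The script above appends to /etc/sudoers without any validation, and a syntax error there can lock every administrator out of sudo. As an added example (not the post's own script), the version below writes the same policy as a drop-in file, checks it offline, has visudo parse it, and only then installs it. Names assumed by the example: the path /etc/sudoers.d/ops-policy and the functions gen_sudoers, lint_aliases and install_policy. It also departs from the post in two deliberate places: sudoedit replaces /bin/vi and /usr/bin/vim (a full editor run under sudo can launch other programs as root, whereas sudoedit only edits the file), and !/usr/bin/passwd root is added to the advanced-ops alias as it already is in the ops alias.

```shell
#!/bin/sh
# Added example, not from the original post: generate the sudo policy as a
# drop-in file, sanity-check it offline, and install it only once visudo
# accepts it. The drop-in path, the function names, the alias lint, the use of
# sudoedit, and "!/usr/bin/passwd root" in GAOJIYUNWEI_CMD are this example's own.

SUDOERS_DROPIN=/etc/sudoers.d/ops-policy   # assumed target path

# Print the policy. sudoers alias names must be upper-case identifiers.
gen_sudoers() {
    cat <<'EOF'
# user aliases (one per Unix group)
User_Alias NET = %net
User_Alias KAIFA = %kaifa
User_Alias YUNWEI = %yunwei
User_Alias GAOJIYUNWEI = %gaojiyunwei

# command aliases
Cmnd_Alias NET_CMD = sudoedit, /bin/ping, /bin/traceroute, /sbin/route, /bin/netstat, /bin/ps
Cmnd_Alias KAIFA_CMD = /bin/grep, sudoedit, /usr/bin/tail, /usr/bin/wc, /bin/ps
Cmnd_Alias YUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Cmnd_Alias GAOJIYUNWEI_CMD = /bin/chmod, /usr/bin/chattr, /usr/sbin/useradd, /usr/sbin/groupadd, /bin/touch, /bin/mkdir, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, /usr/sbin/usermod, /usr/sbin/userdel

# who the commands may run as
Runas_Alias NET = root
Runas_Alias KAIFA = root
Runas_Alias YUNWEI = root
Runas_Alias GAOJIYUNWEI = root

# user alias -> run-as alias -> command alias
NET ALL = (NET) NET_CMD
KAIFA ALL = (KAIFA) KAIFA_CMD
YUNWEI ALL = (YUNWEI) YUNWEI_CMD
GAOJIYUNWEI ALL = (GAOJIYUNWEI) GAOJIYUNWEI_CMD
EOF
}

# Offline sanity check: every alias a rule references must be defined with the
# matching alias type. Prints each problem and returns non-zero if any was found.
# visudo is the authority; this only catches dangling names, the mistake that is
# easiest to make when a policy is copied between hosts.
lint_aliases() {
    awk '
    /^User_Alias[ \t]/  { users[$2] = 1; next }
    /^Runas_Alias[ \t]/ { runas[$2] = 1; next }
    /^Cmnd_Alias[ \t]/  { cmds[$2]  = 1; next }
    /^[A-Z][A-Z0-9_]*[ \t]+ALL[ \t]*=/ {
        # rule line of the form: USER_ALIAS ALL = (RUNAS_ALIAS) CMND_ALIAS, ...
        if (!($1 in users)) { print "undefined User_Alias: " $1; bad = 1 }
        rest = $0
        sub(/^[^=]*=[ \t]*/, "", rest)
        if (match(rest, /^\([^)]*\)/)) {
            ra = substr(rest, 2, RLENGTH - 2)
            gsub(/[ \t]/, "", ra)
            rest = substr(rest, RLENGTH + 1)
            if (ra != "ALL" && ra ~ /^[A-Z][A-Z0-9_]*$/ && !(ra in runas)) { print "undefined Runas_Alias: " ra; bad = 1 }
        }
        gsub(/[ \t]/, "", rest)
        n = split(rest, parts, ",")
        for (i = 1; i <= n; i++)
            if (parts[i] != "ALL" && parts[i] ~ /^[A-Z][A-Z0-9_]*$/ && !(parts[i] in cmds)) { print "undefined Cmnd_Alias: " parts[i]; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }' "$1"
}

# Write the policy to a temporary file, lint it, let visudo parse it, then
# install it read-only for root. The final step needs root.
install_policy() {
    tmp=$(mktemp) || return 1
    gen_sudoers > "$tmp"
    lint_aliases "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -o root -g root -m 0440 "$tmp" "$SUDOERS_DROPIN" && rm -f "$tmp"
}

# Usage as root: install_policy && echo "policy installed to $SUDOERS_DROPIN"
```

After installation the post's own check still applies: log in as one of the users and run sudo -l to see the permissions obtained. The drop-in is only read if /etc/sudoers contains the line #includedir /etc/sudoers.d, which the stock sudoers files on RHEL/CentOS and Debian do.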

Reference link for the standard template:

https://www.cnblogs.com/superlinux/p/1324d19f9d54eaac83247081c8362ee6.html
