Linux-sudo Configuration

In Linux, we use sudo to command to reduce the use of root user time, and improve security, the following is a brief explanation of how to configure, mainly records, afraid to forget.

System environment:

[Email protected] ~]# cat/etc/redhat-release

CentOS Linux release 7.3.1611 (Core)

[Email protected] ~]# uname-r

3.10.0-514.26.2.el7.x86_64

Configuration file path:/etc/sudoers

[[email protected] ~]# Vim/etc/sudoers (although the implementation of Visudo can also enter the editor, but it is recommended to use this)

1 # # Sudoers allows particular users to run various commands as

2 # # Root user, without needing the root password.

3 # #

4 # # Examples is provided at the bottom of the file for collections

5 # of related commands, which can then is delegated out to particular

6 # # users or groups.

7 # #

8 # # This file must is edited with the ' Visudo ' command.

9

Ten # # Host Aliases

# # Groups of machines. Prefer to use hostnames (perhaps using

# # # wildcards for entire domains) or IP addresses instead.

# Host_alias fileservers = FS1, FS2

# Host_alias mailservers = SMTP, SMTP2

15

-# # User Aliases

# # # These aren ' t often necessary, as can use regular groups

# # # (ie, from files, LDAP, NIS, etc) in the File-just use%groupname

# # # rather than Useralias

# User_alias ADMINS = jsmith, Mikem

21st

22

# # Command Aliases

# # # These is groups of related commands ...

25

# # Networking

Cmnd_alias NETWORKING =/sbin/route,/sbin/ifconfig,/bin/ping,/sbin/dhclient,/usr/bin/net,/sbin/iptables,/usr/b In/rfcomm,/usr/bin/wvdial,/sbin/iwconfig,/sbin/mii-tool

28

# # Installation and management of software

# Cmnd_alias software =/bin/rpm,/usr/bin/up2date,/usr/bin/yum

31

# # Services

Cmnd_alias SERVICES =/sbin/service,/sbin/chkconfig,/usr/bin/systemctl start,/usr/bin/systemctl stop,/usr/bin/sy Stemctl Reload,/usr/bin/systemctl restart,/usr/bin/systemctl status,/usr/bin/systemctl enable,/usr/bin/systemctl D Isable

34

# # Updating The Locate database

# Cmnd_alias LOCATE =/usr/bin/updatedb

37

# # # Storage

Cmnd_alias STORAGE =/sbin/fdisk,/sbin/sfdisk,/sbin/parted,/sbin/partprobe,/bin/mount,/bin/umount

40

* # Delegating permissions

Cmnd_alias delegating =/usr/sbin/visudo,/bin/chown,/bin/chmod,/BIN/CHGRP

43

# # Processes

Cmnd_alias PROCESSES =/bin/nice,/bin/kill,/usr/bin/kill,/usr/bin/killall

46

* # Drivers

# Cmnd_alias DRIVERS =/sbin/modprobe

49

# Defaults Specification

51

52 #

Refuse to run if unable to disable echo on the TTY.

54 #

Defaults!VISIBLEPW

56

57 #

Preserving HOME has security implications since many programs

The use of it when the searching for configuration files. Note that HOME

Already set when the Env_reset option is enabled, so

# This option was only effective for configurations where either

Env_reset is disabled or HOME is present in the Env_keep list.

63 #

Defaults Always_set_home

65

Defaults Env_reset

Defaults env_keep = "COLORS DISPLAY HOSTNAME histsize kdedir ls_colors"

Defaults Env_keep + = "MAIL PS1 PS2 qtdir USERNAME LANG lc_address lc_ctype"

Defaults Env_keep + = "Lc_collate lc_identification lc_measurement lc_messages"

Defaults Env_keep + = "Lc_monetary lc_name lc_numeric lc_paper lc_telephone"

Defaults Env_keep + = "Lc_time lc_all LANGUAGE linguas _xkb_charset xauthority"

72

73 #

# Adding HOME to Env_keep if enable a user to run unrestricted

# commands via sudo.

76 #

# Defaults Env_keep + = "HOME"

78

Defaults Secure_path =/sbin:/bin:/usr/sbin:/usr/bin

80

Bayi # # Next comes the main Part:which users can run what software on

Which machines (the sudoers file can be shared between multiple

# # # Systems).

# # # Syntax:

85 # #

* # # User Machine=commands

87 # #

The COMMANDS section of * * May has the other options added to it.

89 # #

# # Allow Root to run any commands anywhere

All= root (All) all

Wxh-docker all= (Root)/usr/bin/systemctl

93

94 # Allows members of the "SYS" group to run networking, software,

# # Service Management apps and more.

%sys all = NETWORKING, software, SERVICES, STORAGE, delegating, PROCESSES, LOCATE, DRIVERS

97

98 # allows people in group wheel to run all commands

%wheel all= (All) all

100

101 # Same thing without a password

102 #%wheel All= (All) Nopasswd:all

103

104 # Allows members of the users group to mount and unmount the

* # CDROM as root

106 #%users All=/sbin/mount/mnt/cdrom,/sbin/umount/mnt/cdrom

107

108 # Allows members of the users group to shutdown this system

109 #%users Localhost=/sbin/shutdown-h now

110

111 # # Read Drop-in Files from/etc/sudoers.d (the # here does not mean a comment)

/ETC/SUDOERS.D #includedir

Explain:

In fact, the core of this configuration file is a command format:

User source host ip/Domain name = (authorized user) command

Group source host ip/Domain name = (authorized user) command

All of these can be defined at the beginning of the file alias, a set of user/ip/commands such as integration into a

All= root (All) all

Wxh-docker all= (Root)/usr/bin/systemctl

With the 91st and 92 behavior examples, line 91st is the default, and line 92nd is the one I added

This line means: Allow Wxh-docker this user to connect to this host in any location (unlimited source IP) and can run the Systemctl command as root

This article is from the "Breeze Month Blog" blog, please be sure to keep this source http://watchmen.blog.51cto.com/6091957/1952460

Linux-sudo Configuration