Tcp_wrapper&sudo

Source: Internet
Author: User

Tcp_wrapper&sudo
Part one: tcp_wrapper
Access control for network services
1. Works for services built on top of the TCP protocol
2. Only a subset of the application-layer services that use TCP transport can be controlled by it
User space: a library
libwrap.so
Applications linked against this library are managed by tcp_wrapper
ldd `which sshd` // check whether the binary is linked to this library
1. Dynamic link:
The ldd output for the application contains libwrap.so.
ldd $(which COMMAND)
ldd `which vsftpd` | grep wrap
2. Static link:
The strings output for the application contains the two control-file paths
/etc/hosts.allow
/etc/hosts.deny
strings $(which COMMAND)
yum -y install telnet-server
rpm -ql telnet-server
ldd `which in.telnetd` // not linked itself, but in.telnetd is started by the xinetd super daemon, and xinetd is linked to libwrap
ldd `which xinetd` | grep -i libwrap // verify
Note: on CentOS 6 the xinetd super daemon is linked against libwrap.so;
according to this note it is not on CentOS 7, so verify with ldd on your own system before relying on it.
The service then relies on libwrap to perform the access-control check;
Match order:
/etc/hosts.allow ----> /etc/hosts.deny
If neither file matches, the default policy applies, and the default is allow
hosts.allow is checked first: if an entry there matches, access is granted. Otherwise hosts.deny is checked: if an entry there matches, access is denied. Otherwise the default policy (allow) applies
Format:
daemon_list : client_list [: options]
daemon_list:
1. The file name of a single program (the executable name, not the service name), for example vsftpd
2. A comma-separated list of program file names:
vsftpd, sshd, in.telnetd
3. ALL: every program controlled by TCP wrappers
client_list:
1. A single host: IP address or host name
2. A network: use the full net/mask form or the short trailing-dot form; a CIDR prefix length is not accepted here
172.16.0.0/255.255.0.0 // a net/mask pair matches when (address AND mask) equals net, so the net part must itself be the network address; 172.16.1.0/255.255.0.0 would never match anything
172.16.1. // the trailing dot must not be omitted; it is what makes the token a prefix rather than a host
3. ALL: all hosts
4. KNOWN, UNKNOWN, PARANOID
KNOWN: both forward and reverse resolution of the client's host name succeed
UNKNOWN: the client's address cannot be reverse-resolved (name or address unknown)
PARANOID: forward and reverse resolution do not agree (the name does not map back to the address)
EXCEPT: exclusion
vsftpd: 172.16. EXCEPT 172.16.1.0/255.255.255.0
vsftpd: 172.16. EXCEPT 172.16.1.0/255.255.255.0 EXCEPT 172.16.1.1
172.16.1.1 is allowed: the list is parsed as a EXCEPT (b EXCEPT c), so the double negation makes it match again
[: options]
deny: deny access; mainly used in /etc/hosts.allow
vsftpd: 172.16.1.1: deny
allow: allow access; mainly used in /etc/hosts.deny
sshd: 172.16.1. : allow
spawn: run an external program when the entry matches
sshd: ALL: spawn /bin/echo $(date) login attempt from %c to %s, %d >> /var/log/sshd.log
Macros available in hosts.allow/hosts.deny:
%c: client information: user@host, user@address, a host name, or just an address
%s: server information: daemon@host, daemon@address, or just the daemon name
%d: daemon (process) name
%p: daemon process ID
%u: client user name (from ident), or "unknown"
To log every attempt to reach sshd and deny all of them:
1. Log in hosts.allow (the entry must also carry the deny option, otherwise a hosts.allow match grants access before hosts.deny is ever consulted)
2. Deny everyone in hosts.deny
Or: just write the following single line into /etc/hosts.deny
sshd: ALL: spawn /bin/echo $(date) login attempt from %c to %s, %d >> /var/log/sshd.log

Note: if this sshd: line is written in hosts.allow instead, it logs the attempt and allows it
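The matching procedure above (hosts.allow first, then hosts.deny, default allow; trailing-dot prefixes, net/mask pairs, EXCEPT chaining, and the allow/deny/spawn options) is small enough to model end to end. The following is an added example written for this page, not tcp_wrappers' own code: a Python evaluator of those documented rules, run over constructed hosts.allow/hosts.deny text that includes the 172.16.1.1 double-EXCEPT case and the net/mask pitfall. The server address 172.16.1.254 substituted for %s is an assumption, host names are not resolved (so KNOWN/UNKNOWN/PARANOID are not modelled), and spawn commands are returned rather than executed.

```python
"""Evaluator for the hosts.allow / hosts.deny procedure described above.

Added example modelling the documented semantics; not tcp_wrappers' own code.
hosts.allow is consulted first, then hosts.deny, and an unmatched client is
allowed. Client tokens: ALL, an IP literal, a trailing-dot prefix (172.16.1.),
net/mask (172.16.0.0/255.255.0.0) and EXCEPT chaining. Options: allow, deny,
spawn (expanded and returned, not run; assumed to be the last option on its
line). All rule text and addresses below are constructed samples.
"""
import ipaddress
import re


def masked_match(pattern, addr):
    """net/mask matches when (addr AND mask) == net, as hosts_access(5) says.
    The net part must already be a network address: 172.16.1.0/255.255.0.0
    can never match, because 172.16.x.y AND 255.255.0.0 is 172.16.0.0."""
    net_s, mask_s = pattern.split("/", 1)
    net = int(ipaddress.IPv4Address(net_s))
    mask = int(ipaddress.IPv4Address(mask_s))
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def token_match(token, client):
    """One client_list token against a client IP address."""
    if token.upper() == "ALL":
        return True
    if "/" in token:
        return masked_match(token, client)
    if token.endswith("."):
        # '172.16.1.' is a prefix; without the trailing dot it would be a host
        return client.startswith(token)
    return token == client


def list_match(expr, client):
    """client_list with EXCEPT: 'a EXCEPT b EXCEPT c' means a EXCEPT (b EXCEPT c),
    so a client listed in c matches again (double negation)."""
    head, *rest = re.split(r"\s+EXCEPT\s+", expr.strip(), maxsplit=1, flags=re.I)
    hit = any(token_match(t, client) for t in re.split(r"[,\s]+", head) if t)
    if hit and rest:
        return not list_match(rest[0], client)
    return hit


def daemon_match(daemon_list, daemon):
    """daemon_list is ALL or comma-separated program file names (sshd, vsftpd)."""
    return any(d.strip() in ("ALL", daemon) for d in daemon_list.split(","))


def parse_rules(text):
    """Return (daemon_list, client_list, options) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("rule needs daemon_list:client_list: %r" % line)
        rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else ""))
    return rules


def expand_macros(cmd, daemon, client, server):
    """%c client info, %d daemon name, %s server info (daemon@address)."""
    return (cmd.replace("%c", client)
               .replace("%d", daemon)
               .replace("%s", "%s@%s" % (daemon, server)))


def hosts_access(daemon, client, allow_text, deny_text, server="172.16.1.254"):
    """Return (verdict, matched rule or None, expanded spawn command or None)."""
    for file_verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if not (daemon_match(daemons, daemon) and list_match(clients, client)):
                continue
            verdict, spawn = file_verdict, None
            for opt in options.split(":"):
                opt = opt.strip()
                if opt.lower() in ("allow", "deny"):
                    verdict = opt.lower()  # the option overrides the file's meaning
                elif opt.lower().startswith("spawn"):
                    spawn = expand_macros(opt[5:].strip(), daemon, client, server)
            return verdict, "%s: %s" % (daemons, clients), spawn  # first match decides
    return "allow", None, None  # nothing matched: default policy


# Constructed sample files, not copied from any real host.
HOSTS_ALLOW = """
vsftpd: 172.16. EXCEPT 172.16.1.0/255.255.255.0 EXCEPT 172.16.1.1
sshd: 10.0.0.66 : deny
"""
HOSTS_DENY = """
sshd: ALL: spawn /bin/echo $(date) login attempt from %c to %s, %d >> /var/log/sshd.log
vsftpd: ALL
"""


def decide(daemon, client):
    return hosts_access(daemon, client, HOSTS_ALLOW, HOSTS_DENY)


if __name__ == "__main__":
    for d, c in [("vsftpd", "172.16.5.5"), ("vsftpd", "172.16.1.7"),
                 ("vsftpd", "172.16.1.1"), ("sshd", "10.0.0.66"),
                 ("sshd", "192.168.0.3"), ("in.telnetd", "192.168.0.3")]:
        print(d, c, "->", decide(d, c))
```

Running it shows vsftpd from 172.16.5.5 allowed by the prefix, 172.16.1.7 falling through to the hosts.deny `vsftpd: ALL` entry, 172.16.1.1 allowed again by the double EXCEPT, sshd from 10.0.0.66 denied by the `: deny` option even though the entry sits in hosts.allow, and in.telnetd allowed by the default policy because no entry names it.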

Part two: su (switch user) and sudo
Switching users
1. su - USER, su -l USER // login-shell switch
2. su USER // non-login switch
-c "command" // run the command as that user
su wolf -c 'rm aa'
sudo: run a command as another user
Authorization file for sudo: /etc/sudoers // when several entries match, the last matching entry wins
Two kinds of content:
1. Alias definitions, which act as variables
2. Authorization entries, which may use the aliases

visudo: edits /etc/sudoers with syntax checking (it locks the file and refuses to save a malformed one)
Note: rights granted in sudoers take effect only when the command is run through sudo
Authorization entries (one per line)
who  where = (runas)  commands
who:
username: a single user
#uid: a single user, by UID
%group: all users in a group
%#gid: all users in a group, by GID
User_Alias: a user alias; define several users under one alias and then authorize the alias directly
where: host
IP or host name: a single host
NETADDR: a network address, with a netmask or a CIDR prefix (both are supported)
Host_Alias: a host alias
runas:
username
#uid
Runas_Alias
commands:
command: the full path of a program, optionally followed by argument patterns
directory: a path ending in "/" grants every program directly inside that directory
sudoedit: a built-in pseudo-command (not a path) that lets the user edit a file as the runas user via sudo -e / sudoedit; granting sudoedit on /etc/sudoers lets that user hand out sudo rights to others, so treat it as equivalent to root
Cmnd_Alias: a command alias grouping several commands under one name
Defining aliases:
Alias_Type NAME = item1, item2, ...

Alias_Type:
User_Alias
Host_Alias
Runas_Alias
Cmnd_Alias
NAME: the alias name must start with an uppercase letter and contain only uppercase letters, digits and underscores

Note: $ sudo su - // a user allowed to run su through sudo switches straight to root
Likewise, a user in the wheel group can switch to root using their own password
less /etc/sudoers
%wheel // this group may run any command; to give a user these rights, just add them to the group
Common tags:
NOPASSWD
PASSWD
Wheel group:
usermod -aG wheel wolf // add wolf to the wheel group
su - wolf
sudo -l // shows that wolf can run every command and can switch to root
sudo usage
sudo [options] COMMAND
-u USER: run the command as the given user
-l: list the commands the caller may run through sudo
-k: discard the cached authentication, so the next sudo asks for the password again
sudo -u admin ls /root // denied unless sudoers grants the caller the right to run as admin (and admin itself may not read /root)
Lab 1: grant wolf the right to run useradd and usermod
visudo
wolf ALL=(root) /usr/sbin/useradd, /usr/sbin/usermod
who  where=(runas)  commands
sudo useradd tt
Lab 2: using aliases
User_Alias USERADMINS = wolf, centos
Cmnd_Alias COMMANDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd
visudo
USERADMINS ALL=(root) COMMANDS
sudo useradd user1
Note: at this point the root password can be changed as well: passwd root // the entry allows /usr/bin/passwd with any argument, root included
Lab 3: forbid changing the root password
Cmnd_Alias COMMANDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel
The negated entry must come after the wildcard entry, because the last matching entry wins; note also that sudoers matches the whole argument string against the wildcard, so "*" matches across spaces as well
Lab 4: sudo without a password
wolf ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod
wolf ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, PASSWD: /usr/sbin/userdel // a password is still required for userdel
Lab 5: pseudo administrator
wolf ALL=(root) /bin/su // su is /bin/su on CentOS 6 and /usr/bin/su on CentOS 7 (check with `which su`), not /usr/sbin/su; with this entry wolf is effectively root
wolf $ sudo su - // switches straight to root, authenticating with wolf's own password
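To see why Lab 3 denies passwd root while the Lab 4 tags and the Lab 5 su entry behave as they do, here is an added example written for this page (not sudo's own code): a Python model of sudoers matching with User_Alias/Cmnd_Alias expansion, runas, NOPASSWD/PASSWD tags, "!" negation, wildcard argument matching and last-match-wins, run over a constructed sudoers text that merges Labs 2 to 5. The user alice, the wheel membership table and the user bob are assumptions; Defaults, Host_Alias, Runas_Alias, #uid and %#gid are deliberately left out.

```python
"""Model of the sudoers matching used in Labs 1-5 above (added example of the
documented semantics, not sudo's own code): User_Alias/Cmnd_Alias expansion,
(runas), NOPASSWD/PASSWD tags, '!' negation, wildcard argument matching and
last-match-wins. Host is reduced to ALL; Defaults, Host_Alias, Runas_Alias,
#uid and %#gid are not modelled. The sudoers text and groups are constructed."""
import fnmatch
import re

SUDOERS = """
User_Alias  USERADMINS = wolf, centos
Cmnd_Alias  COMMANDS = /usr/sbin/useradd, /usr/sbin/usermod, /usr/bin/passwd [a-z]*, !/usr/bin/passwd root, /usr/sbin/userdel
%wheel      ALL=(ALL) ALL
USERADMINS  ALL=(root) COMMANDS
wolf        ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod, PASSWD: /usr/sbin/userdel
"""
GROUPS = {"wheel": {"alice"}}  # constructed group membership table


def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, [(who, host, runas, [cmds]), ...])."""
    user_aliases, cmnd_aliases, specs = {}, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(User_Alias|Cmnd_Alias)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.*)", line)
        if m:  # alias names must be upper case, as the page notes
            table = user_aliases if m.group(1) == "User_Alias" else cmnd_aliases
            table[m.group(2)] = split_list(m.group(3))
            continue
        m = re.match(r"(\S+)\s+([^=\s]+)\s*=\s*(?:\((\S+)\)\s*)?(.*)", line)
        if not m:
            raise ValueError("unparsed sudoers line: %r" % line)
        who, host, runas, cmds = m.groups()
        specs.append((who, host, runas or "root", split_list(cmds)))
    return user_aliases, cmnd_aliases, specs


def expand_cmnds(items, cmnd_aliases, tag="PASSWD", negated=False):
    """Flatten a command list into (negated, path, arg pattern, tag), in order.
    A tag stays in force for the rest of the list; '!' inverts an entry."""
    out = []
    for item in items:
        m = re.match(r"(NOPASSWD|PASSWD):\s*(.*)", item)
        if m:
            tag, item = m.group(1), m.group(2)
        neg = negated ^ item.startswith("!")
        item = item.lstrip("!")
        if item in cmnd_aliases:
            out.extend(expand_cmnds(cmnd_aliases[item], cmnd_aliases, tag, neg))
        else:
            path, _, args = item.partition(" ")
            out.append((neg, path, args.strip(), tag))
    return out


def cmnd_match(path_pat, arg_pat, cmd, args):
    """ALL matches anything; a pattern ending in '/' matches files directly in
    that directory; no arg pattern allows any arguments and '""' requires none.
    Arguments are compared as ONE space-separated string, so '*' crosses spaces."""
    if path_pat == "ALL":
        return True
    if path_pat.endswith("/"):
        if cmd.rsplit("/", 1)[0] + "/" != path_pat:
            return False
    elif not fnmatch.fnmatchcase(cmd, path_pat):
        return False
    if arg_pat == "":
        return True
    if arg_pat == '""':
        return args == ""
    return fnmatch.fnmatchcase(args, arg_pat)


def user_match(who, user, groups, user_aliases):
    if who in ("ALL", user):
        return True
    if who.startswith("%"):
        return user in groups.get(who[1:], ())
    return any(user_match(w, user, groups, user_aliases) for w in user_aliases.get(who, ()))


def check(sudoers, user, cmd, args="", runas="root", groups=None):
    """None when denied, else the tag (NOPASSWD/PASSWD) of the deciding entry:
    every matching entry is visited and the LAST match wins."""
    user_aliases, cmnd_aliases, specs = parse_sudoers(sudoers)
    result = None
    for who, host, ra, cmds in specs:
        if host != "ALL" or ra not in ("ALL", runas) \
                or not user_match(who, user, groups or {}, user_aliases):
            continue
        for neg, path_pat, arg_pat, tag in expand_cmnds(cmds, cmnd_aliases):
            if cmnd_match(path_pat, arg_pat, cmd, args):
                result = None if neg else tag
    return result


def decide(user, cmd, args="", runas="root"):
    return check(SUDOERS, user, cmd, args, runas, GROUPS)
```

With this table, `decide("wolf", "/usr/sbin/useradd", "tt")` returns NOPASSWD because wolf's own line comes after the USERADMINS line and the last match wins, `decide("wolf", "/usr/bin/passwd", "root")` returns None because the negated entry follows the wildcard entry, and `decide("wolf", "/usr/bin/passwd", "wolf root")` is still allowed: `[a-z]*` is matched against the whole argument string, which is the sudoers(5) wildcard caveat, so where the argument list matters use an exact pattern or `""` rather than relying on a negation.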
