The configuration file (/etc/sudoers) provides centralized management of users, privileges, hosts and other parameters.
After a successful password check, the user is not asked for the password again for the next 5 minutes (the default timestamp_timeout; run sudo -k to drop the cached credential early).
Lab environment: Red Hat Enterprise Linux Server release 7.3
1. Test whether an ordinary user can delete files created by root
Files created by root in /test, followed by the identity of the unprivileged user test:
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
uid=1004(test) gid=1005(test) groups=1005(test)
Last login: Thu Jul 18 02:17:11 EDT 2019 on pts/0
[test@localhost ~]$ cd /test
[test@localhost test]$ ll
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ rm -rf test.dir/
rm: cannot remove ‘test.dir/’: Permission denied
[test@localhost test]$ rm -rf test.txt
rm: cannot remove ‘test.txt’: Permission denied
[test@localhost test]$ ll
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
2. Configure sudo with visudo
Always edit /etc/sudoers through visudo rather than directly: it locks the file and refuses to save a syntactically invalid one, so a typo cannot lock everyone out of sudo. A rule reads who hosts=(runas) commands, so test ALL=(ALL) ALL lets test run any command as any user on any host. The test line is the one added here; the others are from the stock RHEL 7 file, where the %wheel NOPASSWD line ships commented out.
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
root ALL=(ALL) ALL
test ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
3. Delete root's files as an ordinary user through sudo
sudo prompts for the invoking user's own password, not root's, so test needs one:
Changing password for user test.
passwd: all authentication tokens updated successfully.
Last login: Thu Jul 18 02:34:50 EDT 2019 on pts/0
[test@localhost ~]$ cd /test/
[test@localhost test]$ ll
drwxr-xr-x. 2 root root 6 Jul 18 02:19 test.dir
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ rm -rf test.dir/
rm: cannot remove ‘test.dir/’: Permission denied
[test@localhost test]$ rm -rf test.txt
rm: cannot remove ‘test.txt’: Permission denied
[test@localhost test]$ sudo rm -rf test.dir/
[sudo] password for test:
[test@localhost test]$ ll
-rw-r--r--. 1 root root 0 Jul 18 02:19 test.txt
[test@localhost test]$ sudo rm -rf test.txt
[test@localhost test]$ ll
4. Passwordless sudo (NOPASSWD)
With the rule from step 2, sudo asks for the password once per 5-minute window:
[test@localhost test]$ sudo cat /etc/shadow
[sudo] password for test:
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
*** some output omitted ***
[test@localhost test]$ id test2
uid=1006(test2) gid=1007(test2) groups=1007(test2)
Change the test rule in visudo to carry the NOPASSWD tag:
%wheel ALL=(ALL) NOPASSWD: ALL
test ALL=(ALL) NOPASSWD: ALL
From now on sudo runs any command as root without asking test for a credential. That is equivalent to an unprompted root shell: whoever compromises the test account, or any process running as test, gets root with no further authentication. If NOPASSWD is needed at all, pair it with a fixed command list rather than ALL.
[test@localhost ~]$ sudo cat /etc/shadow
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
*** some output omitted ***
5. Granting only part of the privileges
Files created by root in /tmp:
drwxr-xr-x. 2 root root 6 Jul 18 03:01 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file
sudoers requires the absolute path of each command; whereis cat shows where the binary lives:
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz
Replace the test rule in visudo with one that allows only cat:
test ALL=(ALL) /usr/bin/cat
Last login: Thu Jul 18 03:06:55 EDT 2019 on pts/0
[test@localhost ~]$ sudo cat /etc/shadow
root:$6$YZrm6scxO5zzICbR$fOzORb.0Ib9POZzJmrnzOGDqfFySp8X.9p5QpcpnJXWHIJvZcFpXQONyNigwrZbhXtyfnFn5F1mJsdkXS3jEF/::0:99999:7:::
bin:*:16925:0:99999:7:::
daemon:*:16925:0:99999:7:::
adm:*:16925:0:99999:7:::
*** some output omitted ***
A command listed without arguments matches any arguments, so this rule still lets test read /etc/shadow, and every other file, as root. To narrow it, list the permitted arguments in the rule (for example /usr/bin/cat /var/log/messages) and confirm the effective rules with sudo -l.
Deleting root's files is outside the rule. The attempts below are made without sudo and are stopped by ordinary file permissions; sudo rm would be refused as well, because only /usr/bin/cat is listed for test.
[test@localhost ~]$ cd /tmp
[test@localhost tmp]$ ll
drwxr-xr-x. 2 root root 6 Jul 18 03:06 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file
[test@localhost tmp]$ rm -rf dir
rm: cannot remove ‘dir’: Permission denied
[test@localhost tmp]$ rm -rf file
rm: cannot remove ‘file’: Permission denied
[test@localhost tmp]$ ll
drwxr-xr-x. 2 root root 6 Jul 18 03:06 dir
-rw-r--r--. 1 root root 0 Jul 18 03:01 file