解决方法:
sudo命令允许用户在RHEL上以另外一个身份执行命令。sudo命令和su命令是不一样的,sudo更加灵活和安全。一个最重要的好处是它能在日志中记录所有通过sudo做的命令操作,默认记录日志为/var/log/secure。
sudo命令的配置文件为/etc/sudoers,该文件保存用来决定是否允许一个用户执行某个命令的规则定义,一般推荐用户用sudo的RPM包携带的visudo命令来对规则进行编辑定义。
假设我们希望normaluser这个用户能以root身份来执行程序,首先我们不对/etc/sudoers进行任何配置,直接使用sudo来执行:
$ sudo /sbin/service sendmail restart
Password:
normaluser is not in the sudoers file. This incident will be reported.
sudo命令的失败执行会记录在/var/log/secure中:
# tail /var/log/secure
...
Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ;
TTY=pts/2 ; PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart
在红帽RHEL中有一个特殊的“wheel”组,该组主要是用来完成一些特权操作。把普通用户添加到wheel组中(必须以root身份来做,并且建议wheel作为辅组):
# usermod -G normaluser,wheel normaluser
确认用户现在已经是wheel成员:
# groups normaluser
normaluser : normaluser wheel
使用visudo命令来编辑文件/etc/sudoers:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
请注意/etcsudoers文件里面的示例和注释,为了允许'wheel'组成员能以root身份运行命令,去掉下面一行的注释:
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
vsisudo程序使用使用和vi编辑器一样快捷键,来进行操作。
然后以normaluser用户执行特权命令:
$ sudo /sbin/service sendmail restart
Password:
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
/var/log/secure会记录该sudo命令的执行:
# tail /var/log/secure
...
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ;
PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart