How can an ordinary user be allowed to run commands as root, and how is the sudo command used?

Time: 2021-07-29 18:48:23
From:http://www.redhat.com.cn/kbase/3474.php

Solution:

The sudo command lets a user run commands on RHEL under another identity. sudo differs from su in that it is more flexible and more secure. One of its most important advantages is that every command executed through sudo is written to a log; by default that log is /var/log/secure.

sudo's configuration file is /etc/sudoers. It holds the rules that decide whether a given user may run a given command, and it is recommended to edit those rules with the visudo command shipped in the sudo RPM package.

Suppose we want the user normaluser to be able to run programs as root. First, without making any changes to /etc/sudoers, we try running sudo directly:

$ sudo /sbin/service sendmail restart
Password:
normaluser is not in the sudoers file. This incident will be reported.

The failed sudo invocation is recorded in /var/log/secure:

# tail /var/log/secure
...
Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ;
TTY=pts/2 ; PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart

RHEL has a special "wheel" group, intended for privileged operations. Add the ordinary user to the wheel group (this must be done as root; making wheel a supplementary group is recommended):

# usermod -G normaluser,wheel normaluser

Confirm that the user is now a member of wheel:

# groups normaluser
normaluser : normaluser wheel

Edit the file /etc/sudoers with the visudo command:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

Note the examples and comments in the /etc/sudoers file. To allow members of the 'wheel' group to run commands as root, uncomment the following line:

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

The visudo program uses the same keystrokes as the vi editor.

Then run a privileged command as normaluser:

$ sudo /sbin/service sendmail restart
Password:
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]

/var/log/secure records the execution of that sudo command:

# tail /var/log/secure 
...
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ;
PWD=/home/normaluser ; USER=root ;
COMMAND=/sbin/service sendmail restart
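As an added example (not part of the original article), a small Python parser for the /var/log/secure sudo entries shown in both log excerpts above, separating refused requests such as "user NOT in sudoers" from commands that actually ran. The log lines it processes are constructed; the "command not allowed" entry is assumed here to illustrate a request refused by a sudoers rule rather than by the absence of any rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of /var/log/secure lines (not captured from a real host);
# the first and third mirror the denied and allowed entries shown in the article.
SAMPLE_LOG = """\
Aug 2 14:37:49 somehost sudo: normaluser : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
Aug 2 14:38:10 somehost sshd[2211]: Accepted password for normaluser from 192.0.2.10 port 51234 ssh2
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
Aug 2 15:06:02 somehost sudo: normaluser : command not allowed ; TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service httpd restart
"""

# sudo logs "user : [denial reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...";
# the reason field is present only when the request was refused.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str
    runas: str                    # identity the command was to run as (USER=)
    command: str
    denied_reason: Optional[str]  # None when a sudoers rule matched and the command ran

    @property
    def allowed(self) -> bool:
        return self.denied_reason is None

def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo entry, or None for any other log line."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    return SudoEvent(m["ts"], m["host"], m["user"], m["runas"], m["cmd"], m["reason"])

def audit(log_text: str) -> Dict[str, List[SudoEvent]]:
    """Split the sudo entries in a log into those that ran and those that were refused."""
    report: Dict[str, List[SudoEvent]] = {"allowed": [], "denied": []}
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is not None:
            report["allowed" if event.allowed else "denied"].append(event)
    return report
```

Feeding the output of tail /var/log/secure to audit() gives a quick view of who asked for what as root and which requests were refused.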