Notes on the sudoers file (Part 1)

Date: 2021-10-23 12:50:40

The sudoers file: "deny" versus "allow"

##Cmnd_Alias by umbe##
Cmnd_Alias   USERCMD = !/usr/bin/passwd,/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

I. What each command entry does
1. The configuration is:
Cmnd_Alias USERCMD = !/usr/bin/passwd
Result:
[ett@www2 ~]$ sudo passwd   => refused even with no arguments
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
[ett@www2 ~]$ sudo passwd root   => refused with an argument as well
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd root' as root on www2.
[ett@www2 ~]$

Conclusion: with only the single entry !/usr/bin/passwd, the user is refused the passwd command entirely, whether or not arguments are given.
----------------------------------------------------------------------
2. When the configuration is:
Cmnd_Alias USERCMD = /usr/bin/passwd
Result:
[ett@www2 ~]$ sudo passwd
Changing password for user root.  => by default this changes root's password. Frightening, isn't it? Imagine an ordinary user holding this privilege!
New UNIX password:

Conclusion: if an ordinary user is to manage other accounts and their passwords, this hole must be closed so that they cannot change root's password; otherwise they are all-powerful.

----------------------------------------------------------------------
3. When the configuration is:
Cmnd_Alias USERCMD = !/usr/bin/passwd,/usr/bin/passwd [A-Za-z]*
[ett@www2 ~]$ sudo /usr/bin/passwd root => the second entry matches, so the password of any account whose name starts with a letter can be changed
Changing password for user root.
New UNIX password:
[ett@www2 ~]$ sudo /usr/bin/passwd  => with no user given, execution is refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
[root@www2 ~]$ useradd 123  => add a user whose name starts with a digit
[ett@www2 ~]$ sudo passwd 123
Sorry, user umbe is not allowed to execute '/usr/bin/passwd 123' as root on www2.

Conclusion: the entry "/usr/bin/passwd [A-Za-z]*" means that passwd must be followed by a user name, and that name must begin with a letter. If passwd is given no user, or a user whose name begins with a digit, the command is refused.

----------------------------------------------------------------------
4. When the configuration is:
Cmnd_Alias USERCMD =!/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root

[ett@www2 ~]$ sudo /usr/bin/passwd root  => changing root's password is not allowed
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd root' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd   => with no user given, execution is refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd oldboy  => passwords of other accounts starting with a letter can be changed
Changing password for user oldboy.
New UNIX password:
Conclusion: !/usr/bin/passwd root prevents the user from changing root's password.

----------------------------------------------------------------------
5. When the configuration is:
Cmnd_Alias USERCMD = /usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root

[ett@www2 ~]$ sudo /usr/bin/passwd   => nothing in the configuration matches, so execution is refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd 001  => only accounts starting with a letter are allowed, so an account starting with a digit is refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd 001' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd root  => the configuration explicitly forbids changing root, so it is refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd root' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd oldboy  => the password of an account starting with a letter can be changed
Changing password for user oldboy.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[ett@www2 ~]$
Conclusion: if the configuration has no entry matching the command, the command is refused by default anyway. So why add !/usr/bin/passwd at all? To be thorough.
----------------------------------------------------------------------
II. How the order of command entries affects the result
1. The configuration is:
Cmnd_Alias USERCMD =!/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd

[ett@www2 ~]$ sudo /usr/bin/passwd oldboy  => refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd oldboy' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd root  => refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd root' as root on www2.
[ett@www2 ~]$ sudo /usr/bin/passwd   => refused
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
[ett@www2 ~]$
Conclusions:
1. sudoers reads the command entries from back to front: the last matching entry decides.
2. Moving !/usr/bin/passwd around shows that when !/usr/bin/passwd is placed last, every use of the passwd command is refused.
----------------------------------------------------------------------
2. The configuration is:
Cmnd_Alias USERCMD =!/usr/bin/passwd,!/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*
[ett@www2 ~]$ sudo /usr/bin/passwd oldboy   => changing a user whose name starts with a letter is allowed
Changing password for user oldboy.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[ett@www2 ~]$ sudo passwd root   => changing root is allowed as well
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[ett@www2 ~]$ sudo /usr/bin/passwd  => with no user given, execution is not allowed
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd' as root on www2.
Conclusions:
1. sudoers reads the command entries from back to front: the last matching entry decides.
2. If the allow entry is read first and the deny entry afterwards, the allow takes effect and the deny is void. This is why, in reading order, !/usr/bin/passwd must come after /usr/bin/passwd [A-Za-z]* (that is, earlier in the file).

----------------------------------------------------------------------
Conclusions:
1. If the configuration has no entry matching the command, the command is refused by default. Even though it is refused anyway, write the deny out explicitly: first to be thorough, and second because it is more reassuring to have spelled it out yourself.
2. sudoers reads the command entries from back to front: the last matching entry decides.
3. Moving !/usr/bin/passwd around shows that when !/usr/bin/passwd is placed last, every use of the passwd command is refused.
4. For the same command with different arguments, the narrower the argument range, the further back the entry goes. (Deny or allow, a narrower range goes later; this is distinct from the containment relationship in section III.)
!/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root: the arguments of these three entries all fall within the range of /usr/bin/passwd (this is not a containment relationship).
!/usr/bin/passwd  => passwd may not be executed at all, with or without arguments
/usr/bin/passwd [A-Za-z]*   => passwd may be executed, but only to change the password of an account whose name starts with a letter
!/usr/bin/passwd root   => root's password may not be changed
Of these, !/usr/bin/passwd  => means deny everything; its range is the widest, so it goes first
/usr/bin/passwd [A-Za-z]*   => next in range: only accounts starting with a letter, which is narrower than !/usr/bin/passwd
!/usr/bin/passwd root  => this entry is pinned to one user, so its range is narrower than /usr/bin/passwd [A-Za-z]*, and it goes last

5. The range of a command entry must be narrowed level by level; skipping a level makes the entry ineffective.
III. Containment
In a containment relationship:
    allow first, deny later  => the deny takes effect
    deny first, allow later  => the deny is void
    entries are read from back to front  => this is the important part
Take this as an example:
1. Cmnd_Alias USERCMD =!/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*
Deny first, allow later.
Note: /usr/bin/passwd root is contained in /usr/bin/passwd [A-Za-z]*

[ett@www2 ~]$ sudo /usr/bin/passwd root   => root's password can be changed
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[ett@www2 ~]$

2. Cmnd_Alias USERCMD =/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Allow first, deny later.
[ett@www2 ~]$ sudo /usr/bin/passwd root  => root's password cannot be changed
[sudo] password for ett:
Sorry, user ett is not allowed to execute '/usr/bin/passwd root' as root on www2.
[ett@www2 ~]$
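The "read from back to front, last match wins" rule from sections I to III can be checked without touching a live system. The following is an added illustration, not sudo's own code or anything from the original post: it models sudo's cmndlist_match() and command_args_match() behaviour for a Cmnd_Alias (full command path, fnmatch on the argument pattern), and the two alias strings are the post's section I.4 and II.1 configurations reused as constructed test data.

```python
# Added illustration, not sudo's own code: a minimal model of how sudoers decides a
# command under a Cmnd_Alias that mixes allow entries and '!' deny entries. Like
# sudo's cmndlist_match(), it walks the alias from the LAST entry to the first and
# returns the verdict of the first entry that matches; no match at all means deny.
import fnmatch
import shlex


def parse_cmnd_alias(spec):
    """Parse 'Cmnd_Alias NAME = a, !b args' into [(negated, path, args_pattern)].
    args_pattern is None when an entry lists no arguments (sudoers: any args match)."""
    _, _, rhs = spec.partition("=")
    entries = []
    for member in rhs.split(","):
        member = member.strip()
        if not member:                      # tolerate a stray trailing comma
            continue
        parts = member.lstrip("!").split(None, 1)
        entries.append((member.startswith("!"), parts[0],
                        parts[1] if len(parts) > 1 else None))
    return entries


def entry_matches(path, args_pattern, cmd_path, user_args):
    """Mirror sudo's command_args_match(): no pattern => any args match; otherwise
    the user's args, joined by spaces, must fnmatch the pattern. So '[A-Za-z]*'
    rejects both an empty argument list and a name such as '123'."""
    if path != cmd_path:
        return False
    if args_pattern is None:
        return True
    return fnmatch.fnmatchcase(" ".join(user_args), args_pattern)


def sudo_permits(alias_spec, command):
    """True if sudo would run `command` (full path plus args) under this alias."""
    argv = shlex.split(command)
    for negated, path, pattern in reversed(parse_cmnd_alias(alias_spec)):
        if entry_matches(path, pattern, argv[0], argv[1:]):
            return not negated              # last matching entry wins
    return False                            # nothing matched: deny by default


# The post's section I.4 and II.1 aliases, reused here as constructed test data.
GOOD_ORDER = "Cmnd_Alias USERCMD = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root"
BAD_ORDER = "Cmnd_Alias USERCMD = !/usr/bin/passwd root, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd"

if __name__ == "__main__":
    for cmd in ("/usr/bin/passwd", "/usr/bin/passwd 123", "/usr/bin/passwd oldboy", "/usr/bin/passwd root"):
        print(f"{cmd:24} I.4 order: {sudo_permits(GOOD_ORDER, cmd)!s:5}  II.1 order: {sudo_permits(BAD_ORDER, cmd)}")
```

The ordering rule modelled here only decides which alias entry wins; sudoers(5) additionally warns that '!' entries cannot reliably subtract a command from a broader allow such as ALL, because the user can copy the binary under another name.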

Teacher Oldboy's comment: two words, very good. Only by practising yourself and thinking with your own head do you get the best results.

This article comes from the blog "八一杠一的博客"; please keep this attribution: http://yapeng.blog.51cto.com/4455269/934674