CentOS Tips: User Permission Management

非常帅气的昵称吧 2022-02-14 Views: 192


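Tip 1: Restrict switching to root with [su -]

# Add the authorized account to the wheel group
# (-a appends; without it, -G replaces the user's other supplementary groups)
usermod -aG wheel ericzhong

# Configure PAM authentication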

vi /etc/pam.d/su
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# The next line is the one that was uncommented:
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

Tip 2: Managing sudo privileges

Delegate all root privileges to a specific user

(root) # visudo
ericzhong01 ALL = (ALL) ALL

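Delegate all root privileges to a specific user, but block certain commands

(root) # visudo
Cmnd_Alias SHUTDOWN = /usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/poweroff,/usr/sbin/reboot,/usr/sbin/init,/usr/bin/systemctl

ericzhong01 ALL = (ALL) ALL,!SHUTDOWN

Note: sudoers(5) warns that subtracting commands from ALL with "!" is generally not effective as a restriction, because the user still holds every other root privilege. Treat this rule as a guard against accidental shutdowns, and use an explicit allow-list, as in the next example, when the restriction has to hold.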

Delegate specific privileges to a specific group

(root) # visudo
Cmnd_Alias USERMGR = /usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd

%usermgr ALL = (ALL) USERMGR

(root) # groupadd usermgr
(root) # usermod -aG usermgr ericzhong02

sudo history logging

(root) # visudo
Defaults syslog=local1

(root) # vi /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
local1.*                                                /var/log/sudo.log
authpriv.*                                              /var/log/secure
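
The following script is an added example, not part of the original article: it checks that the su restriction from Tip 1 is active and that the sudo log facility from Tip 2 is routed consistently in rsyslog. The function names and the temporary sample files are assumptions made for illustration; point the functions at copies of the real files to audit a host.

```shell
#!/usr/bin/env bash
# Audit helpers for the settings on this page. Each takes file paths as
# arguments so the checks can be run on copies before touching /etc.

# Succeeds if FILE has an active "auth required pam_wheel.so ... use_uid" line.
su_requires_wheel() {
    awk '$1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
             for (i = 4; i <= NF; i++) if ($i == "use_uid") found = 1
         }
         END { exit !found }' "$1"
}

# Prints the facility from the last "Defaults syslog=FACILITY" line in FILE.
sudo_syslog_facility() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}syslog=\([[:alnum:]]\{1,\}\).*/\1/p' "$1" | tail -n 1
}

# Succeeds if CONF sends FACILITY.* to its own file and keeps it out of
# /var/log/messages with FACILITY.none.
facility_routed() {
    local fac="$1" conf="$2"
    awk -v f="$fac" '
        $1 ~ /^#/ { next }
        $1 == (f ".*") && $2 ~ /^-?\// { own = 1 }
        $NF == "/var/log/messages" && index($1, f ".none") { excluded = 1 }
        END { exit !(own && excluded) }' "$conf"
}

# Constructed sample files mirroring the page's configuration.
demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' '#auth sufficient pam_wheel.so trust use_uid' \
                  'auth required pam_wheel.so use_uid' > "$d/su"
    printf '%s\n' 'Defaults syslog=local1' > "$d/sudoers"
    printf '%s\n' '*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages' \
                  'local1.* /var/log/sudo.log' > "$d/rsyslog.conf"
    su_requires_wheel "$d/su" &&
        facility_routed "$(sudo_syslog_facility "$d/sudoers")" "$d/rsyslog.conf"
    local rc=$?; rm -rf "$d"; return $rc
}

demo && echo "page settings verified on constructed files"
```

On a real host, run `visudo -c` as well so that sudoers syntax errors are caught before the file is relied on.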