Tip 1: Restrict switching to root with su -
# Add the account that is allowed to switch to root to the wheel group
# (-a appends, so the user keeps any supplementary groups it already has)
usermod -aG wheel ericzhong
# Configure the PAM check: in /etc/pam.d/su, uncomment the pam_wheel.so use_uid line
vi /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Tip 2: Managing sudo privileges
Delegate full root privileges to a specific user
(root) # visudo
ericzhong01 ALL = (ALL) ALL
Delegate full root privileges to a specific user, but exclude certain commands
(root) # visudo
Cmnd_Alias SHUTDOWN = /usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/poweroff,/usr/sbin/reboot,/usr/sbin/init,/usr/bin/systemctl
ericzhong01 ALL = (ALL) ALL,!SHUTDOWN
Delegate specific privileges to a specific group
(root) # visudo
Cmnd_Alias USERMGR = /usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd
%usermgr ALL = (ALL) USERMGR
(root) # groupadd usermgr
(root) # usermod -aG usermgr ericzhong02
Logging sudo activity
(root) # visudo
Defaults syslog=local1
(root) # vi /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
local1.* /var/log/sudo.log
authpriv.* /var/log/secure
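The following script is an added example, not part of the original post: it verifies the settings from Tip 1 and Tip 2 against files passed as parameters, using constructed sample files (with the assumed user names ericzhong and ericzhong01) so nothing under /etc is touched, and it catches the misspelled alias keyword that visudo would reject.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the settings in Tip 1 and Tip 2.
# Each function takes file paths as parameters, so it can be run against copies of the real
# /etc files; the sample files created at the bottom are constructed for demonstration.

# pam_wheel_enforced FILE: an active "auth required pam_wheel.so use_uid" line exists and
# no active "trust" variant remains (trust would let wheel members su without a password).
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$1" &&
    ! grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust' "$1"
}

# user_in_group GROUP USER [GROUPFILE]: is USER a listed member of GROUP (default /etc/group)?
user_in_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "${3:-/etc/group}"
}

# sudoers_aliases_valid FILE: every *_Alias keyword is one visudo accepts (the post's
# "cmd_Alias" is not) and every alias used in a user spec, negated or not, is defined.
# sudoers(5) also warns that "!" exclusion lists are not a reliable control by themselves.
sudoers_aliases_valid() {
    awk '
        /^[[:space:]]*#/ || NF == 0 || $1 ~ /^Defaults/ { next }
        $1 ~ /_Alias$/ {
            if ($1 !~ /^(User|Runas|Host|Cmnd)_Alias$/) bad = 1
            sub(/=.*/, "", $2); defined[$2] = 1; next
        }
        {   spec = $0; sub(/^[^=]*=/, "", spec)        # keep only the part after "="
            n = split(spec, w, "[ \t,()]+")
            for (i = 1; i <= n; i++) {
                x = w[i]; sub(/^!/, "", x)
                if (x ~ /^[A-Z][A-Z0-9_]*$/ && x != "ALL" && !(x in defined)) bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Constructed sample files mirroring the post's configuration, so nothing under /etc is touched.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
printf 'auth required pam_wheel.so use_uid\n' > "$SAMPLE/su.good"
printf '#auth required pam_wheel.so use_uid\n' > "$SAMPLE/su.bad"
printf 'wheel:x:10:ericzhong\n' > "$SAMPLE/group"
printf 'Cmnd_Alias SHUTDOWN = /usr/sbin/halt,/usr/sbin/reboot\nericzhong01 ALL = (ALL) ALL,!SHUTDOWN\n' > "$SAMPLE/sudoers.good"
printf 'cmd_Alias SHUTDOWN = /usr/sbin/halt\nericzhong01 ALL = (ALL) ALL,!SHUTDOWN\n' > "$SAMPLE/sudoers.bad"

for f in su.good su.bad; do pam_wheel_enforced "$SAMPLE/$f" && echo "$f: su restricted to wheel" || echo "$f: su NOT restricted"; done
user_in_group wheel ericzhong "$SAMPLE/group" && echo "ericzhong is in wheel"
for f in sudoers.good sudoers.bad; do sudoers_aliases_valid "$SAMPLE/$f" && echo "$f: aliases OK" || echo "$f: alias error"; done
```

To check a live host, point the functions at /etc/pam.d/su, /etc/group and a copy of /etc/sudoers; `visudo -c` remains the authoritative syntax check for sudoers.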