12 身份切换
1. su⚓
原本以为该命令很简单,但是没想到还有一些玄机在里面。
su [options] [USER [arg]...]
Options:
-m, -p, --preserve-environment do not reset environment variables
-, -l, --login 使shell变为 login shell ,默认为 non-login shell
-c, --command <command> pass a single command to the shell with -c
-s, --shell <shell> run shell if /etc/shells allows it
# non-login shell
[sink@dev ~]$ su
Password:
[root@dev sink]# env
# 可以看到一些环境变量仍然是原来用户的,
USER=sink
PATH=/home/clion-2018.3/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/sink/.local/bin:/home/sink/bin
MAIL=/var/spool/mail/sink
HOME=/root
LOGNAME=sink
# login shell,相当于使用 root 登录,所有的环境变量也会改变
[sink@dev ~]$ su -
Password:
Last login: Tue Oct 15 10:51:57 CST 2019 on pts/2
[root@dev ~]# env
USER=root
MAIL=/var/spool/mail/root
PATH=/home/clion-2018.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
HOME=/root
LOGNAME=root
# 执行一次命令
[sink@dev shell]$ ll -d /root/
dr-xr-x---. 36 root root 4096 Oct 15 14:36 /root/
[sink@dev shell]$ su - -c "ls -d /root/Desktop"
Password:
/root/Desktop
[sink@dev shell]$
关于non-login shell参考 08 bash。
2. sudo⚓
sudo [options] [command]
execute a command as another user
Options:
-u, --user=user run command (or edit file) as specified user name or ID
-b, --background run command in the background
-h, --host=host run command on host (if supported by plugin)
-g, --group=group run command as the specified group name or ID
-i, --login run login shell as the target user; a command may also be specified
-S, --stdin read password from standard input
# 切换的用户也必须有权限才可执行命令
[root@dev ~]# sudo -u sink touch root-for-sink
touch: cannot touch ‘root-for-sink’: Permission denied
[root@dev ~]# sudo -u sink touch /tmp/root-for-sink
[root@dev ~]# ll /tmp/root-for-sink
-rw-r--r-- 1 sink sink 0 Oct 15 14:46 /tmp/root-for-sink
# 即使不能登录的用户也可以切换
[root@dev ~]# grep sshd /etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
[root@dev ~]# sudo -u sshd sh -c "ls /tmp"
默认情况下,只有root才可以执行sudo指令,这是在/etc/sudoers中配置的,该文件可以使用visudo来编辑。
visudo [-chqsV] [-f sudoers] [-x output_file]
safely edit the sudoers file
Options:
-c, --check check-only mode
-f, --file=sudoers specify sudoers file location
-x, --export=output_file write sudoers in JSON format to output_file
2.1 使单一账号可执行sudo⚓
[root@dev ~]# visudo
……
## Allow root to run any commands anywhere
使用者帐号 登陆者的来源主机名称=(可切换的身份) 可下达的指令,使用指令的绝对路径
root ALL=(ALL) ALL
sink ALL=(ALL) NOPASSWD: ALL
……
2.2 使群组内的账号都可执行sudo⚓
[root@dev ~]# visudo
……
# 加了 % 就代表是群组,该群组下的所有用户都可以执行 sudo 指令
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
……
2.3 限制行为⚓
如果设置成上述的方式,那么会很危险,所以需要通过以下这种方式限制用户的行为:
sink ALL=(root) NOPASSWD: !/usr/bin/passwd, !/usr/bin/passwd root, /usr/bin/passwd [a-zA-Z]*
%users localhost=/sbin/shutdown -h now
表示sink用户只能执行passwd指令,且不能更改root的密码。
2.4 设置别名⚓
sudo可以设置别名来方便管理,sudo已经预设好了一些别名,可以分别填写到对应位置:
## Host Aliases
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
2.5 时间间隔⚓
如果两次sudo的时间间隔超过5分钟,那么就需要重新输入一次密码来确认用户。
2.6 搭配su来使用⚓
搭配su指令可以让你使用自己的密码来变成root用户:
user1 ALL=(root) /bin/su -
[user1@dev ~]$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user1:
Last login: Tue Oct 15 14:37:53 CST 2019 on pts/2
[root@dev ~]#