DAY 19 sudo

Author: 余仔丶 | Source: published 2019-03-26 23:06, read 0 times

    [root@oldboyedu ~]# chage -l oldboy
    Last password change : Oct 07, 2020
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7
    [root@oldboyedu ~]# chage -E "2020/10/1" oldboy
    [root@oldboyedu ~]# chage -l oldboy
    Last password change : Oct 07, 2020
    Password expires : never
    Password inactive : never
    Account expires : Oct 01, 2020
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7

    Example 14-17: create a new user range, with the requirement that the user cannot change the password within 7 days,
    must change the password after 60 days, is warned 10 days before it expires, and is denied login 30 days after it expires.
    chage -m7 -M60 -W10 -I30 oldboy
    Refer to the English option help:
    Options:
    -d, --lastday LAST_DAY set date of last password change to LAST_DAY
    -E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
    -h, --help display this help message and exit
    -I, --inactive INACTIVE set password inactive after expiration
    to INACTIVE
    -l, --list show account aging information
    -m, --mindays MIN_DAYS set minimum number of days before password
    change to MIN_DAYS
    -M, --maxdays MAX_DAYS set maximim number of days before password
    change to MAX_DAYS
    -R, --root CHROOT_DIR directory to chroot into
    -W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS

    [root@oldboyedu ~]# chage -l oldboy
    Last password change : Oct 07, 2020
    Password expires : never
    Password inactive : never
    Account expires : Oct 01, 2020
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7
    You have new mail in /var/spool/mail/root
    [root@oldboyedu ~]# chage -m7 -M60 -W10 -I30 oldboy
    [root@oldboyedu ~]# chage -l oldboy
    Last password change : Oct 07, 2020
    Password expires : Dec 06, 2020
    Password inactive : Jan 05, 2021
    Account expires : Oct 01, 2020
    Minimum number of days between password change : 7
    Maximum number of days between password change : 60
    Number of days of warning before password expires : 10

    passwd -n70 -x600 -w100 -i300 oldboy

    [root@oldboyedu ~]# passwd -n70 -x600 -w100 -i300 oldboy
    Adjusting aging data for user oldboy.
    passwd: Success
    You have new mail in /var/spool/mail/root
    [root@oldboyedu ~]# chage -l oldboy
    Last password change : Oct 07, 2020
    Password expires : May 30, 2022
    Password inactive : Mar 26, 2023
    Account expires : Oct 01, 2020
    Minimum number of days between password change : 70
    Maximum number of days between password change : 600
    Number of days of warning before password expires : 100

    -n, --minimum DAYS
    This will set the minimum password lifetime, in days, if the user's account supports password lifetimes. Available to root only.

    -x, --maximum DAYS
    This will set the maximum password lifetime, in days, if the user's account supports password lifetimes. Available to root only.

    -w, --warning DAYS
    This will set the number of days in advance the user will begin receiving warnings that her password will expire, if the user's account supports password lifetimes. Available to root only.

    -i, --inactive DAYS
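    The dates chage -l prints above are derived from the numeric fields of /etc/shadow: -M counts from the last password change, -I counts from the resulting expiry date, and -E is stored as an absolute day number. The following is an added example, not code from the page or from the shadow-utils project: it parses a constructed shadow line (placeholder hash, same day numbers the sessions above imply) and recomputes the chage -l output, then flags aging values a reviewer would question. The 90-day limit in policy_findings is an assumed policy, not something the page states.

```python
from datetime import date, timedelta

# Constructed /etc/shadow entry (not copied from the page) for the oldboy user
# after "chage -E 2020/10/1 oldboy" and "chage -m7 -M60 -W10 -I30 oldboy".
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01, exactly as the real shadow file stores them.
SHADOW_LINE = "oldboy:$6$PLACEHOLDER_HASH:18542:7:60:10:30:18536:"

EPOCH = date(1970, 1, 1)
NEVER_MAX = 99999  # the default max age, which chage -l reports as "never"


def day_to_date(field):
    """Shadow day count -> date; an empty field means 'never'."""
    return None if field == "" else EPOCH + timedelta(days=int(field))


def fmt(d):
    """Same layout chage -l prints, e.g. 'Dec 06, 2020'."""
    return "never" if d is None else d.strftime("%b %d, %Y")


def parse_shadow(line):
    """Split one shadow line into its aging fields."""
    name, _hash, last, mn, mx, warn, inactive, expire, _rest = line.split(":")
    return {
        "name": name,
        "last": day_to_date(last),
        "min": int(mn) if mn else 0,
        "max": int(mx) if mx else NEVER_MAX,
        "warn": int(warn) if warn else 0,
        "inactive": int(inactive) if inactive else None,
        "expire": day_to_date(expire),
    }


def aging_report(entry):
    """Reproduce the lines of `chage -l` from a parsed shadow entry."""
    last = entry["last"]
    expires = inactive_on = None
    if last is not None and entry["max"] < NEVER_MAX:
        # -M counts from the last change; -I counts from the expiry date
        expires = last + timedelta(days=entry["max"])
        if entry["inactive"] is not None:
            inactive_on = expires + timedelta(days=entry["inactive"])
    return {
        "Last password change": fmt(last),
        "Password expires": fmt(expires),
        "Password inactive": fmt(inactive_on),
        "Account expires": fmt(entry["expire"]),
        "Minimum number of days between password change": str(entry["min"]),
        "Maximum number of days between password change": str(entry["max"]),
        "Number of days of warning before password expires": str(entry["warn"]),
    }


def policy_findings(entry, max_allowed=90):
    """Flag aging settings a reviewer would question (the 90-day limit is an assumed policy)."""
    findings = []
    if entry["max"] >= NEVER_MAX:
        findings.append("password never expires")
    elif entry["max"] > max_allowed:
        findings.append("max password age %d exceeds %d days" % (entry["max"], max_allowed))
    if entry["warn"] == 0:
        findings.append("no expiry warning period")
    return findings


if __name__ == "__main__":
    entry = parse_shadow(SHADOW_LINE)
    for label, value in aging_report(entry).items():
        print("%s : %s" % (label, value))
    print("findings:", policy_findings(entry))
```

    Feeding the same parser the values from the passwd -n70 -x600 -w100 -i300 session reproduces its May 30, 2022 and Mar 26, 2023 dates, which is a quick way to sanity-check an aging policy before applying it with chage or passwd on a real host.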

    [root@oldboyedu ~]# su - oldboy -c pwd
    /home/oldboy
    [root@oldboyedu ~]# su - oldboy -c whoami
    oldboy

    How to use su.

    1. Log in as a regular user first; do not log in as root without a reason.
    Only when the task you need to run requires root privileges are you allowed to log in as root.
    This is the system maintenance channel.
    Managing with su means you must know the root password, which is a security risk.
    With 10 operations engineers, all 10 have to know the root password: a security risk.

    Requirements:
    1. Be able to manage the server without knowing the root password.
    2. Manage the server with minimal privileges: if you only need to shut down, you only get the halt permission.

    The sudo command:
    Lets a user run a command with root privileges at the smallest possible granularity (a single command).

    SUID applies to a command: any user who executes the command runs as root. Any user running some command: vague.
    SUDO applies to a user: a given user is allowed to run a given command as root. A specified user running a specified command: precise.

    How do you edit the sudo configuration?

    sudo is a privilege-escalation command (the permissions it grants are implemented by reading the /etc/sudoers file, which has a strict syntax).

    To configure /etc/sudoers use the visudo command, or vim /etc/sudoers (not recommended).

    [oldboy@oldboyedu ~]$ ls /root
    ls: cannot open directory /root: Permission denied
    The task is to make the action above succeed.

    Grant the oldboy user permission for ls.

    Run visudo to enter the editor, then type 100G (jump to line 100).

    Allow root to run any commands anywhere

    root ALL=(ALL) ALL
    oldboy ALL=(ALL) /usr/bin/ls,/bin/cp #<=== add this line
    user host=(runas role) command

    Notes:
    1. Commands must be given as full paths:
    look them up with which cp
    2. Do not edit with vim /etc/sudoers; if you must, run visudo -c after editing to check the syntax.

    To make oldboy an administrator who needs no password:
    oldboy ALL=(ALL) NOPASSWD: ALL

    After logging in, switch to root and run commands:
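    The user specification grammar above (user host=(runas) command) and the two notes that follow it can be checked mechanically before a file ever reaches visudo. The following is an added example, not code from the page or from the sudo project: it parses a constructed sudoers fragment (the page's root and oldboy entries plus an invented "ops" line that breaks note 1) and reports relative command names, a non-root user granted ALL, and NOPASSWD combined with ALL. The tag list and the message wording are the example's own choices.

```python
import re

# Constructed sudoers fragment (not the page's file): the page's entries for
# root and oldboy, the NOPASSWD line, and one deliberately bad "ops" line that
# uses a relative command name.
SUDOERS_TEXT = """\
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
oldboy  ALL=(ALL)       /usr/bin/ls,/bin/cp
oldboy  ALL=(ALL)       NOPASSWD: ALL
ops     ALL=(ALL)       ls
"""

# One user specification: user  host=(runas)  [TAG:]... command[,command...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)
# Subset of sudoers tags handled here (assumption: plain user specs only, no aliases)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_spec(line):
    """Parse one user specification; returns None for blank, comment and Defaults lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError("unparsable sudoers line: %r" % line)
    tags, cmds = [], m.group("cmds")
    while True:  # peel off leading TAG: prefixes before the command list
        t = TAG_RE.match(cmds)
        if not t:
            break
        tags.append(t.group(1))
        cmds = cmds[t.end():]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": m.group("runas"),
        "tags": tags,
        "commands": [c.strip() for c in cmds.split(",") if c.strip()],
    }


def lint_sudoers(text):
    """Return (line_no, message) pairs for the pitfalls the notes call out."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        spec = parse_spec(raw)
        if spec is None:
            continue
        for cmd in spec["commands"]:
            if cmd == "ALL":
                if spec["user"] != "root":
                    findings.append((n, "%s may run any command as (%s)" % (spec["user"], spec["runas"])))
                if "NOPASSWD" in spec["tags"]:
                    findings.append((n, "%s: NOPASSWD with ALL is full root without a password" % spec["user"]))
            elif not cmd.split()[0].startswith("/"):
                # note 1 on the page: commands must be full paths (find them with `which`)
                findings.append((n, "%r is not a full path; use the output of `which %s`" % (cmd, cmd.split()[0])))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_sudoers(SUDOERS_TEXT):
        print("line %d: %s" % (line_no, msg))
```

    On a real host visudo -c -f <file> remains the authoritative syntax check; this linter only understands plain user specifications (no User_Alias, Cmnd_Alias or Defaults lines) and is meant for reviewing what a rule grants, not for replacing visudo.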
    [oldboy@oldboyedu ~]$ sudo su - root
    Last login: Tue Mar 26 10:32:57 CST 2019 on pts/3
    [root@oldboyedu ~]#

    For security, forbid root from logging in to Linux remotely.

    How do you log in at work? Log in as a regular user, then use sudo to escalate to root.
    Wecomle to oldboy training 58期。
    [oldboy@oldboyedu ~]$ whoami
    oldboy
    [oldboy@oldboyedu ~]$ sudo ls /root
    a.txt c.txt data1 etc oldboy oldboy_b oldboy_soft_link pass test.txt user.log
    b.txt d d.txt grep.txt oldboy_1.txt oldboyedu.txt oldboy.txt test test.txt.ori
    [oldboy@oldboyedu ~]$ sudo su -
    Last login: Tue Mar 26 11:42:09 CST 2019 on pts/0
    [root@oldboyedu ~]#

    [root@oldboyedu ~]# su - oldboy
    Last login: Tue Mar 26 10:44:08 CST 2019 on pts/3
    [oldboy@oldboyedu ~]$ ls /root
    ls: cannot open directory /root: Permission denied
    [oldboy@oldboyedu ~]$ sudo -l

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

    [sudo] password for oldboy:
    Matching Defaults entries for oldboy on oldboyedu:
    User oldboy may run the following commands on oldboyedu:
    (ALL) /bin/ls
    [oldboy@oldboyedu ~]$ sudo ls /root
    a.txt c.txt data1 etc oldboy oldboy_b oldboy_soft_link pass test.txt user.log
    b.txt d d.txt grep.txt oldboy_1.txt oldboyedu.txt oldboy.txt test test.txt.ori
    [oldboy@oldboyedu ~]$ ls /root
    ls: cannot open directory /root: Permission denied
    [oldboy@oldboyedu ~]$

    Article link: https://www.haomeiwen.com/subject/cyvovqtx.html