I. sudo: delegated authorization

sudo is an authorization tool: it delegates a limited set of administrative operations to an ordinary user, can restrict that user to running those commands only on certain hosts, and records every invocation through syslog (authpriv, /var/log/secure on CentOS) so that it can be audited later.


1. Defining sudo rules (stored in /etc/sudoers)

visudo: the editor for /etc/sudoers. Always use it instead of editing the file directly: it locks the file against concurrent edits and checks the syntax before saving, because a sudoers file with a syntax error stops sudo working for everyone.

Format: who which_host=(whom) command

Adding and deleting users

[root@localhost ~]# visudo
jerry    ALL=(root)  /usr/sbin/useradd, /usr/sbin/userdel
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom
[sudo] password for jerry:
[jerry@localhost ~]$ tail -1 /etc/passwd
tom:x:503:503::/home/tom:/bin/bash
[jerry@localhost ~]$ sudo userdel tom
[jerry@localhost ~]$ tail -1 /etc/passwd
jerry:x:502:502::/home/jerry:/bin/bash
[jerry@localhost ~]$
# test: jerry can now add and delete accounts, and nothing else


Aliases:

Host_Alias FILESERVERS = fs1, fs2                        # host alias
User_Alias ADMINS = jsmith, mikem                        # user alias
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig...   # command alias

[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel
USERADMIN  ALL=(root)  USERCMND

[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom
[sudo] password for jerry:
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
# the earlier "userdel tom" ran without -r, so /home/tom and the mailbox were left behind
[jerry@localhost ~]$
[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo userdel -r jerry
[sudo] password for tom:
[tom@localhost ~]$ tail -3 /etc/passwd
mockbuild:x:500:500::/home/mockbuild:/bin/bash
soul:x:501:501::/home/soul:/bin/bash
tom:x:503:503::/home/tom:/bin/bash
[tom@localhost ~]$


Negating a command with !

[root@localhost ~]# visudo
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd, !/usr/bin/passwd root   # ! negates a command
USERADMIN  ALL=(root)  USERCMND

[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo passwd tom
[sudo] password for jerry:
Changing password for user tom.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ sudo passwd root
Sorry, user jerry is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.
[jerry@localhost ~]$

Caveat: a ! entry subtracts only the exact command line it names. jerry is refused "passwd root", but "passwd" with no argument still matches the positive entry, and passwd running as root with no username changes root's own password. The sudoers(5) manual's version of this rule is "/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root", which forces a username argument. More generally, useradd and usermod are root-equivalent by themselves (useradd -o -u 0 creates a second UID-0 account; usermod -G can put the caller into a group that sudoers trusts), so a rule like USERCMND is a convenience for an admin you already trust, not a security boundary.


Runas identities and password control

[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd, !/usr/bin/passwd root
Runas_Alias ADMIN = root    # which identities the commands may run as
soul  ALL=(ALL)  ALL
USERADMIN  ALL=(ADMIN)  NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, PASSWD: /usr/bin/passwd, !/usr/bin/passwd root
# NOPASSWD: applies to the commands that follow it (useradd, userdel, usermod) until PASSWD: switches back,
# so the passwd entries still require the invoking user's password.

[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom2
[jerry@localhost ~]$ sudo passwd tom2
[sudo] password for jerry:
Changing password for user tom2.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$


Letting an ordinary user run every command root can

[root@localhost ~]# useradd -G wheel soul    # -G: supplementary group (the id output below shows wheel as a secondary group)
[root@localhost ~]# id soul
uid=501(soul) gid=501(soul) groups=501(soul),10(wheel)
[root@localhost ~]# visudo
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL
%wheel   ALL=(ALL)   ALL             # members of this group may run every command
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
%wheel   ALL=(ALL)   NOPASSWD: ALL   # ...and without entering a password

[soul@localhost ~]$ sudo useradd tom
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[soul@localhost ~]$ sudo userdel tom
[soul@localhost ~]$

Uncomment only one of the two %wheel lines. When both are present the later NOPASSWD: entry wins (sudoers uses the last matching entry), so anyone who obtains a wheel member's session (a stolen SSH key, an unlocked terminal) has root without knowing any password; the password prompt is the only second check sudo offers here.
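The rules in this section are small enough to read by eye, but a real sudoers file accumulates aliases, tags and negations until it is not. The following is an added example, not code from the original post: a Python linter that parses the user specifications shown above (User_/Cmnd_/Runas_ aliases, NOPASSWD:/PASSWD: tags, ! negation) and reports the escalation paths discussed in the caveats. SAMPLE_SUDOERS is constructed from this page's rules; the function names and finding texts are the example's own.

```python
"""Lint sudoers rules for delegations that are root-equivalent in practice.

Added example (not from the original post): it parses the kinds of user
specifications shown above and reports the escalation paths the caveats
describe. SAMPLE_SUDOERS is constructed from the page's rules.
"""
import re

# Why each command is effectively "ALL" once it can be run as root.
ROOT_EQUIVALENT = {
    "/usr/sbin/useradd": "useradd -o -u 0 creates a second UID-0 account",
    "/usr/sbin/usermod": "usermod -G can add the caller to a group sudoers trusts",
    "/usr/bin/passwd": "passwd with no username, run as root, resets root's password",
}

ALIAS_RE = re.compile(r"^(User|Cmnd|Runas|Host)_Alias\s+(\w+)\s*=\s*(.*)$")
# who  host = (runas) commands   -- the (runas) part is optional
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_commands(spec, cmnd_aliases, nopasswd=False):
    """Return [(negated, path, args, nopasswd)] for one command list.

    Tags persist over the following commands until the opposite tag appears,
    as sudoers(5) defines them; Cmnd aliases are expanded in place.
    """
    out = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = TAG_RE.match(item)
        while m:  # several tags may be stacked on one command
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            item = item[m.end():]
            m = TAG_RE.match(item)
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in cmnd_aliases:
            for neg, path, args, _ in parse_commands(cmnd_aliases[item], cmnd_aliases):
                out.append((neg != negated, path, args, nopasswd))  # '!ALIAS' flips each member
            continue
        path, _, args = item.partition(" ")
        out.append((negated, path, args.strip(), nopasswd))
    return out


def lint(text):
    """Return a list of (who, finding) pairs for a sudoers file's contents."""
    user_aliases, cmnd_aliases, findings = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # also skips #include/#includedir
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, body = m.groups()
            if kind == "Cmnd":
                cmnd_aliases[name] = body
            elif kind == "User":
                user_aliases[name] = body
            continue  # Runas_/Host_ aliases do not change what is flagged here
        m = SPEC_RE.match(line)
        if not m:
            continue
        who, _host, _runas, spec = m.groups()
        who = user_aliases.get(who, who)
        cmds = parse_commands(spec, cmnd_aliases)
        for negated, path, args, nopasswd in cmds:
            if negated:
                continue
            if path == "ALL":
                findings.append((who, "ALL commands" + (" with NOPASSWD" if nopasswd else "")))
            elif path in ROOT_EQUIVALENT:
                findings.append((who, f"{path}: {ROOT_EQUIVALENT[path]}"))
        # '!' subtracts only the exact argument string it names: "passwd root" is
        # blocked, but a bare "passwd" (no username) still matches the positive entry.
        denies_passwd_root = any(n and p == "/usr/bin/passwd" and a == "root" for n, p, a, _ in cmds)
        allows_bare_passwd = any(not n and p == "/usr/bin/passwd" and a == "" for n, p, a, _ in cmds)
        if denies_passwd_root and allows_bare_passwd:
            findings.append((who, "!/usr/bin/passwd root is bypassed by 'sudo passwd' with no username; "
                                  "use '/usr/bin/passwd [A-Za-z]*' as sudoers(5) does"))
    return findings


# Constructed from the rules shown on this page.
SAMPLE_SUDOERS = """\
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd, !/usr/bin/passwd root
Runas_Alias ADMIN = root
soul  ALL=(ALL)  ALL
USERADMIN  ALL=(ADMIN)  USERCMND
%wheel  ALL=(ALL)  NOPASSWD: ALL
"""

if __name__ == "__main__":
    for who, finding in lint(SAMPLE_SUDOERS):
        print(f"{who:10} {finding}")
```

Run it against the output of `cat /etc/sudoers /etc/sudoers.d/*` to see the findings for a real host. The linter deliberately reports userdel as harmless: deleting accounts is destructive but does not by itself hand the caller a root shell, which is the distinction the ROOT_EQUIVALENT table encodes.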


2. Common options

-V   print the version number
-h   print the version number and usage
-l   list the commands the invoking user is allowed (and forbidden) to run via sudo; the first thing to check when a rule does not behave as expected
-v   sudo asks for a password on first use and again when more than N minutes (default 5) have passed since the last sudo; -v refreshes that timestamp without running a command, prompting for the password if it has already expired
-k   invalidate the timestamp, so the next sudo asks for a password whether or not N minutes have passed
-b   run the given command in the background


II. tcp_wrappers (TCP wrapper): host-based access control

tcp_wrappers sits inside the network service rather than in the kernel: a daemon either links against libwrap and consults the access files itself when a TCP connection arrives, or it is started through the tcpd wrapper (or a libwrap-enabled xinetd), which performs the check before handing the connection over.

Configuration files: /etc/hosts.allow and /etc/hosts.deny

1. Not every service can be controlled by tcp_wrappers.

2. Checking whether a service program can be controlled by tcp_wrappers

Dynamically linked:

run ldd on the binary and look for the libwrap library, e.g.

libwrap.so.0 => /lib64/libwrap.so.0

Statically linked:

run strings /path/to/program and look for the access-file names

hosts.allow

hosts.deny

A program that shows neither ignores both files entirely, whatever rules they contain.


Configuration file syntax: daemon_list : client_list [: options]

daemon_list:

  • a program name (the daemon's process name, e.g. vsftpd, sshd, in.telnetd);

  • a list of programs, separated by commas;

  • ALL: matches every daemon

Evaluation order (the search stops at the first matching rule):

1. /etc/hosts.allow is searched first; a match grants access.

2. /etc/hosts.deny is searched next; a match refuses access.

3. If neither file matches, access is granted by default. An empty or missing hosts.deny therefore means "allow everything"; to fail closed, end hosts.deny with ALL: ALL.

[:options]

deny option in hosts.allow: writes a refusing rule inside the allow file

allow option in hosts.deny: writes a granting rule inside the deny file

Because the first match wins, an allow rule placed in hosts.deny must come before the broad deny line it is meant to override.

[root@localhost ~]# vim /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
vsftpd : 172.16.254.28     # allow this one host
[root@localhost ~]# vim /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
vsftpd : ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log
# refuse every host not matched in hosts.allow, and log each refused client
# spawn: run a shell command for the matching connection; %c expands to the client, %s to daemon@server

# test from another host (172.16.251.84), which is not on the allow list
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt
[root@dns ~]# lftp 172.16.251.85/pub
Interrupt
[root@dns ~]#
[root@localhost ~]# tail /var/log/deny.log
Mon Mar 31 22:50:18 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:50:48 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:57:58 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:58:43 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:59:50 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:31 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:44 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:01:14 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85

Built-in wildcards

client_list

  • ALL: matches every client

  • KNOWN: the client's host name and address are both known (reverse and forward lookups succeed and agree)

  • UNKNOWN: the client's name (or address) cannot be resolved

  • PARANOID: the host name returned for the address does not resolve back to that address (a sign of DNS spoofing)

daemon_list: ALL (matches every daemon)

EXCEPT: usable in both the daemon list and the client list; "list_1 EXCEPT list_2" matches whatever matches list_1 but not list_2. Because KNOWN and UNKNOWN depend on DNS, a rule built on them changes its effect when the resolver is slow or failing.
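The search order and wildcards above are easy to state and easy to get wrong in a file with a dozen lines. What follows is an added example, not code from the original post or from tcp_wrappers itself: a Python re-implementation of tcpd's decision (hosts.allow, then hosts.deny, then allow by default, first match wins) for the pattern forms used on this page: daemon names, ALL, KNOWN/UNKNOWN/PARANOID, EXCEPT, dotted prefixes such as 172.16., net/mask, and the allow/deny options. spawn/twist actions are recognised as options but not executed. The rule files and client records are constructed for the example, and whether a client counts as KNOWN, UNKNOWN or PARANOID is supplied as data rather than looked up in DNS.

```python
"""Evaluate hosts.allow / hosts.deny the way tcpd and libwrap do.

Added example, not code from the original post or from tcp_wrappers. The
rule files and clients are constructed; DNS status is given as data.
"""
import ipaddress
from collections import namedtuple

# name=None means the reverse lookup failed (UNKNOWN); name_matches=False
# means a name came back but does not resolve to the address (PARANOID).
Client = namedtuple("Client", "addr name name_matches", defaults=(None, True))


def parse_rules(text):
    """Return [(daemon_list, client_list, [option, ...])] for one access file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # fields are ':'-separated; a ':' inside a shell command must be escaped
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2:]))
    return rules


def match_client(pattern, client):
    """One client pattern from hosts_access(5) against one client."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return client.name is not None and client.name_matches
    if pattern == "UNKNOWN":
        return client.name is None
    if pattern == "PARANOID":
        return client.name is not None and not client.name_matches
    if "/" in pattern:  # net/mask or CIDR
        return ipaddress.ip_address(client.addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "172.16." : address prefix
        return client.addr.startswith(pattern)
    if pattern.startswith("."):  # ".example.com" : host-name suffix
        return client.name is not None and client.name.endswith(pattern)
    return pattern == client.addr or pattern == client.name


def match_list(pattern_list, match_one):
    """'a b EXCEPT c' matches when a or b matches and c does not (EXCEPT nests to the right)."""
    head, sep, tail = pattern_list.partition(" EXCEPT ")
    hit = any(match_one(p) for p in head.replace(",", " ").split())
    return hit and not match_list(tail, match_one) if sep else hit


def allowed(daemon, client, hosts_allow, hosts_deny):
    """tcpd's decision: allow-file match grants, deny-file match refuses, no match grants."""
    searches = ((parse_rules(hosts_allow), True), (parse_rules(hosts_deny), False))
    for rules, verdict_for_file in searches:
        for daemons, clients, options in rules:
            if not match_list(daemons, lambda p: p == "ALL" or p == daemon):
                continue
            if not match_list(clients, lambda p: match_client(p, client)):
                continue
            keywords = [o.split()[0].lower() for o in options if o]
            if "allow" in keywords:   # 'allow' option inside hosts.deny
                return True
            if "deny" in keywords:    # 'deny' option inside hosts.allow
                return False
            return verdict_for_file   # first match ends the search
    return True  # neither file matched: tcp_wrappers lets the connection through


# Constructed rule files, extending the vsftpd rules shown above.
HOSTS_ALLOW = """\
vsftpd : 172.16.254.28
sshd   : 172.16. EXCEPT 172.16.251.0/255.255.255.0
"""
HOSTS_DENY = """\
vsftpd     : ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log
sshd       : ALL EXCEPT KNOWN
in.telnetd : 10.0.0.1 : allow
in.telnetd : ALL
ALL        : PARANOID
"""

if __name__ == "__main__":
    for daemon, client in [("vsftpd", Client("172.16.254.28", "fs1")),
                           ("vsftpd", Client("172.16.251.84", "dns")),
                           ("sshd", Client("172.16.251.84", None))]:
        print(daemon, client.addr, "allow" if allowed(daemon, client, HOSTS_ALLOW, HOSTS_DENY) else "deny")
```

The sshd lines show the two traps the text warns about: a client in 172.16.251.0/24 is carved out of hosts.allow by EXCEPT, then falls through to hosts.deny, where "ALL EXCEPT KNOWN" refuses it only when its reverse lookup fails; with working DNS it is allowed by the default at the end of the search, and an unrelated daemon such as smtp is only ever refused by the PARANOID catch-all.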


III. PAM modules


1. Where the authentication modules and their configuration files live

[root@localhost ~]# ls /lib64/security/
pam_access.so        pam_faillock.so       pam_localuser.so   pam_rootok.so          pam_tty_audit.so
pam_cap.so           pam_filter            pam_loginuid.so    pam_securetty.so       pam_umask.so
pam_chroot.so        pam_filter.so         pam_mail.so        pam_selinux_permit.so  pam_unix_acct.so
pam_ck_connector.so  pam_fprintd.so        pam_mkhomedir.so   pam_selinux.so         pam_unix_auth.so
pam_console.so       pam_ftp.so            pam_motd.so        pam_sepermit.so        pam_unix_passwd.so
pam_cracklib.so      pam_gnome_keyring.so  pam_namespace.so   pam_shells.so          pam_unix_session.so
pam_debug.so         pam_group.so          pam_nologin.so     pam_smbpass.so         pam_unix.so
pam_deny.so          pam_issue.so          pam_passwdqc.so    pam_stress.so          pam_userdb.so
pam_echo.so          pam_keyinit.so        pam_permit.so      pam_succeed_if.so      pam_warn.so
pam_env.so           pam_lastlog.so        pam_postgresok.so  pam_tally2.so          pam_wheel.so
pam_exec.so          pam_limits.so         pam_pwhistory.so   pam_time.so            pam_winbind.so
pam_faildelay.so     pam_listfile.so       pam_rhosts.so      pam_timestamp.so       pam_xauth.so
[root@localhost ~]#

[root@localhost ~]# ls /etc/pam.d/
atd             fingerprint-auth     passwd            setup              system-auth
authconfig      fingerprint-auth-ac  password-auth     smartcard-auth     system-auth-ac
authconfig-gtk  gdm                  password-auth-ac  smartcard-auth-ac  system-config-authentication
authconfig-tui  gdm-autologin        polkit-1          smtp               system-config-date
chfn            gdm-fingerprint      poweroff          smtp.postfix       system-config-kdump
chsh            gdm-password         ppp               sshd               system-config-keyboard
config-util     gnome-screensaver    reboot            ssh-keycat         system-config-network
crond           halt                 remote            su                 system-config-network-cmd
cups            login                run_init          sudo               system-config-users
cvs             newrole              runuser           sudo-i             xserver
eject           other                runuser-l         su-l
[root@localhost ~]#


Format of /etc/pam.d/<service>:

type control module-path [module-arguments]


TYPE: each type forms a stack, and a stack may contain several lines
account   checks unrelated to proving identity: is the account expired, is login allowed at this time or from this tty, and so on
auth      authenticating the user (e.g. verifying a password) and granting credentials
password  checks and updates performed when the user changes a password
session   actions taken before a session is opened and after it is closed, e.g. applying resource limits, mounting directories, logging


control: what to do with this module's success or failure; there is a simple form (the keywords below) and a complex form written as [value=action ...]

Simple control keywords
include     splice in the lines of the same type from the named file, as if they had been written here; a requisite failure or sufficient success inside the included file therefore ends this stack too
substack    also pulls in the named file, but evaluates it as a unit: a sufficient success or requisite failure inside it finishes only the substack, and the outer stack continues with its next line
required    on failure, keep evaluating the remaining modules (so the user cannot tell which one failed), but the final result is failure: a veto that is only pronounced at the end
requisite   on failure, return failure immediately and skip the rest of the stack
sufficient  on success, return success immediately and skip the rest of the stack, unless an earlier required module has already failed, in which case the success is ignored and evaluation continues; failure of a sufficient module is ignored
optional    the result only counts when no other module in the stack has produced a definite result


2. Modules

A module line consists of the module path and the module's arguments. The path may be absolute or relative to /lib64/security; the arguments adjust the module's behaviour. Per-service stacks live in /etc/pam.d/*.

pam_unix        the traditional username/password check against /etc/passwd and /etc/shadow; common arguments: nullok (allow empty passwords), shadow, md5 (or sha512)
pam_permit      always succeeds
pam_deny        always fails; the "other" file uses it to provide the default (refuse) policy for any service without its own stack
pam_cracklib    enforces password-quality rules when a user changes a password
pam_shells      succeeds only if the user's login shell is listed in /etc/shells; for remote logins the stack to edit is /etc/pam.d/sshd
pam_securetty   restricts root logins to the terminals listed in /etc/securetty
pam_listfile    allows or denies based on whether an item (user, group, tty, ...) appears in a file you name
pam_rootok      succeeds if the invoking user is root, so root can su to another user without a password (trusting the wheel group is a separate module, pam_wheel, shown in the su example below)
pam_succeed_if  succeeds when the account (or, with use_uid, the invoking user) meets a condition such as uid = 500; used in the su example to skip the password for one uid
pam_limits      applies per-user resource limits from /etc/security/limits.conf and limits.d/*; {hard|soft} limits on items such as nofile and nproc


3. Examples


pam_shells
[Linux85]# useradd -s /bin/csh gentoo
[Linux85]# passwd gentoo
[Linux85]# vim /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
# /bin/csh removed for the test, so gentoo's login shell is no longer a listed shell

[Linux85]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_shells.so     # added line
auth       required     pam_sepermit.so

# test from the other host
[Linux86]# ssh gentoo@172.16.251.85
gentoo@172.16.251.85's password:
Permission denied, please try again.



21
pam_securetty
[Linux85]# cat /etc/securetty
console
tty1
tty2
tty3....
[Linux85]# cp /etc/securetty /etc/securetty.bak
[Linux85]# vim /etc/securetty
# keep only the following entries
console
tty1
tty2
[Linux85]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_securetty.so     # with this line root can no longer log in over ssh

[Linux86]# ssh root@172.16.251.85
root@172.16.251.85's password:
Permission denied, please try again.
# pam_securetty only checks root: root can now log in only on console, tty1 and tty2; ordinary users are unaffected

pam_listfile
item={tty|user|rhost|ruser|group|shell} sense={allow|deny} file=/path/to/filename onerr={succeed|fail} [apply=[user|@group]] [quiet]

[Linux85]# groupadd soul
[Linux85]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=group sense=allow file=/etc/allowgroup
# /etc/allowgroup lists the permitted group names, one per line (here: soul); with sense=allow a user who is
# in none of the listed groups is refused. Add onerr=fail so that a missing or unreadable list file refuses
# logins instead of letting everyone in.

# test
[Linux85]# useradd -G soul centos
[Linux85]# passwd centos
[Linux86]# ssh gentoo@172.16.251.85        # gentoo is not in group soul
gentoo@172.16.251.85's password:
Permission denied, please try again

[Linux86]# ssh centos@172.16.251.85        # centos is in group soul (first attempt failed on the password, second succeeded)
centos@172.16.251.85's password:
Permission denied, please try again.
centos@172.16.251.85's password:
Last login: Sun Apr  6 10:15:46 2014 from 172.16.254.28
[centos@soul ~]$

pam_rootok

[Linux85]# vim /etc/pam.d/su
#%PAM-1.0
#auth           sufficient      pam_rootok.so    # commented out for the test
[Linux85]# su - gentoo
Password:                                          # root is now asked for gentoo's password
[gentoo@soul ~]$
[Linux85]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so                             # root may su to any user without a password
auth            sufficient      pam_succeed_if.so uid = 500 use_uid quiet # the user with uid 500 may su to any user, root included, without a password
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid                # members of wheel may su without a password
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid                      # only members of wheel may su at all
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet   # stock line: skips the account checks for root. It is in the account stack, so it has no effect on password prompting; to skip the password for a given uid the pam_succeed_if line must be in the auth stack, as above
#
#
# second variant
#[Linux85]# vim /etc/pam.d/su
#%PAM-1.0
#auth           sufficient      pam_rootok.so    # commented out: root must now enter a password too
auth            sufficient      pam_succeed_if.so uid = 500 use_uid quiet     # uid 500 needs no password
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
#
# test
[Linux85]# id gentoo
uid=500(gentoo) gid=500(gentoo) groups=500(gentoo)
[Linux85]# su - gentoo        # root su to gentoo
Password:
[gentoo@soul ~]$ su - root    # gentoo su to root
[root@soul ~]# whoami
root
# works as configured

A pam_succeed_if line with use_uid tests the real uid of whoever invokes su, so "uid = 500" hands that one account passwordless root. The usual pattern is to grant that to a group through pam_wheel trust, and only after deciding that every member of the group is trusted with root.
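The control keywords from section III.1 and the su stacks above interact in ways that are easy to misread, in particular that a sufficient success does not rescue a stack in which a required module has already failed. The following is an added example, not code from the original post or from Linux-PAM: a Python model of how pam_dispatch combines module results, applied to the second /etc/pam.d/su variant above together with the stock CentOS 6 system-auth auth stack it includes. The modules are simplified stand-ins driven by a context dict (invoking uid and groups, target uid, whether the password check would pass); the stacks, user records and uids are constructed for the example, include is modelled and substack is not.

```python
"""Walk a PAM auth stack with the required/requisite/sufficient/optional rules.

Added example, not code from the original post or from Linux-PAM. Modules are
simplified stand-ins driven by a context dict; stacks and users are constructed.
"""


def pam_succeed_if(ctx, args):
    """Only the 'uid <op> N' form used on this page; use_uid tests the invoking
    user's uid, otherwise the target account's."""
    tokens = args.split()
    assert tokens[0] == "uid", "example models uid tests only"
    uid = ctx["uid"] if "use_uid" in tokens else ctx["target_uid"]
    value = int(tokens[2])
    return {"=": uid == value, "!=": uid != value, "<": uid < value,
            "<=": uid <= value, ">": uid > value, ">=": uid >= value}[tokens[1]]


MODULES = {
    "pam_rootok": lambda ctx, args: ctx["uid"] == 0,
    "pam_succeed_if": pam_succeed_if,
    # succeeds for wheel members; 'trust' only changes how the stack uses that result
    "pam_wheel": lambda ctx, args: "wheel" in ctx["groups"],
    "pam_unix": lambda ctx, args: ctx["password_ok"],
    "pam_env": lambda ctx, args: True,
    "pam_deny": lambda ctx, args: False,
}


def flatten(stack, files):
    """Splice 'include'd files in place, as Linux-PAM does for that control."""
    out = []
    for control, module, args in stack:
        out.extend(flatten(files[module], files) if control == "include" else [(control, module, args)])
    return out


def evaluate(stack, ctx, files=None):
    """Return 'success' or 'failure'. impression: None = no module has had a
    definite say yet, True = positive, False = a required/requisite module
    failed, which is never overturned."""
    impression = None
    for control, module, args in flatten(stack, files or {}):
        ok = MODULES[module](ctx, args)
        if control in ("required", "requisite"):
            if ok:
                impression = True if impression is None else impression
            else:
                impression = False
                if control == "requisite":  # die: stop the stack right here
                    return "failure"
                # required: keep going so the user cannot tell which line failed
        elif control == "sufficient":
            if ok and impression is not False:  # done, unless a required module already failed
                return "success"
            # a failing sufficient module is ignored
        elif control == "optional":
            impression = True if ok and impression is None else impression
        else:
            raise ValueError("unknown control " + control)
    return "success" if impression else "failure"


# The second /etc/pam.d/su variant above, plus the stock CentOS 6 system-auth
# auth stack that it includes.
SU = [("sufficient", "pam_succeed_if", "uid = 500 use_uid quiet"),
      ("sufficient", "pam_wheel", "trust use_uid"),
      ("include", "system-auth", "")]
SU_WHEEL_ONLY = [("required", "pam_wheel", "use_uid"), ("include", "system-auth", "")]
FILES = {"system-auth": [("required", "pam_env", ""),
                         ("sufficient", "pam_unix", "nullok try_first_pass"),
                         ("requisite", "pam_succeed_if", "uid >= 500 quiet"),
                         ("required", "pam_deny", "")]}
USERS = {"gentoo": (500, ["gentoo"]),          # passwordless root via uid = 500
         "soul": (501, ["soul", "wheel"]),     # passwordless root via p am_wheel trust
         "centos": (502, ["centos", "soul"])}  # must supply root's password (uid constructed)


def who_gets_root(password_ok, stack=SU):
    """Result of 'su - root' for each user, with or without the right password."""
    return {name: evaluate(stack, {"uid": uid, "groups": groups, "target_uid": 0,
                                   "password_ok": password_ok}, FILES)
            for name, (uid, groups) in USERS.items()}


def root_su_gentoo(with_rootok):
    """root running 'su - gentoo' with no password: only pam_rootok makes it silent."""
    stack = ([("sufficient", "pam_rootok", "")] if with_rootok else []) + SU
    return evaluate(stack, {"uid": 0, "groups": ["root"], "target_uid": 500, "password_ok": False}, FILES)


if __name__ == "__main__":
    print(who_gets_root(False), who_gets_root(True, SU_WHEEL_ONLY), root_su_gentoo(False))
```

who_gets_root(True, SU_WHEEL_ONLY) is the case to study: with the "required pam_wheel.so use_uid" line uncommented, a non-wheel user is refused even though pam_unix succeeds, because the required failure has already fixed the outcome and the later sufficient success is ignored; the stack still runs to the end so the prompt looks the same as a wrong password.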

pam_limits
/etc/security/limits.d/*  /etc/security/limits.conf

[Linux85]# vim /etc/security/limits.conf
# /etc/security/limits.conf

#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - an user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit

#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits

#<item> can be one of the following:    (the most commonly tuned items are marked)
#        - core - limits the core file size (KB)    ** core dump size
#        - data - max data size (KB)    size of the process data segment
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open files    *** open file descriptors per process
#        - rss - max resident set size (KB)    resident set size
#        - stack - max stack size (KB)    process stack size
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes    *** processes per user
#        - as - address space limit (KB)    virtual address space
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority

A soft limit is the value in force; a process may raise it up to the hard limit with ulimit, but cannot exceed the hard limit without privilege. pam_limits applies these when a session is opened, so a change takes effect at the next login, and the service's stack must contain a "session required pam_limits.so" line (system-auth has one) for limits.conf to have any effect.

This article is reproduced from Mr_陈's 51CTO blog; original: http://blog.51cto.com/chenpipi/1391076. Contact the original author before reposting.