[root@localhost ~]# su - lsx //加上 - 表示以登录 shell 方式切换:加载目标用户的环境并进入其家目录
[root@localhost ~]# su - -c "touch /tmp/lsx.txt" lsx //以指定用户的身份执行命令
[root@localhost ~]# su - lsx -c "touch /tmp/lsx.txt" //以指定用户的身份执行命令
[root@localhost ~]# ll /tmp/
-rw-rw-r--. 1 lsx lsx 0 10月 21 11:56 lsx.txt
[root@localhost user6]# su - user8
su: 警告:无法更改到 /home/user8 目录: 没有那个文件或目录
-bash-4.2$ //因为没有家目录,也就没有家目录里的 .bash* 环境文件,所以提示符变成了 -bash-4.2$
[root@localhost ~]# mkdir /home/user8 //手动 mkdir 创建的目录权限一般是 755,而 useradd 创建的家目录通常是 700,可再执行 chmod 700 /home/user8
[root@localhost ~]# chown user8:user8 /home/user8
[root@localhost ~]# ls -la /etc/skel/
drwxr-xr-x. 2 root root 59 10月 15 22:36 .
drwxr-xr-x. 73 root root 8192 10月 21 12:09 ..
-rw-r--r--. 1 root root 18 6月 10 2014 .bash_logout
-rw-r--r--. 1 root root 193 6月 10 2014 .bash_profile
-rw-r--r--. 1 root root 231 6月 10 2014 .bashrc
[root@localhost ~]# cp /etc/skel/.bash* /home/user8
[root@localhost ~]# chown user8:user8 /home/user8 -R
[root@localhost ~]# su - user8
上一次登录:六 10月 21 12:13:33 CST 2017pts/0 上
[user8@localhost ~]$
3.8 sudo命令
sudo:让普通用户临时以指定身份(一般是 root 身份)执行被授权的命令
[root@localhost ~]# visudo //用 visudo 编辑 /etc/sudoers,保存时会检查语法错误
## Allow root to run any commands anywhere
ALL=(ALL) 前面的 ALL 表示主机(IP 或主机名);括号里的 ALL 表示可以用哪个用户的身份执行
ALL 后边ALL表示所有命令
root ALL=(ALL) ALL
lsx ALL=(ALL) /usr/bin/ls,/usr/bin/mv,/usr/bin/cat //只授权这三条命令;注意 mv、cat 以 root 身份运行时可以移动或读取系统上的任意文件,实际授权范围并不小
user1 ALL=(ALL) NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
[lsx@localhost ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for lsx:
11. txt1.txt 2.txt anaconda-ks.cfg lsx lsx.txt qq.jpg
[lsx@localhost ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[lsx@localhost ~]$ sudo /usr/bin/ls /root/
11.txt1.txt 2.txt anaconda-ks.cfg lsx lsx.txt qq.jpg
[lsx@localhost ~]$ sudo /usr/bin/cat /root/1.txt
[root@localhost ~]# su - user1
[user1@localhost ~]$ id
uid=1006(user1) gid=1006(user1) 组=1006(user1),1003(user3) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user1@localhost ~]$ sudo /usr/bin/ls /root/ //NOPASSWD不需要密码
11. txt1.txt 2.txt anaconda-ks.cfg lsx lsx.txt qq.jpg
# User_Alias ADMINS = jsmith, mikem
User_Alias LSHX = lsx,user1,user2 //用户别名(一组用户)
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Cmnd_Alias LSHX_CMD = /usr/bin/ls,/usr/bin/cat,/usr/bin/mv //命令别名(一组命令)
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
##lsx ALL=(ALL) /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
##user1 ALL=(ALL) NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
LSHX ALL=(ALL) NOPASSWD: LSHX_CMD
3.9 限制root远程登录
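不允许 root 远程登录,只允许普通用户登录(root 密码保密);普通用户登录后执行 sudo /usr/bin/su - root 切换到 root,配置了 NOPASSWD 就不需要输入密码(前提是已限制 root 用户远程登录)。注意:把 /usr/bin/su 以 NOPASSWD 方式授权,等于让 LSHX 中的每个用户无需再次验证就能获得完整的 root 权限,因此这些账号本身要用强口令或密钥保护;去掉 NOPASSWD 可以在切换时多一次密码验证。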
# User_Alias ADMINS = jsmith, mikem
User_Alias LSHX = lsx,user1,user2
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Cmnd_Alias LSHX_CMD = /usr/bin/ls,/usr/bin/cat,/usr/bin/mv,/usr/bin/su
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
##lsx ALL=(ALL) /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
##user1 ALL=(ALL) NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
LSHX ALL=(ALL) NOPASSWD: LSHX_CMD //LSHX 中的用户执行 LSHX_CMD 里的命令时不需要输入密码
[root@localhost ~]# su - lsx
上一次登录:六 10月 21 13:17:01 CST 2017pts/0 上
[lsx@localhost ~]$ sudo /usr/bin/su - root
上一次登录:六 10月 21 13:18:28 CST 2017pts/0 上
限制 root 远程登录的配置文件:/etc/ssh/sshd_config
[root@localhost ~]# vi /etc/ssh/sshd_config
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes //需要修改:去掉行首的 #,并把 yes 改为 no,即 PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
[root@localhost ~]# systemctl restart sshd.service //重启前可先用 sshd -t 检查配置语法,并确认普通用户能够登录且能通过 sudo 切换到 root,避免把自己锁在外面
本文转自 虾米的春天 51CTO博客,原文链接:http://blog.51cto.com/lsxme/1977980,如需转载请自行联系原作者