最近公司应相关部门的监管要求加强了对用户权限的控制,为了积极响应国家的号召,公司账号权限设计管理的重任就落到我的肩上。花了两三个小时,对批量创建用户,普通用户对除了用户目录之外的权限管理、root权限控制进行了设计,目前脚本已经完全通过测试,在此和大家分享一下。现分别对每一部分代码进行一下备注、解析。
批量创建用户。
HostName=$(hostname)
Account=`whoami`
PASSWORD='TTkx1324'
USER1='payer'
APP='/app'
TEMP='/temp'
UserName=('tangchanggen' 'wuyaxiong' 'lihui' 'wangyifeng' 'yanglongjun' 'liyunfeng' 'xiaoyongan' 'ivandu') #需要添加的用户
#以下内容,批量创建用户。
adduser $USER1 -g root #将用户添加到root组里
echo $PASSWD | passwd payer --stdin #从标准输入流读取密码TTkx1324
passwd $USER1 -x 90 -w 7 #密码的生命周期为90天,到期前7天提示用户修改密码
passwd -e $USER1 #chage -d0 payer #用户首次登陆强制修改密码
echo -e "\033[47;31m The account $USER1 has been created! \033[0m"
for U in ${UserName[@]};
do
adduser $U
echo $PASSWORD | passwd $U --stdin
passwd $U -x 90 -w 7
passwd -e $U
echo -e "\033[47;31m The account $U has been created! \033[0m"
sleep 2
done
在sudoer文件内追加以下内容,看起来是不很凌乱?
echo -e "Runas_Alias OP = root\nCmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp\nCmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount\nCmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable\nCmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/ifconfig, /sbin/mii-tool\nCmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall\nCmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum\nCmnd_Alias LOCATE = /usr/bin/updatedb\nUser_Alias ORDINARY_DEVELOP = ${UserName[0]},${UserName[1]},${UserName[2]},${UserName[3]},${UserName[4]}\nUser_Alias SUDO_DEVELOP = ${UserName[1]}\nUser_Alias NETWORKMANAGER = ${UserName[5]}\nUser_Alias DEVOPS = ${UserName[6]},${UserName[7]}\nORDINARY_DEVELOP $HostName=(OP) NOPASSWD:/sbin/service\nSUDO_DEVELOP $HostName=(OP) NOPASSWD:SERVICES\nNETWORKMANAGER $HostName=(OP) NOPASSWD:NETWORKING\nDEVOPS $HostName=(OP) NOPASSWD:SERVICES,SOFTWARE,STORAGE,DELEGATING,PROCESSES,NETWORKING,LOCATE">>/etc/sudoers
其实打印出来是这样的(这里面的内容一般人仔细一看都能懂的,不解释):
Runas_Alias OP = root Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/ifconfig, /sbin/mii-tool Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum Cmnd_Alias LOCATE = /usr/bin/updatedb User_Alias ORDINARY_DEVELOP = tangchanggen,wuyaxiong,lihui,wangyifeng,yanglongjun User_Alias SUDO_DEVELOP = wuyaxiong User_Alias NETWORKMANAGER = liyunfeng User_Alias DEVOPS = xiaoyongan,ivandu ORDINARY_DEVELOP UserManager=(OP) NOPASSWD:/sbin/service SUDO_DEVELOP UserManager=(OP) NOPASSWD:SERVICES NETWORKMANAGER UserManager=(OP) NOPASSWD:NETWORKING DEVOPS UserManager=(OP) NOPASSWD:SERVICES,SOFTWARE,STORAGE,DELEGATING,PROCESSES,NETWORKING,LOCATE以下这一段代码主要用于ACL权限设置。
if [ -d $APP ] ; then
setfacl -m u:${UserName[1]}:rwx -R $APP #递归设置$APP的ACL权限
elif [ ! -d $APP ] ;
then
mkdir $APP
setfacl -m u:${UserName[1]}:rwx -R $APP
fi
if [ -d $TEMP ] ; then
setfacl -m u:${UserName[1]}:rwx -R $TEMP
elif [ ! -d $TEMP ] ; #不存在目录temp则进行创建
then
mkdir "$TEMP"
setfacl -m u:${UserName[1]}:rwx -R $TEMP
fi
for ACL_Account in ${UserName[0]} ${UserName[1]} ${UserName[2]} ${UserName[3]} ${UserName[4]};
do
setfacl -m u:${ACL_Account}:rwx -R /opt
done
批量删除用户脚本:
#!/bin/bash
USER1='payer'
UserName=('tangchanggen' 'wuyaxiong' 'lihui' 'wangyifeng' 'yanglongjun' 'liyunfeng' 'xiaoyongan' 'ivandu')
echo -e "\033[41;34m These account were deleting now! Please wait! \033[0m"
userdel -r $USER1
echo -e "\033[47;31m The account $USER1 had been deleted! \033[0m"
for U in ${UserName[@]};
do
userdel -r $U
echo -e "\033[47;31m The account $U had been deleted! \033[0m"
done完毕!最后我发现一个问题,/etc/sudoers这个文件是没有写入权限的,但是可以通过>>追加内容,你知道是怎么回事吗?麻烦告诉我一下。完整代码参见我的GitHub:https://github.com/geeklp/Scripts/blob/master/BashShell/UserAdd.sh ,批量删除用户脚本:https://github.com/geeklp/Scripts/blob/master/BashShell/UserDel.sh
