Linux-sudo配置

在Linux中，我们使用sudo来命令来减少使用root用户的时间，并且提高安全性，下面就简单讲解下如何配置，主要也是记录，怕自己忘了。

系统环境：

[root@master ~]# cat /etc/redhat-release 

CentOS Linux release 7.3.1611 (Core) 

[root@master ~]# uname  -r

3.10.0-514.26.2.el7.x86_64

配置文件路径：/etc/sudoers

[root@master ~]# vim /etc/sudoers（虽然执行visudo也能进入编辑，但还是推荐使用这种）

 1 ## Sudoers allows particular users to run various commands as

  2 ## the root user, without needing the root password.

  3 ##

  4 ## Examples are provided at the bottom of the file for collections

  5 ## of related commands, which can then be delegated out to particular

  6 ## users or groups.

  7 ## 

  8 ## This file must be edited with the 'visudo' command.

  9 

 10 ## Host Aliases

 11 ## Groups of machines. You may prefer to use hostnames (perhaps using 

 12 ## wildcards for entire domains) or IP addresses instead.

 13 # Host_Alias     FILESERVERS = fs1, fs2

 14 # Host_Alias     MAILSERVERS = smtp, smtp2

 15 

 16 ## User Aliases

 17 ## These aren't often necessary, as you can use regular groups

 18 ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 

 19 ## rather than USERALIAS

 20 # User_Alias ADMINS = jsmith, mikem

 21 

 22 

 23 ## Command Aliases

 24 ## These are groups of related commands...

 25 

 26 ## Networking

 27 # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

 28 

 29 ## Installation and management of software

 30 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

 31 

 32 ## Services

 33 # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status    , /usr/bin/systemctl enable, /usr/bin/systemctl disable

 34 

 35 ## Updating the locate database

 36 # Cmnd_Alias LOCATE = /usr/bin/updatedb

 37 

 38 ## Storage

 39 # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

 40 

 41 ## Delegating permissions

 42 # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

 43 

 44 ## Processes

 45 # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

 46 

 47 ## Drivers

 48 # Cmnd_Alias DRIVERS = /sbin/modprobe

 49 

 50 # Defaults specification

 51 

 52 #

 53 # Refuse to run if unable to disable echo on the tty.

 54 #

 55 Defaults   !visiblepw

 56 

 57 #

 58 # Preserving HOME has security implications since many programs

 59 # use it when searching for configuration files. Note that HOME

 60 # is already set when the the env_reset option is enabled, so

 61 # this option is only effective for configurations where either

 62 # env_reset is disabled or HOME is present in the env_keep list.

 63 #

 64 Defaults    always_set_home

 65 

 66 Defaults    env_reset

 67 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

 68 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

 69 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

 70 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

 71 Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

 72 

 73 #

 74 # Adding HOME to env_keep may enable a user to run unrestricted

 75 # commands via sudo.

 76 #

 77 # Defaults   env_keep += "HOME"

 78 

 79 Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

 80 

 81 ## Next comes the main part: which users can run what software on 

 82 ## which machines (the sudoers file can be shared between multiple

 83 ## systems).

 84 ## Syntax:

 85 ##

 86 ##      user    MACHINE=COMMANDS

 87 ##

 88 ## The COMMANDS section may have other options added to it.

 89 ##

 90 ## Allow root to run any commands anywhere 

 91 root    ALL=(ALL)       ALL

 92 wxh-docker ALL=(root)   /usr/bin/systemctl

 93 

 94 ## Allows members of the 'sys' group to run networking, software, 

 95 ## service management apps and more.

 96 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

 97 

 98 ## Allows people in group wheel to run all commands

 99 %wheel  ALL=(ALL)       ALL

100 

101 ## Same thing without a password

102 # %wheel        ALL=(ALL)       NOPASSWD: ALL

103 

104 ## Allows members of the users group to mount and unmount the 

105 ## cdrom as root

106 # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

107 

108 ## Allows members of the users group to shutdown this system

109 # %users  localhost=/sbin/shutdown -h now

110 

111 ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

112 #includedir /etc/sudoers.d

讲解：

其实这个配置文件的核心就是一个命令格式：

用户  来源主机IP/域名=（授权用户）   命令

组    来源主机IP/域名=（授权用户）   命令

以上这些都可以在文件开头定义别名，讲一组用户/IP/命令等整合成一个

 91 root    ALL=(ALL)       ALL

 92 wxh-docker ALL=(root)   /usr/bin/systemctl

以第91和92行为例，第91行是默认存在的，第92行是我添加的

这行的意思是：允许wxh-docker这个用户在任意位置（不限源IP）连接到这台主机上并且可以以root的身份运行systemctl命令

      本文转自1清风揽月1  51CTO博客，原文链接：http://blog.51cto.com/watchmen/1952460，如需转载请自行联系原作者