人生在世，看得透，又看得远者prevail everywhere.

gg.gg/13nbnz gg.gg/13p5tj gg.gg/13p9s5 gg.gg/13tljl gg.gg/13xudz gg.gg/13xy3p gg.gg/143tqc linux.die.net linux.it.net.cn ostechnix.com unix.com gg.gg/19yv96 man.linuxde.net gg.gg/148erg bit.ly/2vsM34J bit.ly/2EzoUDo bit.ly/2wCsZSI bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2u2MMtm bit.ly/2X6vadl bit.ly/2viLpHU bit.ly/2fzzbEU linuxprobe.com linuxtechi.com ttlsa.com systutorials.com ghacks.net linuxopsys.com reurl.cc/8W1x3X reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Tuesday 30 June 2020

谈谈sudo

ABCs

sudo allows a permitted user to execute a command as the superuser (by default) or another user (if provided), as specified by a security policy.

Different security policies are supported by a plugin architecutre. The official security plicy is sudoers, configured via the file /etc/sudoers or via LDAP. Third party developers can distribute their own policy to work seamlessly with the sudo front end.

Security policy plugin is configured in the /etc/sudo.conf file.

Installation

[root@host ~]# pacman -S sudo
[root@host ~]# sudo -ll -U username

'sudoers' Syntax

Check the 'SUDOERS FILE FORMAT' section in the man page of suoers(5). Basically, syntax is prescribed with Extented Backus-Naur Form (EBNF). Do not despair if you are unfamiliar with EBNF; it is fairly simple and take the chance to study it.

An EBNF definition looks like:

symbol ::= definition | alternate1 | alternate2

Special characters '?' (optional, 0 or 1), '*' (zero or more), and '+' (one or more) mean the same thing as regular expression. Single quotes denote verbatim character string as opposed to a defined symbol (variable) name. The rest part of EBNF of sudoer is left to yourself.

The sudoers file is composed of two types of entries: alias and user specification. The advantage of alias is to group multiple items together and assign a meaningful label. There exist four kinds of aliases, namely 'User_Alias', 'Runas_Alias', 'Host_Alias' and 'Cmd_Alias'. When there exist only few accounts and hostnames concerned, alias is optional.

When a username is matched by multiple entries, they are applied in order but only the last match takes effect. Let's forget about EBNF and alias part (not the focus of this post), here is the simplified user specification:

USER HOSTNAME = (RUNAS_USER) COMMANDS

USER is the primary key, for which this entry is designated.

It can be a user name (i.e. 'jim'), user ID ('#1000'), group name ('%wheel'), group ID ('%#10') etc.
HOSTNAME defines the location where this user specification takes effect. The sudoers file can be shared among multiple systems.

This field can be hostname, IP address, network range etc.
COMMANDS specifies what commands can be executed.
'(RUNAS_USER)' means to execute COMMANDS as another user account. It is applied to commands followed.

This is an optional field with parentheses. By default, it is root.
The columns are divided into two groups by '=', namely the left side and the right side.

The left side defines the object while the right side defines the actions.
Multiple items within a field is separated by comma.

'ALL', a special field value, matches anything.

For example:

jim localhost = (operator) /bin/ls, (root) /bin/kill, /usr/bin/apg

This entry means on localhost, account jim can run /bin/ls as acount operator; he can also run /bin/kill and /usr/bin/apg as root.

There are also other interesting fields like 'NOPASSWD:', which is left to yourself.

Configuration

To modify configuration files, please use command visudo.
Personally, I'd like to put per-user configuration under /etc/sudoers.d/.

To make the directory loaded, add the #includedir directive in /etc/sudoers. As per the man page, sudo will read each file in /etc/sudoers.d, skipping file names that contain a dot '.' or end in a tilde '~'. Hence, if the username contains a dot, then file '/etc/sudoers.d/username' is probably ignored!

[root@host ~]# visudo -f /etc/sudoers
[root@host ~]# visudo -f /etc/sudoers.d/username
#
gray localhost = (jim) ALL
%wheel ALL  = (root) /bin/iptables

Once finished editting, use the option -c to verify syntax.

[root@host ~]# visudo -c -f /etc/sudoers
[root@host ~]# visudo -c -f /etc/sudoers.d/username

Then check the result:

[root@host ~]# sudo -ll -U username

Run

[username@host ~]$ sudo command
[username@host ~]$ sudo -u another-username command

When to edit a protected file, sudoedit /path/to/file is preferred than sudo vim /path/to/file

------------------

groupadd -g 250 honadmin
useradd -u 252 -g honadmin annie
useradd -u 253 -g honadmin vineesh

root@olds20 [~]# groups annie
annie : honadmin
root@olds20 [~]# id annie
uid=252(annie) gid=250(honadmin) groups=250(honadmin)
root@olds20 [~]# 


ssh -p 3333 USER@SERVER_IP


cagefsctl --list | grep deepak

visudo -f /etc/sudoers.d/hostonnet

%honadmin  ALL=/usr/sbin/exim
%honadmin  ALL=/usr/honcpanel/bin/eximrm
%honadmin  ALL=/usr/bin/uptime
%honadmin  ALL=/sbin/reboot
%honadmin  ALL=/usr/bin/top
%honadmin  ALL=/usr/bin/atop
%honadmin  ALL=/usr/sbin/lvetop
%honadmin  ALL=/usr/sbin/dbtop
%honadmin  ALL=/usr/sbin/csf
%honeadmin ALL=/scripts/suspendacct

from https://github.com/serverok/server-setup/blob/master/ssh_sudo.txt