1、linux系统中sudo服务使得普通用户能够执行较高权限的命令
使用sudo -l 命令 查看是否具有sudo权限:
[root@linuxprobe test]# ls
[root@linuxprobe test]# whoami
root
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:00:37 CST 2020 from 192.168.3.4 on pts/2
[liujiaxin01@linuxprobe ~]$ sudo -l ## 查看是否具有sudo权限
[sudo] password for liujiaxin01:
Sorry, user liujiaxin01 may not run sudo on linuxprobe.
2、如何赋予sudo权限
[liujiaxin01@linuxprobe ~]$ exit
logout
[root@linuxprobe test]# whoami
root
[root@linuxprobe test]# visudo ## 修改sudo配置文件
## 在 "root ALL=(ALL) ALL"语句下添加如下语句(见下图),保存,然后退出,操作同vim编辑器
liujiaxin01 ALL=(ALL) ALL
3、查看添加效果
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:12:50 CST 2020 on pts/0
[liujiaxin01@linuxprobe ~]$ whoami
liujiaxin01
[liujiaxin01@linuxprobe ~]$ sudo -l ## 查看sudo权限
[sudo] password for liujiaxin01:
Matching Defaults entries for liujiaxin01 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User liujiaxin01 may run the following commands on this host:
(ALL) ALL
[liujiaxin01@linuxprobe ~]$ useradd liujiaxin05 ## 测试普通用户创建新用户
-bash: /usr/sbin/useradd: Permission denied
[liujiaxin01@linuxprobe ~]$ sudo useradd liujiaxin05 ## 加 sudo 使用,可以创建新用户
[liujiaxin01@linuxprobe ~]$ tail -n 5 /etc/passwd
tcpdump:x:72:72::/:/sbin/nologin
linuxprobe:x:1000:1000:linuxprobe:/home/linuxprobe:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
liujiaxin01:x:1001:1001::/home/liujiaxin01:/bin/bash
liujiaxin05:x:1002:1002::/home/liujiaxin05:/bin/bash
4、如何移除sudo权限
[liujiaxin01@linuxprobe ~]$ exit
logout
[root@linuxprobe test]# whoami
root
[root@linuxprobe test]# visudo ## 编辑sudo配置文件,注释掉或者删除用户sudo权限(下图注释掉)
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:20:34 CST 2020 on pts/0
[liujiaxin01@linuxprobe ~]$ whoami
liujiaxin01
[liujiaxin01@linuxprobe ~]$ sudo -l
[sudo] password for liujiaxin01:
Sorry, user liujiaxin01 may not run sudo on linuxprobe.
5、如何赋予用户部分权限
## 测试未赋予权限前cat命令, /etc/shadow 存储用户密码的哈希值,只有root可以使用cat查看
[root@linuxprobe test]# ls
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:26:51 CST 2020 on pts/0
[liujiaxin01@linuxprobe ~]$ whoami
liujiaxin01
[liujiaxin01@linuxprobe ~]$ sudo -l
[sudo] password for liujiaxin01:
Sorry, user liujiaxin01 may not run sudo on linuxprobe.
[liujiaxin01@linuxprobe ~]$ cat /etc/shadow ## 普通用户没有权限
cat: /etc/shadow: Permission denied
## 测试赋予普通用户部分命令超级权限
[liujiaxin01@linuxprobe ~]$ exit
logout
[root@linuxprobe test]# whoami
root
[root@linuxprobe test]# whereis cat ## 查看命令位置
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz /usr/share/man/man1p/cat.1p.gz
[root@linuxprobe test]#
[root@linuxprobe test]# visudo ## 编辑 sudo权限配置文件,在"root ALL=(ALL) ALL"下添加
liujiaxin01 ALL=(ALL) /usr/bin/cat ## 见下图
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:30:54 CST 2020 on pts/0
[liujiaxin01@linuxprobe ~]$ whoami
liujiaxin01
[liujiaxin01@linuxprobe ~]$ sudo -l ## 查看sudo权限
[sudo] password for liujiaxin01:
Matching Defaults entries for liujiaxin01 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User liujiaxin01 may run the following commands on this host:
(ALL) /usr/bin/cat
[liujiaxin01@linuxprobe ~]$ cat /etc/shadow ## 普通用户不能查看
cat: /etc/shadow: Permission denied
[liujiaxin01@linuxprobe ~]$ sudo cat /etc/shadow | head -n 5 ## 加sudo权限查看前5行
root:$6$IBEi.cy6$jVDcYM9yAlrcfbkzusxvt2mTNXbbajsx6TaZ7m7HHeADpm5m5BoznmgtkFdEo28JkWJ6uD6p2SNpWvFy0zQ/k1:18554:0:99999:7:::
bin:*:16141:0:99999:7:::
daemon:*:16141:0:99999:7:::
adm:*:16141:0:99999:7:::
lp:*:16141:0:99999:7:::
注:移除用户部分权限只需在sudo配置文件中删除添加行或者注释掉。另外要注意,这条规则并不限制cat的参数,因此该用户可以以root身份读取系统上的任意文件(如上例中的 /etc/shadow),授权时应只放开真正需要的命令和参数。
6、加NOPASSWD选项,执行sudo命令无需输入普通用户密码
[root@linuxprobe test]# whoami
root
[root@linuxprobe test]# visudo ## 修改sudo配置文件,在该用户规则的命令部分前加 NOPASSWD: ,即 (root) NOPASSWD: /usr/bin/cat(见下图)
[root@linuxprobe test]# su - liujiaxin01
Last login: Wed Oct 21 17:36:23 CST 2020 on pts/0
[liujiaxin01@linuxprobe ~]$ whoami
liujiaxin01
[liujiaxin01@linuxprobe ~]$ sudo -l
Matching Defaults entries for liujiaxin01 on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User liujiaxin01 may run the following commands on this host:
(root) NOPASSWD: /usr/bin/cat
[liujiaxin01@linuxprobe ~]$ sudo cat /etc/shadow | head -n 3
root:$6$IBEi.cy6$jVDcYM9yAlrcfbkzusxvt2mTNXbbajsx6TaZ7m7HHeADpm5m5BoznmgtkFdEo28JkWJ6uD6p2SNpWvFy0zQ/k1:18554:0:99999:7:::
bin:*:16141:0:99999:7:::
daemon:*:16141:0:99999:7:::