• Linux 禁止普通用户su到root

    Linux账户权限管理上为了防止普通用户通过su切换到root用户,需要修改/etc/pam.d/su和/etc/login.defs两个配置文件。

    Step1:修改 /etc/pam.d/su文件

    [root@ess ~]# vi /etc/pam.d/su
    #%PAM-1.0
    auth sufficient pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required pam_wheel.so use_uid   //取消该行前的注释
    auth substack system-auth
    auth include postlogin
    account sufficient pam_succeed_if.so uid = 0 use_uid quiet
    account include system-auth
    "/etc/pam.d/su" 14L, 540C
    #%PAM-1.0
    auth sufficient pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth sufficient pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth required pam_wheel.so use_uid
    auth substack system-auth
    auth include postlogin
    account sufficient pam_succeed_if.so uid = 0 use_uid quiet
    account include system-auth
    password include system-auth
    session include system-auth
    session include postlogin
    session optional pam_xauth.so

    Step2:修改/etc/login.defs,末尾追加SU_WHEEL_ONLY yes

    #
    # If defined, this command is run when removing a user.
    # It should remove any at/cron/print jobs etc. owned by
    # the user to be removed (passed as the first argument).
    #
    #USERDEL_CMD /usr/sbin/userdel_local

    #
    # If useradd should create home directories for users by default
    # On RH systems, we do. This option is overridden with the -m flag on
    # useradd command line.
    #
    CREATE_HOME yes

    # The permission mask is initialized to this value. If not specified,
    # the permission mask will be initialized to 022.
    UMASK 077

    # This enables userdel to remove user groups if no members exist.
    #
    USERGROUPS_ENAB yes

    # Use SHA512 to encrypt password.
    ENCRYPT_METHOD SHA512
    SU_WHEEL_ONLY yes

    Step3:使用普通账户登录系统进行su测试

    [tom@ess ~]$ su -
    密码:
    su: 拒绝权限
    [tom@ess ~]$

    说明:其他需要有权限root的用户需要添加至wheel组中,如下图:

    [root@ess ~]# usermod -G wheel networking

    [root@ess ~]# id networking
    uid=1001(networking) gid=1001(networking) 组=1001(networking),10(wheel)
    [root@ess ~]#
  • 相关阅读:
    [OpenJudge] 反正切函数的应用 (枚举)(数学)
    [OpenJudge] 摘花生 (模拟)
    [OpenJudge] 宇航员(模拟)
    [OpenJudge] 显示器(模拟)
    背包问题
    BFS_最短路径
    链表
    网站
    网站
    洛谷_递归整理
  • 原文地址:https://www.cnblogs.com/networking/p/10341093.html
Copyright © 2020-2023  润新知