# User privilege elevation

1. su: log in as an ordinary user, then run su to switch to root. Advantage: simple. Disadvantage: you have to know the root password.
2. sudo: work as an ordinary user and elevate only when root privileges are actually needed. Advantages: safer and more convenient. Disadvantage: more complex to set up.

Shell types and how they run:

- Interactive shell: terminal use; you enter a command and wait for the system to process it and return the result.
- Non-interactive shell: how a script runs; once the user has launched it, no further interaction with the system is needed.
- Login shell: started by logging in with a username and password.
- Non-login shell: not started through a username/password login; running bash from an existing shell gives you a non-login shell.

```bash
[root@qls ~]# yum install -y psmisc
[root@qls ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
        ├─VGAuthService
        ├─agetty
        ├─auditd───{auditd}
        ├─crond
        ├─dbus-daemon
        ├─firewalld───{firewalld}
        ├─master─┬─pickup
        │        └─qmgr
        ├─nginx───nginx
        ├─polkitd───6*[{polkitd}]
        ├─rsyslogd───2*[{rsyslogd}]
        ├─sshd─┬─sshd───bash───pstree
        │      └─sshd───bash───bash
        ├─systemd-journal
        ├─systemd-logind
        ├─systemd-udevd
        ├─tuned───4*[{tuned}]
        └─vmtoolsd───{vmtoolsd}
```

In the pstree output the second SSH session shows `bash───bash`: a bash started from another bash, which is exactly a non-login shell.
## Files that make up a user's working environment

```bash
# Per-user configuration files
/root/.bash_profile
/root/.bashrc
# Global configuration files
/etc/bashrc
/etc/profile
/etc/profile.d/*.sh
```

- profile: environment-variable files; commands or scripts that run when you log in to the system.
- bashrc: local variables and aliases.

Load order. Put an echo on line 2 of each of the five files, so that each file prints its own path when it is read:

```bash
[root@qls ~]# vim .bashrc
[root@qls ~]# vim .bash_profile
[root@qls ~]# vim /etc/bashrc
[root@qls ~]# vim /etc/profile
[root@qls ~]# vim /etc/profile.d/test.sh
```

```bash
# Login shell order
/etc/profile -> /etc/profile.d/*.sh -> .bash_profile -> .bashrc -> /etc/bashrc
# Non-login shell order
.bashrc -> /etc/bashrc -> /etc/profile.d/*.sh
```
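The same load-order check can be reproduced without editing the real rc files. The following is an added example, not part of the original notes: it builds a throwaway HOME in which each per-user rc file appends its own name to a log, then starts a login shell and a non-login interactive shell and reports what each one read. Only ~/.bash_profile and ~/.bashrc are probed because /etc/profile and /etc/bashrc are left untouched; the function name probe_rc_order is my own, and bash is assumed to be installed.

```shell
#!/bin/bash
# Added example, not part of the original notes: repeat the "echo on line 2 of
# every rc file" experiment in a throwaway HOME instead of editing the real files.
# Each fake rc file appends its own name to a log; a login shell and a non-login
# interactive shell are then started and the log shows which files each one read.
# Only the two per-user files are probed here, because the /etc files are left alone.
probe_rc_order() {        # usage: probe_rc_order login|nonlogin  -> file names, in load order
    kind=$1
    home=$(mktemp -d)
    log=$home/rc.log
    for f in .bash_profile .bashrc; do
        printf 'echo %s >> %s\n' "$f" "$log" > "$home/$f"
    done
    # CentOS ships a ~/.bash_profile that sources ~/.bashrc; mimic it so the
    # .bash_profile -> .bashrc chain recorded in the notes is reproduced
    printf '[ -f ~/.bashrc ] && . ~/.bashrc\n' >> "$home/.bash_profile"
    case $kind in
        login)    HOME=$home bash --login -c true >/dev/null 2>&1 ;;
        nonlogin) HOME=$home bash -i -c true >/dev/null 2>&1 ;;   # interactive, not a login shell
        *)        echo "usage: probe_rc_order login|nonlogin" >&2; rm -rf "$home"; return 2 ;;
    esac
    [ -f "$log" ] && cat "$log"
    rm -rf "$home"
}

echo "login shell read:";     probe_rc_order login
echo "non-login shell read:"; probe_rc_order nonlogin
```

A login shell logs `.bash_profile` then `.bashrc`; the non-login interactive shell logs only `.bashrc`, matching the two orders listed above.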
## Elevating with su

```bash
su username       # non-login shell
su - username     # login shell
```

The difference between the two is which configuration files get loaded. Root can switch to an ordinary user without a password; an ordinary user switching to root must enter root's password.

```bash
[root@qls ~]# useradd test10
[root@qls ~]# echo "1" |passwd --stdin test10
Changing password for user test10.
passwd: all authentication tokens updated successfully.
[root@qls ~]# su test10
/etc/bashrc
/etc/profile.d/*.sh
[test10@qls root]$
[test10@qls root]$ pwd
/root
```

`su username` runs only /etc/bashrc and /etc/profile.d/*.sh when switching, and the working directory after the switch is still the home directory of the user you switched from.

```bash
[root@qls ~]# su - test10
Last login: Wed Jul 22 09:09:58 CST 2020 on pts/0
/etc/profile
/etc/profile.d/*.sh
/etc/bashrc
[test10@qls ~]$ pwd
/home/test10
```

`su - username` switches with a login shell. The difference from plain `su` is that /etc/profile is loaded as well, and the working environment changes with the user: you end up in the new user's own home directory.

```bash
[root@qls ~]# su - test10
Last login: Wed Jul 22 09:13:03 CST 2020 on pts/0
[test10@qls ~]$ su -
Password:
Last login: Wed Jul 22 09:13:25 CST 2020 from 10.0.0.1 on pts/2
[root@qls ~]# su - test10
Last login: Wed Jul 22 09:16:33 CST 2020 on pts/0
[test10@qls ~]$ su - root
Password:
Last login: Wed Jul 22 09:16:59 CST 2020 on pts/0
[root@qls ~]#
```
## Elevating with sudo

```bash
# Log audit
[root@qls ~]# grep 'wheel' /etc/group
wheel:x:10:
[root@qls ~]# usermod -aG wheel test10
[root@qls ~]# id test10
uid=1007(test10) gid=1007(test10) groups=1007(test10),10(wheel)
[test10@qls ~]$ sudo -l
[sudo] password for test10:
Matching Defaults entries for test10 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test10 may run the following commands on qls:
    (ALL) ALL
[test10@qls ~]$ sudo tail -f /var/log/messages
Jul 22 09:19:49 qls systemd-logind: Removed session 65.
Jul 22 09:19:56 qls systemd: Created slice User Slice of test10.
Jul 22 09:19:56 qls systemd: Started Session 66 of user test10.
Jul 22 09:19:56 qls systemd-logind: New session 66 of user test10.
Jul 22 09:20:11 qls su: (to root) test10 on pts/2
Jul 22 09:47:08 qls systemd-logind: Removed session 66.
Jul 22 09:47:08 qls systemd: Removed slice User Slice of test10.
Jul 22 09:47:12 qls systemd: Created slice User Slice of test10.
Jul 22 09:47:12 qls systemd: Started Session 67 of user test10.
Jul 22 09:47:12 qls systemd-logind: New session 67 of user test10.
^C
[test10@qls ~]$ rm -rf /opt/
rm: cannot remove ‘/opt/hostname’: Permission denied
rm: cannot remove ‘/opt/hostnamectl’: Permission denied
rm: cannot remove ‘/opt/test_hostname’: Permission denied
rm: cannot remove ‘/opt/test_hostname.txt’: Permission denied
rm: cannot remove ‘/opt/.hostname.log’: Permission denied
rm: cannot remove ‘/opt/HOSTNAMECTL’: Permission denied
rm: cannot remove ‘/opt/user02’: Permission denied
rm: cannot remove ‘/opt/user01’: Permission denied
[test10@qls ~]$ sudo rm -rf /opt/
[test10@qls ~]$ ll /opt
ls: cannot access /opt: No such file or directory
```

Note the `su: (to root) test10 on pts/2` line in /var/log/messages: every switch to root is recorded there, which is the audit trail referred to above.

A `(ALL) ALL` rule is far too much power. To restrict it, rules are written with visudo. By default only root can use sudo; an ordinary user cannot until root grants it.

Give the developer read-only rights:

```bash
[root@qls ~]# visudo          # easy, and it checks the syntax; equivalent to editing the file directly:
[root@qls ~]# vi /etc/sudoers
# Add this line around line 100
test11 ALL=(ALL) /usr/bin/cat,/usr/bin/tail
# user   host  (run-as role)  commands
ALL                            # all commands
/usr/bin/cat                   # a single command
/usr/bin/cat,/usr/bin/tail     # several commands, comma-separated
/usr/bin/*                     # every command in that directory
NOPASSWD:                      # run without a password prompt
test11 ALL=(ALL) NOPASSWD: /usr/bin/tail /var/log/messages   # restrict the command to one file
# Check the syntax
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK
# Test as the ordinary user
[sudo] password for test11:
Matching Defaults entries for test11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on qls:
    (ALL) /usr/bin/cat, /usr/bin/tail
[test11@qls ~]$ tail -f /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
tail: no files remaining
[test11@qls ~]$ sudo tail -f /var/log/messages
Jul 22 09:47:12 qls systemd: Started Session 67 of user test10.
Jul 22 09:47:12 qls systemd-logind: New session 67 of user test10.
Jul 22 09:52:16 qls systemd: Created slice User Slice of test11.
Jul 22 09:52:16 qls systemd: Started Session 68 of user test11.
Jul 22 09:52:16 qls systemd-logind: New session 68 of user test11.
Jul 22 09:57:26 qls systemd-logind: Removed session 68.
Jul 22 09:57:26 qls systemd: Removed slice User Slice of test11.
Jul 22 09:57:35 qls systemd: Created slice User Slice of test11.
Jul 22 09:57:35 qls systemd: Started Session 69 of user test11.
Jul 22 09:57:35 qls systemd-logind: New session 69 of user test11.
^C
[test11@qls ~]$ rm -rf /mnt/
rm: cannot remove ‘/mnt/’: Permission denied
[test11@qls ~]$ sudo rm -rf /mnt/
Sorry, user test11 is not allowed to execute '/bin/rm -rf /mnt/' as root on qls.
```

Run sudo without being prompted for a password:

```bash
[root@qls ~]# visudo
test11 ALL=(ALL) NOPASSWD:/usr/bin/cat,/usr/bin/tail
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK
[test11@qls ~]$ sudo -l
Matching Defaults entries for test11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test11 may run the following commands on qls:
    (ALL) NOPASSWD: /usr/bin/cat, /usr/bin/tail
[test11@qls ~]$
```

Note: when listing the permitted commands, several can be separated by commas; `/usr/bin/*` or `ALL` are also accepted.
## sudo with groups

Two approaches: use sudo's own grouping (aliases), which exist only inside sudo, or use a system group, which is a real group on the host.

Using sudo's own groups (aliases):

```bash
[root@qls ~]# useradd dev01
[root@qls ~]# useradd dev02
[root@qls ~]# echo "1" | passwd --stdin dev01
Changing password for user dev01.
passwd: all authentication tokens updated successfully.
[root@qls ~]# echo "1" | passwd --stdin dev02
Changing password for user dev02.
passwd: all authentication tokens updated successfully.
# User alias (a group of users)
User_Alias DEV = dev01,dev02
# Command alias (a group of commands)
Cmnd_Alias READ = /bin/cat,/bin/head,/bin/tail
# Use the aliases in a rule
DEV ALL=(ALL) NOPASSWD: READ
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK
# Test
[dev01@qls ~]$ sudo -l
Matching Defaults entries for dev01 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev01 may run the following commands on qls:
    (ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail
[dev01@qls ~]$ sudo head -1 /etc/shadow
root:$6$SoTZ3L8.5rI4l25X$WAqOKpP8BwpL/evQNV2RfaJnXn6AZepgQcwUjHTUoDSJz7InZPGUZbanfzCVtLUeSX1q6gbPTiP.vnKIVcW1t0::0:99999:7:::
[dev01@qls ~]$ sudo tail -1 /etc/shadow
dev02:$6$iZSmy0at$iDnyU7dcY1saiseJHT40Qw00.LildePgoG2j3ShODj1s69Z.aVpaj9vvoZLtCcMakQ0BDFdA5Lh3FstbnAKcf1:18465:0:99999:7:::
```

As the last two commands show, even this "read-only" rule lets the developer read /etc/shadow as root: cat, head and tail are not restricted to any particular file.

System group (a real group):

```bash
[root@qls ~]# groupadd dev_group
[root@qls ~]# useradd -g dev_group dev11
[root@qls ~]# useradd -g dev_group dev12
[root@qls ~]# echo "1" | passwd --stdin dev11
Changing password for user dev11.
passwd: all authentication tokens updated successfully.
[root@qls ~]# echo "1" | passwd --stdin dev12
Changing password for user dev12.
passwd: all authentication tokens updated successfully.
[root@qls ~]# visudo
%dev_group ALL=(ALL) NOPASSWD: READ
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK
# Test
[dev11@qls ~]$ sudo -l
Matching Defaults entries for dev11 on qls:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dev11 may run the following commands on qls:
    (ALL) NOPASSWD: /bin/cat, /bin/head, /bin/tail
[dev11@qls ~]$ head -1 /var/log/messages
head: cannot open ‘/var/log/messages’ for reading: Permission denied
[dev11@qls ~]$ sudo head -1 /var/log/messages
Jul 16 04:01:01 qls systemd: Started Session 61 of user root.
[dev11@qls ~]$ sudo tail -1 /var/log/messages
Jul 22 10:54:33 qls systemd-logind: New session 79 of user dev11.
```
## sudo configuration example

Goal: disable root logins over SSH, log in as an ordinary user, and let that user switch to root without a password.

```bash
# Disable root login
[root@qls ~]# ll /etc/ssh/sshd_config
-rw-------. 1 root root 3907 Apr 11  2018 /etc/ssh/sshd_config
[root@qls ~]# grep -i 'rootlogin' /etc/ssh/sshd_config
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
[root@qls ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@qls ~]# sed -i '/^#PermitRootLogin/s#.*#PermitRootLogin no#g' /etc/ssh/sshd_config
[root@qls ~]# grep -i 'rootlogin' /etc/ssh/sshd_config
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@qls ~]# systemctl restart sshd
[root@qls ~]# useradd qiudao
[root@qls ~]# echo "1" | passwd --stdin qiudao
Changing password for user qiudao.
passwd: all authentication tokens updated successfully.
[C:\~]$ ssh qiudao@10.0.0.100
Connecting to 10.0.0.100:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Wed Jul 22 09:47:12 2020 from 10.0.0.1
[qiudao@qls ~]$
[root@qls ~]# visudo
qiudao ALL=(ALL) NOPASSWD: /bin/su
[root@qls ~]# visudo -c
/etc/sudoers: parsed OK
# Test
[qiudao@qls ~]$ sudo su -
Last login: Wed Jul 22 11:08:51 CST 2020 on pts/1
Last failed login: Wed Jul 22 11:09:55 CST 2020 from 10.0.0.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@qls ~]#
```
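Several of the rules in these notes are, in effect, unrestricted root: `(ALL) ALL`, a `/usr/bin/*` wildcard, `NOPASSWD: /bin/su` (a root shell with no password at all, as this last test shows), and the "read-only" cat/head/tail alias, which the group section showed reading /etc/shadow. The following is an added example, not part of the original notes: a small audit over sudoers-style lines that flags exactly those grants and expands Cmnd_Alias entries. The names audit_sudoers and sample_sudoers are my own, and the input file is constructed to mirror the rules used above.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag sudoers grants that the notes
# show to be as good as unrestricted root (ALL, a wildcard directory, a NOPASSWD su,
# and cat/head/tail, which read /etc/shadow as root). Cmnd_Alias entries are expanded;
# Defaults and other alias lines are skipped. Assumes the file already passes visudo -c.
audit_sudoers() {          # usage: audit_sudoers <file>  -> one finding per line
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^Defaults/ || /^(User|Host|Runas)_Alias/ { next }
    /^Cmnd_Alias/ {                               # remember NAME = cmd,cmd,...
        sub(/^Cmnd_Alias[[:space:]]+/, "")
        split($0, kv, /[[:space:]]*=[[:space:]]*/); alias[kv[1]] = kv[2]; next
    }
    {
        who = $1; spec = $0
        sub(/^[^=]*=[[:space:]]*/, "", spec)          # drop "user host="
        sub(/^\([^)]*\)[[:space:]]*/, "", spec)       # drop "(runas)"
        tag = sub(/^NOPASSWD:[[:space:]]*/, "", spec) ? "NOPASSWD " : ""
        n = split(spec, cmds, /[[:space:]]*,[[:space:]]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            if (c in alias) {                         # queue the alias members instead
                m = split(alias[c], more, /[[:space:]]*,[[:space:]]*/)
                for (j = 1; j <= m; j++) cmds[++n] = more[j]
                continue
            }
            why = ""
            if (c == "ALL")                      why = "unrestricted root"
            else if (c ~ /\/\*$/)                why = "every binary under that directory"
            else if (c ~ /\/(su|bash|sh)$/)      why = "spawns a root shell"
            else if (c ~ /\/(cat|head|tail)$/)   why = "reads any file, /etc/shadow included"
            if (why != "") printf "%s: %s%s -> %s\n", who, tag, c, why
        }
    }' "$1"
}
sample_sudoers() {         # constructed input mirroring the rules used in the notes
    f=$(mktemp)
    cat > "$f" <<'EOF'
Defaults    env_reset
Cmnd_Alias  READ = /bin/cat,/bin/head,/bin/tail
test10      ALL=(ALL) ALL
test11      ALL=(ALL) NOPASSWD: /usr/bin/tail /var/log/messages
DEV         ALL=(ALL) NOPASSWD: READ
%dev_group  ALL=(ALL) /usr/bin/*
qiudao      ALL=(ALL) NOPASSWD: /bin/su
EOF
    printf '%s\n' "$f"
}
audit_sudoers "$(sample_sudoers)"
```

The test11 rule is the only one left unflagged, because its tail command is pinned to a single file; on a real host run the function over /etc/sudoers and /etc/sudoers.d/* once `visudo -c` has confirmed they parse.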