该/etc/sudoers文件的权限管理很完善,覆盖了linux中的各种命令,各种shell、编辑器等等,在此留作以后作为参考。

# This file MUST be edited with the 'visudo' command as root.

#

# Modification History

# -- CH10258614 Global Compliance changes with new Include lists

# This file MUST be edited with the 'visudo' command as root.

#

# See the sudoers man page for the details on how to write a sudoers file.

#

# Defaults specification

#Sets up the sudo log file.

#>> This isn't required, per documentation 'default' is to log via syslog

#>> which is certainly fine. This item was left in, as much as anything,

#>> to serve as a reminder that some 'per account ' customization is

#>> permitted, and may even be very important based on customer requirements.

Defaults logfile=/var/log/sudo.log

#>> The 'NA sudoers standard template' below content comes from

#>> https://ibm.biz/NAsudoTemplates

#>> entry: 201_NArevStandAliases_NA

#>> with customizations of:

#>> Eliminating change control information (most comments 'may' be removed,

#>> but do NOT eliminate the Begin / End comments).

#>> Eliminated 'sample' #include lines, which cause syntax errors.

#>> Commented out: # Defaults!IBM_SHELLESCAPE_ALL noexec

#>> as, for this example, the commercial customer has not approved

#>> this entry. Note: IBM Internal customers must accept this entry.

#>>

# Begin NA sudoers standard template Ver .1NA Date -- * Master * Refer NA14211028 Begin #

# Description Standard sudoers template

#

# Version control

# [ deleted version control data for conciseness, for details see pRAM ]

#------------------------------------------------------------------------------

# Sudo implementation team instruction:

# This special template is NOT to be # included. Instead, this template

# has content which must, for functional purposes, be 'spread over' the

# entire span of the /etc/sudoers file. For instance, the

# Defaults env_file=/etc/sudo.env

# line should be 'early' in the file, while the line:

# ALL ALL=!SUDOSUDO

# needs to be after the last 'additive' sudo entry to ensure all sudo entries

# are appropriately protected.

#

#------------------------------------------------------------------------------

# Defaults

#------------------------------------------------------------------------------

#

# The following entries are required if you allow users to run

# smit / smitty on AIX:

#

# For sudo 1.7. and up, include the following entries in the

# /etc/sudo.env file:

# SMIT_SHELL=n

# SMIT_SEMI_COLON=n

# SMIT_QUOTE=n

# and define sudo environment file within /etc/sudoers (or included

# file) via:

# Note: if you are using a sudo level older than 1.7. on AIX,

# contact 'Sudo Deployment AG/Hartford/IBM,' for guidance.

#

Defaults env_file=/etc/sudo.env # Includes the sudo environment file

#

#

#-----------------------------------------------------------------------------

#

# The following entry is only required if you are using a secondary logging

# method which cannot capture commands issued in shell outs.

# This will help ensure that commands with shell outs are

# appropriately controled:

#

Defaults!IBM_SHELLESCAPE_ALL noexec

### Account notes: This commercial customer has not approved this entry, and

### thus this entry has been commented out.

# CAUTION: This affects all entries; ensure your customer is aware this is being

# added on first implementation, and appropriate testing is done.

#

#-----------------------------------------------------------------------------

# User Aliases

#-----------------------------------------------------------------------------

# Add ant 'in line' User_Alias here.

#

#-----------------------------------------------------------------------------

# Host Aliases

#-----------------------------------------------------------------------------

# Add any 'in line' Host_Alias here.

#

#

#-----------------------------------------------------------------------------

# Required Command Aliases

#-----------------------------------------------------------------------------

#

# sudo

#

Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo

#

# Fully qualified commands not present on the server are not required to be in this list.

# Commands on this list that do not exist on the servers have no impact.

# Add any local paths.

#

# Forbidden commands: Commands only system admin might be permitted.

#

Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, \

/bin/bash2bug, /usr/bin/bash2bug, \

/usr/bin/chuser *root*, /usr/bin/mkuser, \

/usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, \

/usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, \

/usr/bin/view *sudo*, /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, \

/usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, \

/usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, \

/usr/bin/vi /etc/security/passwd*, \

/bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, \

/bin/vi /etc/security/passwd*, \

/bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \

/usr/sbin/sam, \

/usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, \

/usr/bin/hostname, /usr/sbin/chdev *hostname*, \

/usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, \

/bin/chmod * /root/*, /bin/chmod * /*, \

/bin/chown * /etc/*, /bin/chown * /etc/security/*, \

/bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, \

/bin/chown * /usr/local/sbin/visudo, \

/bin/time *, /usr/bin/time *

# If you remove anything you need to provide documentation,rationale and

# secondary controls if required; if an alternative -technical- control

# is in place, document.

# Commands not present on the server are not required to be in this list.

# Commands on this list that do not exist on the servers have no impact.

# It is permissible to hard code these to the exact directory structure where

# the commands are present on the system if installed in a different location.

#

# su commands

#

Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, \

/bin/su, /bin/su root

# if you remove anything you need to provide documentation,rationale and

# secondary controls if required; if an alternative -technical- control is

# in place, document.

# Commands not present on the server are not required to be in this list.

# Commands on this list that do not exist on the servers have no impact.

#

# Shells

#

Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, \

/bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, \

/bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , \

/bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , \

/bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, \

/bin/pfcsh, /usr/bin/pfcsh , \

/bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, \

/bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, \

/bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, \

/bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , \

/usr/shell, /usr/bin/shell, \

/bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, \

/bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, \

/usr/opt/freeware/bin/tclsh8.4, \

/bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , \

/bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, \

/bin/wish8.4, /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, \

/usr/opt/freeware/bin/wish8.4, \

/bin/wishx, /usr/bin/wishx, \

/bin/zsh, /usr/bin/zsh

# Shells not present on the server are not required to be in this list.

# Shells on this list that do not exist on the servers have no impact.

# Add any local shells.

#

# Shell Escapes

#

Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, \

/usr/bin/bash2bug, /usr/bin/bashbug, \

/usr/bin/find * -exec *, /usr/bin/find * -ok *, \

/bin/find * -exec *, /bin/find * -ok *, \

/usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \

/bin/find * -execdir *, /bin/find * -okdir *, \

/bin/ftp, /usr/bin/ftp, \

/bin/ex, /usr/bin/ex, /usr/bin/less, /usr/bin/more, /bin/pg, /usr/bin/pg, \

/usr/bin/vi, /bin/vi, /bin/ex, /bin/view, /bin/gvim, /bin/gview, /bin/evim, \

/bin/eview, /bin/vimdiff, /bin/vim, /usr/bin/vim, /usr/bin/ex, \

/usr/bin/view, /usr/bin/gvim, \

/usr/bin/gview, /usr/bin/evim, /usr/bin/eview, /usr/bin/vimdiff, \

/bin/more

# Commands not present on the server are not required to be in this list.

# Commands on this list that do not exist on the servers have no impact.

# Add any local commands.

#

#

# Disallowed editors

#

Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, \

/bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, /usr/bin/vim, \

/usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, \

/bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi

#

# Commands not present on the server are not required to be in this list.

# Commands on this list that do not exist on the servers have no impact.

# Add any local commands.

#--------------------------------------------------------------------------------

#

# IBM SA command Aliases

#

Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, \

/bin/su - root

# This Cmnd_Alias can only be used if secondary logging are in place on the server.

#

#

## END 'top' part of 201_NArevStandAliases_NA

#>> The 'NA System Admin' below content comes from

#>> https://ibm.biz/NAsudoTemplates

#>> entry: 201_SystemAdmin_NA

#>> with the only customization being to set to the 'local' group used by the

#>> SA team:

#>> User_Alias IBM_SA_BAU = %uss

#>>

## Begin NA System Admin Ver 1.2.2 Date 2014-07-15 * Master * Refer NA1001415501 Begin #

# Description

# Software products and versions

# Supported OS platforms : All Unix/Linux variants.

# This sudo profile is the 'typical' system admin sudo entry

# where secondary logging is in use. This entry is only to

# be used where secondary logging 'like' the methods

# documented on: https://ibm.biz/NAsudo2log

# are in use. Implementing team is responsible to ensure

# logging methodology works in their environment. If secondary

# logging is not in use, then the SA team must request an

# 'account-level'override exception.

#

# Self serve access considerations are 'Not applicable' for this template

#

#

# Use of this IBM approved standard template must follow NA

# Sudo deployment requirements.

# Local adjustments, excepting the Host_Alias (For any needed

# segregation of hosts) and User_Alias (to identify the local

# group name in use) for specific customer environments

# must be approved by 'Sudo Deployment AG/Hartford/IBM'

#

#

# Version control

# V1.0 - highc@us.ibm.com - new template

# V1.1 - highc - add IBM_SA_AIXSMIT materials to allow for system

# system admins to use smit with appropriate logging.

# V1.2 - highc - based on v7.1 of standard aliases https://ibm.biz/GsudoStdAlias

# being released,remove 'EXEC: smit' type lines.

# Be certain to include the SMIT_SHELL=n materials from

# v7.1 of the standard aliases on AIX systems.

# V1.2.1 - highc- fix syntax/line continuation error.

# V1.2.2 - highc- adjust user alias to better conform to global standard.

#

# BEGIN the Middleware templates relevant for the server

#include /etc/sudoers.d/010_STD_NEG_GLB

#include /etc/sudoers.d/010_STD_SA_GLB

#include /etc/sudoers.d/102_AWS_GLB

#include /etc/sudoers.d/108_ORACLE_GLB

#include /etc/sudoers.d/113_TEM_GLB

#include /etc/sudoers.d/118_TSM_GLB

#include /etc/sudoers.d/120_WAS_GLB

#include /etc/sudoers.d/123_AE_GLB

#include /etc/sudoers.d/205_ITIMEPAIGANA_LINUX_NA

#include /etc/sudoers.d/217_TADDMDISC_NA

#include /etc/sudoers.d/228_DGNAE_NA

#include /etc/sudoers.d/237_DB2_NA

#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_CPE_ADJ

#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_EPRICER_ADJ

#include /etc/sudoers.d/413_TEM_NA_IGA_AHE_ADJ

#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_CPE_ADJ

#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_EPRICER_ADJ

#include /etc/sudoers.d/460_SAMETIME_NA_IGA_LCL

#include /etc/sudoers.d/461_NUS_W_SSLINUX_NA_IGA_LCL

#include /etc/sudoers.d/461_ODCSISS_NA_IGA_LCL

#include /etc/sudoers.d/462_MKT_NA_IGA_LCL

#include /etc/sudoers.d/476_LDAP_DB2_IGA_NA_LCL

#include /etc/sudoers.d/481_NESSUS_NA_IGA_LCL

#include /etc/sudoers.d/489_AvocentDSView_NA_IGA_AHE_LCL

# END the Middleware templates relevant for the server

#include /etc/sudoers.d/241_CHANGEMANAE_NA

# Start of CUSTOMER SECTION -------------------------------------------------

####

#>> Customer specific items have been removed from sample, but

#>> this would be any of your current content which are sudo entries

#>> for your customers.

####

# End of CUSTOMER SECTION -----------------------------------------------------

## Start of 'bottom' part of 201_NArevStandAliases_NA

#------------------------------------------------------------------------------

#

#

User_Alias ITIMADM5 = %itimadm

ITIMADM5 ALL=NOPASSWD: /bin/cat, /bin/chmod, /bin/cp, /bin/kill, /bin/ls, \

/usr/bin/chage, /bin/ed, /usr/bin/ed, /usr/bin/faillog, /usr/bin/groups, \

/usr/bin/passwd, /usr/bin/tee, /usr/sbin/groupadd, /usr/sbin/groupdel, \

/usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod

Host_Alias LINUX101TO199HOSTLIST = `bhusprv024.bhprod.ibm.com`

User_Alias LINUXV6GRPS = %#101,%#102,%#103,%#103,%#104,%#105,%#106,%#107,%#108,%#109, \

%#110,%#111,%#112,%#113,%#113,%#114,%#115,%#116,%#117,%#118,%#119, \

%#120,%#121,%#122,%#123,%#123,%#124,%#125,%#126,%#127,%#128,%#129, \

%#130,%#131,%#132,%#133,%#133,%#134,%#135,%#136,%#137,%#138,%#139, \

%#140,%#141,%#142,%#143,%#143,%#144,%#145,%#146,%#147,%#148,%#149, \

%#150,%#151,%#152,%#153,%#153,%#154,%#155,%#156,%#157,%#158,%#159, \

%#160,%#161,%#162,%#163,%#163,%#164,%#165,%#166,%#167,%#168,%#169, \

%#170,%#171,%#172,%#173,%#173,%#174,%#175,%#176,%#177,%#178,%#179, \

%#180,%#181,%#182,%#183,%#183,%#184,%#185,%#186,%#187,%#188,%#189, \

%#190,%#191,%#192,%#193,%#193,%#194,%#195,%#196,%#197,%#198,%#199

LINUXV6GRPS LINUX101TO199HOSTLIST = (nobody) /bin/df

#

#Temp sudo access

ghkong ALL=(ALL) ALL

dfcosta0 ALL=(ALL) NOPASSWD:ALL

# The following line must be after the last 'additive' line in this file, only

# 'negations' and comments should follow this:

#

ALL ALL=!SUDOSUDO

#

# End NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 End #

old

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## This file must be edited with the 'visudo' command.

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias     FILESERVERS = fs1, fs2

# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage

# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#

# Refuse to run if unable to disable echo on the tty.

#

Defaults   !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults    always_set_home

Defaults    match_group_by_gid

# Prior to version 1.8., groups listed in sudoers that were not

# found in the system group database were passed to the group

# plugin, if any. Starting with 1.8., only groups of the form

# %:group are resolved via the group plugin by default.

# We enable always_query_group_plugin to restore old behavior.

# Disable this option for new behavior.

Defaults    always_query_group_plugin

Defaults    env_reset

Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

##      user    MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

%wheel  ALL=(ALL)       ALL

## Same thing without a password

# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)

#includedir /etc/sudoers.d

Defaults env_file=/etc/sudo.env  # Includes the sudo environment file

Defaults        !requiretty,authenticate,set_home

Defaults        tty_tickets,!root_sudo,umask=,ignore_dot,timestamp_timeout=

Defaults        syslog=auth

Defaults        logfile=/var/log/sudo.log

Defaults:tdiuser !requiretty

Defaults:uatagnt !requiretty

alias   SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo

Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *,   /bin/bash2bug, /usr/bin/bash2bug,   /usr/bin/chuser *root*, /usr/bin/mkuser, \

  /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*,   /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*,   /usr/bin/view *sudo*, \

  /usr/bin/cp *sudo*, /usr/bin/mv *sudo*,   /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*,  \

  /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*,   /usr/bin/vi /etc/security/passwd*, \

  /bin/view /etc/security/passwd*,   /bin/vim /etc/security/passwd*,  /bin/vi /etc/security/passwd*, \

  /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \

  /usr/sbin/sam,   /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command,   /usr/bin/hostname, /usr/sbin/chdev *hostname*, \

  /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*,   /bin/chmod * /root/*, /bin/chmod * /*,   /bin/chown * /etc/*, \

  /bin/chown * /etc/security/*,   /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo,   /bin/chown * /usr/local/sbin/visudo,   \

  /bin/time *, /usr/bin/time *

Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, /bin/su, /bin/su root

Cmnd_Alias  IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root,    /bin/su - root

Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash,   /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash,  \

  /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 ,   /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh ,   \

  /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93,  /bin/pfcsh, /usr/bin/pfcsh ,   /bin/pfksh, /usr/bin/pfksh, \

  /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh,   /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh,   /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh,\

  /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh ,   /usr/shell, /usr/bin/shell,   /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, \

  /usr/opt/freeware/bin/tclsh,   /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4,   /usr/opt/freeware/bin/tclsh8.4,   /bin/tcsh, \

  /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh ,   /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish,   /bin/wish8.4, \

  /usr/bin/wish8.4, /opt/freeware/bin/wish8.4,  /usr/opt/freeware/bin/wish8.4,   /bin/wishx, /usr/bin/wishx,   /bin/zsh, /usr/bin/zsh

Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed,   /usr/bin/bash2bug, /usr/bin/bashbug, \

  /usr/bin/find * -exec *,  /usr/bin/find * -ok *,   /bin/find * -exec *,      /bin/find * -ok *,   /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \

  /bin/find * -execdir *,     /bin/find * -okdir *,   /usr/bin/ftp, /bin/ftp,    /usr/bin/ex, /bin/ex,  /usr/bin/less, \

  /usr/bin/more, /bin/more, /usr/bin/pg, /bin/pg,   /usr/bin/vi, /bin/vi, /bin/view, /usr/bin/view,    /usr/bin/gview, /bin/gview, /usr/bin/eview, \

  /bin/eview,   /usr/bin/evim, /bin/evim, /usr/bin/gvim, /bin/gvim,   /usr/bin/vimdiff, /bin/vimdiff,    /usr/bin/vim, /bin/vim,    /usr/sbin/format

Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi,   /bin/vim, /bin/rvim, /bin/gvim, /bin/evim, /bin/emacs, /bin/ed,   /usr/bin/vi, /usr/bin/tvi,   \

  /usr/bin/vim, /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs,   /usr/bin/ed, /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi

Defaults: !IBM_SHELLESCAPE_ALL noexec

Cmnd_Alias   IBM_CAT_NEG  =     !/bin/cat /* *,!/bin/cat * /* *,!/bin/cat *..*,  !/bin/cat *./*

Cmnd_Alias   IBM_CHGRP_NEG =     !/bin/chgrp * /* *,!/bin/chgrp *..*,!/bin/chgrp *./*

Cmnd_Alias   IBM_CHMOD_NEG =      !/bin/chmod * /* *, !/bin/chmod *..*,!/bin/chmod *./*

Cmnd_Alias   IBM_CHOWN_NEG =     !/bin/chown * /* *,!/bin/chown *..*, !/bin/chown *./*

Cmnd_Alias   IBM_COMPRESS_NEG =     !/usr/bin/compress /* *,!/usr/bin/compress * /* *,!/usr/bin/compress *..*, !/usr/bin/compress *./*

Cmnd_Alias   IBM_CP_NEG =     !/bin/cp /* /* *, !/bin/cp * /* /* *, !/bin/cp *..*, !/bin/cp *./*

Cmnd_Alias   IBM_DIFF_NEG =     !/usr/bin/diff /* /* *,!/usr/bin/diff * /* /* *, !/usr/bin/diff *..*, !/usr/bin/diff *./*

Cmnd_Alias   IBM_FIND_NEG =     !/usr/bin/find * -exec *, !/usr/bin/find * -ok *, !/usr/bin/find *..*,     !/usr/bin/find * -execdir *, !/usr/bin/find * -okdir *

Cmnd_Alias   IBM_GUNZIP_NEG =     !/usr/bin/gunzip /* *,!/usr/bin/gunzip -* /* *,!/usr/bin/gunzip *..*, !/usr/bin/gunzip *./*

Cmnd_Alias   IBM_GZIP_NEG =     !/usr/bin/gzip /* *,!/usr/bin/gzip -* /* *,!/usr/bin/gzip *..*, !/usr/bin/gzip *./*

Cmnd_Alias   IBM_HEAD_NEG = !/usr/bin/head  /* *,!/usr/bin/head * /* *,!/usr/bin/head *..*, !/usr/bin/head *./*

        # Authorization of head is discouraged.  Instead, authorize the

        # the team to 'cat', team can then run 'sudo cat /tmp/specified file | head {any flags they need}'

        # While discouraged, negation is effective when head is authorized

Cmnd_Alias   IBM_LN_NEG =     !/bin/ln /* /* *, !/bin/ln -* /* /* *, !/bin/ln *..*, !/bin/ln *./*

Cmnd_Alias   IBM_LS_NEG =             !/bin/ls /* *, !/bin/ls -* /* *, !/bin/ls *..*, !/bin/ls *./*

Cmnd_Alias   IBM_MKDIR_NEG =     !/bin/mkdir /* *,!/bin/mkdir * /* *, !/bin/mkdir *..*, !/bin/mkdir *./*

Cmnd_Alias   IBM_MOUNT_NEG =     !/bin/mount /* *,!/bin/mount * /* *,!/bin/mount *..*, !/bin/mount *./* , !/usr/sbin/mount /* *, \

  !/usr/sbin/mount * /* *,!/usr/sbin/mount *..*, !/usr/sbin/mount *./*

    # Caution:  we have only coded a negation for the 'single directory/device' version of the mount command;

    #           if you need to 'permit' the 'two directory/device' version of the command, it will have to be

    #           with a different negation, and if this negation is used, must be specified AFTER use of this

    #           this negation or the use of IBM_NEG_ALL as this negation will block the two * version.

Cmnd_Alias   IBM_MV_NEG =     !/bin/mv /* /* *,!/bin/mv * /* /* *, !/bin/mv *..*, !/bin/mv *./*

Cmnd_Alias   IBM_RM_NEG =     !/bin/rm /* *,!/bin/rm * /* *, !/bin/rm *..*, !/bin/rm *./*

Cmnd_Alias   IBM_RMDIR_NEG =     !/bin/rmdir /* *,!/bin/rmdir * /* *,!/bin/rmdir *..*,!/bin/rmdir *./*

Cmnd_Alias   IBM_TAIL_NEG =     !/usr/bin/tail /* *,!/usr/bin/tail -* /* *,!/usr/bin/tail *..*,  !/usr/bin/tail *./*

        # authorization of tail 'except for' tail -f is discouraged.  Instead, authorize the

        # the team to 'cat', team can then run 'sudo cat /tmp/specified file | tail {any flags they need}'

        # While discouraged, negation is effective for when tail is authorized to be issued with no flags.

Cmnd_Alias   IBM_TAR_NEG =     !/bin/tar /* /* *,!/bin/tar * /* /* *, !/bin/tar *..*, !/bin/tar *./*

Cmnd_Alias   IBM_TOUCH_NEG =    !/bin/touch /* *, !/bin/touch * /* *, !/bin/touch *..*, !/bin/touch *./* # will block some complex parms such as "-r"

        #Note: PO will need to create custom negation if flags such as -r must be 'allowed for'.

Cmnd_Alias   IBM_UMOUNT_NEG =     !/bin/umount  /* *,!/bin/umount * /* *,!/bin/umount *..*, !/bin/umount *./*, !/usr/sbin/umount /* *, \

  !/usr/sbin/umount * /* *,!/usr/sbin/umount *..*, !/usr/sbin/umount *./*

Cmnd_Alias   IBM_UNCOMPRESS_NEG =     !/usr/bin/uncompress /* *,!/usr/bin/uncompress * /* *,!/usr/bin/uncompress *..*, !/usr/bin/uncompress *./*

Cmnd_Alias   IBM_ZCAT_NEG =     !/bin/zcat /* *, !/bin/zcat *..*, !/bin/zcat *./*

Cmnd_Alias   IBM_ALL_NEG =     IBM_CAT_NEG, IBM_CHGRP_NEG, IBM_CHMOD_NEG, IBM_CHOWN_NEG, IBM_COMPRESS_NEG, IBM_CP_NEG, IBM_DIFF_NEG, IBM_FIND_NEG, \

  IBM_GUNZIP_NEG, IBM_GZIP_NEG, IBM_HEAD_NEG, IBM_LS_NEG, IBM_LN_NEG, IBM_MKDIR_NEG,     IBM_MOUNT_NEG, IBM_MV_NEG, IBM_RM_NEG, IBM_RMDIR_NEG, \

  IBM_TAIL_NEG,     IBM_TAR_NEG, IBM_TOUCH_NEG, IBM_UMOUNT_NEG, IBM_UNCOMPRESS_NEG,IBM_ZCAT_NEG

User_Alias      IBM_SA_BAU = %wheel

Host_Alias      IBM_SA_HOSTS = ALL # Use ALL or indicate

IBM_SA_BAU  IBM_SA_HOSTS = ALL

User_Alias IBM_LIN_UAT_TOOL_BAU = %uatgroup

Host_Alias IBM_LIN_UAT_HOSTS = ALL

Cmnd_Alias IBM_LIN_UAT_BAU_CMDS = /bin/cat /etc/local/etc/sudoers, /bin/cat /etc/local/sudoers, /bin/cat /etc/shadow, \

  /bin/cat /etc/ssh/sshd_config, /bin/cat /etc/sudoers, /bin/cat /syslocal/config/common/sudo/etc/sudoers, \

  /bin/cat /var/log/messages, /bin/cat /var/log/sudo.log, /bin/cat /var/log/secure, /usr/bin/cat /etc/local/etc/sudoers, /usr/bin/cat /etc/local/sudoers, \

  /usr/bin/cat /etc/shadow, /usr/bin/cat /etc/ssh/sshd_config, /usr/bin/cat /etc/sudoers, /usr/bin/cat /syslocal/config/common/sudo/etc/sudoers, \

  /usr/bin/cat /var/log/messages, /usr/bin/cat /var/log/sudo.log, /usr/bin/cat /var/log/secure, /usr/bin/who, \

  /bin/who, /usr/bin/chage, /usr/bin/chmod [0-7][0-7][0145] /home/*, /bin/chmod [0-7][0-7][0145] /home/*, !/bin/chmod [1-7][0-7][0-7][0-7] /home/*, \

  !/usr/bin/chmod [1-7][0-7][0-7][0-7] /home/*, /usr/bin/faillog, /usr/bin/gpasswd, /usr/bin/ls, \

  /bin/ls, /usr/bin/passwd, /usr/sbin/chpasswd, /usr/sbin/faillog, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /sbin/groupmod, \

  /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/rm -rf /home/*, \

  /bin/rm -rf /home/*, /usr/bin/rm -r /home/*, /bin/rm -r /home/*, /usr/bin/rm /home/*, \

  /bin/rm /home/*, /usr/local/bin/uatscripts/uatoracle.sh, /usr/local/bin/uatscripts/uatdb2.sh, \

  /usr/local/bin/uatscripts/uatsap.sh, /usr/local/bin/uatscripts/uathyperion.sh, /usr/bin/find, /bin/find

IBM_LIN_UAT_TOOL_BAU IBM_LIN_UAT_HOSTS = (root) NOPASSWD: IBM_LIN_UAT_BAU_CMDS,IBM_CHMOD_NEG, IBM_FIND_NEG,IBM_RM_NEG

Defaults:%uatgroup !requiretty

%aseanuid ALL = NOPASSWD:\

        /usr/sbin/useradd *, /usr/sbin/userdel *, /usr/sbin/usermod *, \

        /usr/bin/chage *, /usr/bin/passwd *, /usr/bin/gpasswd *, /sbin/pam_tally2 *, \

        /usr/bin/faillog *

%hc ALL = NOPASSWD:\

        /bin/cat *, /bin/zcat *, /usr/bin/tail *, /usr/bin/head *, /bin/grep *, \

        /usr/bin/last *, /usr/bin/who *, /bin/ls *, /usr/bin/find *,/usr/bin/ssh-keygen *, /bin/tar *,\

        /bin/more *, /usr/bin/less * , NOEXEC:IBM_SHELLESCAPE_ALL

%lnxadm ALL=ALL,!IBM_NONE_SA,!IBM_SHELLS_ALL,/usr/bin/su -, NOEXEC: IBM_SHELLESCAPE_ALL

ALL ALL=!SUDOSUDO

new

refer:https://support.nagios.com/forum/viewtopic.php?f=6&t=43772&start=10

sudoers权限管理的更多相关文章

  1. CentOS用户权限管理--su与sudo

    Linux权限管理--su与sudo 1.su用来切换登录的用户,比如当前用户为chen,可以用su zhu,并输入用户zhu的登录密码,就可以切换到用户zhu.如果一个普通用户想切换到root用户, ...

  2. linux 学习8 权限管理

    第八章 权限管理 8.1 ACL权限 8.2 文件特殊权限 8.3 文件系统属性chattr权限 8.4 系统命令sudo权限 8.1 ACL权限 ACL权限简介与开启 查看与设定ACL权限 最大有效 ...

  3. (大数据工程师学习路径)第一步 Linux 基础入门----用户及文件权限管理

    用户及文件权限管理 实验介绍 1.Linux 中创建.删除用户,及用户组等操作. 2.Linux 中的文件权限设置. 一.Linux 用户管理 Linux 是一个可以实现多用户登陆的操作系统,比如“李 ...

  4. Linux系列教程(十七)——Linux权限管理之文件系统系统属性chattr权限和sudo命令

    上篇博客我们介绍了权限管理的ACL权限,通过设定 ACL 权限,我们为某个用户指定某个文件的特定权限.这篇博客我们将介绍权限管理中用的比较多的两个命令 chattr 和 sudo . 1.设定文件系统 ...

  5. inux权限管理(1)

    1.linux系统文件普通权限 2.文件所属主的设置,组的指定 3.特殊权限 4.acl权限 5.su命令及其注意事项和sudo权限 6.权限管理的注意点 0.首先,在linux下用户账户是分角色的, ...

  6. git远程仓库创建及权限管理(一)单个项目

    最近接手公司git权限管理,既然负责此事个人觉得应该深入学习下,不仅为当前工作也为进一步发展.网上查找了一番,找到了完整的教程,所以这里不再一步一步描述,具体链接已给出,本文只对操作过程中遇到的问题的 ...

  7. Linux 服务器用户权限管理改造方案与实施项目

    Linux 服务器用户权限管理改造方案与实施项目 在了解公司业务流程后,提出权限整改方案改进公司超级权限root泛滥的现状. 我首先撰写方案后,给boss看,取得boss的支持后,召集大家开会讨论. ...

  8. 【linux命令】权限管理命令(chattr、lsattr、sudo)

    目录 chattr lsattr sudo 一.chattr命令 chattr命令用来修改文件系统的权限属性,只有 root 用户可以使用,建立凌驾于 rwx 基础权限之上的授权. PS:chattr ...

  9. Linux的用户与用户组(权限管理)

    linux用户与用户.权限管理 用户管理: 1.useradd 创建用户 -c 指定用户描述 -d 指定家目录 默认家目录 /home下同名的目录 -g 指定主组 -G 指定附加组 [注意:一个用户主 ...

随机推荐

  1. 使用putty连接Ubuntu虚拟机,使用ssh方式访问

    1 前言 Ubuntu14.04版本是可以直接连接的,没想到新装的Ubuntu18.04竟然没有默认安装ssh. 则安装一下open-ssh-server就可以的. 2 步骤 2.1 更新一下源 命令 ...

  2. mysql 的crud操作(增删改查)

    1.mysql添加记录 --添加记录的语法(可添加单条记录或者多条记录),INTO是可以省略的,字段名也可以省略的,但是如果省略的话,后面对应的value的值就要全部填写 INSERT [INTO] ...

  3. Python内置模块之subprocess

    import subprocess ret = subprocess.Popen('netstat -ano',shell=True,stdout=subprocess.PIPE,stderr=sub ...

  4. docker部署项目 <三>

    使用docker运行一个控制台项目,新建一个控制台测试项目 一.安装mono,直接在网易镜像中心找下载路径 docker pull hub.c..com/library/mono:latest 二.安 ...

  5. Java Spring Boot VS .NetCore (一)来一个简单的 Hello World

    系列文章 Java Spring Boot VS .NetCore (一)来一个简单的 Hello World Java Spring Boot VS .NetCore (二)实现一个过滤器Filte ...

  6. IDEA 使用笔记

    IDEA 关闭默认打开上一个项目 File | Settings | Appearance & Behavior | System Settings=> Reopen last proj ...

  7. ssh-copy-id Permission denied (publickey,gssapi-keyex,gssapi-with-mic). 的解决方案

    -bash-4.2# ssh-copy-id 192.168.9.180 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new k ...

  8. webpack配置antd的按需加载

    安装babel-plugin-import插件.下面方法二选一,都可以实现antd的按需加载. 一.配置webpack.config.js文件 { test: /.jsx?$/, exclude: / ...

  9. css常用布局

    1.一列布局 html: <div class="header"></div> <div class="body">< ...

  10. CentOS下安装yum源的流程和操作

    一般公司都用Linux来搭建服务器,Linux安装软件时能够用yum安装依赖包是一件非常简单而幸福的事情,因为你只需一个简单的安装命令yum install []即可安装相应的软件,yum工具会自动的 ...