/etc/sudoer

## Sudoers allows particular users to run various commands as

## the root user, without needing the root password.

##

## Examples are provided at the bottom of the file for collections

## of related commands, which can then be delegated out to particular

## users or groups.

##

## This file must be edited with the 'visudo' command.

## Host Aliases

## Groups of machines. You may prefer to use hostnames (perhaps using

## wildcards for entire domains) or IP addresses instead.

# Host_Alias     FILESERVERS = fs1, fs2

# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases

## These aren't often necessary, as you can use regular groups

## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname

## rather than USERALIAS

# User_Alias ADMINS = jsmith, mikem

## Command Aliases

## These are groups of related commands...

## Networking

# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software

# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services

# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database

# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage

# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions

# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes

# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers

# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#

# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.

#         You have to run "ssh -t hostname sudo <cmd>".

#

Defaults    requiretty

#

# Refuse to run if unable to disable echo on the tty. This setting should also be

# changed in order to be able to use sudo without a tty. See requiretty above.

#

Defaults   !visiblepw

#

# Preserving HOME has security implications since many programs

# use it when searching for configuration files. Note that HOME

# is already set when the the env_reset option is enabled, so

# this option is only effective for configurations where either

# env_reset is disabled or HOME is present in the env_keep list.

#

Defaults    always_set_home

Defaults    env_reset

Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#

# Adding HOME to env_keep may enable a user to run unrestricted

# commands via sudo.

#

# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on

## which machines (the sudoers file can be shared between multiple

## systems).

## Syntax:

##

## 	user	MACHINE=COMMANDS

##

## The COMMANDS section may have other options added to it.

##

## Allow root to run any commands anywhere

root	ALL=(ALL) 	ALL

## Allows members of the 'sys' group to run networking, software,

## service management apps and more.

# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands

# %wheel	ALL=(ALL)	ALL

## Same thing without a password

# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the

## cdrom as root

# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system

# %users  localhost=/sbin/shutdown -h now

#includedir /etc/sudoers.d

examples

Below are example sudoers entries. Admittedly, some of these are a bit contrived. First, we allow a few environment variables to pass and then define our aliases:

# Run X applications through sudo; HOME is used to find the

# .Xauthority file.  Note that other programs use HOME to find

# configuration files and this may lead to privilege escalation!

Defaults env_keep += "DISPLAY HOME"

# User alias specification

User_Alias	FULLTIMERS = millert, mikef, dowdy

User_Alias	PARTTIMERS = bostley, jwfox, crawl

User_Alias	WEBMASTERS = will, wendy, wim

# Runas alias specification

Runas_Alias	OP = root, operator

Runas_Alias	DB = oracle, sybase

Runas_Alias	ADMINGRP = adm, oper

# Host alias specification

Host_Alias	SPARC = bigtime, eclipse, moet, anchor :\

		SGI = grolsch, dandelion, black :\

		ALPHA = widget, thalamus, foobar :\

		HPPA = boa, nag, python

Host_Alias	CUNETS = 128.138.0.0/255.255.0.0

Host_Alias	CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0

Host_Alias	SERVERS = master, mail, www, ns

Host_Alias	CDROM = orion, perseus, hercules

# Cmnd alias specification

Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\

			/usr/sbin/restore, /usr/sbin/rrestore,\

			sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \

			/home/operator/bin/start_backups

Cmnd_Alias	KILL = /usr/bin/kill

Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm

Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown

Cmnd_Alias	HALT = /usr/sbin/halt

Cmnd_Alias	REBOOT = /usr/sbin/reboot

Cmnd_Alias	SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\

			 /usr/local/bin/tcsh, /usr/bin/rsh,\

			 /usr/local/bin/zsh

Cmnd_Alias	SU = /usr/bin/su

Cmnd_Alias	PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

Here we override some of the compiled in default values. We want sudo to log via syslog(3) using the auth facility in all cases. We don't want to subject the full time staff to the sudo lecture, user millert need not give a password, and we don't want to reset the LOGNAME, USER or USERNAME environment variables when running commands as root. Additionally, on the machines in the SERVERS Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less). Note that this will not effectively constrain users with sudo ALL privileges.

# Override built-in defaults

Defaults		syslog=auth

Defaults>root		!set_logname

Defaults:FULLTIMERS	!lecture

Defaults:millert	!authenticate

Defaults@SERVERS	log_year, logfile=/var/log/sudo.log

Defaults!PAGERS		noexec

The User specification is the part that actually determines who may run what.

root		ALL = (ALL) ALL

%wheel		ALL = (ALL) ALL

We let root and any user in group wheel run any command on any host as any user.

FULLTIMERS	ALL = NOPASSWD: ALL

Full time sysadmins (millert, mikef, and dowdy) may run any command on any host without authenticating themselves.

PARTTIMERS	ALL = ALL

Part time sysadmins bostley, jwfox, and crawl) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag).

jack		CSNETS = ALL

The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in CSNETS, the local machine's netmask will be used during matching.

lisa		CUNETS = ALL

The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).

operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\

		sudoedit /etc/printcap, /usr/oper/bin/

The operator user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory /usr/oper/bin/. Note that one command in the DUMPS Cmnd_Alias includes a sha224 digest, /home/operator/bin/start_backups. This is because the directory containing the script is writable by the operator user. If the script is modified (resulting in a digest mismatch) it will no longer be possible to run it via sudo.

joe		ALL = /usr/bin/su operator

The user joe may only su(1) to operator.

pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

 %opers		ALL = (: ADMINGRP) /usr/sbin/

Users in the opers group may run commands in /usr/sbin/ as themselves with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

The user pete is allowed to change anyone's password except for root on the HPPA machines. Note that this assumes passwd(1) does not take multiple user names on the command line.

bob		SPARC = (OP) ALL : SGI = (OP) ALL

The user bob may run anything on the SPARC and SGI machines as any user listed in the OP Runas_Alias (root and operator.)

jim		+biglab = ALL

The user jim may run any command on machines in the biglab netgroup. sudo knows that “biglab” is a netgroup due to the ‘+’ prefix.

+secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the secretaries netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands on all machines.

fred		ALL = (DB) NOPASSWD: ALL

The user fred can run commands as any user in the DB Runas_Alias (oracle or sybase) without giving a password.

john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but he is not allowed to specify any options to the su(1) command.

jen		ALL, !SERVERS = ALL

The user jen may run any command on any machine except for those in the SERVERS Host_Alias (master, mail, www and ns).

jill		SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in the directory /usr/bin/ except for those commands belonging to the SU and SHELLS Cmnd_Aliases. While not specifically mentioned in the rule, the commands in the PAGERS Cmnd_Alias all reside in /usr/bin and have the noexec option set.

steve		CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory /usr/local/op_commands/ but only as user operator.

matt		valkyrie = KILL

On his personal workstation, valkyrie, matt needs to be able to kill hung processes.

WEBMASTERS	www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply su(1) to www.

ALL		CDROM = NOPASSWD: /sbin/umount /CDROM,\

		/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for


User_name Machine_name=(Effective_user) command

授权用户 主机=[(切换到哪些用户或用户组)] [是否需要密码验证] 命令1,[(切换到哪些用户或用户组)] [是否需要密码验证] [命令2],[(切换到哪些用户或用户组)] [是否需要密码验证] [命令3]......

/etc/sudoers.d/access

%app     ALL = (ALL) NOPASSWD: ALL, !/bin/su

%op      ALL = (ALL) NOPASSWD: ALL, !/bin/su

#查看当前用户sudo权限

sudo -l

http://www.blogjava.net/iLinux/archive/2011/12/08/365889.html

http://www.tecmint.com/su-vs-sudo-and-how-to-configure-sudo-in-linux/

sudoer解释的更多相关文章

  1. ZIP压缩算法详细分析及解压实例解释

    最近自己实现了一个ZIP压缩数据的解压程序,觉得有必要把ZIP压缩格式进行一下详细总结,数据压缩是一门通信原理和计算机科学都会涉及到的学科,在通信原理中,一般称为信源编码,在计算机科学里,一般称为数据 ...

  2. 说说BPM数据表和日志表中几个状态字段的详细解释

    有个客户说需要根据这些字段的值作为判断条件做一些定制化需求,所以需要知道这些字段的名词解释,以及里面存储的值具体代表什么意思 我只好为你们整理奉上这些了! Open Work Sheet  0 Sav ...

  3. 【完全开源】知乎日报UWP版:项目结构说明、关键源代码解释

    目录 说明 项目结构 关键代码 演示视频 说明 上一篇博客将源码放出来了,但是并没有做过多的介绍,所以如果自己硬看可能需要花费很长的时间,尤其这些代码并不是自己写的.项目不算复杂但是也不算简单,这篇文 ...

  4. nodejs、npm、grunt——名词解释

    最近着手开发一个新项目,打算从工程化的角度整理一套自己的前端开发.发布体系. grunt这些工具,之前别人用我也用,并没有认真想过它们的前世今生,正好趁着这个机会,我来理一理目前业界比较流行这些工具的 ...

  5. HTTP各状态码解释

      状态码 含义 100 客户端应当继续发送请求.这个临时响应是用来通知客户端它的部分请求已经被服务器接收,且仍未被拒绝.客户端应当继续发送请求的剩余部分,或者如果请求已经完成,忽略这个响应.服务器必 ...

  6. JavaScript中‘this’关键词的优雅解释

    本文转载自:众成翻译 译者:MinweiShen 链接:http://www.zcfy.cc/article/901 原文:https://rainsoft.io/gentle-explanation ...

  7. XML简介与CDATA解释

    简介XML 是一种受到广泛支持的 Internet 标准,用于以一种特殊的方式编码结构化数据.实际上,以 XML 编码的数据可以通过任何编程语言解码,人们甚至可以使用标准的文本编辑器来阅读或编写 XM ...

  8. free-简单明了解释清楚怎么看内存使用

    free命令可以用来查看系统内存使用情况.我一般习惯-m参数以MB的方式查看 [root@localhost ~]# free -m total used free shared buffers ca ...

  9. .htaccess语法之RewriteCond与RewriteRule指令格式详细解释

    htaccess语法之RewriteCond与RewriteRule指令格式详细解释 (2012-11-09 18:09:08) 转载▼ 标签:  htaccess it 分类: 网络 上文htacc ...

随机推荐

  1. Jenkins的Pipeline脚本在美团餐饮SaaS中的实践(转)

    一.背景 在日常开发中,我们经常会有发布需求,而且还会遇到各种环境,比如:线上环境(Online),模拟环境(Staging),开发环境(Dev)等.最简单的就是手动构建.上传服务器,但这种方式太过于 ...

  2. C语言中typedef的解释_1

    typedef是在计算机编程语言中用来为复杂的声明定义简单的别名,它与宏定义有些差异. 它本身是一种存储类的关键字,与auto.extern.mutable.static.register等关键字不能 ...

  3. Python十大应用领域与就业方向

    参考链接:https://baijiahao.baidu.com/s?id=1604847283884842928&wfr=spider&for=pc 正文: 近些年,编程语言Pyth ...

  4. day18 约束 异常

    1. 类的约束 方案一:抛出异常,子类必须重写父类方法,否则会报错 class Base: def login(self): #强制xxx做XXX事 raise NotImplementedError ...

  5. jenkins出现的问题

    1.增加服务器时 要修改时,,需要设置 2:出现这个问题是 执行了npm install node-sass

  6. linux查找重复文件

    >/dev/ >/dev/null|grep 02a42c7a845094a8904f7b3faf686b81 uniq -d, --repeated only print duplica ...

  7. jdk的环境配置

    今天在网上找了关于jdk配置的教程,发现比较繁琐,因此更新下jdk的简单配置教程 注意:jdk的安装必须正确,绝对不允许将jdk和jdr安装在同一层目录!!(建议在java目录下新建jdk和jdr目录 ...

  8. Python数据可视化--matplotlib

    抽象化|具体化: 如盒形图 | 现实中的图 功能性|装饰性:没有装饰和渲染 | 包含艺术性美学上的装饰 深度表达|浅度表达:深入层次的研究探索数据 | 易于理解的,直观的表示 多维度|单一维度:数据的 ...

  9. math.random()方法的使用

    一:导言 以前总是被数字的范围正则搞的头大,在此总结了一下 二:用法 Math.random()函数返回0和1之间的伪随机数,可能为0,但总是小于1,[0,1) 生成n-m,包含n但不包含m的整数: ...

  10. ORA-1000的问题 Cursor 过多 (文档 ID 18591.1)

      #查看用户cursor的使用情况 col sid for a9999999999 col osuser for a20 col machine for a20 col num_curs for a ...