一、sudo授权工具
授权工具;能够实现把有限的管理操作授权给某普通用户;且还能限定其仅能够在某些主机上执行此类的命令;操作过程还会被记录与日志中;以便于日后审计。
1、定义sudo授权;保存/etc/sudoers
visudo:编辑sudoers命令
格式:who which_host=(whom) command
添加删除用户
[root@localhost ~]# visudo jerry ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel [root@localhost ~]# su - jerry [jerry@localhost ~]$ sudo useradd tom [sudo] password for jerry: [jerry@localhost ~]$ tail -1 /etc/passwd tom:x:503:503::/home/tom:/bin/bash [jerry@localhost ~]$ sudo userdel tom [jerry@localhost ~]$ tail -1 /etc/passwd jerry:x:502:502::/home/jerry:/bin/bash [jerry@localhost ~]$ #测试可以删除添加账户
别名:
Host_Alias FILESERVERS = fs1, fs2 #主机别名 User_Alias ADMINS = jsmith, mikem #用户别名 Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig...#命令别名 [root@localhost ~]# visudo ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel USERADMIN ALL=(root) USERCMND [root@localhost ~]# su - jerry [sudo] password for jerry: useradd: warning: the home directory already exists. Not copying any file from skel directory into it. Creating mailbox file: File exists [jerry@localhost ~]$ [root@localhost ~]# su - tom [tom@localhost ~]$ sudo userdel -r jerry [sudo] password for tom: [tom@localhost ~]$ tail -3 /etc/passwd mockbuild:x:500:500::/home/mockbuild:/bin/bash soul:x:501:501::/home/soul:/bin/bash tom:x:503:503::/home/tom:/bin/bash [tom@localhost ~]$
命令取反
[root@localhost ~]# visudo #includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/ usr/bin/passwd root #命令取反 USERADMIN ALL=(root) USERCMND [root@localhost ~]# su - jerry [jerry@localhost ~]$ sudo passwd tom [sudo] password for jerry: Changing password for user tom. New password: BAD PASSWORD: it is WAY too short BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully. [jerry@localhost ~]$ sudo passwd root Sorry, user jerry is not allowed to execute ‘/usr/bin/passwd root‘ as root on localhost.localdomain. [jerry@localhost ~]$
以哪些身份执行以及密码控制
[root@localhost ~]# visudo ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root Runas_Alias ADMIN = root #已哪些身份运行 soul ALL=(ALL) ALL USERADMIN ALL=(ADMIN) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,#前面的不需要输入密码 PASSWD: /usr/bin/passwd,!/usr/bin/passwd root #这几个需要输入密码 [root@localhost ~]# su - jerry [jerry@localhost ~]$ sudo useradd tom2 [jerry@localhost ~]$ sudo passwd tom2 [sudo] password for jerry: Changing password for user tom2. New password: BAD PASSWORD: it is WAY too short BAD PASSWORD: is too simple Retype new password: passwd: all authentication tokens updated successfully. [jerry@localhost ~]$
让普通用户执行管理员所有的命令
[root@localhost ~]# useradd -g wheel soul [root@localhost ~]# id soul uid=501(soul) gid=501(soul) groups=501(soul),10(wheel) ## Allows members of the ‘sys‘ group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL %wheel ALL=(ALL) ALL #该组用户可以执行所有权限 ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL %wheel ALL=(ALL) NOPASSWD: ALL #执行时无需输入密码 [soul@localhost ~]$ sudo useradd tom useradd: warning: the home directory already exists. Not copying any file from skel directory into it. Creating mailbox file: File exists [soul@localhost ~]$ sudo userdel tom [soul@localhost ~]$
2、常用选项
-V | 显示版本编号 |
-h | 会显示版本编号及指令的使用方式说明 |
-l | 显示出自己(执行sudo的使用者)的权限 |
-v | 因为sudo在第一次执行时或是在N分钟内没有执行(N预设为五)会询问密码;这个参数是重新做一次确认;如果超过N分钟;也会问密码 |
-k |
强迫使用者在下一次执行sudo时询问密码(不论有没有超过N分钟) |
-b | 将要执行的指令放在后台执行 |
二、tcp_wrapper(tcp包装器)基于主机的访问控制
tcp工作于tcp/ip协议栈中的tcp的协议上;守护进程tcpd。
配置文件:/etc/hosts.allow; /etc/hosts.deny
1、并非所有服务均能由tcp_wrapper控制
2、判断某服务程序是否能够由tcp_wrapper控制
动态编译:
ldd命令检测其是否链接至libwrap库上即可
libwrap.so.0 => /lib64/libwrap.so.0
静态编译:
strings /path/to/program如果有以下内容
hosts.allow
hosts.deny
配置文件语法格式:daemon_list:client_list [:options]
deamon_list:
应用程序名称;
应用程序列表;多个以逗号分隔;
ALL:匹配所有进程
1、hosts.allow;如果被允许;直接放行
2、hosts.deny;如果被匹配;则禁止访问
3、二者都无匹配;则默认放行
[:options]
在allow文件中使用deny选项:在allow文件中定义拒绝规则
在deny文件中使用allow选项:在deny文件中定义允许规则
[root@localhost ~]# vim /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # #详细可以man See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘ # for information on rule syntax. # See ‘man tcpd‘ for information on tcp_wrappers # vsftpd : 172.16.254.28 #放行这台机器; [root@localhost ~]# vim /etc/hosts.deny # # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a ‘deny‘ option instead. # # 详细可以man See ‘man 5 hosts_options‘ and ‘man 5 hosts_access‘ # for information on rule syntax. # See ‘man tcpd‘ for information on tcp_wrappers # vsftpd: ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log #拒绝未Allow的所有主机;并对访问服务的机器记入日志 #spawn:发起一条命令 [root@dns ~]# lftp 172.16.251.85/pub Interrupt [root@dns ~]# lftp 172.16.251.85/pub Interrupt [root@dns ~]# [root@localhost ~]# tail /var/log/deny.log Mon Mar 31 22:50:18 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 22:50:48 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 22:57:58 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 22:58:43 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 22:59:50 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 23:00:31 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 23:00:44 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85 Mon Mar 31 23:01:14 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
内置的Macro
client_list
ALL
KNOWN
UNKOWN
PARANOID
daemon_list:ALL
EXCEPT:可以用于client和daemon之中;起到排除功能
三、pam模块
1、认证模块和配置文件存放位置
[root@localhost ~]# ls /lib64/security/ pam_access.so pam_faillock.so pam_localuser.so pam_rootok.so pam_tty_audit.so pam_cap.so pam_filter pam_loginuid.so pam_securetty.so pam_umask.so pam_chroot.so pam_filter.so pam_mail.so pam_selinux_permit.so pam_unix_acct.so pam_ck_connector.so pam_fprintd.so pam_mkhomedir.so pam_selinux.so pam_unix_auth.so pam_console.so pam_ftp.so pam_motd.so pam_sepermit.so pam_unix_passwd.so pam_cracklib.so pam_gnome_keyring.so pam_namespace.so pam_shells.so pam_unix_session.so pam_debug.so pam_group.so pam_nologin.so pam_smbpass.so pam_unix.so pam_deny.so pam_issue.so pam_passwdqc.so pam_stress.so pam_userdb.so pam_echo.so pam_keyinit.so pam_permit.so pam_succeed_if.so pam_warn.so pam_env.so pam_lastlog.so pam_postgresok.so pam_tally2.so pam_wheel.so pam_exec.so pam_limits.so pam_pwhistory.so pam_time.so pam_winbind.so pam_faildelay.so pam_listfile.so pam_rhosts.so pam_timestamp.so pam_xauth.so [root@localhost ~]# [root@localhost ~]# ls /etc/pam.d/ atd fingerprint-auth passwd setup system-auth authconfig fingerprint-auth-ac password-auth smartcard-auth system-auth-ac authconfig-gtk gdm password-auth-ac smartcard-auth-ac system-config-authentication authconfig-tui gdm-autologin polkit-1 smtp system-config-date chfn gdm-fingerprint poweroff smtp.postfix system-config-kdump chsh gdm-password ppp sshd system-config-keyboard config-util gnome-screensaver reboot ssh-keycat system-config-network crond halt remote su system-config-network-cmd cups login run_init sudo system-config-users cvs newrole runuser sudo-i xserver eject other runuser-l su-l [root@localhost ~]#
格式:/etc/pam.d/service
type control module-path [module-arguments]
TYPE: 栈;每项可以有多条 | |
account | 跟认证无关的账号检测机制;例如账号是否过期等 |
auth | 认证和授权 |
password | 用户在修改密码是要完成的检测 |
session | 建立会话前/后需要做一些侦测机制;例如有没有足够的内存等 |
control:在某个模块认证成功或失败时应该采取的行为;分为简单类型的control和复杂类型control
简单类型的control | |
substack | 与include相同,也是调用一个新的配置文件进行验证; |
required | 过滤不通过;仍需检测同一个栈中的其他模块;最后返回failure;认证失败;拥有参考其他模块意见基础之上的一票否决权 |
requisite | 一票否决;过滤不通过;立即返回failure;后续的不用再检查; |
sufficient | 一票通过;过滤条件通过;立即返回OK;后续无需检查 |
optional | 可选模块; |
include | 包含其他指定的配置文件中同名栈中的规则;并对此进行检测; |
2、模块
模块是由模块路径和模块的参数组成的。可以使用绝对路径和相对路径;参数是用来定义和调整模块的工作行为的。/etc/pam.d/*
pam_unix | 传统意义上的账号密码的认证方式{nullok|shadow|md5} |
pam_permit | 允许访问 |
pam_deny | 拒绝访问;other文件为其他每一个服务中栈提供默认策略 |
pam_cracklib |
在用户更改密码是限定密码策略的; |
pam_shells | 检查用户登录时的安全shells;远程是需要更改的是sshd配置文件 |
pam_securetty | 限定管理员只能通过安全tty登录;/etc/securetty文件中包含的 |
pam_listfile | 限定listfile文件中的用户可以登录; |
pam_rootok | 如果是root;su到其他用户不需要输入密码;wheel组中的也可以无需密码 |
pam_succeed_if | 指定条件的符合;su到其他用户也无需密码 |
pam_limits | /etc/security/limits.conf|limits.d/*;{hard|soft}/{nofile|nproc} |
3、例子
pam_shells [Linux85]#useradd -s /bin/cshgentoo [Linux85]#passwd gentoo [Linux85]#vim /etc/shells /bin/sh /bin/bash /sbin/nologin /bin/dash /bin/tcsh #暂时去掉csh [Linux85]#vim sshd #%PAM-1.0 auth required pam_shells.so #添加一行 auth required pam_sepermit.so #测试 [Linux86]#ssh gentoo@172.16.251.85 gentoo@172.16.251.85‘s password: Permission denied, please try again.
pam_securetty [Linux85]#cat /etc/securetty console tty1 tty2 tty3.... [Linux85]#cp /etc/securetty /etc/securetty.bak [Linux85]#vim /etc/securetty #仅留下面两项 console tty1 tty2 [Linux85]#vim sshd #%PAM-1.0 auth required pam_shells.so auth required pam_securetty.so #启用这项ssh无法登陆 [Linux86]#ssh root@172.16.251.85 root@172.16.251.85‘s password: Permission denied, please try again. #此时测试只有tty1/tty2可以在终端登陆
pam_listfile itme={tty|user|rhost|ruser|group|shell} sense={allow|deny} file=/path/to/filename onerr={succeed|fail} [apply=[user|@group]] [quiet] [Linux85]#groupadd soul [Linux85]#vim sshd #%PAM-1.0 auth required pam_listfile.so item=group sense=allow file=/etc/allowgroup #测试 [Linux85]#useradd -G soul centos [Linux85]#passwd centos [Linux86]#ssh gentoo@172.16.251.85 gentoo@172.16.251.85‘s password: Permission denied, please try again [Linux86]#ssh centos@172.16.251.85 centos@172.16.251.85‘s password: Permission denied, please try again. centos@172.16.251.85‘s password: Last login: Sun Apr 6 10:15:46 2014 from 172.16.254.28 [centos@soul ~]$
pam_rootok [Linux85]#vim su #%PAM-1.0 #auth sufficient pam_rootok.so 注释这项 [Linux85]#su - gentoo Password: [gentoo@soul ~]$ [Linux85]#vim su #%PAM-1.0 auth sufficient pam_rootok.so #定义root用户su到其他用户是否需要密码 auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #定义uid=500的用户可以不用密码su到其他用户 # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid #组中的用户可以执行root权限 # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid auth include system-auth account sufficient pam_succeed_if.so uid = 0 use_uid quiet #uid = N的用户su到其他用户也是无需密码的;前面的type需要更改为认证auth # # #[Linux85]#vim su #%PAM-1.0 #auth sufficient pam_rootok.so #注释后root也需要密码 auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #uid=500的用户不需要密码 # Uncomment the following line to implicitly trust users in the "wheel" group. auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid # #测试 [Linux85]#id gentoo uid=500(gentoo) gid=500(gentoo) groups=500(gentoo) [Linux85]#su - gentoo #root用户su到gentoo Password: [gentoo@soul ~]$ su - root #gentoo用户su到root [root@soul ~]# whoami root #测试正常
pam_limits /etc/security/limits.d/* | /etc/security/limits.conf [Linux85]#vim /etc/security/limits.conf # /etc/security/limits.conf #<domain> <type> <item> <value> # #Where: #<domain> can be: # - an user name # - a group name, with @group syntax # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, # for maxlogin limit #<type> can have the two values: # - "soft" for enforcing the soft limits # - "hard" for enforcing hard limits #<item> can be one of the following: 常用几项 # - core - limits the core file size (KB) **核心文件大小 # - data - max data size (KB) 数据大小;进程访问内存数据段 # - fsize - maximum filesize (KB) # - memlock - max locked-in-memory address space (KB) # - nofile - max number of open files ***所能打开的文件个数 # - rss - max resident set size (KB) 常驻内存集大小 # - stack - max stack size (KB) 进程栈空间大小 # - cpu - max CPU time (MIN) # - nproc - max number of processes ***所能打开的进程数 # - as - address space limit (KB) 线性物理空间 # - maxlogins - max number of logins for this user # - maxsyslogins - max number of logins on the system # - priority - the priority to run user process with # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) # - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority
本文出自 “Soul” 博客,请务必保留此出处http://chenpipi.blog.51cto.com/8563610/1391076