一、sudo授权工具
授权工具;能够实现把有限的管理操作授权给某普通用户;且还能限定其仅能够在某些主机上执行此类的命令;操作过程还会被记录与日志中;以便于日后审计。
1、定义sudo授权;保存/etc/sudoers
visudo:编辑sudoers命令
格式:who which_host=(whom) command
添加删除用户
|
1
2
3
4
5
6
7
8
9
10
11
12
|
[root@localhost ~]# visudo
jerry ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom[sudo] password for jerry:
[jerry@localhost ~]$ tail -1 /etc/passwd
tom:x:503:503::/home/tom:/bin/bash
[jerry@localhost ~]$ sudo userdel tom[jerry@localhost ~]$ tail -1 /etc/passwd
jerry:x:502:502::/home/jerry:/bin/bash
[jerry@localhost ~]$#测试可以删除添加账户 |
别名:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
Host_Alias FILESERVERS = fs1, fs2 #主机别名
User_Alias ADMINS = jsmith, mikem #用户别名
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig...#命令别名
[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)#includedir /etc/sudoers.dUser_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel
USERADMIN ALL=(root) USERCMND
[root@localhost ~]# su - jerry
[sudo] password for jerry:
useradd: warning: the home directory already exists.Not copying any file from skel directory into it.
Creating mailbox file: File exists
[jerry@localhost ~]$[root@localhost ~]# su - tom
[tom@localhost ~]$ sudo userdel -r jerry
[sudo] password for tom:
[tom@localhost ~]$ tail -3 /etc/passwd
mockbuild:x:500:500::/home/mockbuild:/bin/bash
soul:x:501:501::/home/soul:/bin/bash
tom:x:503:503::/home/tom:/bin/bash
[tom@localhost ~]$ |
命令取反
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
[root@localhost ~]# visudo
#includedir /etc/sudoers.dUser_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/
usr/bin/passwd root #命令取反
USERADMIN ALL=(root) USERCMND
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo passwd tom[sudo] password for jerry:
Changing password for user tom.
New password:BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ sudo passwd rootSorry, user jerry is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.
[jerry@localhost ~]$ |
以哪些身份执行以及密码控制
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@localhost ~]# visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)#includedir /etc/sudoers.dUser_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd,!/usr/bin/passwd root
Runas_Alias ADMIN = root #已哪些身份运行
soul ALL=(ALL) ALL
USERADMIN ALL=(ADMIN) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel,/usr/sbin/usermod,#前面的不需要输入密码
PASSWD: /usr/bin/passwd,!/usr/bin/passwd root #这几个需要输入密码
[root@localhost ~]# su - jerry
[jerry@localhost ~]$ sudo useradd tom2[jerry@localhost ~]$ sudo passwd tom2[sudo] password for jerry:
Changing password for user tom2.
New password:BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ |
让普通用户执行管理员所有的命令
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
[root@localhost ~]# useradd -g wheel soul
[root@localhost ~]# id soul
uid=501(soul) gid=501(soul) groups=501(soul),10(wheel)
## Allows members of the 'sys' group to run networking, software,## service management apps and more.# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS## Allows people in group wheel to run all commands# %wheel ALL=(ALL) ALL%wheel ALL=(ALL) ALL #该组用户可以执行所有权限
## Same thing without a password# %wheel ALL=(ALL) NOPASSWD: ALL%wheel ALL=(ALL) NOPASSWD: ALL #执行时无需输入密码
[soul@localhost ~]$ sudo useradd tomuseradd: warning: the home directory already exists.Not copying any file from skel directory into it.
Creating mailbox file: File exists
[soul@localhost ~]$ sudo userdel tom[soul@localhost ~]$ |
2、常用选项
| -V | 显示版本编号 |
| -h | 会显示版本编号及指令的使用方式说明 |
| -l | 显示出自己(执行sudo的使用者)的权限 |
| -v | 因为sudo在第一次执行时或是在N分钟内没有执行(N预设为五)会询问密码;这个参数是重新做一次确认;如果超过N分钟;也会问密码 |
| -k |
强迫使用者在下一次执行sudo时询问密码(不论有没有超过N分钟) |
| -b | 将要执行的指令放在后台执行 |
二、tcp_wrapper(tcp包装器)基于主机的访问控制
tcp工作于tcp/ip协议栈中的tcp的协议上;守护进程tcpd。
配置文件:/etc/hosts.allow; /etc/hosts.deny
1、并非所有服务均能由tcp_wrapper控制
2、判断某服务程序是否能够由tcp_wrapper控制
动态编译:
ldd命令检测其是否链接至libwrap库上即可
libwrap.so.0 => /lib64/libwrap.so.0
静态编译:
strings /path/to/program如果有以下内容
hosts.allow
hosts.deny
配置文件语法格式:daemon_list:client_list [:options]
deamon_list:
-
应用程序名称;
-
应用程序列表;多个以逗号分隔;
-
ALL:匹配所有进程
1、hosts.allow;如果被允许;直接放行
2、hosts.deny;如果被匹配;则禁止访问
3、二者都无匹配;则默认放行
[:options]
在allow文件中使用deny选项:在allow文件中定义拒绝规则
在deny文件中使用allow选项:在deny文件中定义允许规则
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
[root@localhost ~]# vim /etc/hosts.allow
## hosts.allow This file contains access rules which are used to# allow or deny connections to network services that# either use the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd.##详细可以man See 'man 5 hosts_options' and 'man 5 hosts_access'# for information on rule syntax.# See 'man tcpd' for information on tcp_wrappers#vsftpd : 172.16.254.28 #放行这台机器;
[root@localhost ~]# vim /etc/hosts.deny
## hosts.deny This file contains access rules which are used to# deny connections to network services that either use# the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd.## The rules in this file can also be set up in# /etc/hosts.allow with a 'deny' option instead.## 详细可以man See 'man 5 hosts_options' and 'man 5 hosts_access'# for information on rule syntax.# See 'man tcpd' for information on tcp_wrappers#vsftpd: ALL : spawn echo `date` login attempts from %c to %s >> /var/log/deny.log
#拒绝未Allow的所有主机;并对访问服务的机器记入日志#spawn:发起一条命令 [root@dns ~]# lftp 172.16.251.85/pub
Interrupt [root@dns ~]# lftp 172.16.251.85/pub
Interrupt [root@dns ~]#
[root@localhost ~]# tail /var/log/deny.log
Mon Mar 31 22:50:18 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:50:48 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:57:58 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:58:43 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 22:59:50 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:31 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:00:44 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
Mon Mar 31 23:01:14 CST 2014 login attempts from 172.16.251.84 to vsftpd@172.16.251.85
|
内置的Macro
client_list
-
ALL
-
KNOWN
-
UNKOWN
-
PARANOID
daemon_list:ALL
EXCEPT:可以用于client和daemon之中;起到排除功能
三、pam模块
1、认证模块和配置文件存放位置
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
[root@localhost ~]# ls /lib64/security/
pam_access.so pam_faillock.so pam_localuser.so pam_rootok.so pam_tty_audit.sopam_cap.so pam_filter pam_loginuid.so pam_securetty.so pam_umask.sopam_chroot.so pam_filter.so pam_mail.so pam_selinux_permit.so pam_unix_acct.sopam_ck_connector.so pam_fprintd.so pam_mkhomedir.so pam_selinux.so pam_unix_auth.sopam_console.so pam_ftp.so pam_motd.so pam_sepermit.so pam_unix_passwd.sopam_cracklib.so pam_gnome_keyring.so pam_namespace.so pam_shells.so pam_unix_session.sopam_debug.so pam_group.so pam_nologin.so pam_smbpass.so pam_unix.sopam_deny.so pam_issue.so pam_passwdqc.so pam_stress.so pam_userdb.sopam_echo.so pam_keyinit.so pam_permit.so pam_succeed_if.so pam_warn.sopam_env.so pam_lastlog.so pam_postgresok.so pam_tally2.so pam_wheel.sopam_exec.so pam_limits.so pam_pwhistory.so pam_time.so pam_winbind.sopam_faildelay.so pam_listfile.so pam_rhosts.so pam_timestamp.so pam_xauth.so[root@localhost ~]#
[root@localhost ~]# ls /etc/pam.d/
atd fingerprint-auth passwd setup system-auth
authconfig fingerprint-auth-ac password-auth smartcard-auth system-auth-ac
authconfig-gtk gdm password-auth-ac smartcard-auth-ac system-config-authentication
authconfig-tui gdm-autologin polkit-1 smtp system-config-date
chfn gdm-fingerprint poweroff smtp.postfix system-config-kdump
chsh gdm-password ppp sshd system-config-keyboard
config-util gnome-screensaver reboot ssh-keycat system-config-network
crond halt remote su system-config-network-cmd
cups login run_init sudo system-config-users
cvs newrole runuser sudo-i xserver
eject other runuser-l su-l
[root@localhost ~]#
|
格式:/etc/pam.d/service
type control module-path [module-arguments]
| TYPE: 栈;每项可以有多条 | |
| account | 跟认证无关的账号检测机制;例如账号是否过期等 |
| auth | 认证和授权 |
| password | 用户在修改密码是要完成的检测 |
| session | 建立会话前/后需要做一些侦测机制;例如有没有足够的内存等 |
control:在某个模块认证成功或失败时应该采取的行为;分为简单类型的control和复杂类型control
| 简单类型的control | |
| substack | 与include相同,也是调用一个新的配置文件进行验证; |
| required | 过滤不通过;仍需检测同一个栈中的其他模块;最后返回failure;认证失败;拥有参考其他模块意见基础之上的一票否决权 |
| requisite | 一票否决;过滤不通过;立即返回failure;后续的不用再检查; |
| sufficient | 一票通过;过滤条件通过;立即返回OK;后续无需检查 |
| optional | 可选模块; |
| include | 包含其他指定的配置文件中同名栈中的规则;并对此进行检测; |
2、模块
模块是由模块路径和模块的参数组成的。可以使用绝对路径和相对路径;参数是用来定义和调整模块的工作行为的。/etc/pam.d/*
| pam_unix | 传统意义上的账号密码的认证方式{nullok|shadow|md5} |
| pam_permit | 允许访问 |
| pam_deny | 拒绝访问;other文件为其他每一个服务中栈提供默认策略 |
| pam_cracklib |
在用户更改密码是限定密码策略的; |
| pam_shells | 检查用户登录时的安全shells;远程是需要更改的是sshd配置文件 |
| pam_securetty | 限定管理员只能通过安全tty登录;/etc/securetty文件中包含的 |
| pam_listfile | 限定listfile文件中的用户可以登录; |
| pam_rootok | 如果是root;su到其他用户不需要输入密码;wheel组中的也可以无需密码 |
| pam_succeed_if | 指定条件的符合;su到其他用户也无需密码 |
| pam_limits | /etc/security/limits.conf|limits.d/*;{hard|soft}/{nofile|nproc} |
3、例子
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
pam_shells[Linux85]#useradd -s /bin/cshgentoo
[Linux85]#passwd gentoo
[Linux85]#vim /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
#暂时去掉csh [Linux85]#vim sshd
#%PAM-1.0auth required pam_shells.so #添加一行
auth required pam_sepermit.so #测试[Linux86]#ssh gentoo@172.16.251.85
gentoo@172.16.251.85's password:
Permission denied, please try again.
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
pam_securetty[Linux85]#cat /etc/securetty
consoletty1tty2tty3....[Linux85]#cp /etc/securetty /etc/securetty.bak
[Linux85]#vim /etc/securetty
#仅留下面两项consoletty1tty2[Linux85]#vim sshd
#%PAM-1.0auth required pam_shells.soauth required pam_securetty.so #启用这项ssh无法登陆
[Linux86]#ssh root@172.16.251.85
root@172.16.251.85's password:
Permission denied, please try again.
#此时测试只有tty1/tty2可以在终端登陆 |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
pam_listfileitme={tty|user|rhost|ruser|group|shell} sense={allow|deny} file=/path/to/filename onerr={succeed|fail} [apply=[user|@group]] [quiet]
[Linux85]#groupadd soul
[Linux85]#vim sshd
#%PAM-1.0auth required pam_listfile.so item=group sense=allow file=/etc/allowgroup
#测试[Linux85]#useradd -G soul centos
[Linux85]#passwd centos
[Linux86]#ssh gentoo@172.16.251.85
gentoo@172.16.251.85's password:
Permission denied, please try again
[Linux86]#ssh centos@172.16.251.85
centos@172.16.251.85's password:
Permission denied, please try again.
centos@172.16.251.85's password:
Last login: Sun Apr 6 10:15:46 2014 from 172.16.254.28
[centos@soul ~]$ |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
pam_rootok [Linux85]#vim su
#%PAM-1.0#auth sufficient pam_rootok.so 注释这项[Linux85]#su - gentoo
Password:[gentoo@soul ~]$[Linux85]#vim su
#%PAM-1.0auth sufficient pam_rootok.so #定义root用户su到其他用户是否需要密码
auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #定义uid=500的用户可以不用密码su到其他用户
# Uncomment the following line to implicitly trust users in the "wheel" group.#auth sufficient pam_wheel.so trust use_uid #组中的用户可以执行root权限# Uncomment the following line to require a user to be in the "wheel" group.#auth required pam_wheel.so use_uidauth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet #uid = N的用户su到其他用户也是无需密码的;前面的type需要更改为认证auth
###[Linux85]#vim su#%PAM-1.0#auth sufficient pam_rootok.so #注释后root也需要密码auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #uid=500的用户不需要密码
# Uncomment the following line to implicitly trust users in the "wheel" group.auth sufficient pam_wheel.so trust use_uid# Uncomment the following line to require a user to be in the "wheel" group.#auth required pam_wheel.so use_uid##测试[Linux85]#id gentoo
uid=500(gentoo) gid=500(gentoo) groups=500(gentoo)
[Linux85]#su - gentoo #root用户su到gentoo
Password:[gentoo@soul ~]$ su - root #gentoo用户su到root
[root@soul ~]# whoami
root#测试正常 |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
pam_limits/etc/security/limits.d/* | /etc/security/limits.conf
[Linux85]#vim /etc/security/limits.conf
# /etc/security/limits.conf #<domain> <type> <item> <value>##Where:#<domain> can be:# - an user name# - a group name, with @group syntax# - the wildcard *, for default entry# - the wildcard %, can be also used with %group syntax,# for maxlogin limit #<type> can have the two values:# - "soft" for enforcing the soft limits# - "hard" for enforcing hard limits #<item> can be one of the following: 常用几项# - core - limits the core file size (KB) **核心文件大小# - data - max data size (KB) 数据大小;进程访问内存数据段# - fsize - maximum filesize (KB)# - memlock - max locked-in-memory address space (KB)# - nofile - max number of open files ***所能打开的文件个数# - rss - max resident set size (KB) 常驻内存集大小# - stack - max stack size (KB) 进程栈空间大小# - cpu - max CPU time (MIN)# - nproc - max number of processes ***所能打开的进程数# - as - address space limit (KB) 线性物理空间# - maxlogins - max number of logins for this user# - maxsyslogins - max number of logins on the system# - priority - the priority to run user process with# - locks - max number of file locks the user can hold# - sigpending - max number of pending signals# - msgqueue - max memory used by POSIX message queues (bytes)# - nice - max nice priority allowed to raise to values: [-20, 19]# - rtprio - max realtime priority |
本文转自Mr_陈 51CTO博客,原文链接:http://blog.51cto.com/chenpipi/1391076,如需转载请自行联系原作者