一、sudo授权工具
授权工具;能够实现把有限的管理操作授权给某普通用户;且还能限定其仅能够在某些主机上执行此类的命令;操作过程还会被记录与日志中;以便于日后审计。
1、定义sudo授权;保存/etc/sudoers
visudo:编辑sudoers命令
格式:who which_host=(whom) command
添加删除用户
1
2
3
4
5
6
7
8
9
10
11
12
|
[root@localhost ~] # visudo
jerry ALL = (root) / usr / sbin / useradd, / usr / sbin / userdel
[root@localhost ~] # su - jerry
[jerry@localhost ~]$ sudo useradd tom [sudo] password for jerry:
[jerry@localhost ~]$ tail - 1 / etc / passwd
tom:x: 503 : 503 :: / home / tom: / bin / bash
[jerry@localhost ~]$ sudo userdel tom [jerry@localhost ~]$ tail - 1 / etc / passwd
jerry:x: 502 : 502 :: / home / jerry: / bin / bash
[jerry@localhost ~]$ #测试可以删除添加账户 |
别名:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
Host_Alias FILESERVERS = fs1, fs2 #主机别名
User_Alias ADMINS = jsmith, mikem #用户别名
Cmnd_Alias NETWORKING = / sbin / route, / sbin / ifconfig... #命令别名
[root@localhost ~] # visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = / usr / sbin / useradd, / usr / sbin / userdel
USERADMIN ALL = (root) USERCMND
[root@localhost ~] # su - jerry
[sudo] password for jerry:
useradd: warning: the home directory already exists. Not copying any file from skel directory into it.
Creating mailbox file : File exists
[jerry@localhost ~]$ [root@localhost ~] # su - tom
[tom@localhost ~]$ sudo userdel - r jerry
[sudo] password for tom:
[tom@localhost ~]$ tail - 3 / etc / passwd
mockbuild:x: 500 : 500 :: / home / mockbuild: / bin / bash
soul:x: 501 : 501 :: / home / soul: / bin / bash
tom:x: 503 : 503 :: / home / tom: / bin / bash
[tom@localhost ~]$ |
命令取反
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
[root@localhost ~] # visudo
#includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = / usr / sbin / useradd, / usr / sbin / userdel, / usr / sbin / usermod, / usr / bin / passwd,! /
usr / bin / passwd root #命令取反
USERADMIN ALL = (root) USERCMND
[root@localhost ~] # su - jerry
[jerry@localhost ~]$ sudo passwd tom [sudo] password for jerry:
Changing password for user tom.
New password: BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password: passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ sudo passwd root Sorry, user jerry is not allowed to execute '/usr/bin/passwd root' as root on localhost.localdomain.
[jerry@localhost ~]$ |
以哪些身份执行以及密码控制
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@localhost ~] # visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d User_Alias USERADMIN = jerry,tom
Cmnd_Alias USERCMND = / usr / sbin / useradd, / usr / sbin / userdel, / usr / sbin / usermod, / usr / bin / passwd,! / usr / bin / passwd root
Runas_Alias ADMIN = root #已哪些身份运行
soul ALL = ( ALL ) ALL
USERADMIN ALL = (ADMIN) NOPASSWD: / usr / sbin / useradd, / usr / sbin / userdel, / usr / sbin / usermod, #前面的不需要输入密码
PASSWD: / usr / bin / passwd,! / usr / bin / passwd root #这几个需要输入密码
[root@localhost ~] # su - jerry
[jerry@localhost ~]$ sudo useradd tom2 [jerry@localhost ~]$ sudo passwd tom2 [sudo] password for jerry:
Changing password for user tom2.
New password: BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password: passwd: all authentication tokens updated successfully.
[jerry@localhost ~]$ |
让普通用户执行管理员所有的命令
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
[root@localhost ~] # useradd -g wheel soul
[root@localhost ~] # id soul
uid = 501 (soul) gid = 501 (soul) groups = 501 (soul), 10 (wheel)
## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL % wheel ALL = ( ALL ) ALL #该组用户可以执行所有权限
## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL % wheel ALL = ( ALL ) NOPASSWD: ALL #执行时无需输入密码
[soul@localhost ~]$ sudo useradd tom useradd: warning: the home directory already exists. Not copying any file from skel directory into it.
Creating mailbox file : File exists
[soul@localhost ~]$ sudo userdel tom [soul@localhost ~]$ |
2、常用选项
-V | 显示版本编号 |
-h | 会显示版本编号及指令的使用方式说明 |
-l | 显示出自己(执行sudo的使用者)的权限 |
-v | 因为sudo在第一次执行时或是在N分钟内没有执行(N预设为五)会询问密码;这个参数是重新做一次确认;如果超过N分钟;也会问密码 |
-k |
强迫使用者在下一次执行sudo时询问密码(不论有没有超过N分钟) |
-b | 将要执行的指令放在后台执行 |
二、tcp_wrapper(tcp包装器)基于主机的访问控制
tcp工作于tcp/ip协议栈中的tcp的协议上;守护进程tcpd。
配置文件:/etc/hosts.allow; /etc/hosts.deny
1、并非所有服务均能由tcp_wrapper控制
2、判断某服务程序是否能够由tcp_wrapper控制
动态编译:
ldd命令检测其是否链接至libwrap库上即可
libwrap.so.0 => /lib64/libwrap.so.0
静态编译:
strings /path/to/program如果有以下内容
hosts.allow
hosts.deny
配置文件语法格式:daemon_list:client_list [:options]
deamon_list:
-
应用程序名称;
-
应用程序列表;多个以逗号分隔;
-
ALL:匹配所有进程
1、hosts.allow;如果被允许;直接放行
2、hosts.deny;如果被匹配;则禁止访问
3、二者都无匹配;则默认放行
[:options]
在allow文件中使用deny选项:在allow文件中定义拒绝规则
在deny文件中使用allow选项:在deny文件中定义允许规则
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
[root@localhost ~] # vim /etc/hosts.allow
# # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # #详细可以man See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # vsftpd : 172.16 . 254.28 #放行这台机器;
[root@localhost ~] # vim /etc/hosts.deny
# # hosts.deny This file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # The rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # 详细可以man See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # vsftpd: ALL : spawn echo `date` login attempts from % c to % s >> / var / log / deny.log
#拒绝未Allow的所有主机;并对访问服务的机器记入日志 #spawn:发起一条命令 [root@dns ~] # lftp 172.16.251.85/pub
Interrupt [root@dns ~] # lftp 172.16.251.85/pub
Interrupt [root@dns ~] #
[root@localhost ~] # tail /var/log/deny.log
Mon Mar 31 22 : 50 : 18 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 22 : 50 : 48 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 22 : 57 : 58 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 22 : 58 : 43 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 22 : 59 : 50 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 23 : 00 : 31 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 23 : 00 : 44 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
Mon Mar 31 23 : 01 : 14 CST 2014 login attempts from 172.16 . 251.84 to vsftpd@ 172.16 . 251.85
|
内置的Macro
client_list
-
ALL
-
KNOWN
-
UNKOWN
-
PARANOID
daemon_list:ALL
EXCEPT:可以用于client和daemon之中;起到排除功能
三、pam模块
1、认证模块和配置文件存放位置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
[root@localhost ~] # ls /lib64/security/
pam_access.so pam_faillock.so pam_localuser.so pam_rootok.so pam_tty_audit.so pam_cap.so pam_filter pam_loginuid.so pam_securetty.so pam_umask.so pam_chroot.so pam_filter.so pam_mail.so pam_selinux_permit.so pam_unix_acct.so pam_ck_connector.so pam_fprintd.so pam_mkhomedir.so pam_selinux.so pam_unix_auth.so pam_console.so pam_ftp.so pam_motd.so pam_sepermit.so pam_unix_passwd.so pam_cracklib.so pam_gnome_keyring.so pam_namespace.so pam_shells.so pam_unix_session.so pam_debug.so pam_group.so pam_nologin.so pam_smbpass.so pam_unix.so pam_deny.so pam_issue.so pam_passwdqc.so pam_stress.so pam_userdb.so pam_echo.so pam_keyinit.so pam_permit.so pam_succeed_if.so pam_warn.so pam_env.so pam_lastlog.so pam_postgresok.so pam_tally2.so pam_wheel.so pam_exec.so pam_limits.so pam_pwhistory.so pam_time.so pam_winbind.so pam_faildelay.so pam_listfile.so pam_rhosts.so pam_timestamp.so pam_xauth.so [root@localhost ~] #
[root@localhost ~] # ls /etc/pam.d/
atd fingerprint - auth passwd setup system - auth
authconfig fingerprint - auth - ac password - auth smartcard - auth system - auth - ac
authconfig - gtk gdm password - auth - ac smartcard - auth - ac system - config - authentication
authconfig - tui gdm - autologin polkit - 1 smtp system - config - date
chfn gdm - fingerprint poweroff smtp.postfix system - config - kdump
chsh gdm - password ppp sshd system - config - keyboard
config - util gnome - screensaver reboot ssh - keycat system - config - network
crond halt remote su system - config - network - cmd
cups login run_init sudo system - config - users
cvs newrole runuser sudo - i xserver
eject other runuser - l su - l
[root@localhost ~] #
|
格式:/etc/pam.d/service
type control module-path [module-arguments]
TYPE: 栈;每项可以有多条 | |
account | 跟认证无关的账号检测机制;例如账号是否过期等 |
auth | 认证和授权 |
password | 用户在修改密码是要完成的检测 |
session | 建立会话前/后需要做一些侦测机制;例如有没有足够的内存等 |
control:在某个模块认证成功或失败时应该采取的行为;分为简单类型的control和复杂类型control
简单类型的control | |
substack | 与include相同,也是调用一个新的配置文件进行验证; |
required | 过滤不通过;仍需检测同一个栈中的其他模块;最后返回failure;认证失败;拥有参考其他模块意见基础之上的一票否决权 |
requisite | 一票否决;过滤不通过;立即返回failure;后续的不用再检查; |
sufficient | 一票通过;过滤条件通过;立即返回OK;后续无需检查 |
optional | 可选模块; |
include | 包含其他指定的配置文件中同名栈中的规则;并对此进行检测; |
2、模块
模块是由模块路径和模块的参数组成的。可以使用绝对路径和相对路径;参数是用来定义和调整模块的工作行为的。/etc/pam.d/*
pam_unix | 传统意义上的账号密码的认证方式{nullok|shadow|md5} |
pam_permit | 允许访问 |
pam_deny | 拒绝访问;other文件为其他每一个服务中栈提供默认策略 |
pam_cracklib |
在用户更改密码是限定密码策略的; |
pam_shells | 检查用户登录时的安全shells;远程是需要更改的是sshd配置文件 |
pam_securetty | 限定管理员只能通过安全tty登录;/etc/securetty文件中包含的 |
pam_listfile | 限定listfile文件中的用户可以登录; |
pam_rootok | 如果是root;su到其他用户不需要输入密码;wheel组中的也可以无需密码 |
pam_succeed_if | 指定条件的符合;su到其他用户也无需密码 |
pam_limits | /etc/security/limits.conf|limits.d/*;{hard|soft}/{nofile|nproc} |
3、例子
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
pam_shells [Linux85] #useradd -s /bin/cshgentoo
[Linux85] #passwd gentoo
[Linux85] #vim /etc/shells
/ bin / sh
/ bin / bash
/ sbin / nologin
/ bin / dash
/ bin / tcsh
#暂时去掉csh [Linux85] #vim sshd
#%PAM-1.0 auth required pam_shells.so #添加一行
auth required pam_sepermit.so #测试 [Linux86] #ssh gentoo@172.16.251.85
gentoo@ 172.16 . 251.85 's password:
Permission denied, please try again.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
pam_securetty [Linux85] #cat /etc/securetty
console tty1 tty2 tty3.... [Linux85] #cp /etc/securetty /etc/securetty.bak
[Linux85] #vim /etc/securetty
#仅留下面两项 console tty1 tty2 [Linux85] #vim sshd
#%PAM-1.0 auth required pam_shells.so auth required pam_securetty.so #启用这项ssh无法登陆
[Linux86] #ssh root@172.16.251.85
root@ 172.16 . 251.85 's password:
Permission denied, please try again.
#此时测试只有tty1/tty2可以在终端登陆 |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
pam_listfile itme = {tty|user|rhost|ruser|group|shell} sense = {allow|deny} file = / path / to / filename onerr = {succeed|fail} [ apply = [user|@group]] [quiet]
[Linux85] #groupadd soul
[Linux85] #vim sshd
#%PAM-1.0 auth required pam_listfile.so item = group sense = allow file = / etc / allowgroup
#测试 [Linux85] #useradd -G soul centos
[Linux85] #passwd centos
[Linux86] #ssh gentoo@172.16.251.85
gentoo@ 172.16 . 251.85 's password:
Permission denied, please try again
[Linux86] #ssh centos@172.16.251.85
centos@ 172.16 . 251.85 's password:
Permission denied, please try again.
centos@ 172.16 . 251.85 's password:
Last login: Sun Apr 6 10 : 15 : 46 2014 from 172.16 . 254.28
[centos@soul ~]$ |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
pam_rootok [Linux85] #vim su
#%PAM-1.0 #auth sufficient pam_rootok.so 注释这项 [Linux85] #su - gentoo
Password: [gentoo@soul ~]$ [Linux85] #vim su
#%PAM-1.0 auth sufficient pam_rootok.so #定义root用户su到其他用户是否需要密码
auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #定义uid=500的用户可以不用密码su到其他用户
# Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid #组中的用户可以执行root权限 # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid auth include system - auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet #uid = N的用户su到其他用户也是无需密码的;前面的type需要更改为认证auth
# # #[Linux85]#vim su #%PAM-1.0 #auth sufficient pam_rootok.so #注释后root也需要密码 auth sufficient pam_succeed_if.so uid = 500 use_uid quiet #uid=500的用户不需要密码
# Uncomment the following line to implicitly trust users in the "wheel" group. auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid # #测试 [Linux85] #id gentoo
uid = 500 (gentoo) gid = 500 (gentoo) groups = 500 (gentoo)
[Linux85] #su - gentoo #root用户su到gentoo
Password: [gentoo@soul ~]$ su - root #gentoo用户su到root
[root@soul ~] # whoami
root #测试正常 |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
pam_limits / etc / security / limits.d / * | / etc / security / limits.conf
[Linux85] #vim /etc/security/limits.conf
# /etc/security/limits.conf #<domain> <type> <item> <value> # #Where: #<domain> can be: # - an user name # - a group name, with @group syntax # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, # for maxlogin limit #<type> can have the two values: # - "soft" for enforcing the soft limits # - "hard" for enforcing hard limits #<item> can be one of the following: 常用几项 # - core - limits the core file size (KB) **核心文件大小 # - data - max data size (KB) 数据大小;进程访问内存数据段 # - fsize - maximum filesize (KB) # - memlock - max locked-in-memory address space (KB) # - nofile - max number of open files ***所能打开的文件个数 # - rss - max resident set size (KB) 常驻内存集大小 # - stack - max stack size (KB) 进程栈空间大小 # - cpu - max CPU time (MIN) # - nproc - max number of processes ***所能打开的进程数 # - as - address space limit (KB) 线性物理空间 # - maxlogins - max number of logins for this user # - maxsyslogins - max number of logins on the system # - priority - the priority to run user process with # - locks - max number of file locks the user can hold # - sigpending - max number of pending signals # - msgqueue - max memory used by POSIX message queues (bytes) # - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority |
本文转自Mr_陈 51CTO博客,原文链接:http://blog.51cto.com/chenpipi/1391076,如需转载请自行联系原作者