1.配置多用户挂载
在服务器上通过 SMB 共享目录 /devops,并满足以下要求
1)共享名为devops
2)共享目录devops只能被192.168.100.0/24网段中的客户端使用
3)共享目录devops必须可以被浏览 browseable =Yes
4)用户xixi必须能以读的方式访问此共享,访问密码是redhat
5)用户heihei必须能以读写的方式访问此共享,访问密码是redhat
此共享永久挂载在 192.168.171.144 上的 /devops/ 目录,并使用用户 xixi 作为认证;任何用户都可以通过用户 heihei 的凭据来临时获取写的权限。(注意:下文实验环境与题目地址并不一致——服务端实际为 192.168.43.128、hosts allow 写的是 192.168.43.,做题时请按题目要求的 192.168.100.0/24 和 192.168.171.144 替换。)
服务端:
【1】挂载、关闭防火墙和 SELinux 以及安装并开启 samba 服务。注意:关闭防火墙和 SELinux 只是实验环境的简化,生产环境应改为 `firewall-cmd --permanent --add-service=samba && firewall-cmd --reload` 放行 445/tcp,并用 `semanage fcontext -a -t samba_share_t '/devops(/.*)?'` + `restorecon -Rv /devops` 让 SELinux 保持 enforcing;服务要开机自启请用 `systemctl enable --now smb nmb` 而不是只 start。
[root@localhost ~]# mount /dev/sr0 /mnt
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install samba -y
[root@localhost ~]# systemctl start smb nmb
【2】配置主配置文件
[root@localhost ~]# vim /etc/samba/smb.conf
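[devops]
# Share "devops", exported from /devops (requirement 1).
# smb.conf has NO trailing comments: a '#' after a value becomes part of the
# value ("Yes #..." is not a valid boolean, testparm reports it), so every
# comment here sits on its own line.
path = /devops
# Requirement 2 asks for 192.168.100.0/24; this lab server actually lives on
# 192.168.43.0/24 (the client mounts //192.168.43.128/devops), so the prefix
# below is the lab value. With 'hosts allow' set, all other hosts are refused.
hosts allow = 192.168.43.
# Requirement 3: the share appears in browse lists.
browseable = Yes
# Requirements 4/5: read-only for everyone (xixi) except accounts in the
# write list (heihei). The filesystem ACL on /devops must grant heihei write too.
writable = No
write list = heihei
; Optional hardening, not demanded by the task: limit the share to the two
; accounts instead of every user in the Samba password database.
; valid users = xixi heihei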
【3】创建相应用户以及设定相应密码。useradd 建立的只是供 Samba 映射 UID 的系统账号,这里不给它们设置 Linux 登录口令,所以无法本地登录;smbpasswd 设置的是独立的 SMB 口令。redhat 这类弱口令仅限实验环境使用。
[root@localhost ~]# useradd xixi
[root@localhost ~]# useradd heihei
[root@localhost ~]# smbpasswd -a xixi
New SMB password: #此处输入密码redhat
Retype new SMB password: #此处确认密码redhat
Added user xixi.
[root@localhost ~]# smbpasswd -a heihei
New SMB password: #此处输入密码redhat
Retype new SMB password: #此处确认密码redhat
Added user heihei.
【4】创建共享目录 /devops 并设置相应权限。注意:下面的 `chmod o+w /devops` 会把目录变成所有人可写(ll 显示 drwxrwxrwx+),这超出了需求——Samba 层的 `writable = No` 只限制 SMB 客户端,挡不住服务器上的本地用户;实际只需 `setfacl -m u:heihei:rwx /devops` 给 heihei 写权限即可,`chmod o+w` 可以省掉。
[root@localhost ~]# mkdir /devops
[root@localhost ~]# chmod o+w /devops
[root@localhost ~]# setfacl -m u:heihei:rwx /devops
[root@localhost ~]# ll -d /devops
drwxrwxrwx+ 2 root root 6 7月 17 07:19 /devops
【5】重启服务
[root@localhost ~]# systemctl restart smb nmb
客户端:
【1】挂载、关闭防火墙和 SELinux 以及安装 cifs-utils(实现多用户挂载:挂载本身用 xixi 认证,之后每个登录用户通过 cifscreds 单独提交自己的 SMB 凭据,从而以自己的身份访问)。同样,关闭防火墙和 SELinux 只是实验简化。
[root@localhost ~]# mount /dev/sr0 /mnt
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install cifs-utils -y
【2】创建共享目录/devops并创建文件
[root@localhost ~]# mkdir /devops
[root@localhost ~]# touch /devops/{1..10}
【3】按照要求挂载
[root@localhost ~]# vim /etc/fstab
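# Permanent multiuser mount of the devops share, authenticated as xixi.
# The original line carried password=redhat inline; /etc/fstab is mode 644,
# so every local account could read xixi's password. Keep the secret in a
# root-only credentials file instead:
#   printf 'username=xixi\npassword=redhat\n' > /etc/samba/cred-xixi
#   chmod 600 /etc/samba/cred-xixi
# multiuser: users who run `cifscreds add <server>` access the share with
# their own credentials; users who have not fall back to xixi (read-only).
//192.168.43.128/devops /devops cifs defaults,multiuser,credentials=/etc/samba/cred-xixi,sec=ntlmssp 0 0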
【4】启动挂载
[root@localhost ~]# mount -a
【5】创建相应用户
useradd xixi
useradd heihei
【6】以不同用户分别提交凭据(cifscreds)并测试读写权限。这里不是“提权”:每个用户只是用自己的 SMB 账号访问共享,权限由服务端的 write list 和目录 ACL 决定。
[root@localhost ~]# cd /devops/
[root@localhost devops]# ll
总用量 0
-rwxr-xr-x 1 root root 0 7月 17 07:48 1
-rwxr-xr-x 1 root root 0 7月 17 07:48 10
-rwxr-xr-x 1 root root 0 7月 17 07:48 2
-rwxr-xr-x 1 root root 0 7月 17 07:48 3
-rwxr-xr-x 1 root root 0 7月 17 07:48 4
-rwxr-xr-x 1 root root 0 7月 17 07:48 5
-rwxr-xr-x 1 root root 0 7月 17 07:48 6
-rwxr-xr-x 1 root root 0 7月 17 07:48 7
-rwxr-xr-x 1 root root 0 7月 17 07:48 8
-rwxr-xr-x 1 root root 0 7月 17 07:48 9
[root@localhost devops]# touch root1
touch: 无法创建 'root1': Permission denied
[root@localhost devops]# su - xixi
[xixi@localhost ~]$ cifscreds add 192.168.43.128
Password: #此处输入xixi用户的密码redhat
[xixi@localhost ~]$ cd /devops/
[xixi@localhost devops]$ ll
total 0
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 1
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 10
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 2
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 3
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 4
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 5
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 6
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 7
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 8
-rwxr-xr-x 1 xixi xixi 0 Jul 17 07:48 9
[xixi@localhost devops]$ touch xixi1
touch: cannot touch 'xixi1': Permission denied
[root@localhost ~]# su - heihei
[heihei@localhost ~]$ cifscreds add 192.168.43.128
Password:
[heihei@localhost ~]$ cd /devops/
[heihei@localhost devops]$ ll
total 0
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 1
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 10
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 2
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 3
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 4
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 5
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 6
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 7
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 8
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 9
[heihei@localhost devops]$ touch hei1
[heihei@localhost devops]$ ll
total 0
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 1
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 10
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 2
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 3
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 4
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 5
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 6
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 7
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 8
-rwxr-xr-x 1 heihei heihei 0 Jul 17 07:48 9
-rwxr-xr-x 1 heihei heihei 0 Jul 17 08:15 hei1
最后可以看到 root 用户和 xixi 用户都没有写的权限,只能读取文件,不能增删改。root 之所以也只读,是因为它没有执行 cifscreds,在 multiuser 挂载下会回退到挂载时的 xixi 凭据;而 heihei 在 Samba 的 write list 中且在服务器上拥有 rwx ACL,所以可以创建、修改和删除文件。
2.配置 DHCP 实现动态分配和手动分配(固定地址)两种方式
自动分配:
服务端:
【1】挂载、关闭防火墙和 SELinux 以及安装并开启 dhcp 服务,然后开启网络服务并查看 IP 地址。注意:服务端自身用 dhclient 拿到的是一个动态地址(下面 ip a 显示 dynamic),生产环境中 DHCP 服务器应使用静态 IP;dhcpd 只会在与 dhcpd.conf 中某个 subnet 声明相匹配的接口上监听,接口地址变了服务就会起不来。关闭防火墙同样只是实验简化,正式环境应放行 67/udp(`firewall-cmd --permanent --add-service=dhcp`)。
[root@localhost ~]# mount /dev/sr0 /mnt
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install dhcp-server -y
[root@localhost ~]# systemctl start dhcpd
[root@localhost ~]# dhclient
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:41:bd:3f brd ff:ff:ff:ff:ff:ff
inet 192.168.25.129/24 brd 192.168.25.255 scope global dynamic ens160
valid_lft 1807sec preferred_lft 1807sec #得知服务端ip地址为192.168.25.129/24
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
【2】配置主配置文件
[root@localhost ~]# vim /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp-server/dhcpd.conf.example
# see dhcpd.conf(5) man page
# Dynamic pool for the 192.168.25.0/24 lab network. dhcpd needs this subnet
# to match an address on one of its own interfaces (ens160 here).
subnet 192.168.25.0 netmask 255.255.255.0 {
  # Lease lifetimes in seconds: 10 minutes by default, 2 hours at most.
  default-lease-time 600;
  max-lease-time 7200;
  # Addresses handed out dynamically.
  # NOTE(review): the fixed-address reservation 192.168.25.250 added later in
  # this file falls inside this range; keeping reservations outside the pool
  # avoids the same address being offered to two clients.
  range 192.168.25.200 192.168.25.253;
  # Options pushed to every client.
  option routers 192.168.25.2;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 114.114.114.114;
}
【3】重启dhcp服务
[root@localhost ~]# systemctl restart dhcpd
【4】设置虚拟网络编辑器:在 VMware 的虚拟网络编辑器中关闭该网段自带的 DHCP 服务(服务端本身拿到的动态地址很可能就是它分配的),否则它会和实验中的 dhcpd 争抢给客户端分配地址。
客户端:
【1】挂载、关闭防火墙和 SELinux,然后用 dhclient 申请地址并查看 IP。注意:客户端只需要 dhclient(dhcp-client 包),不需要安装 dhcp-server,更不要启动 dhcpd——在同一网段再起一个 dhcpd 等于多了一台冒充的 DHCP 服务器(rogue DHCP),会与实验服务端争抢分配地址;下面的 `yum install dhcp-server -y` 和 `systemctl start dhcpd` 两步应去掉。
[root@localhost ~]# mount /dev/sr0 /mnt
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum install dhcp-server -y
[root@localhost ~]# systemctl start dhcpd
[root@localhost ~]# dhclient
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:38:89:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.25.201/24 brd 192.168.25.255 scope global dynamic ens160
valid_lft 1857sec preferred_lft 1857sec #此处为获取到的IP地址对应服务端dhcp地址池中的地址区间
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
手动分配:
服务端:
【1】配置主配置文件
[root@localhost ~]# vim /etc/dhcp/dhcpd.conf
# 往后加上以下内容
# Manual allocation: reserve a fixed IP for one client, matched by MAC address.
host A{
hardware ethernet 00:0c:29:38:89:1a; # MAC of the client's virtual NIC (from `ip a` on the client)
fixed-address 192.168.25.250; # NOTE(review): this sits inside the dynamic range .200-.253 declared above; reservations are normally kept outside the pool
}
【2】重启dhcp服务
[root@localhost ~]# systemctl restart dhcpd
客户端:
【1】释放旧租约并重新申请,以获取新的固定 IP。下面用的是 kill -9 dhclient 再重新运行 dhclient;更规范的做法是 `dhclient -r ens160`(向服务器释放租约)之后再 `dhclient ens160`,kill -9 既不会释放租约,也不给 dhclient 清理的机会。
[root@localhost ~]# dhclient
dhclient(3446) is already running - exiting. #此处为dhclient进程号,后面关闭网络服务需要用到
This version of ISC DHCP is based on the release available
on ftp.isc.org. Features have been added and other changes
have been made to the base software release in order to make
it work better with this distribution.
Please report issues with this software via:
https://bugzilla.redhat.com/
exiting.
[root@localhost ~]# kill -9 3446 #此处就是上面提到的dhclient进程号
[root@localhost ~]# dhclient #重新启动网络服务获取新的IP地址
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:38:89:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.25.250/24 brd 192.168.25.255 scope global dynamic ens160
valid_lft 1857sec preferred_lft 1857sec #此处为获取到的IP地址对应服务端手动分配的固定的IP地址
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:ee:51:aa brd ff:ff:ff:ff:ff:ff
实验完成