Linux Sudo 权限配置

2024-11-21 92 0

sunday 免密码 所有命令
www 免密码限定 只能执行ps和kill命令

visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
sunday     ALL=(ALL:ALL) NOPASSWD:ALL
www     ALL=(ALL:ALL) NOPASSWD: /bin/ps, /bin/kill

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL) NOPASSWD: ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

查看用户sudo命令权限

sudo -l -U www

Matching Defaults entries for www on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www may run the following commands on localhost:
    (ALL : ALL) NOPASSWD: /bin/ps, /bin/kill

若多用户使用相同命令 可以使用组, 然后将用户加入组

groupadd webadmin
usermod -G webadmin sunday
visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
#sunday     ALL=(ALL:ALL) NOPASSWD:ALL

# Allow members of group sudo to execute some command (No password required)
%webadmin ALL=(ALL:ALL) NOPASSWD: /bin/ps, /bin/kill

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

相关文章

UFW+IPSET 禁用非法IP
ip_local_port_range: prefer different parity for start/end values
阿里云ECS云盘IOPS压测
nextcloud preview-generate 报错文件无权限解决
tcpdump 抓包使用小结
Linux Tcpdump抓包

发布评论