Linux命令-sudo

sudo命令用于给普通用户提供额外权利来完成原本只有超级用户才有权限完成的任务，

格式：sudo [参数] 命令名称

sudo命令与su命令的区别是，su命令允许普通用户完全变更为超级管理员的身份，但

如此一来便增加了安全隐患，而使用sudo命令可以仅将特定的命令/程序执行权限赋予

指定的用户。

sudo命令的特色：

1：限制用户执行指定的命令
2：记录用户执行的每一条命令
3：验证过密码后5分钟（默认值）内无需再让用户验证密码，更加方便。

sudo程序的配置文件为/etc/sudoers，只有超级用户可以使用visudo编辑该文件。

实例1：使用visudo命令编辑sudo程序的配置文件，在第99行添加参数允许pentest用户

能够从任意主机执行任意命令的参数。

1  ## Sudoers allows particular users to run various commands as
2  ## the root user, without needing the root password.
3  ##
4  ## Examples are provided at the bottom of the file for collections
5  ## of related commands, which can then be delegated out to particular
6  ## users or groups.
7  ##
8  ## This file must be edited with the 'visudo' command.
9
10  ## Host Aliases
11  ## Groups of machines. You may prefer to use hostnames (perhaps using
12  ## wildcards for entire domains) or IP addresses instead.
13  # Host_Alias     FILESERVERS = fs1, fs2
14  # Host_Alias     MAILSERVERS = smtp, smtp2
15
16  ## User Aliases
17  ## These aren't often necessary, as you can use regular groups
18  ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
19  ## rather than USERALIAS
20  # User_Alias ADMINS = jsmith, mikem
21
22
23  ## Command Aliases
24  ## These are groups of related commands...
25
26  ## Networking
27  # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
28
29  ## Installation and management of software
30  # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
31
32  ## Services
33  # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
34
35  ## Updating the locate database
36  # Cmnd_Alias LOCATE = /usr/bin/updatedb
37
38  ## Storage
39  # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
40
41  ## Delegating permissions
42  # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
43
44  ## Processes
45  # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
46
47  ## Drivers
48  # Cmnd_Alias DRIVERS = /sbin/modprobe
49
50  # Defaults specification
51
52  #
53  # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
54  #         You have to run "ssh -t hostname sudo <cmd>".
55  #
56  Defaults    requiretty
57
58  #
59  # Refuse to run if unable to disable echo on the tty. This setting should also be
60  # changed in order to be able to use sudo without a tty. See requiretty above.
61  #
62  Defaults   !visiblepw
63
64  #
65  # Preserving HOME has security implications since many programs
66  # use it when searching for configuration files. Note that HOME
67  # is already set when the the env_reset option is enabled, so
68  # this option is only effective for configurations where either
69  # env_reset is disabled or HOME is present in the env_keep list.
70  #
71  Defaults    always_set_home
72
73  Defaults    env_reset
74  Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
75  Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
76  Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
77  Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
78  Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
79
80  #
81  # Adding HOME to env_keep may enable a user to run unrestricted
82  # commands via sudo.
83  #
84  # Defaults   env_keep += "HOME"
85
86  Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
87
88  ## Next comes the main part: which users can run what software on
89  ## which machines (the sudoers file can be shared between multiple
90  ## systems).
91  ## Syntax:
92  ##
93  ##      user    MACHINE=COMMANDS
94  ##
95  ## The COMMANDS section may have other options added to it.
96  ##
97  ## Allow root to run any commands anywhere
98  root    ALL=(ALL)       ALL
99  pentest ALL=(ALL)       ALL
100  ## Allows members of the 'sys' group to run networking, software,
101  ## service management apps and more.
102  # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
103
104  ## Allows people in group wheel to run all commands
105  %wheel  ALL=(ALL)       ALL
106
107  ## Same thing without a password
108  # %wheel        ALL=(ALL)       NOPASSWD: ALL
109
110  ## Allows members of the users group to mount and unmount the
111  ## cdrom as root
112  # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
113
114  ## Allows members of the users group to shutdown this system
115  # %users  localhost=/sbin/shutdown -h now
116
117  ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
118  #includedir /etc/sudoers.d
[root@localhost ~]#

切换到pentest用户查看可以执行的命令，提示为ALL，即可以执行所有超级管理员的命令。

[root@localhost ~]# su - pentest
上一次登录：五 9月  9 13:29:34 CST 2016pts/1 上
[pentest@localhost ~]$ sudo -l
[sudo] password for pentest:
匹配此主机上 pentest 的默认条目：
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 pentest 可以在该主机上运行以下命令：
(ALL) ALL

使用普通ls命令来查看/root文件夹出现“权限不够”，然后使用sudo ls后便可以查看了。

[pentest@localhost ~]$ ls /root/
ls: 无法打开目录/root/: 权限不够
[pentest@localhost ~]$ sudo ls /root/
[sudo] password for pentest:
anaconda-ks.cfg       testA  testC  公共  视频  文档  音乐
initial-setup-ks.cfg  testB  yum    模板  图片  下载  桌面
[pentest@localhost ~]$

实例2：仅允许pentest以root身份执行cat命令

pentest用户先以普通权限cat文件/etc/shadow发现权限不够
[pentest@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: 权限不够

切换至root用户给予pentest用户cat权限
[pentest@localhost ~]$ su - root
密码：
上一次登录：五 9月  9 14:12:10 CST 2016pts/1 上
[root@localhost ~]# visudo
[root@localhost ~]# su - pentest
上一次登录：五 9月  9 14:12:30 CST 2016pts/1、 上

赋予执行cat权限
[root@localhost ~]# visudo
root    ALL=(ALL)       ALL
pentest ALL=(root)      /bin/cat

继续使用普通cat确认是否可以查看/etc/shadow提示权限不够
[pentest@localhost ~]$ cat /etc/shadow
cat: /etc/shadow: 权限不够

使用sudo cat查看/etc/shadow发现可以查看了。
[pentest@localhost ~]$ sudo cat /etc/shadow
root:$6$Y6LHG5EEAGs3JMUM$jcEE.RZgMF9mO/xiPVA522l1Ek8JZ2Nkl.9nCBuiUWAH/.F84Kj6XyNxbuecW1M4BNGpryB/10Ncp.EGu9VhZ/::0:99999:7:::
bin:*:16579:0:99999:7:::
daemon:*:16579:0:99999:7:::
adm:*:16579:0:99999:7:::
lp:*:16579:0:99999:7:::
sync:*:16579:0:99999:7:::
shutdown:*:16579:0:99999:7:::
halt:*:16579:0:99999:7:::
mail:*:16579:0:99999:7:::
operator:*:16579:0:99999:7:::
games:*:16579:0:99999:7:::
ftp:*:16579:0:99999:7:::
nobody:*:16579:0:99999:7:::
avahi-autoipd:!!:17050::::::
ods:!!:17050::::::
pegasus:!!:17050::::::
systemd-bus-proxy:!!:17050::::::
systemd-network:!!:17050::::::
dbus:!!:17050::::::
polkitd:!!:17050::::::
sssd:!!:17050::::::
colord:!!:17050::::::
apache:!!:17050::::::
tss:!!:17050::::::
unbound:!!:17050::::::
usbmuxd:!!:17050::::::
abrt:!!:17050::::::
amandabackup:!!:17050::::::
saslauth:!!:17050::::::
libstoragemgmt:!!:17050::::::
geoclue:!!:17050::::::
memcached:!!:17050::::::
rpc:!!:17050:0:99999:7:::
postfix:!!:17050::::::
setroubleshoot:!!:17050::::::
rtkit:!!:17050::::::
chrony:!!:17050::::::
mysql:!!:17050::::::
qemu:!!:17050::::::
ntp:!!:17050::::::
rpcuser:!!:17050::::::
nfsnobody:!!:17050::::::
radvd:!!:17050::::::
named:!!:17050::::::
pcp:!!:17050::::::
pulse:!!:17050::::::
hsqldb:!!:17050::::::
tomcat:!!:17050::::::
pkiuser:!!:17050::::::
gdm:!!:17050::::::
gnome-initial-setup:!!:17050::::::
avahi:!!:17050::::::
postgres:!!:17050::::::
dovecot:!!:17050::::::
dovenull:!!:17050::::::
sshd:!!:17050::::::
oprofile:!!:17050::::::
tcpdump:!!:17050::::::
pentest:$6$6U3Z2n.sd63M32ZS$tzQJg852/1G3Mw7uv1.Ipbh.lOusvfd47Ih52xxku7okBBb/nu.Vn5V4mB50SSCMfaspqeGSDLcPM7XdgLE2w/::0:99999:7:::
[pentest@localhost ~]$