How to Configure sudo Access in Linux

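The root user has full control of a Linux system. It is the most privileged user and can perform any action on the system.

If other users need to perform some actions, you cannot give root access to everyone, because if one of them makes a mistake there is no way to correct it.

Is there a solution to this problem?

We can overcome it by granting sudo permission to the appropriate users.

The sudo command provides a mechanism for giving trusted users administrative access to the system without sharing the root user's password.

They can perform most administrative operations, but do not have all the privileges that root has.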

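What is sudo?

sudo is a program that lets an ordinary user run commands as the superuser or as another user, as specified by the security policy.

A sudo user's access is controlled by the /etc/sudoers file.

What are the advantages of sudo users?

On a Linux system, if you are not familiar with a command, sudo is a safe way to run it.

  • The Linux system keeps logs in /var/log/secure or /var/log/auth.log, and you can verify which actions sudo users performed.
  • It prompts for the password for the current operation each time, so you have time to verify that the operation is the one you want to perform. If you realise it is not the right action, you can safely exit without having performed it.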
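As an added example (not part of the original article), the script below turns the sudo lines found in /var/log/secure or /var/log/auth.log into one record per attempt and lists the ones that deserve review. The sample lines, the users alice, bob and carol, and the host name host1 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sudo activity from syslog-style auth log lines.

# Constructed sample (alice/bob/carol and host1 are made up), in the line
# format sudo writes to /var/log/secure or /var/log/auth.log.
sample_log() {
cat <<'EOF'
Mar 17 07:01:56 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
Mar 17 07:01:56 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar 17 07:09:47 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar 17 07:12:10 host1 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar 17 07:15:02 host1 sudo: carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/systemctl restart mariadb
Mar 17 07:16:30 host1 sudo: alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl status sshd
EOF
}

# Read log lines on stdin; print one tab-separated record per sudo attempt:
#   timestamp, invoking user, status, run-as user, command
# status is "ok", or the refusal text sudo logged in front of TTY=.
sudo_events() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) && index($0, "COMMAND=") {
        ts   = $1 " " $2 " " $3
        msg  = substr($0, RSTART + RLENGTH)   # text after the syslog prefix
        sep  = index(msg, " : ")
        if (sep == 0) next
        user = substr(msg, 1, sep - 1)
        rest = substr(msg, sep + 3)
        c    = index(rest, "COMMAND=")        # COMMAND= is always the last field
        cmd  = substr(rest, c + 8)
        n = split(substr(rest, 1, c - 1), f, / ; /)
        status = "ok"; runas = "?"
        for (k = 1; k <= n; k++) {
            if (f[k] ~ /^USER=/) runas = substr(f[k], 6)
            else if (f[k] != "" && f[k] !~ /^[A-Z_]+=/) status = f[k]
        }
        printf "%s\t%s\t%s\t%s\t%s\n", ts, user, status, runas, cmd
    }'
}

# Number of accepted sudo commands per invoking user, sorted by user name.
sudo_count_by_user() {
    sudo_events |
        awk -F'\t' '$3 == "ok" { n[$2]++ } END { for (u in n) print u, n[u] }' |
        sort
}

# Attempts worth a second look: refusals, and accepted commands that start a
# shell (what is typed inside that shell gets no per-command sudo log line).
sudo_flagged() {
    sudo_events | awk -F'\t' '
    $3 != "ok" { printf "denied\t%s\t%s\n", $2, $5; next }
    {
        split($5, w, " ")
        n = split(w[1], p, "/")
        if (p[n] ~ /^(sh|bash|dash|zsh|ksh|su)$/)
            printf "shell\t%s\t%s\n", $2, $5
    }'
}

# Stand-alone demo on the constructed sample.
sample_log | sudo_flagged
```

On a real host, feed the log file to the same functions as root, for example `sudo_flagged < /var/log/secure`.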

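RHEL-based systems (such as Red Hat (RHEL), CentOS and Oracle Enterprise Linux (OEL)) and Debian-based systems (such as Debian, Ubuntu and LinuxMint) differ on this point.

We will show you how to do this on both of the distribution families mentioned in this article.

There are three methods, which apply to both families.

  • Add the user to the appropriate group. On RHEL-based systems we add the user to the wheel group; on Debian-based systems we add the user to the sudo or admin group.
  • Manually add the user to the /etc/group file.
  • Use the visudo command to add the user to the /etc/sudoers file.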

How to configure sudo access on RHEL/CentOS/OEL systems?

On RHEL-based systems (such as Red Hat (RHEL), CentOS and Oracle Enterprise Linux (OEL)), any of the following three methods will do it.

Method 1: How to grant superuser access to a normal user in Linux using the wheel group?

wheel is a special group on RHEL-based systems that provides additional privileges, allowing its members to run restricted commands as the superuser.

Note that the wheel group must be enabled in the /etc/sudoers file for this access to work.

    # grep -i wheel /etc/sudoers

    ## Allows people in group wheel to run all commands
    %wheel ALL=(ALL) ALL
    # %wheel ALL=(ALL) NOPASSWD: ALL

Assume we have already created a user account for these operations. Here I will use the daygeek account.

Run the following command to add the user to the wheel group.

    # usermod -aG wheel daygeek

We can confirm this with the following command.

    # getent group wheel
    wheel:x:10:daygeek

I am going to test whether the user daygeek can access a file that belongs to the root user.

    $ tail -5 /var/log/secure
    tail: cannot open /var/log/secure for reading: Permission denied

I get an error when I try to access the /var/log/secure file as a normal user. I will access the same file with sudo; let's see the magic.

    $ sudo tail -5 /var/log/secure
    [sudo] password for daygeek:
    Mar 17 07:01:56 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
    Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)
    Mar 17 07:01:56 CentOS7 sudo: pam_unix(sudo:session): session closed for user root
    Mar 17 07:05:10 CentOS7 sudo: daygeek : TTY=pts/0 ; PWD=/home/daygeek ; USER=root ; COMMAND=/bin/tail -5 /var/log/secure
    Mar 17 07:05:10 CentOS7 sudo: pam_unix(sudo:session): session opened for user root by daygeek(uid=0)

Method 2: How to grant superuser access to a normal user on RHEL/CentOS/OEL using the /etc/group file?

We can add the user to the wheel group manually by editing the /etc/group file.

Just open the file and append the user to the appropriate group.

    $ grep -i wheel /etc/group
    wheel:x:10:daygeek,user1

In this example I will use the user1 account.

I am going to check whether user1 has sudo access by restarting the Apache httpd service on the system. Let's see the magic.

    $ sudo systemctl restart httpd
    [sudo] password for user1:

    $ sudo grep -i user1 /var/log/secure
    [sudo] password for user1:
    Mar 17 07:09:47 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
    Mar 17 07:10:40 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
    Mar 17 07:12:35 CentOS7 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/grep -i httpd /var/log/secure

Method 3: How to grant superuser access to a normal user in Linux using the /etc/sudoers file?

A sudo user's access is controlled by the /etc/sudoers file. So simply add the user below the wheel group entry in the sudoers file.

Just append the desired user to the /etc/sudoers file using the visudo command.

    # grep -i user2 /etc/sudoers
    user2 ALL=(ALL) ALL

In this example I will use the user2 account.

I am going to check whether user2 has sudo access by restarting the MariaDB service on the system. Let's see the magic.

    $ sudo systemctl restart mariadb
    [sudo] password for user2:

    $ sudo grep -i mariadb /var/log/secure
    [sudo] password for user2:
    Mar 17 07:23:10 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart mariadb
    Mar 17 07:26:52 CentOS7 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/grep -i mariadb /var/log/secure
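The three methods above grant sudo through different files, so reviewing who actually holds it means reading /etc/sudoers and /etc/group together. The script below is an added example, not from the original article: it resolves %group rules to their members and marks NOPASSWD rules. The deploy group, user3 and user4 are constructed, and the script assumes one rule per line; it does not expand aliases, follow include directives, or consider a user's primary group from /etc/passwd.

```shell
#!/bin/sh
# Added example: list who holds sudo rights by reading a sudoers file together
# with a group file. Assumptions: one rule per line (no backslash
# continuations), no alias expansion, primary groups are not considered.

# Constructed stand-in for /etc/sudoers; the deploy rule is made up.
sample_sudoers() {
cat <<'EOF'
Defaults    env_reset
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
user2   ALL=(ALL)       ALL
%deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart httpd
#includedir /etc/sudoers.d
EOF
}

# Constructed stand-in for /etc/group; deploy, user3 and user4 are made up.
sample_group() {
cat <<'EOF'
root:x:0:
wheel:x:10:daygeek,user1
deploy:x:1005:user3
users:x:100:user4
EOF
}

# usage: sudo_grants SUDOERS_FILE GROUP_FILE
# Prints tab-separated: user, source (%group or "direct"),
# "password" or "NOPASSWD", and the rule text.
sudo_grants() {
    awk -v grp="$2" -v OFS='\t' '
    BEGIN {
        # Load group -> comma-separated member list.
        while ((getline line < grp) > 0) {
            split(line, g, ":")
            members[g[1]] = g[4]
        }
        close(grp)
    }
    # Include directives are not comments: report them so the reviewer
    # knows that more rules live elsewhere.
    /^[ \t]*[#@]include(dir)?[ \t]/ { print "(more rules)", $1, "-", $2; next }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    $1 == "Defaults" || $1 ~ /^Defaults[@:!>]/ || $1 ~ /_Alias$/ { next }
    {
        spec = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)    # drop the user/group field
        gsub(/[ \t]+/, " ", spec)                # squeeze whitespace
        auth = (spec ~ /NOPASSWD:/) ? "NOPASSWD" : "password"
        if ($1 ~ /^%/) {
            name = substr($1, 2)
            n = split(members[name], m, ",")
            for (i = 1; i <= n; i++) print m[i], $1, auth, spec
        } else {
            print $1, "direct", auth, spec
        }
    }' "$1"
}

# Users who can run something through sudo without being asked for a password.
sudo_nopasswd_users() {
    sudo_grants "$1" "$2" | awk -F'\t' '$3 == "NOPASSWD" { print $1 }' | sort -u
}

# Stand-alone demo on the constructed files.
demo_dir=$(mktemp -d)
sample_sudoers > "$demo_dir/sudoers"
sample_group   > "$demo_dir/group"
sudo_grants "$demo_dir/sudoers" "$demo_dir/group"
rm -rf "$demo_dir"
```

On a live system, `sudo -l -U <user>` run as root reports what sudo itself will allow for that account.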

How to configure sudo access on Debian/Ubuntu systems?

On Debian-based systems (such as Debian, Ubuntu and LinuxMint), any of the following three methods will do it.

Method 1: How to grant superuser access to a normal user in Linux using the sudo or admin group?

sudo and admin are special groups on Debian-based systems that provide additional privileges, allowing their members to run restricted commands as the superuser.

Note that the sudo or admin group must be enabled in the /etc/sudoers file for this access to work.

    # grep -i 'sudo\|admin' /etc/sudoers

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo ALL=(ALL:ALL) ALL

Assume we have already created a user account for these operations. Here I will use the 2gadmin account.

Run the following command to add the user to the sudo group.

    # usermod -aG sudo 2gadmin

We can confirm this with the following command.

    # getent group sudo
    sudo:x:27:2gadmin

I am going to test whether the user 2gadmin can access a file that belongs to the root user.

    $ less /var/log/auth.log
    /var/log/auth.log: Permission denied

I get an error when I try to access the /var/log/auth.log file as a normal user. I will access the same file with sudo; let's see the magic.

    $ sudo tail -5 /var/log/auth.log
    [sudo] password for 2gadmin:
    Mar 17 20:39:47 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/bin/bash
    Mar 17 20:39:47 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)
    Mar 17 20:40:23 Ubuntu18 sudo: pam_unix(sudo:session): session closed for user root
    Mar 17 20:40:48 Ubuntu18 sudo: 2gadmin : TTY=pts/0 ; PWD=/home/2gadmin ; USER=root ; COMMAND=/usr/bin/tail -5 /var/log/auth.log
    Mar 17 20:40:48 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by 2gadmin(uid=0)

Alternatively, we can do the same thing by adding the user to the admin group.

Run the following command to add the user to the admin group.

    # usermod -aG admin user1

We can confirm this with the following command.

    # getent group admin
    admin:x:1011:user1

Let's look at the output.

    $ sudo tail -2 /var/log/auth.log
    [sudo] password for user1:
    Mar 17 20:53:36 Ubuntu18 sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/tail -2 /var/log/auth.log
    Mar 17 20:53:36 Ubuntu18 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)

Method 2: How to grant superuser access to a normal user on Debian/Ubuntu using the /etc/group file?

We can add the user to the sudo group or the admin group manually by editing the /etc/group file.

Just open the file and append the user to the appropriate group.

    $ grep -i sudo /etc/group
    sudo:x:27:2gadmin,user2

In this example I will use the user2 account.

I am going to check whether user2 has sudo access by restarting the Apache httpd service on the system. Let's see the magic.

    $ sudo systemctl restart apache2
    [sudo] password for user2:

    $ sudo tail -f /var/log/auth.log
    [sudo] password for user2:
    Mar 17 21:01:04 Ubuntu18 systemd-logind[559]: New session 22 of user user2.
    Mar 17 21:01:04 Ubuntu18 systemd: pam_unix(systemd-user:session): session opened for user user2 by (uid=0)
    Mar 17 21:01:33 Ubuntu18 sudo: user2 : TTY=pts/0 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/systemctl restart apache2

Method 3: How to grant superuser access to a normal user in Linux using the /etc/sudoers file?

A sudo user's access is controlled by the /etc/sudoers file. So simply add the user to the sudoers
