[root@controller-0 sudoers.d]# su --help Usage: su [options] [-] [USER [arg]...] Change the effective user id and group id to that of USER. A mere - implies -l. If USER not given, assume root. Options: -m, -p, --preserve-environment do not reset environment variables -g, --group <group> specify the primary group -G, --supp-group <group> specify a supplemental group -, -l, --login make the shell a login shell -c, --command <command> pass a single command to the shell with -c --session-command <command> pass a single command to the shell with -c and do not create a new session -f, --fast pass -f to the shell (for csh or tcsh) -s, --shell <shell> run shell if /etc/shells allows it -h, --help display this help and exit -V, --version output version information and exit
[lianhua@***n ~]$ su - root Password: Last login: Sat Mar 7 17:55:48 CST 2020 on pts/0 [root@*** ~]# env XDG_SESSION_ID=5763 HOSTNAME=*** SHELL=/bin/bash TERM=xterm HISTSIZE=1000 http_proxy=http://10.110.***.*** USER=root LS_COLORS=36:*.xspf=01;36: MAIL=/var/spool/mail/root PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin PWD=/root LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=1 HOME=/root LOGNAME=root LESSOPEN=||/usr/bin/lesspipe.sh %s _=/bin/env
[lianhua@*** ~]$ su root Password: [root@*** ~]# env XDG_SESSION_ID=5763 HOSTNAME=*** TERM=xterm SHELL=/bin/bash HISTSIZE=1000 USER=lianhua http_proxy=http://10.110.***.*** LS_COLORS=36:*.xspf=01;36: PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/lianhua/.local/bin:/home/lianhua/bin MAIL=/var/spool/mail/lianhua PWD=/home/lianhua LANG=en_US.UTF-8 HISTCONTROL=ignoredups HOME=/root SHLVL=2 LOGNAME=lianhua LESSOPEN=||/usr/bin/lesspipe.sh %s _=/bin/env
Options: -A, --askpass use a helper program for password prompting -b, --background run command in the background -C, --close-from=num close all file descriptors >= num -E, --preserve-env preserve user environment when running command --preserve-env=list preserve specific environment variables -e, --edit edit files instead of running a command -g, --group=group run command as the specified group name or ID -H, --set-home set HOME variable to target user's home dir -h, --help display help message and exit -h, --host=host run command on host (if supported by plugin) -i, --login run login shell as the target user; a command may also be specified -K, --remove-timestamp remove timestamp file completely -k, --reset-timestamp invalidate timestamp file -l, --list list user's privileges or check a specific command; use twice for longer format -n, --non-interactive non-interactive mode, no prompts are used -P, --preserve-groups preserve group vector instead of setting to target's -p, --prompt=prompt use the specified password prompt -r, --role=role create SELinux security context with specified role -S, --stdin read password from standard input -s, --shell run shell as the target user; a command may also be specified -t, --type=type create SELinux security context with specified type -T, --command-timeout=timeout terminate command after the specified time limit -U, --other-user=user in list mode, display privileges for user -u, --user=user run command (or edit file) as specified user name or ID -V, --version display version information and exit -v, --validate update user's timestamp without running a command -- stop processing command line arguments
[lianhua@*** ~]$ sudo passwd [sudo] password for lianhua: Sorry, user lianhua is not allowed to execute '/bin/passwd' as root on controller-0-forestgreen.
[root@test ~]visudo ... root ALL=(ALL) ALL ...
用户账号 登录者的来源主机名=[可切换的身份] 可执行的命令 (user account, source host of the login = [identities that may be switched to], commands that may be run)
root ALL = (ALL) ALL
[root@*** ~]visudo ... huasheng ALL=(ALL) NOPASSWD:/usr/sbin/visudo ...
[root@*** ~]# hostname test [root@*** ~]# hostname -I 10.57.0.1 [root@*** ~]# visudo ... huasheng 10.57.0.1=(ALL) NOPASSWD:/usr/sbin/visudo ... [root@*** ~]# su - huasheng Last login: Sat Mar 7 16:06:10 CST 2020 on pts/0 [huasheng@*** ~]$ sudo visudo visudo: /etc/sudoers.tmp unchanged
[huasheng@*** ~]# visudo ... huasheng 10.57.1.1=(ALL) NOPASSWD:/usr/sbin/visudo ... [huasheng@*** ~]$ sudo visudo [sudo] password for huasheng: huasheng is not allowed to run sudo on test. This incident will be reported.
[root@test ~]# visudo [root@test ~]# su - huasheng Last login: Sat Mar 7 19:27:29 CST 2020 on pts/0 [huasheng@test ~]$ sudo visudo [sudo] password for huasheng: Sorry, user huasheng is not allowed to execute '/sbin/visudo' as root on test.
[lianhua@test ~]$ su - huasheng Password: Last login: Sat Mar 7 19:52:44 CST 2020 on pts/0 [huasheng@test ~]$ which su /bin/su [huasheng@controller-0-forestgreen ~]$ sudo visudo ... lianhua ALL=(ALL) NOPASSWD: /bin/su ... [huasheng@test ~]$ exit logout [lianhua@test ~]$ sudo su [root@test lianhua]#
[root@test lianhua]# visudo ... lianhuasheng ALL=(ALL) NOPASSWD: /bin/su ...
[root@test lianhua]# groupadd ADMINGROUP [root@test lianhua]# visudo ... %ADMINGROUP ALL=(ALL) NOPASSWD: /bin/su, !/bin/passwd, !/bin/passwd root ... [root@test lianhua]# usermod -G ADMINGROUP lianhua [root@test lianhua]# usermod -G ADMINGROUP huasheng [root@test lianhua]# usermod -G ADMINGROUP lianhuasheng [root@test lianhua]# su - lianhua Last login: Sat Mar 7 19:56:00 CST 2020 on pts/0 [lianhua@test ~]$ sudo su [root@test lianhua]# Note: because NOPASSWD: /bin/su already yields a root shell (as the last prompt shows), the !/bin/passwd exclusions do not actually prevent these users from running passwd; the sudoers manual itself states that "!" exclusions are not a security mechanism.
[root@test ~]# cat /etc/sudoers | grep sudoers.d ## Read drop-in files from /etc/sudoers.d (the leading # of #includedir is part of the directive, not a comment marker) #includedir /etc/sudoers.d
[root@test lianhua]# cd /etc/sudoers.d/ [root@test sudoers.d]# vi ADMINGROUP %ADMINGROUP ALL=(ALL) NOPASSWD: /bin/su [root@test sudoers.d]# visudo [root@test sudoers.d]# su - lianhua Last login: Sat Mar 7 20:17:35 CST 2020 on pts/0 [lianhua@test ~]$ sudo su [root@test lianhua]#
原文:https://www.cnblogs.com/xingzheanan/p/12436943.html