Linux使用sudo权限执行部分命令不需要密码配置:修订间差异

来自三线的随记
无编辑摘要
无编辑摘要
 
(未显示同一用户的5个中间版本)
第1行: 第1行:
===相关配置文件===
===相关配置文件===
  /etc/sudoers
  /etc/sudoers
/etc/sudoers.d
<br />
<br />


=== 使用 <code>#'''include'''</code> '''和''' <code>#includedir</code> 插入别的配置文件 ===
===使用 <code>#'''include'''</code> '''和''' <code>#includedir</code> 插入别的配置文件===
  ## Read drop-in files from /private/etc/sudoers.d
  ## Read drop-in files from /private/etc/sudoers.d
  ## (the '#' here does not indicate a comment)
  ## (the '#' here does not indicate a comment)
第16行: 第18行:
     #include /etc/sudoers.local
     #include /etc/sudoers.local


* ⚠️注意, 此处的 <code>#includedir</code> 中的<code>#</code>并不是代表注释该行
*⚠️注意, 此处的 <code>#includedir</code> 中的<code>#</code>并不是代表注释该行
*如果用的是 #includedir 指令,目标目录下面的规则文件,不要有文件拓展名(.xxx),否则很有可能不生效,原因如下


root@ubuntu:/etc/sudoers.d# cat README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#
<br />
<br />
===配置用户拥有sudo权限===
===配置用户拥有sudo权限===
第24行: 第49行:




===配置sudo不需要密码认证===
===配置sudo所有命令不需要密码认证===
  your-user-name ALL = (ALL) NOPASSWD:ALL
  your-user-name ALL = (ALL) NOPASSWD:ALL


第34行: 第59行:
  user-id        ALL = (ALL) NOPASSWD:/sbin/route
  user-id        ALL = (ALL) NOPASSWD:/sbin/route
  user-id        ALL = (ALL) NOPASSWD:/usr/local/bin/openconnect
  user-id        ALL = (ALL) NOPASSWD:/usr/local/bin/openconnect
     
[[分类:Linux]]
      [[分类:Linux]]

2021年2月5日 (五) 16:10的最新版本

相关配置文件

/etc/sudoers
/etc/sudoers.d


使用 #include #includedir 插入别的配置文件

## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d
Including other files from within sudoers
    It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives.

    This can be used, for example, to keep a site-wide sudoers file in addition to a local, per-machine file.  For the sake of this example the site-wide sudoers file will be
    /etc/sudoers and the per-machine one will be /etc/sudoers.local.  To include /etc/sudoers.local from within /etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local
  • ⚠️注意, 此处的 #includedir 中的#并不是代表注释该行
  • 如果用的是 #includedir 指令,目标目录下面的规则文件,不要有文件拓展名(.xxx),否则很有可能不生效,原因如下
root@ubuntu:/etc/sudoers.d# cat README 
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
# 	#includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#


配置用户拥有sudo权限

root		ALL = (ALL) ALL
%group-id	ALL = (ALL) ALL


配置sudo所有命令不需要密码认证

your-user-name	ALL = (ALL) NOPASSWD:ALL
  • ⚠️注意,配置参数能被下文覆盖,所以如果前文中配置了NOPASSWD:ALL,但是假设后文又重新配置了(ALL) ALL ,则会在执行sudo的时候还是需要密码


配置sudo对于特定命令不需要密码认证

user-id         ALL = (ALL) NOPASSWD:/usr/sbin/tcpdump
user-id         ALL = (ALL) NOPASSWD:/sbin/route
user-id         ALL = (ALL) NOPASSWD:/usr/local/bin/openconnect