Linux: configuring sudo so that some commands run without a password: Difference between revisions
From 三线的随记
(minor edits, no edit summary; 2 intermediate revisions by the same user not shown)
Latest revision as of 16:10, 5 February 2021 (Friday)
===Related configuration files===
/etc/sudoers
/etc/sudoers.d
===Including other configuration files with #include and #includedir===
## Read drop-in files from /private/etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /private/etc/sudoers.d

Including other files from within sudoers: It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. This can be used, for example, to keep a site-wide sudoers file in addition to a local, per-machine file. For the sake of this example the site-wide sudoers file will be /etc/sudoers and the per-machine one will be /etc/sudoers.local. To include /etc/sudoers.local from within /etc/sudoers we would use the following line in /etc/sudoers:
#include /etc/sudoers.local
- ⚠️ Note: the # in #includedir here does not mark the line as a comment.
- If you use the #includedir directive, the rule files in the target directory must not have a file extension (.xxx); otherwise they will very likely not take effect, for the following reason:
root@ubuntu:/etc/sudoers.d# cat README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade. Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#
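The README above states two rules that are easy to violate by accident: a drop-in whose name contains a '.' or ends in '~' is silently skipped by #includedir, and every drop-in should be mode 0440. The following script is an added example (not part of the original wiki page) that lints a sudoers.d-style directory for exactly those two problems; the function name, the demo directory and the file names in it are constructed for this example, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original page: lint a sudoers.d-style drop-in
# directory for the two pitfalls the Debian README describes.
# Assumptions: GNU stat is available; the directory is passed as $1.

# Print one line per problem to stderr and the number of problems to stdout.
lint_sudoers_dir() {
    dir="$1"
    problems=0
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        # sudo ignores names that contain '.' or end in '~' (e.g. editor backups)
        case "$name" in
            *~ | *.*)
                echo "skipped by sudo: $name (name contains '.' or ends in '~')" >&2
                problems=$((problems + 1))
                ;;
        esac
        # octal permission bits; the README asks for 0440 on every drop-in
        mode=$(stat -c '%a' "$path")
        if [ "$mode" != "440" ]; then
            echo "wrong mode: $name is $mode, expected 440" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# Constructed demo directory: one correct drop-in, one with an extension
# (silently ignored by sudo), one that is world-readable.
demo_dir=$(mktemp -d)
: > "$demo_dir/10-ops-nopasswd"; chmod 440 "$demo_dir/10-ops-nopasswd"
: > "$demo_dir/20-backup.conf";  chmod 440 "$demo_dir/20-backup.conf"
: > "$demo_dir/30-vpn";          chmod 644 "$demo_dir/30-vpn"
echo "problems found: $(lint_sudoers_dir "$demo_dir")"
rm -rf "$demo_dir"
```

Run it against the real directory with `lint_sudoers_dir /etc/sudoers.d` (as root, since the files are mode 0440). A drop-in that this script reports as "skipped by sudo" is the usual explanation for a NOPASSWD rule that "does not work": sudo never read it. After fixing names and modes, `visudo -c` still needs to be run to confirm the combined configuration parses.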
===Configuring a user to have sudo privileges===
root ALL = (ALL) ALL
%group-id ALL = (ALL) ALL
===Configuring sudo so that no command requires password authentication===
your-user-name ALL = (ALL) NOPASSWD:ALL
- ⚠️ Note: a setting can be overridden by a later entry. If NOPASSWD:ALL is configured earlier in the file but the same user is later given (ALL) ALL again, sudo will still ask for a password.
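Because sudo applies matching entries in file order and the last match wins, the pitfall in the note above can be caught before it bites by checking which entry for a user comes last. The script below is an added example, not code from the original page; the function name is invented here, and it is a deliberate simplification (assumption): it only considers entries whose first field is exactly the given user name and ignores %group entries, aliases and per-command PASSWD/NOPASSWD tags, so it models the one case the note describes rather than sudo's full matching rules.

```shell
#!/bin/sh
# Added example, not from the original page: report whether the last
# sudoers entry for a user carries the NOPASSWD tag. sudo uses the last
# matching entry, so a later "user ALL = (ALL) ALL" line re-enables the
# password prompt that an earlier NOPASSWD:ALL line removed.
# Simplification (assumption): matches only entries whose first field is the
# exact user name; %group lines, aliases and per-command tags are ignored.

# Print "NOPASSWD" if the user's last entry has the tag, "PASSWD" if it does
# not, and "NONE" if the user has no entry at all.
effective_password_policy() {
    file="$1"; user="$2"
    awk -v u="$user" '
        /^[[:space:]]*#/ { next }            # comments, #include, #includedir
        $1 == u { last = $0 }                # a later entry overrides an earlier one
        END {
            if (last == "")             print "NONE"
            else if (last ~ /NOPASSWD/) print "NOPASSWD"
            else                        print "PASSWD"
        }
    ' "$file"
}

# Constructed sudoers fragment reproducing the pitfall from the note.
demo=$(mktemp)
cat > "$demo" <<'EOF'
root           ALL = (ALL) ALL
your-user-name ALL = (ALL) NOPASSWD:ALL
# ... further down, a "normal" entry for the same user is added again:
your-user-name ALL = (ALL) ALL
EOF
echo "your-user-name: $(effective_password_policy "$demo" your-user-name)"   # PASSWD
rm -f "$demo"
```

For a real system, run it against the output of `visudo -c` -checked files, or simply against /etc/sudoers and each drop-in in order; keeping the NOPASSWD entry in a drop-in that sorts last (drop-ins are read in lexical order) is the usual way to make sure nothing later overrides it.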
===Configuring sudo so that specific commands do not require password authentication===
user-id ALL = (ALL) NOPASSWD:/usr/sbin/tcpdump
user-id ALL = (ALL) NOPASSWD:/sbin/route
user-id ALL = (ALL) NOPASSWD:/usr/local/bin/openconnect