Linux study notes
I. The su command
II. The sudo command
III. Restricting root remote login
I. The su command
1. su switches to another user. With the "-" option it also switches to that user's home directory and loads the user's profile files and environment variables (a login shell).
[root@01 ~]# su - admin
Last login: Thu Sep 20 11:18:16 EDT 2018 on pts/0
[admin@01 ~]$ whoami
admin
2. su - -c "touch /tmp/admin.txt1" admin creates the file /tmp/admin.txt1 under /tmp/ as the ordinary user admin (the file is therefore owned by admin, not root):
[root@01 ~]# su - -c "touch /tmp/admin.txt1" admin
[root@01 ~]# cd /tmp/
[root@01 tmp]# ls -li
16784117 -rw-rw-r-- 1 admin admin 0 Sep 23 09:57 admin.txt1
3. From the ordinary user admin, su - user1 switches to user1. If the target user (user2 here) has no home directory, su still succeeds but warns that it cannot change directory and drops you into a shell without a profile. Fix it as root: create the directory, hand it to the user, copy the .bash* profile files from /etc/skel/ into it, and fix the ownership of everything inside: mkdir /home/user2/; chown user2:user2 /home/user2; cp /etc/skel/.bash* /home/user2/; chown -R user2:user2 /home/user2/.
[root@01 ~]# su - admin
Last login: Sun Sep 23 10:01:48 EDT 2018 on pts/0
[admin@01 ~]$ su - user1
Password:
Last login: Sun Sep 23 10:01:54 EDT 2018 on pts/0
[user1@01 ~]$ su - user2
Password:
Last login: Sun Sep 23 09:50:28 EDT 2018 on pts/0
Last failed login: Sun Sep 23 10:02:08 EDT 2018 on pts/0
There was 1 failed login attempt since the last successful login.
su: warning: cannot change directory to /home/user2: No such file or directory
-bash-4.2$
[root@01 ~]# cd /home/
[root@01 home]# ls
admin linux-01 linux-02 linux-03 user1
[root@01 home]# mkdir user2
[root@01 home]# ls
admin linux-01 linux-02 linux-03 user1 user2
[root@01 ~]# chown user2:user2 /home/user2
[root@01 ~]# cp /etc/skel/.bash* /home/user2/
[root@01 ~]# chown -R user2:user2 /home/user2/
[root@01 ~]# su - admin
Last login: Sun Sep 23 10:02:41 EDT 2018 on pts/0
[admin@01 ~]$ su - user1
Password:
Last login: Sun Sep 23 10:02:47 EDT 2018 on pts/0
[user1@01 ~]$ su - user2
Password:
Last login: Sun Sep 23 10:02:57 EDT 2018 on pts/0
[user2@01 ~]$
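The repair steps above (mkdir, cp from /etc/skel, chown) as one script is an added example and not part of the original notes. provision_home is an assumed helper name; the home base and skel directory are parameters so it can be exercised outside /home and /etc/skel. It adds the checks the manual version lacks: the account must already exist, an existing directory is never touched, and the new home is set to mode 700 so other local users cannot read it.

```shell
#!/bin/sh
# Added example, not from the original notes: provision a missing home
# directory for an existing account. provision_home is an assumed name.
#
# Usage: provision_home USER [HOME_BASE] [SKEL_DIR]
# Returns 0 on success, 1 if the user does not exist, 2 if the home exists.

provision_home() {
    user=$1
    home_base=${2:-/home}
    skel=${3:-/etc/skel}
    home="$home_base/$user"

    # Only provision for an account that exists in passwd; otherwise chown
    # would fail and leave a root-owned directory behind.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "provision_home: no such user: $user" >&2
        return 1
    fi
    # Never touch an existing directory: it may hold another user's data.
    if [ -e "$home" ]; then
        echo "provision_home: $home already exists, nothing done" >&2
        return 2
    fi
    mkdir -p "$home"
    # "$skel/." copies the dot-files (.bash_profile, .bashrc, .bash_logout)
    # as well; a glob such as $skel/* would silently skip them.
    cp -r "$skel/." "$home/"
    # Owner and primary group of the user, recursively, like the notes do.
    chown -R "$user:$(id -gn "$user")" "$home"
    # 700: the home is private to its owner.
    chmod 700 "$home"
    echo "provision_home: created $home for $user"
}

# Usage on a real host, as root:  provision_home user2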
三、sudo命令
1、sudo可以让普通用户拥有指定用户的权限执行命令(root)。编辑sudo文件的命令:visudo。编辑sudo第92行:admin ALL=(ALL) /usr/bin/ls, /usr/bin/mv, /usr/bin/cat 让普通用户admin可以拥有root权限去执行ls,mv,cat这些命令;在vi模式先输入:set nu显示行数
91 ## Allow root to run any commands anywhere
92 root ALL=(ALL) ALL
93 admin ALL=(ALL) /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
94 ## Allows members of the 'sys' group to run networking, software,
95 ## service management apps and more.
:x //:x保存命令
2、切换到普通用户admin,然后sudo /usr/bin/ls /root/
[root@01 ~]# su - admin
Last login: Sun Sep 23 10:11:14 EDT 2018 on pts/0
[admin@01 ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for admin: //提示输入admin用户的密码
11.txt 12345 12.log 1.png 1.txt 2 222.txt 23.txt 2.txt 3 4 66 666 admin anaconda-ks.cfg passwd test
[admin@01 ~]$
3、在visudo添加普通用户执行命令的前面加NOPASSWD:就可以在执行sudo /usr/bin/ls /root/时不需要输入用户的密码;
92 root ALL=(ALL) ALL
93 admin ALL=(ALL) NOPASSWD: /usr/bin/ls,/usr/bin/mv,/usr/bin/cat
[root@01 ~]# visudo
[root@01 ~]# su - admin
Last login: Sun Sep 23 10:21:47 EDT 2018 on pts/0
[admin@01 ~]$ sudo /usr/bin/cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
4、visudo下还可以给命令做别名、添加用户组。
30 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
31 Cmnd_Alias AA = /usr/bin/ls , /usr/bin/cat //做别名:AA
32 ## Services
34
35 ## Updating the locate database
36 # Cmnd_Alias LOCATE = /usr/bin/updatedb
37
38 ## Storage
39 # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
40
41 ## Delegating permissions
42 # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
43
44 ## Processes
45 # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
46
47 ## Drivers
48 # Cmnd_Alias DRIVERS = /sbin/modprobe
49
50 # Defaults specification
51
52 #
53 # Refuse to run if unable to disable echo on the tty.
54 #
55 Defaults !visiblepw
56
57 #
58 # Preserving HOME has security implications since many programs
59 # use it when searching for configuration files. Note that HOME
60 # is already set when the the env_reset option is enabled, so
61 # this option is only effective for configurations where either
62 # env_reset is disabled or HOME is present in the env_keep list.
63 #
64 Defaults always_set_home
65 Defaults match_group_by_gid
66
67 Defaults env_reset
68 Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
69 Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
70 Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
71 Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
72 Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
73
74 #
75 # Adding HOME to env_keep may enable a user to run unrestricted
76 # commands via sudo.
77 #
78 # Defaults env_keep += "HOME"
79
80 Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
81
82 ## Next comes the main part: which users can run what software on
83 ## which machines (the sudoers file can be shared between multiple
84 ## systems).
85 ## Syntax:
86 ##
87 ## user MACHINE=COMMANDS
88 ##
89 ## The COMMANDS section may have other options added to it.
90 ##
91 ## Allow root to run any commands anywhere
92 root ALL=(ALL) ALL
93 admin ALL=(ALL) NOPASSWD: AA //调用AA
94 ## Allows members of the 'sys' group to run networking, software,
95 ## service management apps and more.
96 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
97
98 ## Allows people in group wheel to run all commands
99 %wheel ALL=(ALL) ALL //添加用户组
[admin@01 ~]$ sudo ls /root/
11.txt 12345 12.log 1.png 1.txt 2 222.txt 23.txt 2.txt 3 4 66 666 admin anaconda-ks.cfg passwd test
[admin@01 ~]$ sudo cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
三、限制root远程登录
1、用root身份登陆服务器时会有风险;visudo;root不能登陆,只能登陆普通用户,su - root ,没有root的密码;sudo su。
16 ## User Aliases
17 ## These aren't often necessary, as you can use regular groups
18 ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
19 ## rather than USERALIAS
20 # User_Alias ADMINS = jsmith, mikem
21 User_Alias AA = admin, user1, user2 //定义AA,设定AA下包含哪些用户;
87 ## user MACHINE=COMMANDS
88 ##
89 ## The COMMANDS section may have other options added to it.
90 ##
91 ## Allow root to run any commands anywhere
92 root ALL=(ALL) ALL
93 admin ALL=(ALL) NOPASSWD: AA
94 AA ALL=(ALL) NOPASSWD: /usr/bin/su //调用AA,赋予AA允许运行的命令为:/usr/bin/su
[root@01 ~]# su - admin
Last login: Sun Sep 23 11:16:00 EDT 2018 on pts/0
[admin@01 ~]$ sudo su -
Last login: Sun Sep 23 11:14:58 EDT 2018 on pts/0 //测试结果
[root@01 ~]#
2、限制root用户登陆,vi /etc/ssh/sshd_config,按/Root搜索Root;把#去掉(#为注释符号),然后把yes改成no,保存退出即可;然后需要重启服务:systemctl restart sshd.service。
[root@01 ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
[root@01 ~]# systemctl restart sshd.service

Connecting to 192.168.73.128:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
3、用普通用户admin登陆成功,普通用户admin切换至root下sudo su -。
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Sep 23 11:31:21 2018
[admin@01 ~]$ sudo su -
Last login: Sun Sep 23 11:31:25 EDT 2018 on pts/0
Last failed login: Sun Sep 23 11:39:02 EDT 2018 from 192.168.73.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@01 ~]#
网友评论