我正在嘗試進行配置sudo
,以便從特定 IP 範圍連接時無需輸入密碼。我嘗試在文件中使用以下行/etc/sudoers
:
%wheel 10.1.2.0/24 = (ALL) NOPASSWD: ALL
visudo
當我關閉它時不會給出錯誤,因此語法是有效的。但是當我使用wheel群組中的使用者從ip範圍內的伺服器登入時10.1.2.0/24
,我仍然需要提供帳戶的密碼:
[cybertinus@server ~]$ id
uid=500(cybertinus) gid=500(cybertinus) groups=500(cybertinus),10(wheel),48(apache)
[cybertinus@server ~]$ who
cybertinus pts/0 2015-09-30 09:57 (10.1.2.3)
cybertinus pts/1 2015-09-30 13:03 (10.1.2.3)
[cybertinus@server ~]$ sudo -i
[sudo] password for cybertinus:
然而,我注意到的是,/var/log/secure
當我在此提示下輸入不正確的密碼時,將以下行添加到我的密碼中:
Sep 30 13:04:31 server sudo: pam_unix(sudo-i:auth): authentication failure; logname=cybertinus uid=500 euid=0 tty=/dev/pts/1 ruser=cybertinus rhost= user=cybertinus
rhost=
是空的。所以我的理論是 sudo 不會從 ssh 會話傳遞遠端主機。有沒有辦法讓我們sudo
知道這個互動式會話正在哪個主機ssh
上運行?
我確實知道這是一個安全風險。但所討論的 IP 範圍是我在 VPN 網路上使用的 IP 範圍。換句話說:它沒有直接連接到互聯網。如果駭客進入我的 VPN 網絡,我就會遇到另一個問題;)。
為了讓您了解完整的情況,這是我的整個/etc/sudoers
文件:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
#Defaults requiretty
#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults !visiblepw
#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
%wheel 10.1.2.3=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
/etc/sudoers.d
您會在最後看到 的引用。這是該目錄的內容:
[root@server ~]# ls /etc/sudoers.d | wc -l
0
換句話說: In/etc/sudoers.d
沒有任何東西可以推翻普通/etc/sudoers
文件。
答案1
主機清單功能sudo
檢查/符合執行的主機的主機名稱、IP 位址、網路號碼、網路群組sudo
,而不是遠端主機的主機名稱、IP 位址、網路號碼、網路群組。
這個想法是,單一通用sudoers
檔案可以分發到大量伺服器/工作站,並且某些權限僅授予系統子集上的使用者。
檢查底部的範例部分手動的
# /etc/sudoers
# Runas alias specification
Runas_Alias OP = root, operator
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
# example users
jack CSNETS = ALL
jen ALL, !SERVERS = ALL
bob SPARC = (OP) ALL : SGI = (OP) ALL
使用者 jack 可以在 CSNETS 別名(網路 128.138.243.0、128.138.204.0 和 128.138.242.0)中的電腦上執行任何指令。在這些網路中,只有 128.138.204.0 具有明確網路遮罩(以 CIDR 表示法),顯示它是 C 類網路。對於CSNETS中的其他網絡,配對時將使用本機的網路遮罩。
使用者 bob 可以作為 OP Runas_Alias 中列出的任何使用者(root 和操作員)在 SPARC 和 SGI 電腦上執行任何內容。
使用者 jen 可以在除 SERVERS Host_Alias(master、mail、www 和 ns)之外的任何機器上執行任何命令。