I have two servers, server1 (s1) and server2 (s2). What I want is to grant a user named tom on s1 the right to run useradd, but only allow tom to use this command on s1.
What I did
I added the following lines to /etc/sudoers on s1:
Host_Alias HOSTGROUNP = 127.0.0.1
tom HOSTGROUNP=(root) /usr/sbin/useradd
I tested that user tom on s1 can indeed run sudo useradd userx, and it works. But when I ssh from s2 into s1 as tom, sudo useradd usery also succeeds.
What I still haven't figured out is: what is the point of filling in Host_Alias this way? Anyone who logs in remotely (including a login from s2) can do things as tom, so why doesn't this host setting restrict the address the ssh connection comes from? I'd appreciate an explanation.
A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the value of an item may be negated with the ‘!’ operator. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. If you specify a network number without a netmask, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the host's network interfaces, will use the netmask of that interface. The netmask may be specified either in standard IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g. 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host name, you'll need to use the fqdn option for wildcards to be useful. Note that sudo only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name “localhost” will only match if that is the actual host name, which is usually only the case for non-networked systems.
127.0.0.1 can never be matched; try replacing it with the machine's internal network address.
The host and host-group settings do not give you fine-grained permission control for a particular host. They exist to give the administrator one capability: maintain a single /etc/sudoers file and copy it to the other machines. The sudoers file is identical everywhere, but it takes effect differently on each machine.
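A sudoers fragment that does what the two answers above describe, added here as an illustration and not taken from the original thread; the address 192.0.2.10 and the host name s1 are assumed values for server1:

```sudoers
# Does NOT work: sudo matches a Host_List against the machine's real network
# interfaces, and the loopback address 127.0.0.1 is never considered.
# Host_Alias HOSTGROUNP = 127.0.0.1

# Works: name the host by its interface address or its actual host name.
# 192.0.2.10 and s1 are assumed values; check `hostname` and `ip addr` on server1.
Host_Alias S1 = 192.0.2.10, s1

# tom may run useradd as root only where the Host_List matches, i.e. when
# this file is evaluated on s1 itself. Where tom logged in from (local
# console or ssh from s2) is not part of the match at all.
tom S1 = (root) /usr/sbin/useradd

# The identical file copied to s2 grants tom nothing there: s2's interfaces
# do not carry 192.0.2.10 and its host name is not s1.
```

Validate the file with `visudo -cf /etc/sudoers` and compare `sudo -l -U tom` on s1 and on s2 to see the rule apply on one machine and not the other.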