[root@rh ~]# su - user1
[user1@rh ~]$ ifconfig eth0
-bash: ifconfig: command not found
[user1@rh ~]$ su - root -c "ifconfig eth0"
Password:
eth0 Link encap:Ethernet HWaddr 00:0C:29:0E:96:2D
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe0e:962d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:169473 errors:0 dropped:0 overruns:0 frame:0
TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10794784 (10.2 MiB) TX bytes:16345 (15.9 KiB)
Interrupt:10 Base address:0x1400
[user1@rh ~]$
sudo用法
[root@rh ~]# visudo
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
User_Alias WWWADMIN=www1,www2 用户别名(User_Alias):WWWADMIN 包含 www1 和 www2 两个成员。注意:真正的 sudoers 文件中不能像这里一样在行尾直接写说明文字,注释必须以 # 开头,否则 visudo 会报语法错误。
# Cmnd alias specification
Cmnd_Alias WWW=/etc/init.d/httpd 命令别名(Cmnd_Alias):WWW 指向 /etc/init.d/httpd。这里没有限定参数,所以成员可以带任意参数运行该脚本;如果只想允许重启,可写成 /etc/init.d/httpd restart。同样,行尾的说明文字不能出现在真实文件中。
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
WWWADMIN ALL=WWW 第一个 ALL 表示任何主机,整行表示 WWWADMIN 中的成员可以在任何主机上以 root 身份(未写 (runas) 时默认为 root)执行 WWW 别名所指定的命令。由于 sudo 信任该脚本执行的一切,/etc/init.d/httpd 及其引用的文件必须只有 root 可写,否则这条规则本身就是一条提权途径。另外,下面示例用 echo 123|passwd --stdin 设置的弱密码会留在 shell 历史和进程列表中,只适合演示环境。
[root@rh ~]# useradd www1
[root@rh ~]# echo 123|passwd --stdin www1
Changing password for user www1.
passwd: all authentication tokens updated successfully.
[root@rh ~]# su - www1
[www1@rh ~]$ /etc/init.d/httpd restart
rm: cannot remove `/var/run/httpd.pid': Permission denied [FAILED]
Starting httpd:
touch: cannot touch `/var/lock/subsys/httpd': Permission denied
[www1@rh ~]$ sudo /etc/init.d/httpd restart
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
Stopping httpd: [ OK ]
Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[www1@rh ~]$
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
[root@rh ~]# useradd www2
[root@rh ~]# echo 456|passwd --stdin www2
Changing password for user www2.
passwd: all authentication tokens updated successfully.
[root@rh ~]# su - www2
[www2@rh ~]$ sudo /etc/init.d/httpd restart
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
Stopping httpd: [ OK ]
Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
[www2@rh ~]$
suid sgid sticky
suid 只对可执行文件有效,不能对目录设置:chmod 4755 filename 或 chmod u+s filename。在可执行文件上设置 SUID 后,任何人执行它时进程都以文件所有者(通常是 root)的身份运行。正因如此,SUID 程序是提权攻击的首要目标:应只保留必要的系统程序,保证它们不可被非 root 用户写入,并定期用 find / -perm -4000 清点。
sgid 对文件和目录都可设置:chmod 2755 filename/directoryname 或 chmod g+s filename/directoryname。设置在可执行文件上时,执行它的进程以文件的属组身份运行;设置在目录上时,之后在该目录中新建的文件和子目录都继承目录的属组(子目录还会继承 SGID 位),便于多人协作。它并不会额外赋予使用者执行权限,文件能否被执行仍由文件自身的权限位决定。
sticky 只对目录有效,不能对文件设置:chmod 1755 directoryname 或 chmod o+t directoryname。目录具有 sticky 权限后,其中的文件只能被文件所有者、目录所有者或 root 删除或改名,即使其他用户对该文件有 w 权限也不行(/tmp 就是典型例子,见下面的示例)。files can be deleted or renamed only by their owner, the directory owner, or root.
[root@rh ~]# ls -l /usr/bin/passwd
-r-s--x--x 1 root root 19336 Sep 7 2004 /usr/bin/passwd
[root@rh ~]# ps aux |grep passwd
root 746 0.0 0.2 4116 652 pts/0 R+ 20:00 0:00 grep passwd
[root@rh ~]# su - mike
[mike@rh ~]$ passwd
Changing password for user mike.
Changing password for mike
(current) UNIX password:
[root@rh ~]# ps aux |grep passwd
root 776 0.0 0.4 3936 1048 pts/0 S+ 20:02 0:00 passwd
root 814 0.0 0.2 4108 652 pts/1 R+ 20:03 0:00 grep passwd
[root@rh ~]#
本来是 mike 在执行 passwd,但 /usr/bin/passwd 具有 SUID 权限,所以进程以文件所有者(root)的身份运行,ps 中显示 USER 为 root——这就是普通用户能够修改只有 root 可写的 /etc/shadow 的原因。注意第二次 ps 是在另一个终端(pts/1)执行的,此时 mike 的 passwd 进程仍在 pts/0 上等待输入。
[user1@rh ~]$ ls -ld /tmp/
drwxrwxrwt 4 root root 4096 Oct 13 15:49 /tmp/
[user1@rh ~]$ touch /tmp/user1.txt
[user1@rh ~]$ ls -l !$
ls -l /tmp/user1.txt
-rw-rw-r-- 1 user1 user1 0 Oct 13 20:32 /tmp/user1.txt
[user1@rh ~]$ chmod 777 !$
chmod 777 /tmp/user1.txt
[user1@rh ~]$ ls -l !$
ls -l /tmp/user1.txt
-rwxrwxrwx 1 user1 user1 0 Oct 13 20:32 /tmp/user1.txt
[user1@rh ~]$
[root@rh ~]# su - user2
[user2@rh ~]$ ls -l /tmp/user1.txt
-rwxrwxrwx 1 user1 user1 0 Oct 13 20:32 /tmp/user1.txt
[user2@rh ~]$ rm -rf !$
rm -rf /tmp/user1.txt
rm: cannot remove `/tmp/user1.txt': Operation not permitted
[user2@rh ~]$
虽然 user2 对 /tmp/user1.txt 也有 w 权限(已 chmod 777),但仍不能删除,这是因为 /tmp 具有 sticky 权限(ls -ld 输出末位的 t):能删除该文件的只有文件所有者 user1、目录所有者 root。
sgid示例:
[root@rhel ~]# groupadd project1
[root@rhel ~]# vi /etc/group
project1:x:503:user1,www1,nfs1
[root@rhel ~]# mkdir /project1
[root@rhel ~]# chmod 3771 /project1
[root@rhel ~]# chown user1.project1 /project1
[root@rhel ~]# ls -ld /project1
drwxrws--t 2 user1 project1 4096 10-13 20:25 /project1
[root@rhel ~]# su - user1
[user1@rhel ~]$ ls /project1
[user1@rhel ~]$ ls -ld /project1
drwxrws--t 2 user1 project1 4096 10-13 20:25 /project1
[user1@rhel ~]$ touch /project1/p1
[user1@rhel ~]$ ls -l !$
ls -l /project1/p1
-rw-rw-r-- 1 user1 project1 0 10-13 20:32 /project1/p1
[user1@rhel ~]$ touch abc
[user1@rhel ~]$ ls -l abc
-rw-rw-r-- 1 user1 user1 0 10-13 20:33 abc
因为 /project1 具有 SGID 权限,所以在该目录中新建的文件 p1 的属组是目录的属组 project1;而在家目录中新建的 abc 属组仍是 user1,两者正好对比。另外 3771 中的 sticky 位使组成员之间不能互删文件,末位的 1 使其他用户只能进入目录而不能列出或创建内容。
getfacl setfacl
[root@rh ~]# ls -ld /pt1/
drwxrwx--x 2 user1 user1 4096 Oct 14 08:58 /pt1/
[root@rh ~]# ls -l /pt1/
total 0
-rw-rw-r-- 1 user1 user1 0 Oct 14 08:58 p1
[root@rh ~]# su - user2
[user2@rh ~]$ ls -ld /pt1
drwxrwx--x 2 user1 user1 4096 Oct 14 08:58 /pt1
[user2@rh ~]$ ls -l /pt1/
ls: /pt1/: Permission denied
[root@rh ~]# vi /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1
[root@rh ~]# mount -o remount /
[root@rh ~]# setfacl -m u:user2:r-x /pt1/
[root@rh ~]# getfacl /pt1/
getfacl: Removing leading '/' from absolute path names
# file: pt1
# owner: user1
# group: user1
user::rwx
user:user2:r-x
group::rwx
mask::rwx
other::--x
[root@rh ~]#
[root@rh ~]# su - user2
[user2@rh ~]$ ls -l /pt1/
total 0
-rw-rw-r-- 1 user1 user1 0 Oct 14 08:58 p1
[user2@rh ~]$