Category: LINUX
2009-05-03 19:54:09
Granting an ordinary user permission to mount the CD-ROM
By default an ordinary user cannot mount the CD-ROM; mount reports that only root can do that.
[root@mylab ~]# su - lab
[lab@mylab ~]$ mount /dev/cdrom /mnt/
mount: only root can do that
Suppose there are several ordinary users on the machine who need to use the CD-ROM, but the root password cannot be given to them.
They should receive the least privilege that still lets them use the drive, and that can be done with sudo.
The test run follows.
1. root can of course mount it
[root@mylab ~]# mount /dev/cdrom /mnt/
mount: block device /dev/cdrom is write-protected, mounting read-only
2. The ordinary user lab cannot
[root@mylab ~]# su - lab
[lab@mylab ~]$ mount /dev/cdrom /mnt/
mount: only root can do that
3. Trying it through sudo: it reports that lab is not in sudoers, and worse, the incident gets logged
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt/
Password:
lab is not in the sudoers file. This incident will be reported.
4. Now edit the permissions with visudo (the /etc/sudoers file itself notes that it must be edited with visudo)
[root@mylab ~]# visudo
Search for the keyword cdrom to find the following lines
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
%users denotes the users group, ALL is the host list, and what follows the equals sign is the list of commands that may be run.
This line means that members of the users group may run the two commands /sbin/mount /mnt/cdrom and /sbin/umount /mnt/cdrom.
On RHEL 5.3 the mount command actually lives in /bin, not /sbin:
[root@mylab ~]# which mount
/bin/mount
[root@mylab ~]# which umount
/bin/umount
To grant user lab permission to mount and unmount the CD-ROM, add the following line (multiple commands are separated by commas), then save and quit
lab ALL=/bin/mount /dev/cdrom /mnt, /bin/umount /dev/cdrom
5. Test: the mount succeeds
[root@mylab ~]# su - lab
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt (sudo prompts for lab's own password here, not root's)
mount: block device /dev/cdrom is write-protected, mounting read-only
[lab@mylab ~]$ mount
/dev/sda3 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
/dev/hdc on /mnt type iso9660 (ro)
Unmounting also succeeds
[lab@mylab ~]$ sudo umount /dev/cdrom
[lab@mylab ~]$ mount
/dev/sda3 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
6. Why does it fail again?
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt/
Sorry, user lab is not allowed to execute '/bin/mount /dev/cdrom /mnt/' as root on mylab.
Can you spot the mistake above?
The mistake is the trailing slash "/" after /mnt; it took a long round of testing to find it.
Below is the successful run
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt
mount: block device /dev/cdrom is write-protected, mounting read-only
Things to watch out for
7. A command that is not written in /etc/sudoers cannot be run, period. Although /dev/cdrom is just /dev/hdc, sudo compares the argument text literally rather than the resolved device, so it is still refused
[lab@mylab ~]$ ll /dev/cdrom
lrwxrwxrwx 1 root root 3 May 2 19:48 /dev/cdrom -> hdc
[lab@mylab ~]$ sudo mount /dev/hdc /mnt
Sorry, user lab is not allowed to execute '/bin/mount /dev/hdc /mnt' as root on mylab.
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt
mount: block device /dev/cdrom is write-protected, mounting read-only
The same applies below: although /dev/cdrom is mounted at /mnt, running umount /mnt is refused because only umount /dev/cdrom is listed
[lab@mylab ~]$ sudo mount /dev/cdrom /mnt
mount: block device /dev/cdrom is write-protected, mounting read-only
[lab@mylab ~]$ sudo umount /mnt
Sorry, user lab is not allowed to execute '/bin/umount /mnt' as root on mylab.
[lab@mylab ~]$ sudo umount /dev/cdrom
[lab@mylab ~]$
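As an added example that is not part of the original post, the shell script below reproduces the literal argument matching that sudoers applies to the rule from step 4, so the three refusals from steps 6 and 7 can be replayed without touching /etc/sudoers. LAB_RULE is the post's own line; the bare-path rule mentioned in the comments is an assumed variant shown only for contrast.

```shell
#!/bin/sh
# Added example, not sudo's code: emulate how sudoers matches a command
# line against the command specs in a rule. Without wildcards sudo
# compares the path and every argument as a literal string, which is
# why "/mnt/" (trailing slash), "/dev/hdc" (the symlink target) and
# "umount /mnt" (the mount point) were all rejected in the post.

# The rule added in step 4 of the post (the only entry for user lab).
LAB_RULE='/bin/mount /dev/cdrom /mnt, /bin/umount /dev/cdrom'

# Trim surrounding blanks and collapse runs of spaces.
normalize() {
    printf '%s' "$1" | sed 's/^ *//; s/ *$//; s/  */ /g'
}

# rule_allows RULE CMDLINE -> exit 0 if some spec in RULE permits CMDLINE.
# Runs in a subshell so the IFS change does not leak to the caller.
rule_allows() (
    cmd=$(normalize "$2")
    IFS=','
    for spec in $1; do
        spec=$(normalize "$spec")
        case $spec in
            *' '*)
                # spec carries arguments: the whole line must match exactly
                [ "$spec" = "$cmd" ] && return 0 ;;
            *)
                # bare path with no arguments listed: sudo then permits ANY
                # arguments, so "lab ALL=/bin/mount" (assumed variant, for
                # contrast) would be far broader than the post's rule
                [ "$spec" = "$cmd" ] && return 0
                case $cmd in "$spec "*) return 0 ;; esac ;;
        esac
    done
    return 1
)

# Replay the command lines from steps 5 to 7 against the post's rule.
for c in '/bin/mount /dev/cdrom /mnt'  '/bin/mount /dev/cdrom /mnt/' \
         '/bin/mount /dev/hdc /mnt'    '/bin/umount /mnt' \
         '/bin/umount /dev/cdrom'; do
    if rule_allows "$LAB_RULE" "$c"; then
        printf 'allowed: %s\n' "$c"
    else
        printf 'denied:  %s\n' "$c"
    fi
done
```

Only the two exact lines from the rule come back as allowed; everything else, including the bare-path variant's effect, can be checked against a real entry with `sudo -l` as the user in question.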