
sudo permission configuration for MLPS (等保) compliance

2022-06-09 06:19:00 Desert Effect

Preface



While recently helping with MLPS (等保) compliance work I looked into CentOS permission configuration again and learned a few new things, so this document supplements the earlier security-hardening notes.

Note:
The first half is an old draft I had already written; there was nothing in it to change, so it is published first.



su



su can switch to any identity. The common usage is below; the other options are rarely needed.


 su -      start a login shell for the target user, i.e. the target user's profile files are read
           if no user name is given, switch to root
           without the - (just a user name), a non-login shell is started and the profile files are not read

Example:
With su - root, besides giving the current user the root identity, the environment is set up as root's login environment.
That is, when an ordinary user switches to root with the -, you are root and the environment variables (PATH, HOME and so on) are root's, so any root command runs without error.

With su root, the root identity is given to the current user, but the current user's environment variables are kept.
That is, when an ordinary user switches to root without the -, you are root but the environment is still the ordinary user's, so some root commands fail (typically "command not found", because PATH is not root's).

Verification:
Switch users with and without the -, run echo $PATH in each case and compare the two values.



sudo



sudo is used mainly to run a command as another user; when the command finishes you are back in your own identity.


Common options:

-b     run the command in the background so it does not tie up the current shell
-u     the account to run the command as; if -u is omitted, the default is root

Usually used together with su:
https://blog.csdn.net/GX_1_11_real/article/details/89334708

Note:
When sudo runs a command as another user, you enter your own password, not the other user's.
If the password is correct but the following error is reported, the user is not configured in /etc/sudoers:
xxxx is not in the sudoers file. This incident will be reported.
To check what the current user is actually allowed to run, use sudo -l; it prints the matching sudoers entries.



sudoers configuration tips



Format of an entry in /etc/sudoers:
ALL means "everything"

root	            ALL=(ALL) 	                           ALL

 user account             hosts the entry applies on=(identities it may run as)   commands it may run, written as absolute paths

Edit the file with the visudo command: it locks the file and checks the syntax before saving, so a typo cannot lock everyone out of sudo.

Example :

<1> Allow a user group to use sudo (a password is still required)

%wheel      ALL=(ALL)                        ALL
% group name      hosts the entry applies on=(identities it may run as)     commands it may run

All members of this group can use sudo; after sudo they can run as any user and execute any command.



<2> Allow a user or user group to use sudo without a password

monitor      ALL=(ALL)                        NOPASSWD:ALL
 user name         hosts the entry applies on=(identities it may run as)      commands it may run

%wheel       ALL=(ALL)                        NOPASSWD:ALL
% group name       hosts the entry applies on=(identities it may run as)      commands it may run

This user, or every member of this group, can use sudo without entering a password; after sudo they can run as any user and execute any command.
NOPASSWD: placed in front of the command list means those commands may be run without a password.



<3> Allow a user or user group to use sudo without a password, restricted to running as root only

monitor      ALL=(root)                        NOPASSWD:ALL
 user name         hosts the entry applies on=(identities it may run as)      commands it may run

%wheel       ALL=(root)                        NOPASSWD:ALL
% group name       hosts the entry applies on=(identities it may run as)      commands it may run

This user, or every member of this group, can use sudo without entering a password; after sudo they can only run as root, but may execute any command.



<4> Allow a user or user group to use sudo without a password, restricted to running as root and to a fixed list of commands

monitor      ALL=(root)                        NOPASSWD:/bin/cat, /bin/netstat, /usr/bin/iostat, /usr/sbin/iftop, /usr/bin/top, /bin/grep, /bin/find, /usr/bin/rsync, /usr/bin/iotop, /usr/bin/ps, /usr/bin/pidstat, /usr/bin/less
 user name         hosts the entry applies on=(identities it may run as)      commands it may run

%wheel       ALL=(root)                        NOPASSWD:/bin/cat, /bin/netstat, /usr/bin/iostat, /usr/sbin/iftop, /usr/bin/top, /bin/grep, /bin/find, /usr/bin/rsync, /usr/bin/iotop, /usr/bin/ps, /usr/bin/pidstat, /usr/bin/less
% group name       hosts the entry applies on=(identities it may run as)      commands it may run

This user, or every member of this group, can use sudo without entering a password; after sudo they can only run as root and only the listed commands.
Caveat: a command list only restricts a user if none of the listed commands can start another program. Several of the commands above can (find with -exec, less with its ! command, rsync with -e), so granted as root with NOPASSWD they are equivalent to an unrestricted root shell. Keep such commands off a "limited" list, or restrict their arguments.



<5> Allow a set of users to use sudo without a password, restricted to a fixed list of commands

User_Alias Monitor = monitor1, monitor2
 user alias (the list of users that get sudo permissions) =   user1, user2...

Monitor              ALL=(ALL)                         NOPASSWD: /bin/cat, /bin/netstat, /usr/bin/iostat, /usr/sbin/iftop, /usr/bin/top, /bin/grep, /bin/find, /usr/bin/rsync, /usr/bin/iotop, /usr/bin/ps, /usr/bin/pidstat, /usr/bin/less
 user name / user alias         hosts the entry applies on=(identities it may run as)      commands it may run

Every member of this user alias can use sudo without entering a password, and only the listed commands.
The difference from a user group is that you do not have to change the user's group membership to grant sudo:
configuring a User_Alias simply lists the users that get sudo permissions, much like defining a variable.



<6> Allow a set of users to use sudo without a password, restricted to running as root and to a fixed list of commands

User_Alias Monitor = monitor1, monitor2
 user alias (the list of users that get sudo permissions) =   user1, user2...

Cmnd_Alias WATCH = /bin/cat, /bin/netstat, /usr/bin/iostat, /usr/sbin/iftop, /usr/bin/top, /bin/grep, /bin/find, /usr/bin/rsync, /usr/bin/iotop, /usr/bin/ps, !/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root, !/bin/rm *
 command alias (the list of commands) =   command1, command2...

Monitor              ALL=(root)                         NOPASSWD: WATCH
 user name / user alias         hosts the entry applies on=(identities it may run as)      commands it may run

Every member of this user alias can use sudo without entering a password, only as root, and only the listed commands.
Configuring a Cmnd_Alias lists the commands that sudo permission applies to, again like defining a variable.

!/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd, !/usr/bin/passwd root, !/bin/rm *
 These entries are meant to stop the user from changing other users' passwords or deleting files through sudo.
 Without sudo the user can still delete any file they have permission on by running the command directly.
 Caveat: sudoers(5) warns that subtracting commands with ! is not an effective restriction, because a user who can run a shell or copy a binary to another name is not stopped by it. In this alias the negations are also redundant, since WATCH never grants passwd or rm in the first place; what actually restricts the user is that the allowed list is short and, as noted under <4>, contains no command that can launch other programs.
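The entries in examples <2> to <6> are easy to get subtly wrong (NOPASSWD:ALL, negated commands, wildcards in arguments, and "harmless" monitoring commands that can spawn a shell). The following lint pass is an added example, not code from the original post or from the sudo project: it scans a sudoers-style file for those four patterns. The file content is a constructed sample that mirrors the entries above, and the function names (write_sample_sudoers, lint_sudoers, count_findings) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a sudoers-style file for the
# risky patterns discussed in <2>..<6>. Sample content is constructed.

# Binaries that can launch another program or a shell (find -exec, less !cmd,
# rsync -e, editors, interpreters). NOPASSWD root access to any of them is
# equivalent to an unrestricted root shell.
ESCAPE_BINS='find less more vi vim nano rsync awk sed perl python bash sh man tar zip'

write_sample_sudoers() {
    # constructed sample with the typical mistakes; not a real host's file
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
User_Alias  MONITOR = monitor1, monitor2
Cmnd_Alias  WATCH = /bin/cat, /bin/netstat, /usr/bin/iostat, /bin/find, /usr/bin/less, /usr/bin/rsync, !/usr/bin/passwd, !/bin/rm *
root        ALL=(ALL)   ALL
%wheel      ALL=(ALL)   NOPASSWD:ALL
monitor     ALL=(root)  NOPASSWD:/bin/cat, /bin/grep, /usr/bin/less
MONITOR     ALL=(root)  NOPASSWD: WATCH
EOF
}

# Print one finding per line as LINE:CODE:detail.
#   NOPASSWD_ALL  passwordless and unrestricted command set
#   NEGATION      '!' entries; sudoers(5): subtracting commands is not effective
#   WILDCARD      '*' in command arguments; it matches across word boundaries
#   SHELL_ESCAPE  a listed command can launch other programs
lint_sudoers() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;                # blank lines and comments
        esac
        case "$line" in
            *'NOPASSWD:ALL'*|*'NOPASSWD: ALL'*) echo "$n:NOPASSWD_ALL:$line" ;;
        esac
        case "$line" in
            *'!'*) echo "$n:NEGATION:$line" ;;
        esac
        case "$line" in
            *'*'*) echo "$n:WILDCARD:$line" ;;
        esac
        for b in $ESCAPE_BINS; do
            # match "/find" at end of line, or "/find " / "/find," inside a list
            case "$line" in
                */"$b"|*/"$b"' '*|*/"$b"','*)
                    echo "$n:SHELL_ESCAPE:/$b in $line"
                    break ;;
            esac
        done
    done < "$1"
}

# Number of findings for a file (0 means nothing flagged).
count_findings() {
    lint_sudoers "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: lint the constructed sample; point lint_sudoers at
# /etc/sudoers or a file in /etc/sudoers.d to check a real host.
f=$(mktemp)
write_sample_sudoers "$f"
lint_sudoers "$f"
echo "findings: $(count_findings "$f")"
rm -f "$f"
```

The linter deliberately flags a negation even when it is redundant, because a later edit that widens the alias to ALL would silently turn the negation into the only "control" left.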


<7> Others

Host_Alias     alias for a list of hosts (where the entry applies)
Runas_Alias    alias for a list of identities that may be run as
These two are used the same way as the aliases above, but I rarely need them.



MLPS (等保)



MLPS requires that administrative users be divided into roles with separated privileges, for example a system administrator, a security administrator and an audit administrator.

Depending on the requirements, at least 3 sets of permissions, i.e. 3 users, are needed: a least-privilege user for auditing that only inspects logs; a system administrator who can switch to root and has full permissions; and an ordinary operations user who can sudo without a password for a limited set of commands. All three can be configured following the examples above.

In practice, configuring the server assets and the login permissions of each user in jumpserver alone satisfies several MLPS requirements, with no need to configure multiple services. If the assessor asks which configuration satisfies which requirement, take a screenshot of the configuration and explain it clearly
(role division and privilege separation, log auditing, identity authentication, review of login operations).
https://github.com/jumpserver/jumpserver
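One way to lay out those three roles on a host, as an added example that is not part of the original post or of the sudo project: each role goes in its own file under a sudoers.d directory, and two checks are run before anything reaches /etc/sudoers.d, because drop-ins are silently ignored unless the main file includes the directory, and a drop-in with a syntax error breaks sudo for everyone. The group names (auditor, sysadmin, ops), the command lists and the scratch directory are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): three MLPS roles as sudoers.d drop-ins,
# plus the two checks that make or break such a layout. Group names, command lists
# and paths are assumptions.

write_role_sudoers() {
    dir=$1
    # Audit role: least privilege. Exact command lines only, and nothing that opens a
    # pager, because less (and journalctl/systemctl without --no-pager) lets the
    # user run "!sh" from inside the pager.
    cat > "$dir/10-auditor" <<'EOF'
Cmnd_Alias AUDIT_READ = /usr/bin/cat /var/log/secure, /usr/bin/cat /var/log/messages, /usr/bin/journalctl --no-pager
%auditor ALL=(root) AUDIT_READ
EOF
    # System administrator: full rights, password required; log_output records the
    # session for later review with sudoreplay (the "operation review" requirement).
    cat > "$dir/20-sysadmin" <<'EOF'
Defaults:%sysadmin log_output
%sysadmin ALL=(ALL) ALL
EOF
    # Operations: passwordless, root only, fixed command lines (no shell-escape tools).
    cat > "$dir/30-ops" <<'EOF'
Cmnd_Alias OPS_CMDS = /usr/bin/systemctl restart nginx.service, /usr/bin/systemctl --no-pager status nginx.service, /usr/bin/iostat, /usr/sbin/iftop
%ops ALL=(root) NOPASSWD: OPS_CMDS
EOF
    # sudo expects sudoers files to be root-owned and mode 0440 and refuses them
    # otherwise. File names must not contain '.' or '~' or sudo skips them.
    chmod 0440 "$dir/10-auditor" "$dir/20-sysadmin" "$dir/30-ops"
}

# Drop-ins are only read if the main sudoers file includes the directory
# ("#includedir" in older sudo, "@includedir" since sudo 1.9.1). Returns 0 if present.
has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers\.d' "$1"
}

# Run visudo -c on every drop-in. visudo -c also checks owner and mode, so run this
# as root on the target host; on a box without visudo the check is skipped.
validate_drop_ins() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not available, syntax check skipped" >&2
        return 0
    fi
    for f in "$1"/*; do
        visudo -cf "$f" >/dev/null || { echo "visudo rejected $f" >&2; return 1; }
    done
}

# Stand-alone usage: build the layout in a scratch directory and check it.
d=$(mktemp -d)
mkdir "$d/sudoers.d"
write_role_sudoers "$d/sudoers.d"
printf 'root ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n' > "$d/sudoers"   # constructed main file
has_includedir "$d/sudoers" && echo "includedir directive present"
validate_drop_ins "$d/sudoers.d" || echo "fix the rejected file before copying it into /etc/sudoers.d"
ls -l "$d/sudoers.d"
rm -rf "$d"
```

Only after both checks pass should the files be copied into /etc/sudoers.d; keep a root shell open in another terminal while doing so, so that a mistake can still be undone.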



Addendum



Ways to restrict some commands:

Edit .bash_profile or .bashrc in the user's home directory, add an alias or environment variable, and source the file:

export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
alias rm='echo "do not use rm command"'
alias passwd='echo "do not use passwd command"'

A more extreme version:
copy only the commands the user needs into a separate directory and point that special user's PATH at it.

Caveat: neither method is a security boundary. An alias is bypassed with \rm, /bin/rm, command rm or unalias, and the user can simply edit their own .bashrc; a restricted PATH only holds if the user's shell is a restricted one (rbash) that forbids changing PATH. Treat these as guard rails against accidents; the actual restriction must live in sudoers and in file permissions.



When su and sudoers are configured correctly but switching users with su keeps failing with:
su: cannot open session: Permission denied

check the settings in /etc/security/limits.conf (pam_limits applies them when the session opens, and a value the kernel rejects aborts the session) and correct them:
https://blog.csdn.net/GX_1_11_real/article/details/120549038

Notes:
<1> The nofile soft limit must not exceed the hard limit,
and the nofile hard limit must not exceed /proc/sys/fs/nr_open.
The upper bound for nofile is set by /proc/sys/fs/nr_open, which defaults to 1048576.
If nofile in limits.conf exceeds that value, ssh logins fail.
Take care whenever the configured value is above one million.

<2> It is not recommended to adjust the default entry (i.e. the * domain); changing all users at once is a frequent cause of accidents.
<3> The value column: old CentOS 6.x only accepts numbers. Do not set unlimited without checking the version.
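The three notes above are a checklist that is easy to apply before a limits.conf edit goes live. The following checker is an added example, not code from the original post: it reads the nofile entries of a limits.conf, compares them with the rules above and with fs.nr_open, and exits non-zero if any entry would break session setup. The file content is a constructed sample; nr_open is read from /proc when available and otherwise assumed to be the kernel default 1048576. The function names (current_nr_open, write_sample_limits, check_nofile_limits) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): validate nofile entries in a
# limits.conf against soft <= hard <= fs.nr_open before the file is installed.
# Sample content is constructed.

# Ceiling the kernel enforces for nofile; fall back to the default 1048576 when
# /proc is not available (assumption for non-Linux hosts).
current_nr_open() {
    if [ -r /proc/sys/fs/nr_open ]; then cat /proc/sys/fs/nr_open; else echo 1048576; fi
}

write_sample_limits() {
    # constructed sample: one good pair, one soft>hard pair, one value above
    # nr_open, one non-numeric value, plus changes to the default * domain
    cat > "$1" <<'EOF'
# constructed sample for the check below
*        soft    nofile    65536
*        hard    nofile    65536
app      soft    nofile    200000
app      hard    nofile    100000
batch    -       nofile    2000000
legacy   hard    nofile    unlimited
EOF
}

# check_nofile_limits FILE NR_OPEN
# Prints one line per problem ("LINE: message"); returns 1 if any entry would
# make pam_limits fail (value above nr_open, soft above hard, non-numeric value).
# Changes to the * domain are reported as a warning only (note <2>).
check_nofile_limits() {
    awk -v nr_open="$2" '
        $1 ~ /^#/ || NF < 4 { next }                 # comments, blank, malformed
        $3 != "nofile"      { next }                 # only nofile entries
        {
            domain = $1; type = $2; value = $4
            if (value !~ /^[0-9]+$/) {
                printf "%d: %s %s nofile %s: not numeric, only plain numbers are safe for nofile (note <3>)\n", NR, domain, type, value
                bad = 1; next
            }
            if (type == "-")         { soft[domain] = value; hard[domain] = value }
            else if (type == "soft") soft[domain] = value
            else if (type == "hard") hard[domain] = value
            if (value + 0 > nr_open + 0) {
                printf "%d: %s %s nofile %s exceeds fs.nr_open=%s, logins will fail (note <1>)\n", NR, domain, type, value, nr_open
                bad = 1
            }
            if (domain == "*")
                printf "%d: default domain * is being changed, review carefully (note <2>)\n", NR
        }
        END {
            for (d in soft)
                if ((d in hard) && soft[d] + 0 > hard[d] + 0) {
                    printf "end: %s soft nofile %s exceeds hard %s (note <1>)\n", d, soft[d], hard[d]
                    bad = 1
                }
            exit bad
        }' "$1"
}

# Stand-alone usage: check the constructed sample against this host's nr_open.
# Point it at /etc/security/limits.conf (or a copy you are about to install)
# to check a real file.
f=$(mktemp)
write_sample_limits "$f"
check_nofile_limits "$f" "$(current_nr_open)" || echo "fix the entries above before installing the file"
rm -f "$f"
```

Because a bad limits.conf also breaks ssh and su, keep an already-open root session while the file is replaced, and re-check with a fresh login before closing it.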


Copyright notice
This article was written by [Desert Effect]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/03/202203021425138088.html