[完成翻译] 10 Useful Sudoers Configurations for Setting sudo in Linux.

This commit is contained in:
Fuliang.Li 2017-01-17 20:09:56 +08:00 committed by GitHub
parent 76b01a678d
commit 7ebde7ab77
2 changed files with 246 additions and 251 deletions

View File

@ -1,251 +0,0 @@
GHLandy Translating
10 Useful Sudoers Configurations for Setting sudo in Linux
============================================================
In Linux and other Unix-like operating systems, only the root user can run all commands and perform certain critical operations on the system such as install and update, remove packages, [create users and groups][1], modify important system configuration files and so on.
However, a system administrator who assumes the role of the root user can permit other normal system users with the help of [sudo command][2] and a few configurations to run some commands as well as carry out a number of vital system operations including the ones mentioned above.
Alternatively, the system administrator can share the root user password (which is not a recommended method) so that normal system users have access to the root user account via su command.
sudo allows a permitted user to execute a command as root (or another user), as specified by the security policy:
1. It reads and parses /etc/sudoers, looks up the invoking user and its permissions,
2. then prompts the invoking user for a password (normally the users password, but it can as well be the target users password. Or it can be skipped with NOPASSWD tag),
3. after that, sudo creates a child process in which it calls setuid() to switch to the target user
4. next, it executes a shell or the command given as arguments in the child process above.
Below are ten /etc/sudoers file configurations to modify the behavior of sudo command using Defaults entries.
```
$ sudo cat /etc/sudoers
```
/etc/sudoers File
```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log"
Defaults lecture="always"
Defaults badpass_message="Password is wrong, please try again"
Defaults passwd_tries=5
Defaults insults
Defaults log_input,log_output
```
#### Types of Defaults Entries
```
Defaults parameter, parameter_list #affect all users on any host
Defaults@Host_List parameter, parameter_list #affects all users on a specific host
Defaults:User_List parameter, parameter_list #affects a specific user
Defaults!Cmnd_List parameter, parameter_list #affects a specific command
Defaults>Runas_List parameter, parameter_list #affects commands being run as a specific user
```
For the scope of this guide, we will zero down to the first type of Defaults in the forms below. Parameters may be flags, integer values, strings, or lists.
You should note that flags are implicitly boolean and can be turned off using the `'!'` operator, and lists have two additional assignment operators, `+=` (add to list) and `-=` (remove from list).
```
Defaults parameter
OR
Defaults parameter=value
OR
Defaults parameter -=value
Defaults parameter +=value
OR
Defaults !parameter
```
### 1\. Set a Secure PATH
This is the path used for every command run with sudo, it has two importances:
1. Used when a system administrator does not trust sudo users to have a secure PATH environment variable
2. To separate “root path” and “user path”, only users defined by exempt_group are not affected by this setting.
To set it, add the line:
```
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
```
### 2\. Enable sudo on TTY User Login Session
To enable sudo to be invoked from a real tty but not through methods such as cron or cgi-bin scripts, add the line:
```
Defaults requiretty
```
### 3\. Run Sudo Command Using a pty
A few times, attackers can run a malicious program (such as a virus or malware) using sudo, which would again fork a background process that remains on the users terminal device even when the main program has finished executing.
To avoid such a scenario, you can configure sudo to run other commands only from a psuedo-pty using the `use_pty` parameter, whether I/O logging is turned on or not as follows:
```
Defaults use_pty
```
### 4\. Create a Sudo Log File
By default, sudo logs through syslog(3). However, to specify a custom log file, use the logfile parameter like so:
```
Defaults logfile="/var/log/sudo.log"
```
To log hostname and the four-digit year in the custom log file, use log_host and log_year parameters respectively as follows:
```
Defaults log_host, log_year, logfile="/var/log/sudo.log"
```
Below is an example of a custom sudo log file:
[
![Create Custom Sudo Log File](http://www.tecmint.com/wp-content/uploads/2017/01/Create-Sudo-Log-File.png)
][3]
Create Custom Sudo Log File
### 5\. Log Sudo Command Input/Output
The log_input and log_output parameters enable sudo to run a command in pseudo-tty and log all user input and all output sent to the screen receptively.
The default I/O log directory is /var/log/sudo-io, and if there is a session sequence number, it is stored in this directory. You can specify a custom directory through the iolog_dir parameter.
```
Defaults log_input, log_output
```
There are some escape sequences are supported such as `%{seq}` which expands to a monotonically increasing base-36 sequence number, such as 000001, where every two digits are used to form a new directory, e.g. 00/00/01 as in the example below:
```
$ cd /var/log/sudo-io/
$ ls
$ cd 00/00/01
$ ls
$ cat log
```
[
![Log sudo Input Output](http://www.tecmint.com/wp-content/uploads/2017/01/Log-sudo-Input-Output.png)
][4]
Log sudo Input Output
You can view the rest of the files in that directory using the [cat command][5].
### 6\. Lecture Sudo Users
To lecture sudo users about password usage on the system, use the lecture parameter as below.
It has 3 possible values:
1. always always lecture a user.
2. once only lecture a user the first time they execute sudo command (this is used when no value is specified)
3. never never lecture the user.
```
Defaults lecture="always"
```
Additionally, you can set a custom lecture file with the lecture_file parameter, type the appropriate message in the file:
```
Defaults lecture_file="/path/to/file"
```
[
![Lecture Sudo Users](http://www.tecmint.com/wp-content/uploads/2017/01/Lecture-Sudo-Users.png)
][6]
Lecture Sudo Users
### 7\. Show Custom Message When You Enter Wrong sudo Password
When a user enters a wrong password, a certain message is displayed on the command line. The default message is “sorry, try again”, you can modify the message using the badpass_message parameter as follows:
```
Defaults badpass_message="Password is wrong, please try again"
```
### 8\. Increase sudo Password Tries Limit
The parameter passwd_tries is used to specify the number of times a user can try to enter a password.
The default value is 3:
```
Defaults passwd_tries=5
```
[
![Increase Sudo Password Attempts](http://www.tecmint.com/wp-content/uploads/2017/01/Increase-Sudo-Password-Attempts.png)
][7]
Increase Sudo Password Attempts
To set a password timeout (default is 5 minutes) using passwd_timeout parameter, add the line below:
```
Defaults passwd_timeout=2
```
### 9\. Let Sudo Insult You When You Enter Wrong Password
In case a user types a wrong password, sudo will display insults on the terminal with the insults parameter. This will automatically turn off the badpass_message parameter.
```
Defaults insults
```
[
![Let's Sudo Insult You When Enter Wrong Password](http://www.tecmint.com/wp-content/uploads/2017/01/Sudo-Insult-Message.png)
][8]
Lets Sudo Insult You When Enter Wrong Password
### 10\. Learn More Sudo Configurations
Additionally, you can learn more sudo command configurations by reading: [Difference Between su and sudo and How to Configure sudo in Linux][9].
Thats it! You can share other useful sudo command configurations or [tricks and tips with Linux][10] users out there via the comment section below.
--------------------------------------------------------------------------------
作者简介Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.
![](http://1.gravatar.com/avatar/4e444ab611c7b8c7bcb76e58d2e82ae0?s=128&d=blank&r=g)
--------------------------------------------------------------------------------
via: http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/
作者:[Aaron Kili][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/aaronkili/
[1]:http://www.tecmint.com/add-users-in-linux/
[2]:http://www.tecmint.com/su-vs-sudo-and-how-to-configure-sudo-in-linux/
[3]:http://www.tecmint.com/wp-content/uploads/2017/01/Create-Sudo-Log-File.png
[4]:http://www.tecmint.com/wp-content/uploads/2017/01/Log-sudo-Input-Output.png
[5]:http://www.tecmint.com/13-basic-cat-command-examples-in-linux/
[6]:http://www.tecmint.com/wp-content/uploads/2017/01/Lecture-Sudo-Users.png
[7]:http://www.tecmint.com/wp-content/uploads/2017/01/Increase-Sudo-Password-Attempts.png
[8]:http://www.tecmint.com/wp-content/uploads/2017/01/Sudo-Insult-Message.png
[9]:http://www.tecmint.com/su-vs-sudo-and-how-to-configure-sudo-in-linux/
[10]:http://www.tecmint.com/tag/linux-tricks/

View File

@ -0,0 +1,246 @@
Linux 中设置 sudo 的十条使用的 Sudoers 配置
===================
在 Linux 和其他的类 Unix 操作系统中,只有 root 用户可以运行所有的命令,以及在系统中执行那些需要鉴权的操作,比如安装、升级和移除软件包、[创建用户和用户组][1]、修改系统重要的配置文件等等。
然而,作为使用 root 用户角色的系统管理员可以通过 [sudo 命令][2] 和一些配置选项来给普通用户进行授权,从而让该普通用户可以运行某些命令已经上述的那些相当重要的系统级操作。
另外,系统管理员还可以共用 root 用户密码 (这个做法是不值得提倡的),这样普通用户就可以通过 su 命令来转化为 root 用户角色。
sudo 允许已授权用户按照指定的安全策略、以 root 用户 (或者是其他的用户角色) 权限来执行某个命令。
1. sudo 会读取和解析 /etc/sudoer 文件、查找调用命令的用户及其权限。
2. 然后提示调用命令的用户输入密码 (通常是用户密码,但也可能是目标用户的密码。也可以通过 NOPASSWD 标志来跳过密码验证)。
3. after that, sudo creates a child process in which it calls setuid() to switch to the target user
4. next, it executes a shell or the command given as arguments in the child process above.
一下列出十个 /etc/sudoers 文件配置,使用默认入口来执行 sudo 命令是会有不同的动作。
```
$ sudo cat /etc/sudoers
```
/etc/sudoers 文件
```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log"
Defaults lecture="always"
Defaults badpass_message="Password is wrong, please try again"
Defaults passwd_tries=5
Defaults insults
Defaults log_input,log_output
```
#### 默认入口的类型
```
Defaults parameter, parameter_list #对任意主机登录的所有用户起作用
Defaults@Host_List parameter, parameter_list #对指定主机登录的所有用户起作用
Defaults:User_List parameter, parameter_list #对指定用户起作用
Defaults!Cmnd_List parameter, parameter_list #对指定命令起作用
Defaults>Runas_List parameter, parameter_list #对指定目标用户运行命令起作用
```
在本文讨论范围内,我们下面的将以第一个 Defaults 作为基准来参考。Parameter 可以是标记 (flags)、整数值或者是列表 (lists)。
值得注意的是,标记 (flag) 是指布尔类型值,可以使用 `'!'` 操作符来进行取反,列表 (lists) 有两个赋值运算符:`+=` (添加到列表) and `-=` (从列表中移除)。
```
Defaults parameter
Defaults parameter=值
Defaults parameter -=值
Defaults parameter +=值
Defaults !parameter
```
### 1\. 安置一个安全的 PATH
该 PATH 应用于每个通过 sudo 执行的命令,需要注意两点:
1. 当系统管理员不信任 sudo 用户,便可以设置一个安全的 PATH 环境变量。
2. 该设置将 “root PATH” 和 “user PATH” 分离,只有在 exempt_group 组的用户不受该设置的影响。
可以添加一下内容来设置:
```
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
```
### 2\. 启用允许 tty 用户回话使用 sudo
该设置允许在一个真实的 tty 中进行调用,但不允许通过 cron 或者 cgi-bin 脚本等方法来调用。添加一下内容来设置:
```
Defaults requiretty
```
### 3\. 使用 pty 运行 sudo 命令
少数情况下,攻击者可以通过 sudo 来运行一个而已程序 (比如病毒或者恶意代码),这种恶意程序可能会复制一个后台运行的进程,即时主程序完成执行,它仍能够运行在用户的终端设备上。
为了防止出现这样的情况,你可以通过 `use_pty` 参数来设置 sudo 使用伪终端来运行其他命令,而不必管 I/O 登录的开启状态。如下:
```
Defaults use_pty
```
### 4\. 创建 sudo log 文件
默认下sudo 通过 syslog(3) 来记录到 logs。但是我们可以通过 logfile 参数来指定一个自定义的 log 文件。如下:
```
Defaults logfile="/var/log/sudo.log"
```
使用 use log_host 和 log_year 参数可以对应记录登录主机名和 4 位数年份到自定义 log 文件。如下:
```
Defaults log_host, log_year, logfile="/var/log/sudo.log"
```
下面是自定义 sudo log 文件的例示:
[![Create Custom Sudo Log File](http://www.tecmint.com/wp-content/uploads/2017/01/Create-Sudo-Log-File.png)][3]
创建 sudo log 文件
### 5\. 记录 sudo 命令的输入/输出
log_input  log_output 参数可以让 sudo 命令运行在伪终端,并可以对应的记录所有用户在屏幕上的输入和输出。
默认的 I/O log 目录为 /var/log/sudo-io如果存在一个会话的话它将被存储到该目录。你可以通过 iolog_dir 参数来指定一个目录.
```
Defaults log_input, log_output
```
这其中支持转义字符,像 `%{seq}` —— 以 36 为基数的单调递增序列,比如 000001这里每两个数字都分别用来形成一个新目录。请看下边例示 00/00/01
```
$ cd /var/log/sudo-io/
$ ls
$ cd 00/00/01
$ ls
$ cat log
```
[![Log sudo Input Output](http://www.tecmint.com/wp-content/uploads/2017/01/Log-sudo-Input-Output.png)][4]
记录 sudo 命令的输入/输出
[cat 命令][5] 来查看 该目录的其余部分。
### 6\. 为 sudo 用户提示命令用法
如下,使用 lecture 参数可以在系统中为 sudo 用户提示命令的用法:
参数属性值有三个选择:
1. always 一直提示
2. once 用户首次运行 sudo 时提示 (未指定参数属性值时的默认值)
3. never 从不提示
```
Defaults lecture="always"
```
此外,你还可以使用 lecture_file 参数类自定义提示内容,在指定的文件中输入适当的提示内容即可:
```
Defaults lecture_file="/path/to/file"
```
[![Lecture Sudo Users](http://www.tecmint.com/wp-content/uploads/2017/01/Lecture-Sudo-Users.png)][6]
为 sudo 用户提示命令用法
### 7\. 输入错误的 sudo 密码是显示自定义信息
当某个用户输错密码时,会有一个对应的信息显示在屏幕上。默认是“抱歉,请重新尝试。(sorry, try again)”,你可以通过 badpass_message 参数来修改该信息:
```
Defaults badpass_message="Password is wrong, please try again"
```
### 8\. 增加 sudo 密码尝试限制次数
passwd_tries 参数用于指定用户尝试输入密码的次数。
默认为 3。
```
Defaults passwd_tries=5
```
[![Increase Sudo Password Attempts](http://www.tecmint.com/wp-content/uploads/2017/01/Increase-Sudo-Password-Attempts.png)][7]
增加 sudo 密码尝试限制次数
使用 passwd_timeout 参数设置密码超时 (默认为 5 分钟),如下:
```
Defaults passwd_timeout=2
```
### 9\. 在输错密码时让 sudo 羞辱用户
使用了 insults 参数之后一旦你输出了密码sudo 便会在命令窗口中显示羞辱你的信息。这个参数会自动关闭 badpass_message 参数。
```
Defaults insults
```
[![Let's Sudo Insult You When Enter Wrong Password](http://www.tecmint.com/wp-content/uploads/2017/01/Sudo-Insult-Message.png)][8]
在输错密码时让 sudo 羞辱用户
### 10\. 更多关于 sudo 的配置
此外,欲了解更多 sudo 命令的配置,请自行阅读:[su 与 sudo 的差异以及如何配置 sudo][9]。
文毕。你也可以在评论区分享其他有用的 sudo 配置或者 [Linux 技巧][10]。
---------------------------------------------------------------------
作者简介Aaron Kili 是一名 Linux 和 F.O.S.S 忠实拥护者、高级 Linux 系统管理员、Web 开发者,目前在 TecMint 是一名活跃的博主,热衷于计算机并有着强烈的只是分享意愿。
![](http://1.gravatar.com/avatar/4e444ab611c7b8c7bcb76e58d2e82ae0?s=128&d=blank&r=g)
译者简介:[GHLandy](http://GHLandy.com) —— 欲得之,则为之奋斗 (If you want it, work for it.)。
![GHLandy](http://GHLandy.com/images/GHLandy.ico)
---------------------------------------------------------------------
via: http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/
作者:[Aaron Kili][a]
译者:[GHLandy](https://github.com/GHLandy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/aaronkili/
[1]:http://www.tecmint.com/add-users-in-linux/
[2]:http://www.tecmint.com/su-vs-sudo-and-how-to-configure-sudo-in-linux/
[3]:http://www.tecmint.com/wp-content/uploads/2017/01/Create-Sudo-Log-File.png
[4]:http://www.tecmint.com/wp-content/uploads/2017/01/Log-sudo-Input-Output.png
[5]:http://www.tecmint.com/13-basic-cat-command-examples-in-linux/
[6]:http://www.tecmint.com/wp-content/uploads/2017/01/Lecture-Sudo-Users.png
[7]:http://www.tecmint.com/wp-content/uploads/2017/01/Increase-Sudo-Password-Attempts.png
[8]:http://www.tecmint.com/wp-content/uploads/2017/01/Sudo-Insult-Message.png
[9]:http://www.tecmint.com/su-vs-sudo-and-how-to-configure-sudo-in-linux/
[10]:http://www.tecmint.com/tag/linux-tricks/