Class notes, 2019-03-26

Changing password aging information and the permissions involved in switching users

Contents

1. chage: modify password expiry information

2. su: switch user identity

3. SUID vs. sudo

4. sudo: allow a specified user to run a command with root privileges

1. chage: modify password expiry information

-l  list the user's password aging information

-E  set the account expiration date

[root@oldboyedu ~]# chage -l oldboy
Last password change : Oct 07, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@oldboyedu ~]# chage -E "2020/10/1" oldboy
[root@oldboyedu ~]# chage -l oldboy
Last password change : Oct 07, 2020
Password expires : never
Password inactive : never
Account expires : Oct 01, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Example 14-17: create a new user range. The user must not change the password within 7 days,

must change it after 60 days, is warned 10 days before it expires, and is barred from logging in 30 days after it expires.

chage -m7 -M60 -W10 -I30 oldboy

Compare with the English help text (chage --help):

Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
                            to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
                            change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximim number of days before password
                            change to MAX_DAYS
-R, --root CHROOT_DIR directory to chroot into
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS

[root@oldboyedu ~]# chage -l oldboy
Last password change : Oct 07, 2020
Password expires : never
Password inactive : never
Account expires : Oct 01, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
You have new mail in /var/spool/mail/root
[root@oldboyedu ~]# chage -m7 -M60 -W10 -I30 oldboy
[root@oldboyedu ~]# chage -l oldboy
Last password change : Oct 07, 2020
Password expires : Dec 06, 2020
Password inactive : Jan 05, 2021
Account expires : Oct 01, 2020
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 10

The same aging fields can be set with passwd:

passwd -n70 -x600 -w100 -i300 oldboy

[root@oldboyedu ~]# passwd -n70 -x600 -w100 -i300 oldboy
Adjusting aging data for user oldboy.
passwd: Success
You have new mail in /var/spool/mail/root
[root@oldboyedu ~]# chage -l oldboy
Last password change : Oct 07, 2020
Password expires : May 30, 2022
Password inactive : Mar 26, 2023
Account expires : Oct 01, 2020
Minimum number of days between password change : 70
Maximum number of days between password change : 600
Number of days of warning before password expires : 100

From the passwd man page:

-n, --minimum DAYS
          This will set the minimum password lifetime, in days, if the user's account supports password lifetimes.
          Available to root only.
-x, --maximum DAYS
          This will set the maximum password lifetime, in days, if the user's account supports password lifetimes.
          Available to root only.
-w, --warning DAYS
          This will set the number of days in advance the user will begin receiving warnings that her password
          will expire, if the user's account supports password lifetimes.  Available to root only.
-i, --inactive DAYS
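The dates that chage -l prints are not stored anywhere; they are computed from the day-number fields of the user's /etc/shadow entry (days since 1970-01-01). The script below is an added example, not part of the notes, that shows that derivation and an audit check a defender would run over a shadow file: which accounts with a usable hash have no maximum password age at all. The shadow lines and the hash value are constructed for the example; the numbers reproduce the state after chage -m7 -M60 -W10 -I30 oldboy above (last change Oct 07, 2020 is day 18542; account expiry Oct 01, 2020 is day 18536).

```shell
#!/bin/sh
# Added example (not from the lecture notes): how `chage -l` derives its
# dates from an /etc/shadow entry, plus a small aging-policy audit.
#
# /etc/shadow field layout (shadow(5)):
#   1 login  2 hash  3 lastchg  4 min  5 max  6 warn  7 inactive  8 expire  9 reserved
# Day fields count days since 1970-01-01; an empty field means "not set".

# Constructed sample entry; the hash is a placeholder, not a real hash.
SAMPLE_SHADOW_LINE='oldboy:$6$PLACEHOLDERHASH:18542:7:60:10:30:18536:'

# Constructed three-line shadow file for the audit below.
SAMPLE_SHADOW_FILE='root:$6$PLACEHOLDERHASH:18542:0:99999:7:::
oldboy:$6$PLACEHOLDERHASH:18542:7:60:10:30:18536:
daemon:*:18000:0:99999:7:::'

# Print field N of one shadow line.  $1 = line, $2 = field number.
shadow_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{ print $n }'
}

# "Password expires" = lastchg + max.  chage prints "never" when max is
# unset or >= 99999 (the default that disables expiry).
password_expires_day() {
    last=$(shadow_field "$1" 3); max=$(shadow_field "$1" 5)
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
    else
        echo $((last + max))
    fi
}

# "Password inactive" = lastchg + max + inactive; the account is locked from
# that day on if the expired password was never changed.
password_inactive_day() {
    exp=$(password_expires_day "$1"); inact=$(shadow_field "$1" 7)
    if [ "$exp" = never ] || [ -z "$inact" ]; then
        echo never
    else
        echo $((exp + inact))
    fi
}

# "Account expires" is field 8 itself, independent of the password fields.
account_expires_day() {
    e=$(shadow_field "$1" 8)
    if [ -z "$e" ]; then echo never; else echo "$e"; fi
}

# Day number -> "Mon DD, YYYY" like chage -l.  Uses GNU date; falls back to
# printing the raw day number where `date -d` is unavailable.
day_to_date() {
    if [ "$1" = never ]; then echo never; return; fi
    date -u -d "@$(($1 * 86400))" +'%b %d, %Y' 2>/dev/null || echo "day $1"
}

# Audit: login names whose hash is usable (not locked with ! or *) and whose
# password never expires (max empty or >= 99999).  Reads shadow lines on stdin.
audit_no_expiry() {
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5+0 >= 99999) { print $1 }'
}

# Demo: reproduce the chage -l view for the sample entry, then run the audit.
echo "Password expires  : $(day_to_date "$(password_expires_day "$SAMPLE_SHADOW_LINE")")"
echo "Password inactive : $(day_to_date "$(password_inactive_day "$SAMPLE_SHADOW_LINE")")"
echo "Account expires   : $(day_to_date "$(account_expires_day "$SAMPLE_SHADOW_LINE")")"
echo "Accounts with no password expiry:"
printf '%s\n' "$SAMPLE_SHADOW_FILE" | audit_no_expiry
```

On a real host you would feed `audit_no_expiry` with /etc/shadow as root; anything it lists is an account the aging policy from this section has not been applied to.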

2. su: switch user identity

-   (a bare dash) start a login shell, so the target user's environment variables are loaded

-c  run a command as the specified user

[root@oldboyedu ~]# su - oldboy -c pwd
/home/oldboy
[root@oldboyedu ~]# su - oldboy -c whoami
oldboy

How su should be used.

1. Log in as an ordinary user first; do not log in as root unless there is a reason to.

You are allowed to become root only when the task you are running actually needs root privileges.

This is the system maintenance channel.

Managing the system through su means you have to know the root password, which is a security risk.

With 10 operations staff, all 10 have to know the root password: a security risk.

Requirements:

1. Be able to manage the server without knowing the root password.

2. Manage the server with the least privilege: if you need to shut it down, you are given only the halt permission.

The sudo command:

lets a user run a command with root's privileges while holding the minimum privilege (a single command).

3. SUID vs. sudo

SUID is attached to a command: any user who runs that command runs it with root identity. Any user, running a given command: coarse.

sudo is attached to a user: a particular user is allowed to run a particular command as root. A specified user, running a specified command: precise.

4. sudo: allow a specified user to run a command with root privileges

-l  show the privileges the current user has been granted

How is sudo configured?

sudo is a privilege-escalation command (the privileges it grants are read from the /etc/sudoers file, which has a strict syntax).

/etc/sudoers is edited with the visudo command, or with vim /etc/sudoers (not recommended).

[oldboy@oldboyedu ~]$ ls /root
ls: cannot open directory /root: Permission denied

Make the action above succeed.

Grant the oldboy user permission to run ls.

Run visudo to enter the editor and jump to line 100 (100G).

Allow root to run any commands anywhere
root ALL=(ALL) ALL
oldboy ALL=(ALL) /usr/bin/ls,/bin/cp #<=== add this line

user host=(run-as role) command

Note:

1. Commands must be given as full paths:

look them up with which cp

2. Do not edit with vim /etc/sudoers; if you must, run visudo -c afterwards to check the syntax.

oldboy as an administrator, with no password required:

oldboy ALL=(ALL) NOPASSWD: ALL

After logging in, switch to root and work there.
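The two rules above mark the ends of the range: a single-command grant versus NOPASSWD: ALL, which is unrestricted root without even a password prompt. The script below is an added example, not part of the notes, that builds the least-privilege form of the rule in shell, enforces the two notes above (full command paths, resolved the way which cp would, and a visudo -c check of the result before it goes anywhere near /etc/sudoers) and refuses a rule whose command is not an absolute path. The function names are this example's own; the sudoers syntax, which cp and visudo -c come from the notes.

```shell
#!/bin/sh
# Added example (not from the lecture notes): build and syntax-check a
# least-privilege sudoers rule "user host=(runas) cmd1,cmd2".

# Resolve a command name to its absolute path (the notes' "which cp" step).
# Prints nothing and fails if the command cannot be found.
abs_cmd() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    case "$p" in /*) printf '%s\n' "$p" ;; *) return 1 ;; esac
}

# Every entry of a comma-separated command list must be an absolute path.
# A bare name such as "ls" is not a valid Cmnd spec and is rejected here.
cmnd_list_ok() {
    [ -n "$1" ] || return 1
    oldifs=$IFS; IFS=,
    for c in $1; do
        case "$c" in /*) ;; *) IFS=$oldifs; return 1 ;; esac
    done
    IFS=$oldifs
    return 0
}

# Emit one sudoers line.  $1 user, $2 host, $3 run-as role, $4.. commands.
sudoers_rule() {
    user=$1; host=$2; runas=$3; shift 3
    cmds=$(printf '%s,' "$@"); cmds=${cmds%,}
    if ! cmnd_list_ok "$cmds"; then
        echo "sudoers_rule: every command must be an absolute path" >&2
        return 1
    fi
    printf '%s %s=(%s) %s\n' "$user" "$host" "$runas" "$cmds"
}

# Syntax-check a fragment with visudo -c -f.  With -f, visudo checks the
# named file instead of /etc/sudoers; the check is skipped if visudo is absent.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1" && echo "fragment OK: $1"
    else
        echo "visudo not available here; syntax check skipped" >&2
    fi
}

# Demo: write the least-privilege rule for oldboy to a temporary file.
tmp=$(mktemp) || exit 1
{
    echo '# Least privilege: oldboy may run only ls and cp as root.'
    echo '# Contrast: "oldboy ALL=(ALL) NOPASSWD: ALL" is unrestricted root, no prompt.'
    sudoers_rule oldboy ALL ALL "$(abs_cmd ls)" "$(abs_cmd cp)"
} > "$tmp"
chmod 0440 "$tmp"    # the mode a sudoers file is expected to have
cat "$tmp"
check_fragment "$tmp" || echo "fragment rejected by visudo" >&2
rm -f "$tmp"
```

In practice the fragment goes into a file under /etc/sudoers.d (or is pasted in via visudo), never written with plain vim, and the visudo -c step is what catches the strict-syntax mistakes that would otherwise lock every sudo user out.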

[oldboy@oldboyedu ~]$ sudo su - root
Last login: Tue Mar 26 10:32:57 CST 2019 on pts/3
[root@oldboyedu ~]#

For security, forbid remote root logins to Linux.

So how do you log in at work? Log in as an ordinary user, then use sudo to escalate to root.

Wecomle to oldboy training 58期。

[oldboy@oldboyedu ~]$ whoami
oldboy
[oldboy@oldboyedu ~]$ sudo ls /root
a.txt c.txt data1 etc oldboy oldboy_b oldboy_soft_link pass test.txt user.log
b.txt d d.txt grep.txt oldboy_1.txt oldboyedu.txt oldboy.txt test test.txt.ori
[oldboy@oldboyedu ~]$
[oldboy@oldboyedu ~]$ sudo su -
Last login: Tue Mar 26 11:42:09 CST 2019 on pts/0
[root@oldboyedu ~]#
[root@oldboyedu ~]# su - oldboy
Last login: Tue Mar 26 10:44:08 CST 2019 on pts/3
[oldboy@oldboyedu ~]$ ls /root
ls: cannot open directory /root: Permission denied
[oldboy@oldboyedu ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for oldboy:
Matching Defaults entries for oldboy on oldboyedu:
User oldboy may run the following commands on oldboyedu:
(ALL) /bin/ls
[oldboy@oldboyedu ~]$ sudo ls /root
a.txt c.txt data1 etc oldboy oldboy_b oldboy_soft_link pass test.txt user.log
b.txt d d.txt grep.txt oldboy_1.txt oldboyedu.txt oldboy.txt test test.txt.ori
[oldboy@oldboyedu ~]$ ls /root
ls: cannot open directory /root: Permission denied
[oldboy@oldboyedu ~]$
