在 /etc/sudoers.d/ 中添加本地内容,而不是直接通过 visudo 修改 sodoers 文件

tag-icon tag-icon permissions sudo security users user-management
在 /etc/sudoers.d/ 中添加本地内容,而不是直接通过 visudo 修改 sodoers 文件

您能否给我提供一些有关 /etc/sudoers.d/ 的示例和更详细的说明?

我想授予某些组使用 sudo 执行某些命令的权限,但要以适当的方式,避免在多用户机器上的 Ubuntu 安全模型中造成不必要的漏洞。

以前我做过一些简单的 sudoers 定制,但显然现在 /etc/sudoers.d/ 是一种更合适的方式,我想更好地理解它。

答案1

作为这个问题据说,/etc/sudoers这是一个系统范围的配置文件,可以通过系统升级自动更改,并且很容易受到不当更改的影响。不当更改可能会导致您失去访问权限或使系统无法启动。

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#

(... some other content ...)

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

与你的预期相反,该#includedir指令不是评论. 它会导致sudo读取和解析/etc/sudoers.d目录中的任何文件(不以“~”结尾或包含“。”字符)。

$ ls -l /etc/sud*
-r--r----- 1 root root  755 sty 20 17:03 /etc/sudoers

/etc/sudoers.d:
total 7
-r--r----- 1 root root 958 mar 30  2016 README
$ sudo cat /etc/sudoers.d/README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
#   #includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#

与 不同/etc/sudoers,幸存系统的内容/etc/sudoers.d会升级,因此最好在那里创建文件而不是修改/etc/sudoers

您可能需要使用以下命令编辑此目录中的文件visudo

$ sudo visudo -f /etc/sudoers.d/veracrypt
  GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      

# Users in the veracryptusers group are allowed to run veracrypt as root.
%veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt

请注意,visudo可以使用不同的编辑器,而不是nano按照所述https://help.ubuntu.com/community/Sudoers

以下是我认为有用的其他一些链接:

相关内容