Oracle Cloud - 为什么我无需密码即可使用 sudo?

Oracle Cloud - 为什么我无需密码即可使用 sudo?

我在 Oracle Cloud Free Tier VM 上创建了一个名为 的新用户帐户testacc。此帐户是 组的成员sudo,也是testacc组的成员。密码登录已禁用,我使用公钥身份验证登录。

如果账户有密码,那么使用 sudo 时我需要输入密码。如果账户没有使用密码sudo passwd -d testacc,那么我使用 sudo 时不需要输入密码。

运行后sudo visudo可以清楚地看到,NOPASSWD:ALL该组没有该条目sudo。检查后/etc/sudoers.d会显示有该条目NOPASSWD:ALL,但该条目仅适用于该ubuntu组。

我不明白为什么我不必输入密码。这绝对是我想要的功能 - 如果我使用 SSH 登录并且没有设置用户密码,那么我就不需要使用 sudo 密码,但如果我配置了密码,那么我就需要使用密码 - 但我不知道它实际上在哪里配置的。

我读到的所有内容都与 相关联NOPASSWD:ALL,但此虚拟机肯定不适用于此用户。此外,当我使用另一台虚拟机时,取消设置密码会sudo passwd -d导致我无法使用 sudo,因为它要求输入不存在的密码


这究竟是如何工作的,以及我该如何设置我的系统,以便如果用户有密码,他们就需要输入密码sudo,但如果他们没有密码,则不会要求输入密码?

谢谢


sudo -l 的输出

Matching Defaults entries for testacc on oracle:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User testacc may run the following commands on oracle:
    (ALL : ALL) ALL

输出/etc/pam.d/sudo

#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

以 root 身份执行 sudo -V 的输出

Sudo version 1.8.31
Configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --libexecdir=/usr/lib --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit --enable-tmpfiles.d=yes
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TZ
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        *=()*
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        BASHOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DPKG_COLORS
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 0
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers

Local IP address and netmask pairs:
        10.0.0.87/255.255.255.0
        fe80::17ff:fe02:9bba/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.31

答案1

很简单:

sudo cat /etc/sudoers.d/90-cloud-init-users

您可以看到:

# Created by cloud-init v. (...)

# User rules for ubuntu
ubuntu ALL=(ALL) NOPASSWD:ALL

相关内容