我在文件中有以下条目,sudoers但用户可以访问根目录,因此需要阻止该操作。
Cmnd_Alias SUROOT=/bin/su -,/bin/su - root, /bin/su root, /usr/bin/su -, /usr/bin/su - root, /usr/bin/su root
kj ALL = (ALL) ALL,!SUROOT
但用户可以使用以下命令成为 root 用户
[kj@mytest-server1 ~]$ sudo su
[sudo] password for kj:
[root@mytest-server1 kj]#
我尝试阻止/bin/su,但它阻止用户切换到任何用户。更改sudoerskj 后,服务器如下
[root@mytest-server1 ~]# sudo -l -U kj
User kj may run the following commands on this host:
(ALL) ALL, (ALL) !/bin/su -, !/bin/su - root, !/bin/su root, !/usr/bin/su
-, !/usr/bin/su - root, !/usr/bin/su root, !/bin/su
[kj@mytest-server1 ~]$ sudo su - appeon
[sudo] password for kj:
Sorry, user kj is not allowed to execute '/bin/su - appeon' as root on mytest-server1.
[kj@mytest-server1 ~]$