NOPASSWD set for a user, but a password is still requested

I am trying to set up an ansible user by following a tutorial. They set NOPASSWD to ALL for the ansible user, so that they can -become root whenever they need to, without a password.

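I tried to do the same thing, but for a long time I have not been able to get the same result. I am running CentOS 8, with the following lines in the visudo file: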

## Same thing without a password
%wheel          ALL=(ALL)       NOPASSWD: ALL
ansible         ALL=(ALL)       NOPASSWD: ALL
cloud_user      ALL=(ALL)       NOPASSWD: ALL

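Since root login is restricted, I log in as cloud_user, but I still need root in order to install software through ansible. I looked around the internet regarding the order of the users in the list, but as you can see, cloud_user is the last one and is not mentioned anywhere else in the file. I thought this should allow me to use root without a password.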

The problem is that cloud_user is still prompted for a password on sudo commands, and ansible reports "Missing sudo password".

Output of sudo -ll:

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Sudoers entry:
    RunAsUsers: ALL
    Commands:
        ALL

Output of sudo -l -U cloud_user:

Matching Defaults entries for cloud_user on [host name]:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User cloud_user may run the following commands on [host name]:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL
    (ALL) ALL

Output of sudo cat /var/log/secure | grep cloud_user:

Aug 27 13:23:11 localhost sshd[6222]: pam_unix(sshd:session): session opened for user cloud_user by (uid=0)
Aug 27 13:23:40 localhost sudo[6270]: cloud_user : TTY=pts/0 ; PWD=/home/cloud_user ; USER=root ; COMMAND=/bin/ls /root
Aug 27 13:23:40 localhost sudo[6270]: pam_unix(sudo:session): session opened for user root by cloud_user(uid=0)
Aug 27 13:24:03 localhost sudo[6291]: cloud_user : TTY=pts/0 ; PWD=/home/cloud_user ; USER=root ; COMMAND=/bin/cat /var/log/secure
Aug 27 13:24:03 localhost sudo[6291]: pam_unix(sudo:session): session opened for user root by cloud_user(uid=0)

Answer 1

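If multiple configuration lines match the command requested by cloud_user, the last line wins. The lines in /etc/sudoers.d/90-cloud-init-users that match cloud_user and do not contain NOPASSWD will override the ones that contain NOPASSWD.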

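The contents of /etc/sudoers.d are included at the point of the #includedir /etc/sudoers.d or @includedir /etc/sudoers.d directive in the main sudoers configuration (the correct syntax depends on the version of sudo). The order of the configuration lines matters: you can use visudo -f /etc/sudoers.d/91-my-customizations to add sudoers lines so that they take effect after those added by cloud-init.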

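Also, check /etc/sudo.conf for possible plugins or alternative configuration sources. The cloud provider may have added some customizations of their own to make sure their automation can always do its job.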
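
The ordering rule described in the answer above, as an added example that is not part of the original post: a simplified Python model of how the last matching sudoers line decides whether a password is required, with the includedir directive expanded at the point where it appears. The contents of 90-cloud-init-users are assumed (the page does not show them), and aliases, per-command tags and single-file include directives are not modelled.

```python
import os
import re
import tempfile

def ordered_rules(path):
    """Yield (file, line) user rules in read order, expanding includedir in place."""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            inc = re.match(r"[#@]includedir\s+(\S+)$", line)
            if inc:
                # sudo reads the directory sorted, skipping names ending in '~' or containing '.'
                for name in sorted(os.listdir(inc.group(1))):
                    if not name.endswith("~") and "." not in name:
                        yield from ordered_rules(os.path.join(inc.group(1), name))
            elif line and not line.startswith(("#", "Defaults")) and "_Alias" not in line:
                yield path, line

def effective_rule(main_sudoers, user, groups=()):
    """Return (tag, file, line) of the LAST rule matching the user, or None."""
    names = {user, "ALL"} | {"%" + g for g in groups}
    last = None
    for path, line in ordered_rules(main_sudoers):
        if line.split()[0] in names:
            tag = "NOPASSWD" if "NOPASSWD:" in line else "PASSWD"
            last = (tag, path, line)
    return last

def demo(root):
    """Build a constructed sudoers tree under `root` and evaluate it twice."""
    d = os.path.join(root, "sudoers.d")
    os.makedirs(d)
    main = os.path.join(root, "sudoers")
    with open(main, "w") as fh:
        fh.write("%wheel ALL=(ALL) NOPASSWD: ALL\n"
                 "cloud_user ALL=(ALL) NOPASSWD: ALL\n"
                 f"#includedir {d}\n")
    # Assumed content: the page does not show what this file holds.
    with open(os.path.join(d, "90-cloud-init-users"), "w") as fh:
        fh.write("cloud_user ALL=(ALL) ALL\n")
    before = effective_rule(main, "cloud_user", ["wheel"])
    with open(os.path.join(d, "91-my-customizations"), "w") as fh:
        fh.write("cloud_user ALL=(ALL) NOPASSWD: ALL\n")
    after = effective_rule(main, "cloud_user", ["wheel"])
    return before, after

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(tmp))
```

In the constructed tree the deciding line moves from the 90-cloud-init-users entry (password required) to the 91-my-customizations entry once that later-sorting file exists.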
