我最近打开 sudoers 文件并注意到以下内容:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
admin和sudo群体的特权之间实际上存在有效的区别吗?如果是的话,那是什么?
答案1
该部分引用了 Sudo 的 Runas_Spec 部分,其更多详细信息可以在手册页。
在您的示例中,管理组的任何成员都可以升级为具有任何用户的 sudo 权限,并且 sudo 组的成员可以升级为具有任何用户的 sudo 权限和团体。
下面的示例,我创建了 2 个用户,并在您的问题中为他们提供了不同的权限;
cat /etc/sudoers | grep ^test
test1 ALL=(ALL) NOPASSWD: ALL
test2 ALL=(ALL:ALL) NOPASSWD: ALL
然后测试让它们以 apache 用户和组的身份运行命令,注意在尝试以 apache 组运行时提示输入用户 test1 的密码;
[test1@heisenbug root]$ sudo -u apache ping google.com
PING google.com (74.125.230.233) 56(84) bytes of data.
64 bytes from par08s10-in-f9.1e100.net (74.125.230.233): icmp_seq=1 ttl=63 time=36.2 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 36.245/36.245/36.245/0.000 ms
[test1@heisenbug root]$ sudo -g apache ping google.com
[sudo] password for test1:
[test2@heisenbug root]$ sudo -u apache ping google.com
PING google.com (74.125.230.226) 56(84) bytes of data.
64 bytes from lhr08s06-in-f2.1e100.net (74.125.230.226): icmp_seq=1 ttl=63 time=34.4 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 34.465/34.465/34.465/0.000 ms
[test2@heisenbug root]$ sudo -g apache ping google.com
PING google.com (74.125.230.233) 56(84) bytes of data.
64 bytes from lhr08s06-in-f9.1e100.net (74.125.230.233): icmp_seq=1 ttl=63 time=35.0 ms
64 bytes from lhr08s06-in-f9.1e100.net (74.125.230.233): icmp_seq=2 ttl=63 time=33.5 ms
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 33.575/34.308/35.042/0.756 ms
我只能想象在非常严格的情况下可以应用这种类型的用法。