我试图允许一组用户获得对 dhcpcd 服务实例的一定控制权。换句话说,我希望它们能够运行:
systemctl (start,stop,...) [email protected]
不提示输入密码,但仅在[电子邮件受保护]。我已经遇到过这样做的方法,但是它们需要在自己的行中枚举每个子命令。
%mygroup ALL=NOPASSWD: /usr/bin/systemctl start [email protected], /usr/bin/systemctl stop [email protected], ...
有更优雅的方法吗?
答案1
Sudoers 通配符仅支持通配符 ( man glob, man fnmatch)。然而,start、stop、restart( 等) 命令systemctl无法通配,因为它们不是文件。
从安全角度来看,您需要枚举每个命令是一件好事。如果[email protected]使用命令更新,例如shutdown-machine在系统更新上,您的 sudo 用户将无法使用它(幸运的是)。
sudoers 手册中有关于此的注释:
Wildcards in command line arguments should be used with care.
Command line arguments are matched as a single, concatenated string. This mean a wildcard character such as ‘?’ or
‘*’ will match across word boundaries, which may be unexpected. For example, while a sudoers entry like:
%operator ALL = /bin/cat /var/log/messages*
will allow command like:
$ sudo cat /var/log/messages.1
It will also allow:
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to do command line processing outside of the
sudoers file in a scripting language.
另一方面,如果您想节省打字时间,您可以完全按照手册的建议进行操作:使用脚本语言。例如,您可以在其中编写类似的内容/usr/local/sbin/sudoers-dhcpd.sh:
#!/bin/sh
case "$1" in
start)
systemctl start [email protected]
;;
stop)
systemctl stop [email protected]
;;
restart)
systemctl restart [email protected]
;;
*)
echo You are not allowed to do that!
;;
esac
并添加 sudoers 行,如下所示:
%mygroup ALL=NOPASSWD: /usr/local/sbin/sudoers-dhcpd.sh