Centos7 新建一个用户并且赋予权限给他

比如我们新建一个服务器,一般我们都是使用 root 用户首次登陆,但是 root 登陆服务器有很大的安全问题,所以我们要新建一个用户,通过这个用户来对服务器进行操作。

Centos7 新建一个用户并且赋予权限给他

新建一个用户

1
2
3
4
5
6
7
8
[root@dlp ~]# useradd test 
[root@dlp ~]# passwd test
Changing password for user test.
New UNIX password:# set password
Retype new UNIX password:# confirm
passwd: all authentication tokens updated successfully.

[root@dlp ~]# exit

从 root 切换到新建的用户

1
2
3
4
5
6
7
dlp login: test# input user name
password: # password

[test@dlp ~]$ su - # switch to root
Password:# root password

[root@dlp ~]# # just switched to root

设置只能这个新建用户能切换到 root

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[root@dlp ~]# usermod -G wheel test 
[root@dlp ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the following line(新增加这句)
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so

将 root 的 email 转发给新建的用户

1
2
3
4
5
6
[root@dlp ~]# vi /etc/aliases
# Person who should get root's mail
# last line: uncomment and change to a user
root: test

[root@dlp ~]# newaliases # reload

将 root 的权限转给新建用户

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[root@dlp ~]# visudo
# add at the last line: user 'test' can use all root privilege
test ALL=(ALL) ALL
# how to write ⇒ destination host=(owner) command
# make sure with the user 'test'

[test@dlp ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied# denied normally

[test@dlp ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for test:# own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# just executed

给新建用户禁止某些执行某些 command 的权限

1
2
3
4
5
6
7
8
9
10
11
[root@dlp ~]# visudo
# near line 49: add aliase for the kind of shutdown commands
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
/sbin/poweroff, /sbin/reboot, /sbin/init

# add ( commands in aliase 'SHUTDOWN' are not allowed )
test ALL=(ALL) ALL, !SHUTDOWN

# make sure with the user 'test'
[test@dlp ~]$ sudo /sbin/shutdown -r now
Sorry, user test is not allowed to execute '/sbin/shutdown -r now' as root on dlp.srv.world. # denied normally

将 root 一些 command 权限转让给一个群组

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[root@dlp ~]# visudo
# near line 51: add aliase for the kind of user management comamnds
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
/usr/bin/passwd
# add at the last line
%usermgr ALL=(ALL) USERMGR

[root@dlp ~]# groupadd usermgr
[root@dlp ~]# usermod -G usermgr test
# make sure with the user 'test'
[test@dlp ~]$ sudo /usr/sbin/useradd testuser
[test@dlp ~]$ # done normally
[test@dlp ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

将 root 的一个 command 权限传给一个用户

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@dlp ~]# visudo
# add at the last line
test ALL=(ALL) /usr/sbin/visudo
fedora ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu ALL=(ALL) /bin/vi

# make sure with the user 'test'
[test@dlp ~]$ sudo /usr/sbin/visudo
# possible to open and edit
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
# make sure with the user 'fedora'
[fedora@dlp ~]$ sudo /usr/sbin/userdel -r testuser
[fedora@dlp ~]$ # done normally
# make sure with the user 'ubuntu'
[ubuntu@dlp ~]$ sudo /bin/vi /boot/grub/grub.conf
# possible to open and edit
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that

禁止使用 root 用户在远程登录

1
2
3
4
5
6
7
8
9
[root@dlp ~]# vi /etc/ssh/sshd_config
# line 38: uncomment and change (prohibit root login remotely)
PermitRootLogin no
[root@dlp ~]# systemctl restart sshd

[root@dlp ~]# firewall-cmd --add-service=ssh --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
文章对你有用?给博主一个支持
0%