10 Sudoers Configurations for Setting Up sudo in Linux


In Linux and other Unix-like operating systems, only the root user can run every command and perform certain critical operations on the system, such as installing, updating and removing packages, creating users and groups, modifying important system configuration files, and so on.

However, a system administrator who assumes the role of the root user can, with the help of the sudo command and a few configuration rules, permit other normal system users to run some of those commands and carry out a number of vital system operations, including the ones mentioned above.

Alternatively, the system administrator could share the root password (not a recommended practice) so that normal system users can reach the root account through the su command.

sudo allows a permitted user to execute a command as root (or as another user), as specified by the security policy:

  1. It reads and parses /etc/sudoers, looking up the invoking user and the permissions granted to it,
  2. then it prompts the user for a password (normally the invoking user's own password, but it can be the target user's password, or the prompt can be skipped with the NOPASSWD tag),
  3. after that, sudo creates a child process in which it calls setuid() to switch to the target user,
  4. next, it executes a shell or the command given as arguments in that child process.

Below are ten /etc/sudoers file configurations that modify the behaviour of the sudo command using Defaults entries.

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults	logfile="/var/log/sudo.log"
Defaults	lecture="always"
Defaults	badpass_message="Password is wrong, please try again"
Defaults	passwd_tries=5
Defaults	insults
Defaults	log_input,log_output
Defaults                parameter,   parameter_list     #affects all users on any host
Defaults@Host_List      parameter,   parameter_list     #affects all users on a specific host
Defaults:User_List      parameter,   parameter_list     #affects a specific user
Defaults!Cmnd_List      parameter,   parameter_list     #affects a specific command
Defaults>Runas_List     parameter,   parameter_list     #affects commands being run as a specific user

For the scope of this guide, we will focus on the first type of Defaults in the forms below. Parameters may be flags, integer values, strings, or lists.

Note that flags are implicitly boolean and can be turned off with the ! operator, and lists have two additional assignment operators, += (add to the list) and -= (remove from the list).

Defaults     parameter
OR
Defaults     parameter=value
OR
Defaults     parameter -=value
Defaults     parameter +=value
OR
Defaults     !parameter
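As an added example (not code from the article or from the sudo project), the following POSIX sh + awk reader classifies the global Defaults entries of a sudoers-style file into the five forms just listed. It is not sudo's parser and does not replace it; the authoritative syntax check for a sudoers file is `visudo -c -f FILE`. The sample file it writes is constructed for the example and is not any real host's /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the article or from sudo: classify the global
# "Defaults" entries of a sudoers-style file into the forms shown above
# (flag, !flag, parameter=value, list += value, list -= value).

# write_sample_sudoers FILE: constructed sample so the example runs offline
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
Defaults        env_reset
Defaults        !insults
Defaults        passwd_tries=5, passwd_timeout=2
Defaults        badpass_message="Password is wrong, please try again"   # comment
Defaults        env_keep += "EDITOR"
Defaults        env_keep -= "LD_PRELOAD"
Defaults:alice  !requiretty
EOF
}

# classify_defaults FILE: prints "<form> <parameter> [<value>]", one line per
# entry. Only bare "Defaults" lines are read; the host-, user-, command- and
# runas-scoped forms (Defaults@ Defaults: Defaults! Defaults>) are skipped.
# Commas and '#' inside double quotes are kept as part of the value.
classify_defaults() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # split a Defaults line into comma-separated items, ignoring commas that
    # sit inside double quotes and stopping at an unquoted "#" comment
    function split_items(line, out,    i, c, inq, cur, n) {
        n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"") inq = !inq
            if (c == "#" && !inq) break
            if (c == "," && !inq) { out[++n] = cur; cur = "" }
            else cur = cur c
        }
        if (trim(cur) != "") out[++n] = cur
        return n
    }
    $1 == "Defaults" {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        split("", items)                     # reset the item array
        n = split_items(line, items)
        for (i = 1; i <= n; i++) {
            item = trim(items[i])
            if (item == "") continue
            if ((p = index(item, "+=")) > 0)
                print "list-add", trim(substr(item, 1, p - 1)), trim(substr(item, p + 2))
            else if ((p = index(item, "-=")) > 0)
                print "list-remove", trim(substr(item, 1, p - 1)), trim(substr(item, p + 2))
            else if ((p = index(item, "=")) > 0)
                print "assign", trim(substr(item, 1, p - 1)), trim(substr(item, p + 1))
            else if (substr(item, 1, 1) == "!")
                print "negated", substr(item, 2)
            else
                print "flag", item
        }
    }' "$1"
}

# Usage: write_sample_sudoers /tmp/sample.sudoers; classify_defaults /tmp/sample.sudoers
```

Run against the sample, it prints seven lines, one per entry (for example `assign passwd_tries 5` and `list-remove env_keep "LD_PRELOAD"`), and ignores the `Defaults:alice` line because that is a user-scoped entry rather than a global one.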

1. Set a Secure PATH

This is the PATH used for every command run with sudo; it is important for two reasons:

  1. It is used when the system administrator does not trust sudo users to have a secure PATH environment variable.
  2. It separates the 'root path' from the 'user path'; only users defined by exempt_group are unaffected by this setting.

To set it, add the line:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
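A secure_path only helps if every directory in it is one that only root can change. As an added check (not from the article or from sudo), the shell function below walks a secure_path value and reports entries that are relative, missing, group- or world-writable, or not owned by root; any of these would let a non-root user place a program where sudo looks for commands. The directory names in the usage comment are the ones recommended above; the issue labels are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from sudo: audit a secure_path
# value for entries that weaken it.

# check_secure_path "DIR1:DIR2:...": prints "<issue> <dir>" for each weak
# entry and returns the number of issues found (0 means clean).
# Issue kinds: relative, missing, world-writable, group-writable, not-root-owned.
check_secure_path() {
    issues=0
    old_ifs=$IFS
    IFS=:
    set -- $1                      # split the colon-separated value into args
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  echo "relative ${dir:-(empty entry)}"; issues=$((issues + 1)); continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing $dir"; issues=$((issues + 1)); continue
        fi
        # -L follows symlinks (e.g. /bin -> usr/bin on merged-usr systems) so
        # the mode and owner of the real directory are inspected
        mode=$(ls -ldL "$dir" | cut -c1-10)            # e.g. drwxr-xr-x
        owner=$(ls -ldL "$dir" | awk '{ print $3 }')
        case $mode in ????????w?) echo "world-writable $dir"; issues=$((issues + 1)) ;; esac
        case $mode in ?????w????) echo "group-writable $dir"; issues=$((issues + 1)) ;; esac
        if [ "$owner" != root ]; then
            echo "not-root-owned $dir"; issues=$((issues + 1))
        fi
    done
    return "$issues"
}

# Usage against the value recommended above:
# check_secure_path "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
```

The function reads permissions from `ls -ldL`, which is portable across Linux and BSD userlands; on a correctly configured system it prints nothing and returns 0.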

2. Enable sudo on a TTY User Login Session

To allow sudo to be invoked only from a real tty and not through methods such as cron scripts or cgi-bin programs, add the line:

Defaults  requiretty

3. Run a sudo Command Using a pty

Sometimes an attacker can run a malicious program (such as a virus or other malware) via sudo that forks a background process which stays attached to the user's terminal device even after the main program has finished executing.

To avoid such a scenario, you can configure sudo to run other commands only from a pseudo-pty using the use_pty parameter, whether I/O logging is turned on or not, as follows:

Defaults  use_pty

4. Create a sudo Log File

By default, sudo logs through syslog(3). To specify a custom log file instead, use the logfile parameter like so:

Defaults  logfile="/var/log/sudo.log"

To also record the hostname and the four-digit year in the custom log file, use the log_host and log_year parameters respectively:

Defaults  log_host, log_year, logfile="/var/log/sudo.log"

Below is an example of a custom sudo log file:
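As an added example (not from the original article or from sudo), the script below embeds a few constructed entries in the layout sudo writes to its logfile when log_host and log_year are on (`Mon DD HH:MM:SS YYYY : user : HOST=host : message`) and parses them into one record per entry, so that refused commands and failed password attempts can be counted. The hostname, user names and commands in the sample are made up. One detail worth handling: sudo wraps logfile entries longer than loglinelen (default 80 columns) onto continuation lines indented with spaces, so a parser that reads line by line would split a long COMMAND in two; this one re-joins them.

```shell
#!/bin/sh
# Added example, not code from the article or from sudo: parse sudo logfile
# entries (log_host + log_year layout) into TSV records and count denials.

# write_sample_log FILE: constructed sample entries (not from a real host);
# the last entry is wrapped the way sudo wraps lines longer than loglinelen
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 22 11:02:22 2017 : alice : HOST=web01 : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jun 22 11:05:10 2017 : bob : HOST=web01 : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 22 11:07:45 2017 : bob : HOST=web01 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/sudo.log
Jun 22 11:09:03 2017 : carol : HOST=web01 : TTY=pts/2 ; PWD=/srv/app ; USER=deploy ;
    COMMAND=/usr/bin/git pull --rebase origin main
EOF
}

# parse_sudo_log FILE: prints "status<TAB>user<TAB>host<TAB>runas<TAB>command"
# per entry; status is "allowed" or the failure text sudo wrote, e.g.
# "command not allowed" or "3 incorrect password attempts".
parse_sudo_log() {
    awk '
    function flush(    n, f, i, j, user, host, msg, m, p, status, runas, cmd) {
        if (rec == "") return
        n = split(rec, f, / : /)            # time : user [: HOST=h] : message
        user = f[2]; host = "-"; i = 3
        if (f[i] ~ /^HOST=/) { host = substr(f[i], 6); i++ }
        msg = f[i]
        for (j = i + 1; j <= n; j++) msg = msg " : " f[j]   # " : " inside a command
        m = split(msg, p, / ; /)
        status = (p[1] ~ /^TTY=/) ? "allowed" : p[1]
        runas = "-"; cmd = "-"
        for (j = 1; j <= m; j++) {
            if (p[j] ~ /^USER=/) runas = substr(p[j], 6)
            else if (p[j] ~ /^COMMAND=/) cmd = substr(p[j], 9)
        }
        printf "%s\t%s\t%s\t%s\t%s\n", status, user, host, runas, cmd
        rec = ""
    }
    /^[ \t]/ { sub(/^[ \t]+/, " "); rec = rec $0; next }   # wrapped continuation
    { flush(); rec = $0 }
    END { flush() }
    ' "$1"
}

# count_denied FILE: entries that were refused or failed authentication
count_denied() {
    parse_sudo_log "$1" | awk -F'\t' '$1 != "allowed" { n++ } END { print n + 0 }'
}

# Usage: write_sample_log /tmp/sudo.log.sample; parse_sudo_log /tmp/sudo.log.sample
```

On the sample this yields four records, two of them denials for the user bob; the same two functions work on a real logfile written with the Defaults line above, and the TSV output is easy to feed into further filtering.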

5. Log sudo Command Input/Output

The log_input and log_output parameters make sudo run a command in a pseudo-tty and log all user input and all output sent to the screen, respectively.

The default I/O log directory is /var/log/sudo-io, and if a session sequence number is in use, it is stored in this directory. You can specify a custom directory through the iolog_dir parameter.

Defaults   log_input, log_output

Some escape sequences are supported, such as %{seq}, which expands to a monotonically increasing base-36 sequence number such as 000001, where every two digits are used to form a new directory level, e.g. 00/00/01, as in the example below:

$ cd /var/log/sudo-io/
$ ls
$ cd  00/00/01
$ ls
$ cat log

You can view the rest of the files in that directory using the cat command.
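The 00/00/01 layout above follows directly from the base-36 encoding of %{seq}. As an added example (not code from the article or from sudo), the shell functions below convert a sequence number to its directory path and back, and walk an I/O log root to list the sessions stored under it. The session directories they create for the demonstration are constructed, and the three-line `log` file they write (header, working directory, command) is an assumption made for this example rather than a copy of any real host's data.

```shell
#!/bin/sh
# Added example, not code from the article or from sudo: the arithmetic behind
# %{seq}. A sequence number is written as six base-36 digits (0-9 then A-Z)
# split two digits per directory level, so session 1 is 00/00/01 and
# session 36 is 00/00/10.

DIGITS=0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ

# seq_to_iolog_path N: decimal sequence number -> "AA/BB/CC"
seq_to_iolog_path() {
    n=$1; s=""
    while [ "$n" -gt 0 ]; do
        d=$((n % 36))
        s=$(printf '%s' "$DIGITS" | cut -c"$((d + 1))")$s
        n=$((n / 36))
    done
    s=$(printf '%6s' "$s" | tr ' ' '0')                # left-pad to six digits
    printf '%s/%s/%s\n' "$(printf '%s' "$s" | cut -c1-2)" \
        "$(printf '%s' "$s" | cut -c3-4)" "$(printf '%s' "$s" | cut -c5-6)"
}

# iolog_path_to_seq "AA/BB/CC": the inverse, back to a decimal number
iolog_path_to_seq() {
    p=$(printf '%s' "$1" | tr -d / | tr a-z A-Z)
    n=0
    for c in $(printf '%s' "$p" | sed 's/./& /g'); do
        rest=${DIGITS%%"$c"*}                # characters before c = its value
        n=$((n * 36 + ${#rest}))
    done
    printf '%s\n' "$n"
}

# write_session ROOT SEQ CWD COMMAND: constructed session directory with an
# assumed three-line "log" file (header, working directory, command)
write_session() {
    dir=$1/$(seq_to_iolog_path "$2")
    mkdir -p "$dir"
    printf '%s\n' "1498129342:alice:root::/dev/pts/0:24:80" "$3" "$4" > "$dir/log"
}

# make_sample_iolog ROOT: two constructed sessions, sequence numbers 1 and 10
make_sample_iolog() {
    write_session "$1" 1  "/home/alice" "/bin/systemctl restart nginx"
    write_session "$1" 10 "/srv/app"    "/usr/bin/apt-get update"
}

# list_iolog_sessions ROOT: prints "<path> <seq> <command>" for every
# session directory under ROOT that holds a "log" file
list_iolog_sessions() {
    for d in "$1"/??/??/??; do
        [ -f "$d/log" ] || continue
        rel=${d#"$1"/}
        printf '%s %s %s\n' "$rel" "$(iolog_path_to_seq "$rel")" "$(sed -n 3p "$d/log")"
    done
}

# Usage: make_sample_iolog /tmp/sudo-io-sample; list_iolog_sessions /tmp/sudo-io-sample
```

Session 10 lands in 00/00/0A and session 1296 in 00/01/00, which is why a busy host's I/O log tree fans out across many small directories; pointing list_iolog_sessions at the real iolog_dir gives a quick inventory of what has been recorded.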

6. Lecture sudo Users

To lecture sudo users about password usage on the system, use the lecture parameter as below.

It has three possible values:

  1. always – always lecture the user.
  2. once – only lecture the user the first time they execute the sudo command (this is the value used when none is specified).
  3. never – never lecture the user.

 
Defaults  lecture="always"

In addition, you can set a custom lecture file with the lecture_file parameter; write the appropriate message in that file:

Defaults  lecture_file="/path/to/file"

7. Show a Custom Message When You Enter a Wrong sudo Password

When a user enters an incorrect password, a certain message is displayed on the command line. The default message is 'sorry, try again'; you can change it using the badpass_message parameter as follows:

Defaults  badpass_message="Password is wrong, please try again"

8. Increase the sudo Password Tries Limit

The passwd_tries parameter specifies how many times a user may try to enter a password.

The default value is 3:

Defaults   passwd_tries=5

To set the password timeout (the default is 5 minutes) with the passwd_timeout parameter, add the line below:

Defaults   passwd_timeout=2

9. Let sudo Insult You When You Enter a Wrong Password

When a user types an incorrect password, sudo will display insults on the terminal if the insults parameter is set. This automatically disables the badpass_message parameter.

Defaults  insults

Read Also: Let Sudo Insult You When You Enter an Incorrect Password

10. Learn More sudo Configurations

Additionally, you can learn more about configuring the sudo command by reading: Difference Between su and sudo and How to Configure sudo in Linux.

That's it! You can share other useful sudo command configurations or tricks and tips with Linux users out there via the comment section below.