主页 / server / 问题 / 1177835
Accepted
Diagon
Asked: 2025-03-28 07:29:23 +0800 CST

sudoers :为一个用户工作,但不为另一个用户工作

  • 772

我在 Ubuntu 22.04 上,并且为用户 拥有以下 sodoers 文件btrbk,位于/etc/sudoers.d/btrbk,运行良好:

Cmnd_Alias BTRFS_FILESYSTEM_USAGE = /usr/bin/btrfs filesystem usage *
Cmnd_Alias BTRFS_SUBVOLUME_SHOW = /usr/bin/btrfs subvolume show *
Cmnd_Alias BTRFS_SUBVOLUME_LIST = /usr/bin/btrfs subvolume list *
Cmnd_Alias BTRFS_SUBVOLUME_SNAP = /usr/bin/btrfs subvolume snapshot *
Cmnd_Alias BTRFS_SUBVOLUME_DELETE = /usr/bin/btrfs subvolume delete *
Cmnd_Alias BTRFS_SEND = /usr/bin/btrfs send *
Cmnd_Alias BTRFS_RECEIVE = /usr/bin/btrfs receive *
Cmnd_Alias READLINK = /usr/bin/readlink *
Cmnd_Alias TEST = /usr/bin/test *

btrbk ALL= NOPASSWD: BTRFS_FILESYSTEM_USAGE, BTRFS_SUBVOLUME_SHOW, BTRFS_SUBVOLUME_LIST, BTRFS_SUBVOLUME_SNAP, BTRFS_SUBVOLUME_DELETE, BTRFS_SEND, BTRFS_RECEIVE, READLINK, TEST

另一方面,我有dev位于 的用户的以下内容/etc/sudoers.d/dev,其中大部分是 的子集btrbk,但全部失败:

Cmnd_Alias BTRFS_FILESYSTEM_SHOW_DEV = /usr/bin/btrfs filesystem show *
Cmnd_Alias BTRFS_FILESYSTEM_USAGE_DEV = /usr/bin/btrfs filesystem usage *
Cmnd_Alias BTRFS_SUBVOLUME_SHOW_DEV = /usr/bin/btrfs subvolume show *
Cmnd_Alias BTRFS_SUBVOLUME_LIST_DEV = /usr/bin/btrfs subvolume list *

Cmnd_Alias TRANSMISSION_RESTART_DEV = /usr/bin/systemctl restart transmission-daemon.service

dev ALL= NOPASSWD: BTRFS_FILESYSTEM_SHOW_DEV, BTRFS_FILESYSTEM_USAGE_DEV, BTRFS_SUBVOLUME_SHOW_DEV, BTRFS_SUBVOLUME_LIST_DEV
dev ALL= NOPASSWD: TRANSMISSION_RESTART_DEV

该文件/etc/soders确实有正确的

@includedir /etc/sudoers.d

并且,sudoers和 的权限为sudoers.d/*440,所有者为rootsudo -lU btrbk与 的输出相比, 的输出dev似乎是正确的:

$ sudo -l -U btrbk
Matching Defaults entries for btrbk on ThinkPad:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User btrbk may run the following commands on ThinkPad:
    (root) NOPASSWD: /usr/bin/btrfs filesystem usage *, /usr/bin/btrfs subvolume show *, /usr/bin/btrfs subvolume list *, /usr/bin/btrfs
        subvolume snapshot *, /usr/bin/btrfs subvolume delete *, /usr/bin/btrfs send *, /usr/bin/btrfs receive *, /usr/bin/readlink *,
        /usr/bin/test *

$ sudo -l -U dev
Matching Defaults entries for dev on ThinkPad:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User dev may run the following commands on ThinkPad:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/btrfs filesystem show *, /usr/bin/btrfs filesystem usage *, /usr/bin/btrfs subvolume show *, /usr/bin/btrfs subvolume
        list *
    (root) NOPASSWD: /usr/bin/systemctl restart transmission-daemon.service

对于用户dev,btrfs 给出权限失败:

$ btrfs filesystem show
ERROR: cannot open /dev/mapper/luks.root: Permission denied
ERROR: cannot open /dev/mapper/ub.luks.root: Permission denied
ERROR: cannot open /dev/mapper/luks.data: Permission denied
ERROR: cannot open /dev/mapper/sd.luks.backup: Permission denied

对于传输也类似,会弹出一个身份验证窗口,当取消时...

$ systemctl restart transmission-daemon.service 
Failed to restart transmission-daemon.service: Access denied
See system logs and 'systemctl status transmission-daemon.service' for details.

$ journalctl -x -b0 | grep transmission | tail -n1
Apr 03 15:38:53 ThinkPad polkitd(authority=local)[2612]: Operator of unix-session:3 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.1042 [systemctl restart transmission-daemon.service] (owned by unix-user:dev)

有人可以就为什么会出现这种情况提出建议吗?

sudo

1 个回答

  1. Best Answer

    sudo必须在另一个要使用提升的/其他用户的权限运行的命令前明确指定该命令。

    /etc/sudoers仅控制谁可以使用sudo、使用哪些命令以及在哪些系统上使用。它不会“神奇地”导致目标命令以某种方式sudo代表用户启动命令。

    • 1

相关问题