主页 / unix / 问题 / 537573
Accepted
slm
Asked: 2019-08-27 18:52:20 +0800 CST

如何使用我的 sudo 权限确认其他用户的 sudo 权限?

  • 772

我目前管理一个 IDM ( FreeIPA ) 集群并拥有完整的 sudo 权限,即我可以通过sudo -Es. 我想验证我在特定服务器上添加到 FreeIPA 的 sudo 规则,以确认主机通过 SSSD 正确获取了该规则。

我怎样才能做到这一点?

注意: sudo 规则如下:

$ ipa sudorule-show prod-abc-dashboard-dba
  Rule name: prod-abc-dashboard-dba
  Enabled: TRUE
  Command category: all
  User Groups: eng-data-svc
sudo sssd

1 个回答

  1. Best Answer

    我发现完成此操作的最简单方法是通过 SSH 连接到服务器,该服务器将获取 sudo 规则并检查组中被授予此类访问权限的用户。您可以使用sudo命令-l和 -U开关:

    $人须藤

    -l, --list  If no command is specified, list the allowed (and 
            forbidden) commands for the invoking user (or the user 
            specified by the -U option) on the current host.  A 
            longer list format is used if this option is specified 
            multiple times and the security policy supports a ver‐
            bose output format.

-U user, --other-user=user 
              Used in conjunction with the -l option to list the 
            privileges for user instead of for the invoking user.  
            The security policy may restrict listing other users' 
            privileges.  The sudoers policy only allows root or a 
            user with the ALL privilege on the current host to use 
            this option.

    您可以像这样一起使用它们:

    $ sudo -lU <user>

    例子

    $ sudo -lU joeuser
Matching Defaults entries for joeuser on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME
    LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User joeuser may run the following commands on this host:
    (root) ALL
    (ALL : ALL) ALL

    此外,您可以使用多个-l开关(即-ll)来获得另一个用户权限的更详细列表,例如:

    $ sudo -llU joeuser
Matching Defaults entries for joeuser on this host:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User joeuser may run the following commands on this host:

LDAP Role: lab-data-services-all
    RunAsUsers: root
    Commands:
        ALL

LDAP Role: ad-data_services
    RunAsUsers: root
    Commands:
        ALL

LDAP Role: ALL
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        ALL

    须藤版本

    $ sudo -V
Sudo version 1.8.6p3
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers I/O plugin version 1.8.6p3
    • 3

相关问题