4.4. ¹ÜÀí¿ØÖÆ

4.4.2.1. ½ûÓøù Shell

Òª·ÀÖ¹Óû§Ö±½ÓµÇ¼Ϊ¸ùÓû§£¬ÏµÍ³¹ÜÀíÔ±¿ÉÒÔÔÚ /etc/passwd ÎļþÖаѸùÕÊºÅµÄ shell ÉèÖÃΪ /sbin/nologin¡£Õâ»á×èÖ¹ÐèÒª shell µÄÃüÁÈç su ºÍ ssh µÈÖ±½Ó½øÈë¸ùÕʺš£

	ÖØÒª
	ÄÇЩ²»ÐèҪʹÓà shell µÄ³ÌÐò£¬Èçµç×ÓÓʼþ¿Í»§»ò sudo ÃüÁÈÔ¾ÉÄܹ»½øÈë¸ùÕʺš£

4.4.2.2. ½ûÓøùµÇ¼

Òª½øÒ»²½ÏÞÖƶԸùÕʺŵÄʹÓÃȨÏÞ£¬¹ÜÀíÔ±¿ÉÒÔͨ¹ý±à¼­ /etc/securetty ÎļþÀ´½ûÓÿØÖÆ̨µÄ¸ùµÇ¼¡£¸ÃÎļþÁоÙÁËËùÓиùÓû§±»ÔÊÐíµÇ¼µÄÉ豸¡£Èç¹û¸ÃÎļþ²»´æÔÚ£¬¸ùÓû§¾ÍÄÜͨ¹ýϵͳÉϵĸ÷ÀàͨÐÅÉ豸£¬²»¹ÜÊÇ¿ØÖÆ̨»¹ÊÇԭʼÍøÂç½Ó¿Ú£¬À´µÇ¼¡£ÕâÖÖÇé¿öºÜΣÏÕ£¬ÒòΪÓû§¿ÉÒÔÒÔ¸ùÓû§Éí·ÝʹÓà Telnet À´µÇ¼£¬ÔÚÍøÂçÖÐÃ÷ÎÄ´«Ë͸ù¿ÚÁî¡£°´ÕÕĬÈÏÉèÖ㬺ìñÆóÒµ Linux µÄ /etc/securetty ÎļþÖ»ÔÊÐí¸ùÓû§ÔںͻúÆ÷ÎïÀíÏàÁ¬µÄ¿ØÖÆ̨ÉϵǼ¡£Òª×èÖ¹¸ùÓû§µÇ¼£¬¼üÈëÒÔÏÂÃüÁîÀ´Çå³ý¸ÃÎļþµÄÄÚÈÝ:

echo > /etc/securetty

	¾¯¸æ
	Ò»¸ö¿Õ°×µÄ /etc/securetty Îļþ²»»á·ÀÖ¹¸ùÓû§Ê¹Óà OpenSSH ¹¤¾ßÌ×¼þÀ´Ô¶³ÌµÇ¼£¬ÒòΪ¿ØÖÆ̨ÔÚÑé֤֮ǰ²»»á±»´ò¿ª¡£

4.4.2.3. ½ûÓøùÓû§µÄ SSH µÇ¼

Òª·ÀÖ¹¸ùÓû§Í¨¹ý SSH ЭÒéµÇ¼£¬±à¼­ SSH ÊØ»¤½ø³ÌµÄÅäÖÃÎļþ£¨/etc/ssh/sshd_config£©¡£°ÑÒÔÏÂÒ»ÐУº

# PermitRootLogin yes

¸Ä³É£º

 
PermitRootLogin no

4.4.2.4. ʹÓà PAM ½ûÓøùȨÏÞ

PAM ͨ¹ý /lib/security/pam_listfile.so Ä£¿éÔھܾøÌض¨Õʺŷ½ÃæÌṩÁ˼«´óµÄÁé»îÐÔ¡£Õâʹ¹ÜÀíÔ±Äܹ»ÔÚ²»×¼ÐíµÇ¼µÄÓû§ÁбíÉÏÓ¦ÓøÃÄ£¿é¡£ÒÔϵÄÀý×ÓÏÔʾÁ˸ÃÄ£¿éÔÚ /etc/pam.d/vsftpd PAM ÅäÖÃÎļþÖÐµÄ vsftpd FTP ·þÎñÆ÷ÉÏÊÇÈçºÎ±»Ê¹Óõģ¨Èç¹ûÖ¸ÁîÔÚÒ»ÐÐÄÚ£¬ÄÇô¾Íû±ØҪʹÓõÚÒ»ÐÐβµÄ \ ×Ö·û£©£º

auth   required   /lib/security/pam_listfile.so   item=user \
sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

Õâ¸æËß PAM ²Î¿¼ /etc/vsftpd.ftpusers Îļþ£¬²¢¾Ü¾øÆäÖÐÁоٵÄÓû§Ê¹Óø÷þÎñ¡£¹ÜÀíÔ±¿ÉÒÔËæÒâ¸Ä±äÕâ¸öÎļþµÄÃû³Æ£¬²¢ÎªÃ¿¸ö·þÎñ±£´æµ¥¶ÀµÄÁÐ±í£¬»òʹÓÃÒ»¸öµ¥Ò»ÁбíÀ´¾Ü¾øµ½¶à¸ö·þÎñµÄʹÓÃȨÏÞ¡£

Èç¹û¹ÜÀíÔ±ÏëÒª¾Ü¾øµ½¶à¸ö·þÎñµÄʹÓÃȨÏÞ£¬ËûÒ²¿ÉÒÔÔÚ PAM ÅäÖ÷þÎñ£¨Èç /etc/pam.d/pop ºÍÓÃÓÚÓʼþ·þÎñµÄ /etc/pam.d/imap¡¢»òÓÃÓÚ SSH ¿Í»§µÄ /etc/pam.d/ssh£©ÖÐÌí¼ÓÏàËƵÄÒ»ÐС£

¹ØÓÚ PAM µÄÏêÇ飬Çë²ÎÔÄ¡¶ºìñÆóÒµ Linux ²Î¿¼Ö¸ÄÏ¡·µÄ¡°¿É²åÈëÑé֤ģ¿é£¨PAM£©¡±ÕâÒ»Õ¡£

4.4.3.1. su ÃüÁî

¼üÈë su ÃüÁîºó£¬Óû§»á±»ÌáʾÊäÈë¸ù¿ÚÁ¾­ÑéÖ¤ºó£¬Ëû¾Í»áµÃµ½Ò»¸ö¸ù shell Ìáʾ¡£

ͨ¹ý su ÃüÁîµÇ¼ºó£¬Óû§¾Í³ÉΪ¸ùÓû§£¬²¢ÇÒ¶ÔϵͳÓоø¶ÔµÄ¹ÜÀíȨ¡£´ËÍ⣬һµ©Óû§³ÉΪ¸ùÓû§£¬Ëû»¹¿ÉÒÔʹÓà su ÃüÁîÀ´±ä³ÉϵͳÉϵÄÁíÒ»¸öÓû§¶ø²»±ØÊäÈë¿ÚÁî¡£

ÒòΪ¸Ã³ÌÐò·Ç³£Ç¿´ó£¬»ú¹¹ÄڵĹÜÀíÔ±¿ÉÄÜÏëÏÞÖÆÄܹ»Ê¹ÓÃÕâ¸öÃüÁîµÄÈËÔ±¡£

×î¼òµ¥µÄ·½·¨ÊÇ°ÑÓû§Ìí¼Óµ½Ò»¸ö½Ð×ö wheel µÄÌØÊâ¹ÜÀí×éȺ¡£ÒªÕâô×ö£¬ÒÔ¸ùÓû§Éí·Ý¼üÈëÒÔÏÂÃüÁ

usermod -G wheel <username>

ÔÚÇ°ÃæµÄÃüÁîÖУ¬°Ñ <username> Ìæ»»³É±»Ìí¼Óµ½ wheel ×éȺÖеÄÓû§Ãû¡£

ʹÓÃÓû§¹ÜÀíÆ÷¿ÉÒÔͬÑù´ïµ½Õâ¸öÄ¿µÄ¡£µã»÷Ãæ°åÉϵġ¸Ö÷²Ëµ¥¡¹=> ¡¸ÏµÍ³ÉèÖá¹ => ¡¸Óû§ºÍ×éȺ¡¹£¬»òÔÚ shell ÌáʾϼüÈë system-config-users ÃüÁѡÔñ¡¸Óû§¡¹»îÒ³±êÇ©£¬´ÓÓû§ÁбíÖÐÑ¡Ôñ¸ÃÓû§£¬È»ºóµã»÷°´Å¥²Ëµ¥Éϵġ¸ÊôÐÔ¡¹£¨»ò´ÓÀ­Ï²˵¥ÖÐÑ¡Ôñ¡¸Îļþ¡¹=> ¡¸ÊôÐÔ¡¹£©¡£

È»ºóÑ¡Ôñ¡¸×éȺ¡¹»îÒ³±êÇ©£¬µã»÷ wheel ×éȺ£¬Èçͼ 4-2Ëùʾ¡£

ÏÂÒ»²½£¬ÔÚÎı¾±à¼­Æ÷Öдò¿ª su£¨/etc/pam.d/su£©µÄ PAM ÅäÖÃÎļþ£¬É¾³ýÒÔÏÂÐеÄ×¢ÊÍ·ûºÅ [#]£º

auth  required /lib/security/$ISA/pam_wheel.so use_uid

Õâô×ö»áÖ»ÔÊÐí¹ÜÀíÐÔ×éȺ wheel ʹÓøóÌÐò¡£

	×¢¼Ç
	¸ùÓû§ÊÇĬÈ쵀 wheel ×éȺ³ÉÔ±¡£

4.4.3.2. sudo ÃüÁî

sudo ÃüÁîÌṩÁËÁíÒ»ÖÖÊÚÓèÓû§¹ÜÀíȨÏ޵ķ½·¨¡£µ±¿ÉÐÅÈεÄÓû§ÔÚ¹ÜÀíÃüÁîÇ°¼ÓÒ»¸ö sudo ÃüÁÕâ¸öÓû§¾Í»á±»ÌáʾÊäÈëËû×Ô¼ºµÄ¿ÚÁî¡£ÑéÖ¤ºó£¬¼Ù¶¨Õâ¸öÃüÁî±»×¼ÐíÖ´ÐУ¬Ëü¾Í»áÒÔ¸ùÓû§Éí·ÝÖ´ÐС£

sudo ÃüÁîµÄ»ù±¾¸ñʽÈçÏ£º

sudo <command>

ÔÚÉÏÃæµÄÀý×ÓÖУ¬<command> Ó¦¸Ã±»Ì滻Ϊͨ³£±£Áô¸ø¸ùÓû§Ê¹ÓõÄÃüÁÈç mount¡£

	ÖØÒª
	sudo ÃüÁîµÄÓû§Ó¦¸ÃÔÚÀ뿪ËûÃǵĻúÆ÷Ç°ÌرðÁôÒâÒ»ÏÂ×Ô¼ºÊÇ·ñÒѾ­Í˳ö£¬ÒòΪÕâЩÓû§¿ÉÒÔÔÚÎå·ÖÖÓÖ®ÄÚÔÙ´ÎʹÓÃÕâ¸öÃüÁî¶ø²»±ØÊäÈë¿ÚÁî¡£¸ÃÉèÖÿÉÒÔͨ¹ýÐÞ¸ÄÅäÖÃÎļþ /etc/sudoers À´¸Ä±ä¡£

sudo ÃüÁîÌṩÁ˸߶ȵÄÁé»îÐÔ¡£ÀýÈ磬ֻÓÐÁоÙÔÚ /etc/sudoers ÅäÖÃÎļþÖеÄÓû§±»ÔÊÐíʹÓà sudo ÃüÁ²¢ÇÒÃüÁîÊÇÔÚÓû§µÄ¶ø²»ÊǸùµÄ shell Öб»Ö´ÐС£ÕâÒâζןù shell ¿ÉÒÔ±»ÍêÈ«½ûÓã¬ÈçµÚ 4.4.2.1 ½ÚËùʾ¡£

sudo ÃüÁÌṩÁËÍêÕûµÄÉóºËÇþµÀ¡£Ã¿´Î³É¹¦µÄÑéÖ¤¶¼±»¼Ç¼ÔÚ /var/log/messages ÎļþÖУ¬ËùʹÓõÄÃüÁîÒÔ¼°Ê¹ÓÃÕßµÄÓû§Ãû±»¼Ç¼ÔÚ/var/log/secure ÎļþÖС£

sudo ÃüÁîµÄÁíÒ»¸öÓÅÔ½ÐÔÊÇ£¬¹ÜÀíÔ±¿ÉÒÔ¸ù¾ÝÐèÒª¸ø²»Í¬µÄÓû§ÒÔ²»Í¬µÄÃüÁîʹÓÃȨÏÞ¡£

Ïë±à¼­ sudo ÅäÖÃÎļþ /etc/sudoers µÄ¹ÜÀíÔ±Ó¦¸ÃʹÓà visudo ÃüÁî¡£

Òª¸øijÈËÒÔÍêÈ«µÄ¹ÜÀíȨÏÞ£¬¼üÈë visudo£¬È»ºóÔÚÓû§ÌØȨ¹æ¶¨²¿·ÖÌí¼ÓºÍÒÔÏÂÏàËƵÄÒ»ÐУº

juan ALL=(ALL) ALL

Õâ¸öÀý×Ó±íÃ÷£¬Óû§ juan ¿ÉÒÔÔÚÈκÎÖ÷»úÉÏʹÓà sudo À´Ö´ÐÐÈκÎÃüÁî¡£

ÒÔϵÄÀý×ÓÏÔʾÁË sudo ÅäÖ÷½ÃæµÄ¿ÉÉìËõÐÔ£º

%users  localhost=/sbin/shutdown -h now

Õâ¸öÀý×Ó±íÃ÷£¬Ö»ÒªÊÇ´Ó¿ØÖÆ̨ʹÓã¬ÈκÎÓû§¶¼¿ÉÒÔʹÓà /sbin/shutdown -h now ÃüÁî¡£

sudoers µÄ˵Ã÷ÊéÒ³ÖÐÓÐÒ»¸ö¸ÃÎļþÑ¡ÏîµÄÏêϸÁÐ±í¡£