该 /etc/sudoers 文件的权限管理很完善，覆盖了 Linux 中的各种命令、各种 shell、编辑器等等，在此留作以后参考。
# This file MUST be edited with the 'visudo' command as root.
#
# Modification History
# 09-30-2014 CH10258614 Global Compliance changes with new Include lists
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Defaults specification
#Sets up the sudo log file.
#>> This isn't required, per documentation 'default' is to log via syslog
#>> which is certainly fine. This item was left in, as much as anything,
#>> to serve as a reminder that some 'per account ' customization is
#>> permitted, and may even be very important based on customer requirements.
# NOTE(review): 'logfile' adds a local file trail on top of syslog; it does
# not replace it. Keep the file root-only and forward it off-host, because a
# log that exists only on this machine can be altered by anyone who reaches
# root through the entries further down.
Defaults logfile=/var/log/sudo.log
#>> The 'NA sudoers standard template' below content comes from
#>> https://ibm.biz/NAsudoTemplates
#>> entry: 201_NArevStandAliases_NA
#>> with customizations of:
#>> Eliminating change control information (most comments 'may' be removed,
#>> but do NOT eliminate the Begin / End comments).
#>> Eliminated 'sample' #include lines, which cause syntax errors.
#>> Commented out:
# Defaults!IBM_SHELLESCAPE_ALL noexec
#>> as, for this example, the commercial customer has not approved
#>> this entry. Note: IBM Internal customers must accept this entry.
#>>
# Begin NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 Begin
#
# Description Standard sudoers template
#
# Version control
# [ deleted version control data for conciseness, for details see pRAM ]
#------------------------------------------------------------------------------
# Sudo implementation team instruction:
# This special template is NOT to be
# included. Instead, this template
# has content which must, for functional purposes, be 'spread over' the
# entire span of the /etc/sudoers file.
# For instance, the
# Defaults env_file=/etc/sudo.env
# line should be 'early' in the file, while the line:
# ALL ALL=!SUDOSUDO
# needs to be after the last 'additive' sudo entry to ensure all sudo entries
# are appropriately protected.
#
#------------------------------------------------------------------------------
# Defaults
#------------------------------------------------------------------------------
#
# The following entries are required if you allow users to run
# smit / smitty on AIX:
#
# For sudo 1.7.0 and up, include the following entries in the
# /etc/sudo.env file:
# SMIT_SHELL=n
# SMIT_SEMI_COLON=n
# SMIT_QUOTE=n
# and define the sudo environment file within /etc/sudoers (or an included
# file) via:
# Note: if you are using a sudo level older than 1.7.0 on AIX,
# contact 'Sudo Deployment AG/Hartford/IBM,' for guidance.
# Defaults env_file=/etc/sudo.env # Includes the sudo environment file
#
#
#-----------------------------------------------------------------------------
#
# The following entry is only required if you are using a secondary logging
# method which cannot capture commands issued in shell outs.
# This will help ensure that commands with shell outs are
# appropriately controlled:
# Defaults!IBM_SHELLESCAPE_ALL noexec
### Account notes: This commercial customer has not approved this entry, and
### thus this entry has been commented out.
# CAUTION: This affects all entries; ensure your customer is aware this is being
# added on first implementation, and appropriate testing is done.
#
#-----------------------------------------------------------------------------
# User Aliases
#-----------------------------------------------------------------------------
# Add any 'in line' User_Alias here.
#
#-----------------------------------------------------------------------------
# Host Aliases
#-----------------------------------------------------------------------------
# Add any 'in line' Host_Alias here.
#
#
#-----------------------------------------------------------------------------
# Required Command Aliases
#-----------------------------------------------------------------------------
#
# sudo
#
# Used only in negation at the bottom of this file ('ALL ALL=!SUDOSUDO') so
# that no entry lets a user run sudo from inside sudo.
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
#
# Fully qualified commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local paths.
#
# Forbidden commands: Commands only system admin might be permitted.
#
# NOTE(review): IBM_NONE_ALL (and the IBM_NONE_SA / IBM_SHELLS_ALL /
# IBM_SHELLESCAPE_ALL / IBM_NONE_EDITOR aliases that follow) are deny-lists
# meant to be referenced as '!ALIAS' in a user spec. sudoers(5) documents that
# subtracting commands from ALL by path and argument pattern is not a reliable
# boundary, and that argument wildcards match the command line as one string,
# so patterns such as '/bin/chmod * /*' can match more or less than intended.
# Treat these aliases as defence in depth; the real control is positively
# granted, argument-restricted commands plus logging. Within this file no user
# spec references IBM_NONE_ALL; files under /etc/sudoers.d included below may.
Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, \
    /bin/bash2bug, /usr/bin/bash2bug, \
    /usr/bin/chuser *root*, /usr/bin/mkuser, \
    /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, \
    /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, \
    /usr/bin/view *sudo*, /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, \
    /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, \
    /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, \
    /usr/bin/vi /etc/security/passwd*, \
    /bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, \
    /bin/vi /etc/security/passwd*, \
    /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \
    /usr/sbin/sam, \
    /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, \
    /usr/bin/hostname, /usr/sbin/chdev *hostname*, \
    /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, \
    /bin/chmod * /root/*, /bin/chmod * /*, \
    /bin/chown * /etc/*, /bin/chown * /etc/security/*, \
    /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, \
    /bin/chown * /usr/local/sbin/visudo, \
    /bin/time *, /usr/bin/time *
# If you remove anything you need to provide documentation, rationale and
# secondary controls if required; if an alternative -technical- control
# is in place, document.
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# It is permissible to hard code these to the exact directory structure where
# the commands are present on the system if installed in a different location.
#
# su commands
#
# Covers plain 'su' and 'su root' only; the login-shell forms 'su -' and
# 'su - root' are listed separately in IBM_UNIX_SA_CMDS further down.
# Not referenced by any user spec in this file.
Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, \
    /bin/su, /bin/su root
# if you remove anything you need to provide documentation, rationale and
# secondary controls if required; if an alternative -technical- control is
# in place, document.
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
#
# Shells
#
# NOTE(review): a deny-list of shell paths only matches these exact paths.
# sudoers(5) warns that denying shells this way is not a reliable boundary;
# pair it with 'noexec' on escape-capable commands and with command logging.
# Not referenced by any user spec in this file.
Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, \
    /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, \
    /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , \
    /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , \
    /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, \
    /bin/pfcsh, /usr/bin/pfcsh , \
    /bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, \
    /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, \
    /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, \
    /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , \
    /usr/shell, /usr/bin/shell, \
    /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, \
    /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, \
    /usr/opt/freeware/bin/tclsh8.4, \
    /bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , \
    /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, \
    /bin/wish8.4, /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, \
    /usr/opt/freeware/bin/wish8.4, \
    /bin/wishx, /usr/bin/wishx, \
    /bin/zsh, /usr/bin/zsh
# Shells not present on the server are not required to be in this list.
# Shells on this list that do not exist on the servers have no impact.
# Add any local shells.
#
# Shell Escapes
#
# Commands that can spawn a shell or run other programs from inside. The only
# reference to this alias in this file is the commented-out
# 'Defaults!IBM_SHELLESCAPE_ALL noexec' line above, so as written no noexec
# restriction is applied from this file. /bin/ex is listed twice (harmless).
Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, \
    /usr/bin/bash2bug, /usr/bin/bashbug, \
    /usr/bin/find * -exec *, /usr/bin/find * -ok *, \
    /bin/find * -exec *, /bin/find * -ok *, \
    /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \
    /bin/find * -execdir *, /bin/find * -okdir *, \
    /bin/ftp, /usr/bin/ftp, \
    /bin/ex, /usr/bin/ex, /usr/bin/less, /usr/bin/more, /bin/pg, /usr/bin/pg, \
    /usr/bin/vi, /bin/vi, /bin/ex, /bin/view, /bin/gvim, /bin/gview, /bin/evim, \
    /bin/eview, /bin/vimdiff, /bin/vim, /usr/bin/vim, /usr/bin/ex, \
    /usr/bin/view, /usr/bin/gvim, \
    /usr/bin/gview, /usr/bin/evim, /usr/bin/eview, /usr/bin/vimdiff, \
    /bin/more
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local commands.
#
#
# Disallowed editors
#
# Overlaps with IBM_SHELLESCAPE_ALL (vi/vim/view/ed variants); kept as a
# separate deny-list alias. Not referenced by any user spec in this file.
Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, \
    /bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, /usr/bin/vim, \
    /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, \
    /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi
#
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local commands.
#--------------------------------------------------------------------------------
#
# IBM SA command Aliases
#
# Login-shell su to root: granting this is equivalent to an interactive root
# session, which is why the template ties it to secondary logging below.
Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, \
    /bin/su - root
# This Cmnd_Alias can only be used if secondary logging is in place on the server.
#
#
## END 'top' part of 201_NArevStandAliases_NA
#>> The 'NA System Admin' below content comes from
#>> https://ibm.biz/NAsudoTemplates
#>> entry: 201_SystemAdmin_NA
#>> with the only customization being to set to the 'local' group used by the
#>> SA team:
#>> User_Alias IBM_SA_BAU = %uss
#>>
## Begin NA System Admin Ver 1.2.2 Date 2014-07-15 * Master * Refer NA1001415501 Begin
#
# Description
# Software products and versions
# Supported OS platforms : All Unix/Linux variants.
# This sudo profile is the 'typical' system admin sudo entry
# where secondary logging is in use. This entry is only to
# be used where secondary logging 'like' the methods
# documented on: https://ibm.biz/NAsudo2log
# are in use. The implementing team is responsible to ensure the
# logging methodology works in their environment. If secondary
# logging is not in use, then the SA team must request an
# 'account-level' override exception.
#
# Self serve access considerations are 'Not applicable' for this template
#
#
# Use of this IBM approved standard template must follow NA
# Sudo deployment requirements.
# Local adjustments, excepting the Host_Alias (for any needed
# segregation of hosts) and User_Alias (to identify the local
# group name in use) for specific customer environments
# must be approved by 'Sudo Deployment AG/Hartford/IBM'
#
#
# Version control
# V1.0 - highc@us.ibm.com - new template
# V1.1 - highc - add IBM_SA_AIXSMIT materials to allow for
# system admins to use smit with appropriate logging.
# V1.2 - highc - based on v7.1 of standard aliases https://ibm.biz/GsudoStdAlias
# being released, remove 'EXEC: smit' type lines.
# Be certain to include the SMIT_SHELL=n materials from
# v7.1 of the standard aliases on AIX systems.
# V1.2.1 - highc - fix syntax/line continuation error.
# V1.2.2 - highc - adjust user alias to better conform to global standard.
#
# BEGIN the Middleware templates relevant for the server
# NOTE: '#include' is a sudo directive, not a comment. Each file below is
# parsed with the same authority as /etc/sudoers, so it must be root-owned,
# not group/world-writable, and checked with 'visudo -c' after any change.
# The aliases defined above are not referenced by any user spec in this file;
# if they are used at all, it is inside these included files. The
# 'NA System Admin' template announced above (User_Alias IBM_SA_BAU) does not
# appear in this listing either — presumably it lives in one of these
# includes; confirm.
#include /etc/sudoers.d/010_STD_NEG_GLB
#include /etc/sudoers.d/010_STD_SA_GLB
#include /etc/sudoers.d/102_AWS_GLB
#include /etc/sudoers.d/108_ORACLE_GLB
#include /etc/sudoers.d/113_TEM_GLB
#include /etc/sudoers.d/118_TSM_GLB
#include /etc/sudoers.d/120_WAS_GLB
#include /etc/sudoers.d/123_AE_GLB
#include /etc/sudoers.d/205_ITIMEPAIGANA_LINUX_NA
#include /etc/sudoers.d/217_TADDMDISC_NA
#include /etc/sudoers.d/228_DGNAE_NA
#include /etc/sudoers.d/237_DB2_NA
#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_CPE_ADJ
#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_EPRICER_ADJ
#include /etc/sudoers.d/413_TEM_NA_IGA_AHE_ADJ
#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_CPE_ADJ
#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_EPRICER_ADJ
#include /etc/sudoers.d/460_SAMETIME_NA_IGA_LCL
#include /etc/sudoers.d/461_NUS_W_SSLINUX_NA_IGA_LCL
#include /etc/sudoers.d/461_ODCSISS_NA_IGA_LCL
#include /etc/sudoers.d/462_MKT_NA_IGA_LCL
#include /etc/sudoers.d/476_LDAP_DB2_IGA_NA_LCL
#include /etc/sudoers.d/481_NESSUS_NA_IGA_LCL
#include /etc/sudoers.d/489_AvocentDSView_NA_IGA_AHE_LCL
# END the Middleware templates relevant for the server
# NOTE(review): this include sits outside the BEGIN/END markers above; confirm
# that is intentional rather than a misplaced line.
#include /etc/sudoers.d/241_CHANGEMANAE_NA
# Start of CUSTOMER SECTION -------------------------------------------------
####
#>> Customer specific items have been removed from sample, but
#>> this would be any of your current content which are sudo entries
#>> for your customers.
####
# End of CUSTOMER SECTION -----------------------------------------------------
## Start of 'bottom' part of 201_NArevStandAliases_NA
#------------------------------------------------------------------------------
#
#
# NOTE(review): in the collapsed source it is not certain whether this
# User_Alias line was active or commented out; confirm against the original.
User_Alias ITIMADM5 = %itimadm
# NOTE(review): passwordless, and most commands carry no argument restriction.
# Unrestricted /bin/chmod, /bin/cp and /usr/bin/passwd as root are effectively
# full root; /bin/ed and /usr/bin/ed are listed in IBM_SHELLESCAPE_ALL and
# IBM_NONE_EDITOR above, and the noexec Defaults that would cover them is
# commented out. Prefer argument-restricted entries or a vetted wrapper
# script for the account-management use case this appears to serve.
ITIMADM5 ALL=NOPASSWD: /bin/cat, /bin/chmod, /bin/cp, /bin/kill, /bin/ls, \
    /usr/bin/chage, /bin/ed, /usr/bin/ed, /usr/bin/faillog, /usr/bin/groups, \
    /usr/bin/passwd, /usr/bin/tee, /usr/sbin/groupadd, /usr/sbin/groupdel, \
    /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
# NOTE(review): the backticks around the hostname are not valid sudoers host
# syntax and are probably formatting residue from the post; 'visudo -c' would
# be expected to reject this line as written — confirm.
Host_Alias LINUX101TO199HOSTLIST = `bhusprv024.bhprod.ibm.com`
# Numeric gids 101-199 ('%#gid' matches by gid). Each line repeats its x3
# entry (%#103, %#113, ...); duplicates are harmless but worth tidying.
User_Alias LINUXV6GRPS = %#101,%#102,%#103,%#103,%#104,%#105,%#106,%#107,%#108,%#109, \
    %#110,%#111,%#112,%#113,%#113,%#114,%#115,%#116,%#117,%#118,%#119, \
    %#120,%#121,%#122,%#123,%#123,%#124,%#125,%#126,%#127,%#128,%#129, \
    %#130,%#131,%#132,%#133,%#133,%#134,%#135,%#136,%#137,%#138,%#139, \
    %#140,%#141,%#142,%#143,%#143,%#144,%#145,%#146,%#147,%#148,%#149, \
    %#150,%#151,%#152,%#153,%#153,%#154,%#155,%#156,%#157,%#158,%#159, \
    %#160,%#161,%#162,%#163,%#163,%#164,%#165,%#166,%#167,%#168,%#169, \
    %#170,%#171,%#172,%#173,%#173,%#174,%#175,%#176,%#177,%#178,%#179, \
    %#180,%#181,%#182,%#183,%#183,%#184,%#185,%#186,%#187,%#188,%#189, \
    %#190,%#191,%#192,%#193,%#193,%#194,%#195,%#196,%#197,%#198,%#199
# Least-privilege example: df only, and only as 'nobody'.
LINUXV6GRPS LINUX101TO199HOSTLIST = (nobody) /bin/df
#
#Temp sudo access
# NOTE(review): both entries grant unrestricted root on every host (the second
# without a password) and bypass every alias above; sudoers has no expiry, so
# the removal date must be tracked outside this file. Password-less full root
# for a named user should be a deliberate, time-boxed exception.
ghkong ALL=(ALL) ALL
dfcosta0 ALL=(ALL) NOPASSWD:ALL
# The following line must be after the last 'additive' line in this file, only
# 'negations' and comments should follow this:
#
# Ordering matters: sudoers uses last match, so this negation only takes
# effect for entries that precede it. Per sudoers(5), a '!' exclusion is a
# path-pattern match, not a hard boundary.
ALL ALL=!SUDOSUDO
#
# End NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 End
#