登录规范：

1、登录的时候先登录普通用户，没事不允许登录root

只有执行的任务需要root权限才允许登录root

用su来管理，必须知道root密码。安全隐患

需求：

1、不用知道root密码还能管理服务器

2、最小化管理服务器，想关机就只给halt权限

sudo命令：可以实现最小化的权限（单个命令），执行命令时拥有root用户的权限

SUID 针对的是命令，任何用户执行命令都有root身份。任何用户：模糊

sudo是针对用户，给某个用户以root身份执行某个命令。指定用户：具体

如何编辑配置sudo？

sudo是一个提权的命令（对应权限是通过读取etc/sudoers文件实现的）

配置/etc/sudoers可以使用visudo命令或者直接编辑这个文件

工作中如何登陆？使永普通用户登录后利用sudo提权到root

sudo命令：

可以以最小化的权限（单个命令），执行命令时拥有root用户的权限

SUID 针对命令，任何用户执行命令都有root身份。    任何用户执行某个命令：模糊

SUDO 针对用户，给某个用户以root身份执行某个命令。指定用户执行某个命令：具体。

如何编辑配置sudo？

sudo是一个提权的命令（对应权限通过读取/etc/sudoers（严格语法）文件实现的）

配置/etc/sudoers可以使用visudo命令，或vim /etc/sudoers（不推荐）

[root@oldboyedu ~]# chage -l oldboy

Last password change : Oct 07, 2020

Password expires : never

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 99999

Number of days of warning before password expires : 7

[root@oldboyedu ~]# chage -E "2020/10/1" oldboy

[root@oldboyedu ~]# chage -l oldboy

Last password change : Oct 07, 2020

Password expires : never

Password inactive : never

Account expires : Oct 01, 2020

Minimum number of days between password change : 0

Maximum number of days between password change : 99999

Number of days of warning before password expires : 7

范例14-17：创建新用户range,要求该用户7天内不能更改密码，

60天以后必须修改密码，过期前10天通知用户，过期后30天后禁止用户登录。

chage -m7 -M60 -W10 -I30 oldboy

联系英文：

Options:

  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY

  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE

  -h, --help                    display this help message and exit

  -I, --inactive INACTIVE       set password inactive after expiration

                                to INACTIVE

  -l, --list                    show account aging information

  -m, --mindays MIN_DAYS        set minimum number of days before password

                                change to MIN_DAYS

  -M, --maxdays MAX_DAYS        set maximim number of days before password

                                change to MAX_DAYS

  -R, --root CHROOT_DIR         directory to chroot into

  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

[root@oldboyedu ~]# chage -l oldboy

Last password change : Oct 07, 2020

Password expires : never

Password inactive : never

Account expires : Oct 01, 2020

Minimum number of days between password change : 0

Maximum number of days between password change : 99999

Number of days of warning before password expires : 7

You have new mail in /var/spool/mail/root

[root@oldboyedu ~]# chage -m7 -M60 -W10 -I30 oldboy

[root@oldboyedu ~]# chage -l oldboy

Last password change : Oct 07, 2020

Password expires : Dec 06, 2020

Password inactive : Jan 05, 2021

Account expires : Oct 01, 2020

Minimum number of days between password change : 7

Maximum number of days between password change : 60

Number of days of warning before password expires : 10

passwd -n70 -x600 -w100 -i300 oldboy

[root@oldboyedu ~]# passwd -n70 -x600 -w100 -i300 oldboy

Adjusting aging data for user oldboy.

passwd: Success

You have new mail in /var/spool/mail/root

[root@oldboyedu ~]# chage -l oldboy

Last password change : Oct 07, 2020

Password expires : May 30, 2022

Password inactive : Mar 26, 2023

Account expires : Oct 01, 2020

Minimum number of days between password change : 70

Maximum number of days between password change : 600

Number of days of warning before password expires : 100

-n, --minimum DAYS

              This  will  set  the  minimum password lifetime, in days, if the user's account supports password life‐

              times.  Available to root only.

-x, --maximum DAYS

              This will set the maximum password lifetime, in days, if the user's  account  supports  password  life‐

              times.  Available to root only.

-w, --warning DAYS

              This  will  set  the number of days in advance the user will begin receiving warnings that her password

              will expire, if the user's account supports password lifetimes.  Available to root only.

-i, --inactive DAYS

 [root@oldboyedu ~]# su - oldboy -c pwd

/home/oldboy

[root@oldboyedu ~]# su - oldboy -c whoami

oldboy 

[oldboy@oldboyedu ~]$ ls /root

ls: cannot open directory /root: Permission denied

完成上面的动作。

给oldboy用户，针对ls设置权限。

visudo进入编辑状态，100G

## Allow root to run any commands anywhere

root    ALL=(ALL)        ALL

oldboy  ALL=(ALL)        /usr/bin/ls   #<===增加一行

用户        主机=（角色）       命令

[root@oldboyedu ~]# su - oldboy

Last login: Tue Mar 26 10:44:08 CST 2019 on pts/3

[oldboy@oldboyedu ~]$ ls /root

ls: cannot open directory /root: Permission denied

[oldboy@oldboyedu ~]$ sudo -l

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

[sudo] password for oldboy: 

Matching Defaults entries for oldboy on oldboyedu:

User oldboy may run the following commands on oldboyedu:

    (ALL) /bin/ls

[oldboy@oldboyedu ~]$ sudo ls /root

a.txt  c.txt  data1  etc       oldboy      oldboy_b     oldboy_soft_link  pass  test.txt   user.log

b.txt  d      d.txt  grep.txt  oldboy_1.txt  oldboyedu.txt  oldboy.txt       test  test.txt.ori

[oldboy@oldboyedu ~]$ ls /root

ls: cannot open directory /root: Permission denied

[oldboy@oldboyedu ~]$