1：限制用户执行指定的命令2：记录用户执行的每一条命令3：验证过密码后5分钟（默认值）内无需再让用户验证密码，更加方便。

     1  ## Sudoers allows particular users to run various commands as     2  ## the root user, without needing the root password.     3  ##     4  ## Examples are provided at the bottom of the file for collections     5  ## of related commands, which can then be delegated out to particular     6  ## users or groups.     7  ##     8  ## This file must be edited with the ‘visudo‘ command.     9    10  ## Host Aliases    11  ## Groups of machines. You may prefer to use hostnames (perhaps using    12  ## wildcards for entire domains) or IP addresses instead.    13  # Host_Alias     FILESERVERS = fs1, fs2    14  # Host_Alias     MAILSERVERS = smtp, smtp2    15    16  ## User Aliases    17  ## These aren‘t often necessary, as you can use regular groups    18  ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname    19  ## rather than USERALIAS    20  # User_Alias ADMINS = jsmith, mikem    21    22    23  ## Command Aliases    24  ## These are groups of related commands...    25    26  ## Networking    27  # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool    28    29  ## Installation and management of software    30  # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum    31    32  ## Services    33  # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable    34    35  ## Updating the locate database    36  # Cmnd_Alias LOCATE = /usr/bin/updatedb    37    38  ## Storage    39  # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount    40    41  ## Delegating permissions    42  # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp    43    44  ## Processes    45  # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall    46    47  ## Drivers    48  # Cmnd_Alias DRIVERS = /sbin/modprobe    49    50  # Defaults specification    51    52  #    53  # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.    54  #         You have to run "ssh -t hostname sudo <cmd>".    55  #    56  Defaults    requiretty    57    58  #    59  # Refuse to run if unable to disable echo on the tty. This setting should also be    60  # changed in order to be able to use sudo without a tty. See requiretty above.    61  #    62  Defaults   !visiblepw    63    64  #    65  # Preserving HOME has security implications since many programs    66  # use it when searching for configuration files. Note that HOME    67  # is already set when the the env_reset option is enabled, so    68  # this option is only effective for configurations where either    69  # env_reset is disabled or HOME is present in the env_keep list.    70  #    71  Defaults    always_set_home    72    73  Defaults    env_reset    74  Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"    75  Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"    76  Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"    77  Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"    78  Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"    79    80  #    81  # Adding HOME to env_keep may enable a user to run unrestricted    82  # commands via sudo.    83  #    84  # Defaults   env_keep += "HOME"    85    86  Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin    87    88  ## Next comes the main part: which users can run what software on    89  ## which machines (the sudoers file can be shared between multiple    90  ## systems).    91  ## Syntax:    92  ##    93  ##      user    MACHINE=COMMANDS    94  ##    95  ## The COMMANDS section may have other options added to it.    96  ##    97  ## Allow root to run any commands anywhere    98  root    ALL=(ALL)       ALL    99  pentest ALL=(ALL)       ALL   100  ## Allows members of the ‘sys‘ group to run networking, software,   101  ## service management apps and more.   102  # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS   103   104  ## Allows people in group wheel to run all commands   105  %wheel  ALL=(ALL)       ALL   106   107  ## Same thing without a password   108  # %wheel        ALL=(ALL)       NOPASSWD: ALL   109   110  ## Allows members of the users group to mount and unmount the   111  ## cdrom as root   112  # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom   113   114  ## Allows members of the users group to shutdown this system   115  # %users  localhost=/sbin/shutdown -h now   116   117  ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)   118  #includedir /etc/sudoers.d[root@localhost ~]#

[root@localhost ~]# su - pentest上一次登录：五 9月  9 13:29:34 CST 2016pts/1 上[pentest@localhost ~]$ sudo -l[sudo] password for pentest:匹配此主机上 pentest 的默认条目：    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin用户 pentest 可以在该主机上运行以下命令：    (ALL) ALL

[pentest@localhost ~]$ ls /root/ls: 无法打开目录/root/: 权限不够[pentest@localhost ~]$ sudo ls /root/[sudo] password for pentest:anaconda-ks.cfg       testA  testC  公共  视频  文档  音乐initial-setup-ks.cfg  testB  yum    模板  图片  下载  桌面[pentest@localhost ~]$

pentest用户先以普通权限cat文件/etc/shadow发现权限不够
[pentest@localhost ~]$ cat /etc/shadowcat: /etc/shadow: 权限不够

切换至root用户给予pentest用户cat权限[pentest@localhost ~]$ su - root密码：上一次登录：五 9月  9 14:12:10 CST 2016pts/1 上[root@localhost ~]# visudo[root@localhost ~]# su - pentest上一次登录：五 9月  9 14:12:30 CST 2016pts/1、 上

赋予执行cat权限
[root@localhost ~]# visudo
root    ALL=(ALL)       ALL
pentest ALL=(root)      /bin/cat

继续使用普通cat确认是否可以查看/etc/shadow提示权限不够[pentest@localhost ~]$ cat /etc/shadowcat: /etc/shadow: 权限不够

使用sudo cat查看/etc/shadow发现可以查看了。[pentest@localhost ~]$ sudo cat /etc/shadowroot:$6$Y6LHG5EEAGs3JMUM$jcEE.RZgMF9mO/xiPVA522l1Ek8JZ2Nkl.9nCBuiUWAH/.F84Kj6XyNxbuecW1M4BNGpryB/10Ncp.EGu9VhZ/::0:99999:7:::bin:*:16579:0:99999:7:::daemon:*:16579:0:99999:7:::adm:*:16579:0:99999:7:::lp:*:16579:0:99999:7:::sync:*:16579:0:99999:7:::shutdown:*:16579:0:99999:7:::halt:*:16579:0:99999:7:::mail:*:16579:0:99999:7:::operator:*:16579:0:99999:7:::games:*:16579:0:99999:7:::ftp:*:16579:0:99999:7:::nobody:*:16579:0:99999:7:::avahi-autoipd:!!:17050::::::ods:!!:17050::::::pegasus:!!:17050::::::systemd-bus-proxy:!!:17050::::::systemd-network:!!:17050::::::dbus:!!:17050::::::polkitd:!!:17050::::::sssd:!!:17050::::::colord:!!:17050::::::apache:!!:17050::::::tss:!!:17050::::::unbound:!!:17050::::::usbmuxd:!!:17050::::::abrt:!!:17050::::::amandabackup:!!:17050::::::saslauth:!!:17050::::::libstoragemgmt:!!:17050::::::geoclue:!!:17050::::::memcached:!!:17050::::::rpc:!!:17050:0:99999:7:::postfix:!!:17050::::::setroubleshoot:!!:17050::::::rtkit:!!:17050::::::chrony:!!:17050::::::mysql:!!:17050::::::qemu:!!:17050::::::ntp:!!:17050::::::rpcuser:!!:17050::::::nfsnobody:!!:17050::::::radvd:!!:17050::::::named:!!:17050::::::pcp:!!:17050::::::pulse:!!:17050::::::hsqldb:!!:17050::::::tomcat:!!:17050::::::pkiuser:!!:17050::::::gdm:!!:17050::::::gnome-initial-setup:!!:17050::::::avahi:!!:17050::::::postgres:!!:17050::::::dovecot:!!:17050::::::dovenull:!!:17050::::::sshd:!!:17050::::::oprofile:!!:17050::::::tcpdump:!!:17050::::::pentest:$6$6U3Z2n.sd63M32ZS$tzQJg852/1G3Mw7uv1.Ipbh.lOusvfd47Ih52xxku7okBBb/nu.Vn5V4mB50SSCMfaspqeGSDLcPM7XdgLE2w/::0:99999:7:::[pentest@localhost ~]$