我在Oracle Cloud免费版VM上创建了一个名为testacc的新用户账户。该账户是sudo组和testacc组的成员。禁用了密码登录,我使用公钥认证进行登录。
如果账户有密码,那么在使用sudo时需要输入密码。如果账户没有密码(通过sudo passwd -d testacc命令删除密码),则不需要为sudo输入密码。
运行sudo visudo命令明确显示sudo组中没有NOPASSWD:ALL条目。检查/etc/sudoers.d目录,发现只有ubuntu组有一个包含NOPASSWD:ALL的条目。
我不明白为什么我不需要输入密码。这绝对是我想要的功能-如果我使用SSH登录且没有设置用户密码,则不需要为sudo输入密码;但如果我配置了密码,则需要输入密码-但我不知道这实际上是在哪里配置的。
sudo -l 的输出结果
/etc/pam.d/sudo的输出
如果账户有密码,那么在使用sudo时需要输入密码。如果账户没有密码(通过sudo passwd -d testacc命令删除密码),则不需要为sudo输入密码。
运行sudo visudo命令明确显示sudo组中没有NOPASSWD:ALL条目。检查/etc/sudoers.d目录,发现只有ubuntu组有一个包含NOPASSWD:ALL的条目。
我不明白为什么我不需要输入密码。这绝对是我想要的功能-如果我使用SSH登录且没有设置用户密码,则不需要为sudo输入密码;但如果我配置了密码,则需要输入密码-但我不知道这实际上是在哪里配置的。
我所阅读的所有信息都与NOPASSWD: ALL
相关,但这个虚拟机明确地对该用户不适用。此外,当我使用另一个虚拟机并使用sudo passwd -d
取消密码时,由于它要求输入不存在的密码,我无法使用sudo。
这个究竟是如何工作的,我该如何设置我的系统,以便如果用户有密码,他们需要输入sudo
,但如果没有密码,就不要求输入密码?
谢谢
sudo -l 的输出结果
Matching Defaults entries for testacc on oracle:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User testacc may run the following commands on oracle:
(ALL : ALL) ALL
/etc/pam.d/sudo的输出
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
以root身份运行sudo -V的输出
Sudo version 1.8.31
Configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-exampledir=/usr/share/doc/sudo/examples --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --libexecdir=/usr/lib --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux --with-linux-audit --enable-tmpfiles.d=yes
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TZ
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
*=()*
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
BASHOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
PS2
PS1
PATH
LS_COLORS
KRB5CCNAME
HOSTNAME
DPKG_COLORS
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 0
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Local IP address and netmask pairs:
10.0.0.87/255.255.255.0
fe80::17ff:fe02:9bba/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.8.31
sudo -l
命令在testacc
用户下的输出是什么?以root用户身份运行sudo -V
命令的输出是什么?/etc/pam.d/sudo
文件包含什么内容? - murusudo passwd -d
命令缓存下来了吗(例如使用sudo -k
)? - steeldriver