Linux Learning 103: sudo, the Advanced Linux Authorization Mechanism, in Practice
I. sudo
1. sudo temporarily switches to another user's identity to perform an operation.
2. su: switch user
a. Switching users
(1) su -l user
(2) su -l user -c 'COMMAND'
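3. sudo:
a. Lets an authorized user run specified commands as another user
b. Authorization mechanism: the authorization file /etc/sudoers
    root ALL=(ALL) ALL    # the administrator can run any command with anyone's privileges
    %wheel ALL=(ALL) ALL
c. Dedicated command for editing this file: visudo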
d. Authorization entries
(1) who where=(whom) commands: lets who run commands as whom
(2) users hosts=(runas) commands
1) users:
    username
    #uid
    %groupname
    %#gid
    user_alias
Several users can be defined as one group of users, called a user alias, i.e. user_alias.
e. hosts:
(1) ip
(2) hostname
(3) NetAddr
(4) host_alias
f. runas:
    ...
    runas_alias
g. commands:
    command
    directory
    sudoedit: a special privilege that can be used to grant sudo privileges to other users
    cmnd_alias
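4. Defining aliases
a. ALIAS_TYPE NAME=item1,item2,item3,...
NAME: the alias name; it must be written entirely in uppercase characters
b. ALIAS_TYPE:
    User_Alias
    Host_Alias
    Runas_Alias
    Cmnd_Alias
c. For example
    User_Alias NETADMIN=tom,jerry
    # sudoers requires absolute paths for commands
    Cmnd_Alias NETCMND=/usr/sbin/ip,/usr/sbin/ifconfig,/usr/sbin/route
    NETADMIN localhost=(root) NETCMND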
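5. The sudo command:
a. Ticket mechanism: sudo remembers a successful authentication for a period of time, 5 minutes by default
b. Running a specified command through sudo
    sudo [options] COMMAND
    -l command: list the commands the user can run
    -k: clear the previously cached successful authentication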
6. /etc/sudoers usage example
    Cmnd_Alias USERADMINCMNDS = /usr/sbin/useradd,/usr/sbin/usermod,/usr/bin/passwd [a-z]*,!/usr/bin/passwd root
The line above allows changing anyone's password, but not root's.
    User_Alias USERADMIN = bob,alice
    USERADMIN ALL=(root) USERADMINCMNDS
7. Common tags:
    NOPASSWD
    PASSWD
8. Examples
a. First we create the user fedora and set its password
    [root@node3 /]# useradd fedora
    [root@node3 /]# echo "123456" |passwd --stdin fedora
    Changing password for user fedora.
    passwd: all authentication tokens updated successfully.
b. Next we edit the configuration file /etc/sudoers. Note that if this file ends up with a format error while you are editing it, you cannot exit; so we can also use the visudo command, which opens /etc/sudoers automatically and warns you when the edit contains a format error. Now we edit the configuration to allow user fedora to run /usr/sbin/useradd as root.
(1) Configuration
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    %wheel ALL=(ALL) ALL
    fedora ALL=(ALL) /usr/sbin/useradd    # allow user fedora to run /usr/sbin/useradd as root
(2) We switch to user fedora. Running useradd directly is denied, but running it through sudo works.
    [root@node3 /]# su - fedora
    [fedora@node3 ~]$ useradd user1
    -bash: /usr/sbin/useradd: Permission denied
    [fedora@node3 ~]$ sudo useradd user1

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for fedora:
    [fedora@node3 ~]$ tail -1 /etc/passwd
    user1:x:5005:5005::/home/user1:/bin/bash
(3) In the same way we can also give user fedora the right to delete users. Notice that the first time we have to enter fedora's password and the second time we do not. This is because once the first verification passes, sudo remembers it for 5 minutes; after more than 5 minutes the password has to be entered again.
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    %wheel ALL=(ALL) ALL
    fedora ALL=(ALL) /usr/sbin/useradd,/usr/sbin/userdel
    [root@node3 /]# su - fedora
    Last login: Tue Jun 9 13:41:32 CST 2020 on pts/0
    [fedora@node3 ~]$ userdel -r user1
    -bash: /usr/sbin/userdel: Permission denied
    [fedora@node3 ~]$ sudo userdel -r user1
(4) We can use sudo -k to clear what was recorded, so that our regular user has to enter the password again for sudo operations.
    [fedora@node3 ~]$ sudo -k
(5) We can use sudo -l to see which commands the current user can run through sudo
    [fedora@node3 ~]$ sudo -l
    [sudo] password for fedora:
    Matching Defaults entries for fedora on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User fedora may run the following commands on node3:
        (ALL) /usr/sbin/useradd, /usr/sbin/userdel
(6) Why can root run every command? We can look at the entry for root in the configuration file.
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL      # the root user can run all commands as anyone
    %wheel ALL=(ALL) ALL    # %wheel means the users in the wheel group can run all commands as anyone
    fedora ALL=(ALL) /usr/sbin/useradd,/usr/sbin/userdel
(7) Now we add user fedora to the wheel group and find that it too can run all commands
    [root@node3 /]# usermod -a -G wheel fedora
    [root@node3 /]# id fedora
    uid=5004(fedora) gid=5004(fedora) groups=5004(fedora),10(wheel)
Later I found that what is required is that the regular user's primary group be wheel. So we need to temporarily switch fedora's group to wheel, and then we find that it works.
    [fedora@node3 ~]$ newgrp wheel
    [fedora@node3 ~]$ id
    uid=5004(fedora) gid=10(wheel) groups=10(wheel),5004(fedora)
    [fedora@node3 ~]$ sudo -l
    [sudo] password for fedora:
    Matching Defaults entries for fedora on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User fedora may run the following commands on node3:
        (ALL) ALL
        (ALL) /usr/sbin/useradd, /usr/sbin/userdel
(8) Now we configure the users in the wheel group to run all commands as anyone, except the /bin/su command
    [root@node3 /]# vim /etc/sudoers
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    %wheel ALL=(ALL) ALL,!/bin/su
    fedora ALL=(ALL) /usr/sbin/useradd,/usr/sbin/userdel
    [root@node3 /]# su - fedora
    Last login: Tue Jun 9 14:03:15 CST 2020 on pts/0
    [fedora@node3 ~]$ sudo su - root
    [sudo] password for fedora:
    Sorry, user fedora is not allowed to execute '/bin/su - root' as root on node3.
(9) We configure it so that anyone's password can be changed except root's own
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    %wheel ALL=(ALL) ALL,!/bin/su,!/usr/bin/passwd root
    fedora ALL=(ALL) /usr/sbin/useradd,/usr/sbin/userdel
    [root@node3 /]# useradd user2
    [root@node3 /]# echo "123456"|passwd --stdin user2
    Changing password for user user2.
    passwd: all authentication tokens updated successfully.
    [root@node3 /]# su - fedora
    Last login: Tue Jun 9 14:09:37 CST 2020 on pts/0
    [fedora@node3 ~]$ sudo passwd user2
    [sudo] password for fedora:
    Changing password for user user2.
    New password:
    BAD PASSWORD: The password is shorter than 8 characters
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [fedora@node3 ~]$ sudo passwd root
    Sorry, user fedora is not allowed to execute '/bin/passwd root' as root on node3.
    [fedora@node3 ~]$
c. Defining user aliases
(1) We define a user alias named USERADMIN that contains two users, fedora and centos; then a command alias NETADMINCMD=ip,ifconfig,route; and then another command alias USERADMINCMD=useradd,userdel,passwd,!passwd root.
(2) Then we allow user fedora to run the network administration alias, and allow user centos to run both the network administration alias and the user administration alias.
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    User_Alias USERADMIN=fedora,centos
    Cmnd_Alias NETADMINCMD=/usr/sbin/ip
    Cmnd_Alias USERADMINCMD=/usr/sbin/useradd,/sbin/userdel
    fedora ALL=(ALL) NETADMINCMD
    centos ALL=(ALL) NETADMINCMD,USERADMINCMD
(3) Now we create the users fedora and centos, and first look at which commands centos can run
    [root@node3 /]# su - centos
    Last login: Tue Jun 9 14:53:25 CST 2020 on pts/0
    [centos@node3 ~]$ sudo -l

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for centos:
    Matching Defaults entries for centos on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User centos may run the following commands on node3:
        (ALL) /usr/sbin/ip, /usr/sbin/useradd, /sbin/userdel
(4) Then we look at the privileges user fedora has
    [root@node3 /]# su - fedora
    Last login: Tue Jun 9 14:28:41 CST 2020 on pts/0
    [fedora@node3 ~]$ sudo -l
    [sudo] password for fedora:
    Matching Defaults entries for fedora on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User fedora may run the following commands on node3:
        (ALL) /usr/sbin/ip
(5) Now we use the user alias USERADMIN so that both centos and fedora can run the network administration commands and the user administration commands
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    User_Alias USERADMIN=fedora,centos
    Cmnd_Alias NETADMINCMD=/usr/sbin/ip
    Cmnd_Alias USERADMINCMD=/usr/sbin/useradd,/sbin/userdel
    USERADMIN ALL=(ALL) NETADMINCMD,USERADMINCMD
(6) We check the sudo privileges of fedora and centos
    [root@node3 /]# su - fedora
    Last login: Tue Jun 9 14:55:49 CST 2020 on pts/0
    [fedora@node3 ~]$ sudo -l
    [sudo] password for fedora:
    Matching Defaults entries for fedora on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User fedora may run the following commands on node3:
        (ALL) /usr/sbin/ip, /usr/sbin/useradd, /sbin/userdel
    [fedora@node3 ~]$ exit
    logout
    [root@node3 /]# su - centos
    Last login: Tue Jun 9 14:54:51 CST 2020 on pts/0
    [centos@node3 ~]$ sudo -l
    [sudo] password for centos:
    Matching Defaults entries for centos on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User centos may run the following commands on node3:
        (ALL) /usr/sbin/ip, /usr/sbin/useradd, /sbin/userdel
d. Configuring users so that sudo does not ask for a password
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    User_Alias USERADMIN=fedora,centos
    Cmnd_Alias NETADMINCMD=/usr/sbin/ip
    Cmnd_Alias USERADMINCMD=/usr/sbin/useradd,/sbin/userdel
    USERADMIN ALL=(ALL) NOPASSWD: NETADMINCMD,USERADMINCMD
    [root@node3 /]# su - centos
    Last login: Tue Jun 9 15:11:58 CST 2020 on pts/0
    [centos@node3 ~]$ sudo -k
    [centos@node3 ~]$ sudo -l
    Matching Defaults entries for centos on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User centos may run the following commands on node3:
        (ALL) NOPASSWD: /usr/sbin/ip, /usr/sbin/useradd, /sbin/userdel
e. If we want the ip command to run without a password but the user administration commands to require one, we can configure it like this
    [root@node3 /]# cat /etc/sudoers |grep -Ev "^#|^$"
    Defaults !visiblepw
    Defaults always_set_home
    Defaults match_group_by_gid
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    User_Alias USERADMIN=fedora,centos
    Cmnd_Alias NETADMINCMD=/usr/sbin/ip
    Cmnd_Alias USERADMINCMD=/usr/sbin/useradd,/sbin/userdel
    USERADMIN ALL=(ALL) NOPASSWD: NETADMINCMD, PASSWD: USERADMINCMD
    [root@node3 /]# su - centos
    Last login: Tue Jun 9 15:15:13 CST 2020 on pts/0
    [centos@node3 ~]$ sudo -k
    [centos@node3 ~]$ sudo -l
    Matching Defaults entries for centos on node3:
        !visiblepw, always_set_home, match_group_by_gid, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
        env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
        env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
        secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User centos may run the following commands on node3:
        (ALL) NOPASSWD: /usr/sbin/ip, PASSWD: /usr/sbin/useradd, /sbin/userdel
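
The alias definitions (section 4) and the NOPASSWD/PASSWD tags (section 7 and examples d and e) can be reviewed mechanically. The following is an added example, not part of the original article: a small Python auditor for a simplified subset of sudoers syntax that expands User_Alias and Cmnd_Alias, carries a tag forward until the next tag, and flags NOPASSWD grants, commands without an absolute path, and "!" exclusions subtracted from ALL, which the sudoers manual describes as generally not effective as a restriction. The function name audit, the finding labels and the sample text are assumptions made for this example.

```python
import re
# Constructed sample, modelled on the sudoers lines shown in this article.
SAMPLE = """\
User_Alias USERADMIN=fedora,centos
Cmnd_Alias NETADMINCMD=/usr/sbin/ip
Cmnd_Alias USERADMINCMD=/usr/sbin/useradd,/sbin/userdel
%wheel ALL=(ALL) ALL,!/bin/su
USERADMIN ALL=(ALL) NOPASSWD: NETADMINCMD, PASSWD: USERADMINCMD
"""

ALIAS = re.compile(r"^(User|Cmnd)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD):\s*")
COMMA = re.compile(r"\s*,\s*")

def audit(text):
    """Audit a simplified subset of sudoers; returns (grants, findings)."""
    aliases, grants, findings = {"User": {}, "Cmnd": {}}, [], []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)][m.group(2)] = COMMA.split(m.group(3))
            continue
        m = RULE.match(line)
        if not m:
            findings.append(("unparsed", line))
            continue
        who, _host, runas, spec = m.groups()
        tag, cmds = "PASSWD", []           # sudo asks for a password by default
        for item in COMMA.split(spec):
            t = TAG.match(item)
            if t:                           # a tag stays in force until overridden
                tag, item = t.group(1), item[t.end():]
            cmds += [(tag, c) for c in aliases["Cmnd"].get(item, [item])]
        names = [c for _, c in cmds]
        if "ALL" in names and any(c.startswith("!") for c in names):
            findings.append(("deny-list-on-ALL", who))  # prefer an allow-list
        for tag, cmd in cmds:
            if tag == "NOPASSWD":
                findings.append(("nopasswd", who, cmd))
            if cmd not in ("ALL", "sudoedit") and not cmd.lstrip("!").startswith("/"):
                findings.append(("relative-path", who, cmd))
        for user in aliases["User"].get(who, [who]):
            grants += [(user, runas, tag, cmd) for tag, cmd in cmds]
    return grants, findings

if __name__ == "__main__":
    print(*sum(audit(SAMPLE), []), sep="\n")
```

The grants it prints for centos match the per-command tags in the sudo -l output of example e; Defaults lines, host matching and Runas/Host aliases are outside what this sketch parses.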