sudoers权限管理
该/etc/sudoers文件的权限管理很完善,覆盖了linux中的各种命令,各种shell、编辑器等等,在此留作以后作为参考。
# This file MUST be edited with the 'visudo' command as root. # # Modification History # 09-30-2014 CH10258614 Global Compliance changes with new Include lists # This file MUST be edited with the 'visudo' command as root. # # See the sudoers man page for the details on how to write a sudoers file. # # Defaults specification #Sets up the sudo log file. #>> This isn't required, per documentation 'default' is to log via syslog #>> which is certainly fine. This item was left in, as much as anything, #>> to serve as a reminder that some 'per account ' customization is #>> permitted, and may even be very important based on customer requirements. Defaults logfile=/var/log/sudo.log #>> The 'NA sudoers standard template' below content comes from #>> https://ibm.biz/NAsudoTemplates #>> entry: 201_NArevStandAliases_NA #>> with customizations of: #>> Eliminating change control information (most comments 'may' be removed, #>> but do NOT eliminate the Begin / End comments). #>> Eliminated 'sample' #include lines, which cause syntax errors. #>> Commented out: # Defaults!IBM_SHELLESCAPE_ALL noexec #>> as, for this example, the commercial customer has not approved #>> this entry. Note: IBM Internal customers must accept this entry. #>> # Begin NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 Begin # # Description Standard sudoers template # # Version control # [ deleted version control data for conciseness, for details see pRAM ] #------------------------------------------------------------------------------ # Sudo implementation team instruction: # This special template is NOT to be # included. Instead, this template # has content which must, for functional purposes, be 'spread over' the # entire span of the /etc/sudoers file. For instance, the # Defaults env_file=/etc/sudo.env # line should be 'early' in the file, while the line: # ALL ALL=!SUDOSUDO # needs to be after the last 'additive' sudo entry to ensure all sudo entries # are appropriately protected. # #------------------------------------------------------------------------------ # Defaults #------------------------------------------------------------------------------ # # The following entries are required if you allow users to run # smit / smitty on AIX: # # For sudo 1.7.0 and up, include the following entries in the # /etc/sudo.env file: # SMIT_SHELL=n # SMIT_SEMI_COLON=n # SMIT_QUOTE=n # and define sudo environment file within /etc/sudoers (or included # file) via: # Note: if you are using a sudo level older than 1.7.0 on AIX, # contact 'Sudo Deployment AG/Hartford/IBM,' for guidance. # Defaults env_file=/etc/sudo.env # Includes the sudo environment file # # #----------------------------------------------------------------------------- # # The following entry is only required if you are using a secondary logging # method which cannot capture commands issued in shell outs. # This will help ensure that commands with shell outs are # appropriately controled: # Defaults!IBM_SHELLESCAPE_ALL noexec ### Account notes: This commercial customer has not approved this entry, and ### thus this entry has been commented out. # CAUTION: This affects all entries; ensure your customer is aware this is being # added on first implementation, and appropriate testing is done. # #----------------------------------------------------------------------------- # User Aliases #----------------------------------------------------------------------------- # Add ant 'in line' User_Alias here. # #----------------------------------------------------------------------------- # Host Aliases #----------------------------------------------------------------------------- # Add any 'in line' Host_Alias here. # # #----------------------------------------------------------------------------- # Required Command Aliases #----------------------------------------------------------------------------- # # sudo # Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo # # Fully qualified commands not present on the server are not required to be in this list. # Commands on this list that do not exist on the servers have no impact. # Add any local paths. # # Forbidden commands: Commands only system admin might be permitted. # Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, \ /bin/bash2bug, /usr/bin/bash2bug, \ /usr/bin/chuser *root*, /usr/bin/mkuser, \ /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, \ /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, \ /usr/bin/view *sudo*, /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, \ /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, \ /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, \ /usr/bin/vi /etc/security/passwd*, \ /bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, \ /bin/vi /etc/security/passwd*, \ /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \ /usr/sbin/sam, \ /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, \ /usr/bin/hostname, /usr/sbin/chdev *hostname*, \ /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, \ /bin/chmod * /root/*, /bin/chmod * /*, \ /bin/chown * /etc/*, /bin/chown * /etc/security/*, \ /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, \ /bin/chown * /usr/local/sbin/visudo, \ /bin/time *, /usr/bin/time * # If you remove anything you need to provide documentation,rationale and # secondary controls if required; if an alternative -technical- control # is in place, document. # Commands not present on the server are not required to be in this list. # Commands on this list that do not exist on the servers have no impact. # It is permissible to hard code these to the exact directory structure where # the commands are present on the system if installed in a different location. # # su commands # Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, \ /bin/su, /bin/su root # if you remove anything you need to provide documentation,rationale and # secondary controls if required; if an alternative -technical- control is # in place, document. # Commands not present on the server are not required to be in this list. # Commands on this list that do not exist on the servers have no impact. # # Shells # Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, \ /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, \ /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , \ /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , \ /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, \ /bin/pfcsh, /usr/bin/pfcsh , \ /bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, \ /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, \ /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, \ /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , \ /usr/shell, /usr/bin/shell, \ /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, \ /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, \ /usr/opt/freeware/bin/tclsh8.4, \ /bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , \ /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, \ /bin/wish8.4, /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, \ /usr/opt/freeware/bin/wish8.4, \ /bin/wishx, /usr/bin/wishx, \ /bin/zsh, /usr/bin/zsh # Shells not present on the server are not required to be in this list. # Shells on this list that do not exist on the servers have no impact. # Add any local shells. # # Shell Escapes # Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, \ /usr/bin/bash2bug, /usr/bin/bashbug, \ /usr/bin/find * -exec *, /usr/bin/find * -ok *, \ /bin/find * -exec *, /bin/find * -ok *, \ /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \ /bin/find * -execdir *, /bin/find * -okdir *, \ /bin/ftp, /usr/bin/ftp, \ /bin/ex, /usr/bin/ex, /usr/bin/less, /usr/bin/more, /bin/pg, /usr/bin/pg, \ /usr/bin/vi, /bin/vi, /bin/ex, /bin/view, /bin/gvim, /bin/gview, /bin/evim, \ /bin/eview, /bin/vimdiff, /bin/vim, /usr/bin/vim, /usr/bin/ex, \ /usr/bin/view, /usr/bin/gvim, \ /usr/bin/gview, /usr/bin/evim, /usr/bin/eview, /usr/bin/vimdiff, \ /bin/more # Commands not present on the server are not required to be in this list. # Commands on this list that do not exist on the servers have no impact. # Add any local commands. # # # Disallowed editors # Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, \ /bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, /usr/bin/vim, \ /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, \ /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi # # Commands not present on the server are not required to be in this list. # Commands on this list that do not exist on the servers have no impact. # Add any local commands. #-------------------------------------------------------------------------------- # # IBM SA command Aliases # Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, \ /bin/su - root # This Cmnd_Alias can only be used if secondary logging are in place on the server. # # ## END 'top' part of 201_NArevStandAliases_NA #>> The 'NA System Admin' below content comes from #>> https://ibm.biz/NAsudoTemplates #>> entry: 201_SystemAdmin_NA #>> with the only customization being to set to the 'local' group used by the #>> SA team: #>> User_Alias IBM_SA_BAU = %uss #>> ## Begin NA System Admin Ver 1.2.2 Date 2014-07-15 * Master * Refer NA1001415501 Begin # # Description # Software products and versions # Supported OS platforms : All Unix/Linux variants. # This sudo profile is the 'typical' system admin sudo entry # where secondary logging is in use. This entry is only to # be used where secondary logging 'like' the methods # documented on: https://ibm.biz/NAsudo2log # are in use. Implementing team is responsible to ensure # logging methodology works in their environment. If secondary # logging is not in use, then the SA team must request an # 'account-level'override exception. # # Self serve access considerations are 'Not applicable' for this template # # # Use of this IBM approved standard template must follow NA # Sudo deployment requirements. # Local adjustments, excepting the Host_Alias (For any needed # segregation of hosts) and User_Alias (to identify the local # group name in use) for specific customer environments # must be approved by 'Sudo Deployment AG/Hartford/IBM' # # # Version control # V1.0 - highc@us.ibm.com - new template # V1.1 - highc - add IBM_SA_AIXSMIT materials to allow for system # system admins to use smit with appropriate logging. # V1.2 - highc - based on v7.1 of standard aliases https://ibm.biz/GsudoStdAlias # being released,remove 'EXEC: smit' type lines. # Be certain to include the SMIT_SHELL=n materials from # v7.1 of the standard aliases on AIX systems. # V1.2.1 - highc- fix syntax/line continuation error. # V1.2.2 - highc- adjust user alias to better conform to global standard. # # BEGIN the Middleware templates relevant for the server #include /etc/sudoers.d/010_STD_NEG_GLB #include /etc/sudoers.d/010_STD_SA_GLB #include /etc/sudoers.d/102_AWS_GLB #include /etc/sudoers.d/108_ORACLE_GLB #include /etc/sudoers.d/113_TEM_GLB #include /etc/sudoers.d/118_TSM_GLB #include /etc/sudoers.d/120_WAS_GLB #include /etc/sudoers.d/123_AE_GLB #include /etc/sudoers.d/205_ITIMEPAIGANA_LINUX_NA #include /etc/sudoers.d/217_TADDMDISC_NA #include /etc/sudoers.d/228_DGNAE_NA #include /etc/sudoers.d/237_DB2_NA #include /etc/sudoers.d/402_AWS_NA_IGA_AHE_CPE_ADJ #include /etc/sudoers.d/402_AWS_NA_IGA_AHE_EPRICER_ADJ #include /etc/sudoers.d/413_TEM_NA_IGA_AHE_ADJ #include /etc/sudoers.d/420_WAS_NA_IGA_AHE_CPE_ADJ #include /etc/sudoers.d/420_WAS_NA_IGA_AHE_EPRICER_ADJ #include /etc/sudoers.d/460_SAMETIME_NA_IGA_LCL #include /etc/sudoers.d/461_NUS_W_SSLINUX_NA_IGA_LCL #include /etc/sudoers.d/461_ODCSISS_NA_IGA_LCL #include /etc/sudoers.d/462_MKT_NA_IGA_LCL #include /etc/sudoers.d/476_LDAP_DB2_IGA_NA_LCL #include /etc/sudoers.d/481_NESSUS_NA_IGA_LCL #include /etc/sudoers.d/489_AvocentDSView_NA_IGA_AHE_LCL # END the Middleware templates relevant for the server #include /etc/sudoers.d/241_CHANGEMANAE_NA # Start of CUSTOMER SECTION ------------------------------------------------- #### #>> Customer specific items have been removed from sample, but #>> this would be any of your current content which are sudo entries #>> for your customers. #### # End of CUSTOMER SECTION ----------------------------------------------------- ## Start of 'bottom' part of 201_NArevStandAliases_NA #------------------------------------------------------------------------------ # # User_Alias ITIMADM5 = %itimadm ITIMADM5 ALL=NOPASSWD: /bin/cat, /bin/chmod, /bin/cp, /bin/kill, /bin/ls, \ /usr/bin/chage, /bin/ed, /usr/bin/ed, /usr/bin/faillog, /usr/bin/groups, \ /usr/bin/passwd, /usr/bin/tee, /usr/sbin/groupadd, /usr/sbin/groupdel, \ /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod Host_Alias LINUX101TO199HOSTLIST = `bhusprv024.bhprod.ibm.com` User_Alias LINUXV6GRPS = %#101,%#102,%#103,%#103,%#104,%#105,%#106,%#107,%#108,%#109, \ %#110,%#111,%#112,%#113,%#113,%#114,%#115,%#116,%#117,%#118,%#119, \ %#120,%#121,%#122,%#123,%#123,%#124,%#125,%#126,%#127,%#128,%#129, \ %#130,%#131,%#132,%#133,%#133,%#134,%#135,%#136,%#137,%#138,%#139, \ %#140,%#141,%#142,%#143,%#143,%#144,%#145,%#146,%#147,%#148,%#149, \ %#150,%#151,%#152,%#153,%#153,%#154,%#155,%#156,%#157,%#158,%#159, \ %#160,%#161,%#162,%#163,%#163,%#164,%#165,%#166,%#167,%#168,%#169, \ %#170,%#171,%#172,%#173,%#173,%#174,%#175,%#176,%#177,%#178,%#179, \ %#180,%#181,%#182,%#183,%#183,%#184,%#185,%#186,%#187,%#188,%#189, \ %#190,%#191,%#192,%#193,%#193,%#194,%#195,%#196,%#197,%#198,%#199 LINUXV6GRPS LINUX101TO199HOSTLIST = (nobody) /bin/df # #Temp sudo access ghkong ALL=(ALL) ALL dfcosta0 ALL=(ALL) NOPASSWD:ALL # The following line must be after the last 'additive' line in this file, only # 'negations' and comments should follow this: # ALL ALL=!SUDOSUDO # # End NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 End #
## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Refuse to run if unable to disable echo on the tty. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults match_group_by_gid # Prior to version 1.8.15, groups listed in sudoers that were not # found in the system group database were passed to the group # plugin, if any. Starting with 1.8.15, only groups of the form # %:group are resolved via the group plugin by default. # We enable always_query_group_plugin to restore old behavior. # Disable this option for new behavior. Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d Defaults env_file=/etc/sudo.env # Includes the sudo environment file Defaults !requiretty,authenticate,set_home Defaults tty_tickets,!root_sudo,umask=0077,ignore_dot,timestamp_timeout=5 Defaults syslog=auth Defaults logfile=/var/log/sudo.log Defaults:tdiuser !requiretty Defaults:uatagnt !requiretty alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, /bin/bash2bug, /usr/bin/bash2bug, /usr/bin/chuser *root*, /usr/bin/mkuser, \ /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, /usr/bin/view *sudo*, \ /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, \ /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, /usr/bin/vi /etc/security/passwd*, \ /bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, /bin/vi /etc/security/passwd*, \ /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \ /usr/sbin/sam, /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, /usr/bin/hostname, /usr/sbin/chdev *hostname*, \ /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, /bin/chmod * /root/*, /bin/chmod * /*, /bin/chown * /etc/*, \ /bin/chown * /etc/security/*, /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, /bin/chown * /usr/local/sbin/visudo, \ /bin/time *, /usr/bin/time * Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, /bin/su, /bin/su root Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, /bin/su - root Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, \ /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , \ /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, /bin/pfcsh, /usr/bin/pfcsh , /bin/pfksh, /usr/bin/pfksh, \ /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh,\ /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , /usr/shell, /usr/bin/shell, /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, \ /usr/opt/freeware/bin/tclsh, /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, /usr/opt/freeware/bin/tclsh8.4, /bin/tcsh, \ /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, /bin/wish8.4, \ /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, /usr/opt/freeware/bin/wish8.4, /bin/wishx, /usr/bin/wishx, /bin/zsh, /usr/bin/zsh Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, /usr/bin/bash2bug, /usr/bin/bashbug, \ /usr/bin/find * -exec *, /usr/bin/find * -ok *, /bin/find * -exec *, /bin/find * -ok *, /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \ /bin/find * -execdir *, /bin/find * -okdir *, /usr/bin/ftp, /bin/ftp, /usr/bin/ex, /bin/ex, /usr/bin/less, \ /usr/bin/more, /bin/more, /usr/bin/pg, /bin/pg, /usr/bin/vi, /bin/vi, /bin/view, /usr/bin/view, /usr/bin/gview, /bin/gview, /usr/bin/eview, \ /bin/eview, /usr/bin/evim, /bin/evim, /usr/bin/gvim, /bin/gvim, /usr/bin/vimdiff, /bin/vimdiff, /usr/bin/vim, /bin/vim, /usr/sbin/format Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, /bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, \ /usr/bin/vim, /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi Defaults: !IBM_SHELLESCAPE_ALL noexec Cmnd_Alias IBM_CAT_NEG = !/bin/cat /* *,!/bin/cat * /* *,!/bin/cat *..*, !/bin/cat *./* Cmnd_Alias IBM_CHGRP_NEG = !/bin/chgrp * /* *,!/bin/chgrp *..*,!/bin/chgrp *./* Cmnd_Alias IBM_CHMOD_NEG = !/bin/chmod * /* *, !/bin/chmod *..*,!/bin/chmod *./* Cmnd_Alias IBM_CHOWN_NEG = !/bin/chown * /* *,!/bin/chown *..*, !/bin/chown *./* Cmnd_Alias IBM_COMPRESS_NEG = !/usr/bin/compress /* *,!/usr/bin/compress * /* *,!/usr/bin/compress *..*, !/usr/bin/compress *./* Cmnd_Alias IBM_CP_NEG = !/bin/cp /* /* *, !/bin/cp * /* /* *, !/bin/cp *..*, !/bin/cp *./* Cmnd_Alias IBM_DIFF_NEG = !/usr/bin/diff /* /* *,!/usr/bin/diff * /* /* *, !/usr/bin/diff *..*, !/usr/bin/diff *./* Cmnd_Alias IBM_FIND_NEG = !/usr/bin/find * -exec *, !/usr/bin/find * -ok *, !/usr/bin/find *..*, !/usr/bin/find * -execdir *, !/usr/bin/find * -okdir * Cmnd_Alias IBM_GUNZIP_NEG = !/usr/bin/gunzip /* *,!/usr/bin/gunzip -* /* *,!/usr/bin/gunzip *..*, !/usr/bin/gunzip *./* Cmnd_Alias IBM_GZIP_NEG = !/usr/bin/gzip /* *,!/usr/bin/gzip -* /* *,!/usr/bin/gzip *..*, !/usr/bin/gzip *./* Cmnd_Alias IBM_HEAD_NEG = !/usr/bin/head /* *,!/usr/bin/head * /* *,!/usr/bin/head *..*, !/usr/bin/head *./* # Authorization of head is discouraged. Instead, authorize the # the team to 'cat', team can then run 'sudo cat /tmp/specified file | head {any flags they need}' # While discouraged, negation is effective when head is authorized Cmnd_Alias IBM_LN_NEG = !/bin/ln /* /* *, !/bin/ln -* /* /* *, !/bin/ln *..*, !/bin/ln *./* Cmnd_Alias IBM_LS_NEG = !/bin/ls /* *, !/bin/ls -* /* *, !/bin/ls *..*, !/bin/ls *./* Cmnd_Alias IBM_MKDIR_NEG = !/bin/mkdir /* *,!/bin/mkdir * /* *, !/bin/mkdir *..*, !/bin/mkdir *./* Cmnd_Alias IBM_MOUNT_NEG = !/bin/mount /* *,!/bin/mount * /* *,!/bin/mount *..*, !/bin/mount *./* , !/usr/sbin/mount /* *, \ !/usr/sbin/mount * /* *,!/usr/sbin/mount *..*, !/usr/sbin/mount *./* # Caution: we have only coded a negation for the 'single directory/device' version of the mount command; # if you need to 'permit' the 'two directory/device' version of the command, it will have to be # with a different negation, and if this negation is used, must be specified AFTER use of this # this negation or the use of IBM_NEG_ALL as this negation will block the two * version. Cmnd_Alias IBM_MV_NEG = !/bin/mv /* /* *,!/bin/mv * /* /* *, !/bin/mv *..*, !/bin/mv *./* Cmnd_Alias IBM_RM_NEG = !/bin/rm /* *,!/bin/rm * /* *, !/bin/rm *..*, !/bin/rm *./* Cmnd_Alias IBM_RMDIR_NEG = !/bin/rmdir /* *,!/bin/rmdir * /* *,!/bin/rmdir *..*,!/bin/rmdir *./* Cmnd_Alias IBM_TAIL_NEG = !/usr/bin/tail /* *,!/usr/bin/tail -* /* *,!/usr/bin/tail *..*, !/usr/bin/tail *./* # authorization of tail 'except for' tail -f is discouraged. Instead, authorize the # the team to 'cat', team can then run 'sudo cat /tmp/specified file | tail {any flags they need}' # While discouraged, negation is effective for when tail is authorized to be issued with no flags. Cmnd_Alias IBM_TAR_NEG = !/bin/tar /* /* *,!/bin/tar * /* /* *, !/bin/tar *..*, !/bin/tar *./* Cmnd_Alias IBM_TOUCH_NEG = !/bin/touch /* *, !/bin/touch * /* *, !/bin/touch *..*, !/bin/touch *./* # will block some complex parms such as "-r" #Note: PO will need to create custom negation if flags such as -r must be 'allowed for'. Cmnd_Alias IBM_UMOUNT_NEG = !/bin/umount /* *,!/bin/umount * /* *,!/bin/umount *..*, !/bin/umount *./*, !/usr/sbin/umount /* *, \ !/usr/sbin/umount * /* *,!/usr/sbin/umount *..*, !/usr/sbin/umount *./* Cmnd_Alias IBM_UNCOMPRESS_NEG = !/usr/bin/uncompress /* *,!/usr/bin/uncompress * /* *,!/usr/bin/uncompress *..*, !/usr/bin/uncompress *./* Cmnd_Alias IBM_ZCAT_NEG = !/bin/zcat /* *, !/bin/zcat *..*, !/bin/zcat *./* Cmnd_Alias IBM_ALL_NEG = IBM_CAT_NEG, IBM_CHGRP_NEG, IBM_CHMOD_NEG, IBM_CHOWN_NEG, IBM_COMPRESS_NEG, IBM_CP_NEG, IBM_DIFF_NEG, IBM_FIND_NEG, \ IBM_GUNZIP_NEG, IBM_GZIP_NEG, IBM_HEAD_NEG, IBM_LS_NEG, IBM_LN_NEG, IBM_MKDIR_NEG, IBM_MOUNT_NEG, IBM_MV_NEG, IBM_RM_NEG, IBM_RMDIR_NEG, \ IBM_TAIL_NEG, IBM_TAR_NEG, IBM_TOUCH_NEG, IBM_UMOUNT_NEG, IBM_UNCOMPRESS_NEG,IBM_ZCAT_NEG User_Alias IBM_SA_BAU = %wheel Host_Alias IBM_SA_HOSTS = ALL # Use ALL or indicate IBM_SA_BAU IBM_SA_HOSTS = ALL User_Alias IBM_LIN_UAT_TOOL_BAU = %uatgroup Host_Alias IBM_LIN_UAT_HOSTS = ALL Cmnd_Alias IBM_LIN_UAT_BAU_CMDS = /bin/cat /etc/local/etc/sudoers, /bin/cat /etc/local/sudoers, /bin/cat /etc/shadow, \ /bin/cat /etc/ssh/sshd_config, /bin/cat /etc/sudoers, /bin/cat /syslocal/config/common/sudo/etc/sudoers, \ /bin/cat /var/log/messages, /bin/cat /var/log/sudo.log, /bin/cat /var/log/secure, /usr/bin/cat /etc/local/etc/sudoers, /usr/bin/cat /etc/local/sudoers, \ /usr/bin/cat /etc/shadow, /usr/bin/cat /etc/ssh/sshd_config, /usr/bin/cat /etc/sudoers, /usr/bin/cat /syslocal/config/common/sudo/etc/sudoers, \ /usr/bin/cat /var/log/messages, /usr/bin/cat /var/log/sudo.log, /usr/bin/cat /var/log/secure, /usr/bin/who, \ /bin/who, /usr/bin/chage, /usr/bin/chmod [0-7][0-7][0145] /home/*, /bin/chmod [0-7][0-7][0145] /home/*, !/bin/chmod [1-7][0-7][0-7][0-7] /home/*, \ !/usr/bin/chmod [1-7][0-7][0-7][0-7] /home/*, /usr/bin/faillog, /usr/bin/gpasswd, /usr/bin/ls, \ /bin/ls, /usr/bin/passwd, /usr/sbin/chpasswd, /usr/sbin/faillog, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /sbin/groupmod, \ /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/rm -rf /home/*, \ /bin/rm -rf /home/*, /usr/bin/rm -r /home/*, /bin/rm -r /home/*, /usr/bin/rm /home/*, \ /bin/rm /home/*, /usr/local/bin/uatscripts/uatoracle.sh, /usr/local/bin/uatscripts/uatdb2.sh, \ /usr/local/bin/uatscripts/uatsap.sh, /usr/local/bin/uatscripts/uathyperion.sh, /usr/bin/find, /bin/find IBM_LIN_UAT_TOOL_BAU IBM_LIN_UAT_HOSTS = (root) NOPASSWD: IBM_LIN_UAT_BAU_CMDS,IBM_CHMOD_NEG, IBM_FIND_NEG,IBM_RM_NEG Defaults:%uatgroup !requiretty %aseanuid ALL = NOPASSWD:\ /usr/sbin/useradd *, /usr/sbin/userdel *, /usr/sbin/usermod *, \ /usr/bin/chage *, /usr/bin/passwd *, /usr/bin/gpasswd *, /sbin/pam_tally2 *, \ /usr/bin/faillog * %hc ALL = NOPASSWD:\ /bin/cat *, /bin/zcat *, /usr/bin/tail *, /usr/bin/head *, /bin/grep *, \ /usr/bin/last *, /usr/bin/who *, /bin/ls *, /usr/bin/find *,/usr/bin/ssh-keygen *, /bin/tar *,\ /bin/more *, /usr/bin/less * , NOEXEC:IBM_SHELLESCAPE_ALL %lnxadm ALL=ALL,!IBM_NONE_SA,!IBM_SHELLS_ALL,/usr/bin/su -, NOEXEC: IBM_SHELLESCAPE_ALL ALL ALL=!SUDOSUDO
refer:https://support.nagios.com/forum/viewtopic.php?f=6&t=43772&start=10