```
sudo adduser newuser
[sudo] password for trshpuppy:
Adding user `newuser' ...
Adding new group `newuser' (1001) ...
Adding new user `newuser' (1001) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name []: new user
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y
```
```
# the 'su' command lets us switch to the new user:
su newuser
Password:
newuser@trshheap:~$    # <-- new user shell context
cat /etc/passwd | grep "newuser"
newuser:x:1001:1001:new user,,,:/home/newuser:/bin/bash
```
mkpasswd generates crypt(3)-style password hashes, the format stored in the second field of /etc/shadow:

```
mkpasswd --help
Usage: mkpasswd [OPTIONS]... [PASSWORD [SALT]]
Crypts the PASSWORD using crypt(3).

      -m, --method=TYPE     select method TYPE
      -5                    like --method=md5crypt
      -S, --salt=SALT       use the specified SALT
      -R, --rounds=NUMBER   use the specified NUMBER of rounds
      -P, --password-fd=NUM read the password from file descriptor NUM
                            instead of /dev/tty
      -s, --stdin           like --password-fd=0
      -h, --help            display this help and exit
      -V, --version         output version information and exit

If PASSWORD is missing then it is asked interactively.
If no SALT is specified, a random one is generated.
If TYPE is 'help', available methods are printed.
```
To see which groups a user is in, switch to that user and run groups, which lists every group they belong to (groups username or id username gives the same answer from any account). To add a user to a group, use:

```
sudo usermod -a -G sudo exampleUser
```

-a stands for append and adds this group to the user's current list of groups instead of overwriting it; without -a, -G replaces the user's supplementary groups with only the ones named on the command line. -G stands for groups and specifies the group(s) to add them to. The change applies to new logins only: an existing session keeps its old group list until the user logs in again.
/etc/group

The /etc/group file lists every group on the machine and the users in each one. Each line of the file has 4 colon-separated fields:

```
sudo:x:27:trshpuppy,newuser
[--][-][-][----------------]
 |   |  |         |
 |   |  |         +---------> Group List: users in the group (separated w/ ',')
 |   |  +-------------------> Group ID: the group's numeric GID (a user's primary
 |   |                        GID is the 4th field of /etc/passwd)
 |   +----------------------> Password: not generally used, 'x' placeholder
 +--------------------------> Group Name: name of the group
```

The member list only records supplementary membership. A user whose primary group is sudo (GID 27 in their /etc/passwd entry) is in the group but does not appear in this line, so check both files when working out who is really in a group.
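As an added example (not from the original page), the following script resolves group membership the way the two files above define it: supplementary members from field 4 of /etc/group plus primary members from field 4 of /etc/passwd. The sample file contents are constructed (the docker group and the svc account are assumptions); to run it against a live host, replace the two sample variables with the output of getent group and getent passwd, which also covers users served by LDAP or other NSS sources that are not in the flat files.

```shell
#!/bin/sh
# Added example, not from the original page. Resolves group membership from
# constructed copies of /etc/group and /etc/passwd, covering both ways a user
# ends up in a group:
#   1. listed in field 4 of /etc/group (supplementary membership), and
#   2. having the group's GID as the primary GID in field 4 of /etc/passwd,
#      which never shows up in /etc/group at all.
# Swap "$SAMPLE_GROUP" for "$(getent group)" and "$SAMPLE_PASSWD" for
# "$(getent passwd)" to run this on a real host.

# Constructed sample data (docker group and svc account are assumptions).
SAMPLE_GROUP='root:x:0:
sudo:x:27:trshpuppy,newuser
docker:x:999:trshpuppy
trshpuppy:x:1000:
newuser:x:1001:'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
trshpuppy:x:1000:1000:trshpuppy,,,:/home/trshpuppy:/bin/bash
newuser:x:1001:1001:new user,,,:/home/newuser:/bin/bash
svc:x:1002:27:service account,,,:/home/svc:/usr/sbin/nologin'

# group_members NAME: print every user in group NAME, one per line, sorted.
# Returns 1 if the group does not exist.
group_members() {
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        # supplementary members: the comma-separated fourth field of /etc/group
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # primary members: accounts whose primary GID (/etc/passwd field 4) is this group
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# user_groups USER: print every group USER belongs to, one per line, sorted
# (the same answer `groups USER` gives on a live host).
user_groups() {
    {
        # groups that name USER in their member list
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" \
            '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
        # plus the group whose GID is USER's primary GID
        pgid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
        [ -n "$pgid" ] && printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v gid="$pgid" '$3 == gid { print $1 }'
    } | sort -u
}

echo "members of sudo:"; group_members sudo      # newuser, svc, trshpuppy
echo "groups of svc:";   user_groups svc         # sudo (primary GID only)
```

The svc account is the case the sentence above warns about: grep sudo /etc/group never shows it, yet it is in the sudo group and would match the %sudo rule in /etc/sudoers.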
The /etc/sudoers file is the policy that sudo enforces: it defines which users and groups may run which commands, as which target user and group, on which hosts. Group membership on its own grants nothing; being in the sudo group only matters because a %sudo rule in this file says so. Each rule has the form who HOST=(run-as-user:run-as-group) commands, so %sudo ALL=(ALL:ALL) ALL means members of the sudo group may run any command as any user and any group on any host.
```
sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```
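As an added example (not from the original page), here is a drop-in for /etc/sudoers.d/ that puts the usual over-broad rule next to a narrower one written with the same syntax as the file above. The group name ops and the systemctl command paths are assumptions. Validate a drop-in with visudo -cf before relying on it; a file in /etc/sudoers.d must be owned by root and not writable by group or others (0440 is the convention), and sudo ignores files whose name contains a dot or ends in a tilde.

```text
# /etc/sudoers.d/ops   (constructed example; "ops" and the paths are assumptions)

# Weak: every member of ops gets every command, as every user, with no
# password. One phished ops account is a root shell (sudo -i).
#%ops ALL=(ALL:ALL) NOPASSWD: ALL

# Also weak: "ALL, !/bin/sh" style exclusions do not help, because the user
# can run any other program that starts a shell (sudoers(5) documents this).
#%ops ALL=(ALL) ALL, !/bin/sh, !/bin/bash

# Narrower: only the commands the role needs, only as root, password required.
Cmnd_Alias SERVICE_CTL = /usr/bin/systemctl restart nginx, \
                         /usr/bin/systemctl status nginx
%ops ALL=(root) SERVICE_CTL
```

After installing the drop-in, sudo -l as a member of ops should list only the two systemctl commands; if it still shows (ALL : ALL) ALL, the user is also matching a broader rule such as %sudo in the main file.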
When investigating a box, it is worth knowing what the sudo permissions are. You can check this with sudo -l:

```
sudo -l
Matching Defaults entries for trshpuppy on trshheap:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User trshpuppy may run the following commands on trshheap:
    (ALL : ALL) ALL
```

In this example trshpuppy, as a member of the sudo group, may run any command as any user and any group on trshheap; that is what (ALL : ALL) ALL means, and it is a one-step path to root (sudo -i). Because sudo -l needs nothing beyond the user's own credentials, it is a safe first check after landing on a host, and the interesting lines are the ones under "may run the following commands".
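As an added example (not from the original page), the script below triages sudo -l output the way you would during an assessment: it picks out the privilege lines after the "may run the following commands" header and grades each one. The output it parses is constructed to look like the one above (the vim, systemctl and su rules are assumptions) so it runs offline; on a live host pipe sudo -l into the same functions.

```shell
#!/bin/sh
# Added example, not from the original page: triage of `sudo -l` output.
# The sample output is constructed (the vim, systemctl and su rules are
# assumptions); on a real host use:  sudo -l | sudo_risk_level

SAMPLE_SUDO_L='Matching Defaults entries for trshpuppy on trshheap:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User trshpuppy may run the following commands on trshheap:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/systemctl status nginx
    (ALL) ALL, !/usr/bin/su'

# classify_sudo_rules: reads `sudo -l` output on stdin and prints one
# "<severity> <rule>" line per privilege line found after the header:
#   full      command list is ALL (even with "!" exclusions, which sudoers(5)
#             says cannot be relied on) -> root with one sudo -i
#   nopasswd  a specific command, no password prompt
#   limited   a specific command, password required
classify_sudo_rules() {
    awk '
        /may run the following commands on/ { in_rules = 1; next }
        !in_rules { next }
        /^[ \t]*\(/ {
            rule = $0
            sub(/^[ \t]+/, "", rule)
            sev = "limited"
            if (rule ~ /^\([^)]*\)[ \t]+(NOPASSWD:[ \t]*)?ALL(,|$)/) sev = "full"
            else if (rule ~ /NOPASSWD:/) sev = "nopasswd"
            print sev " " rule
        }'
}

# sudo_risk_level: reads `sudo -l` output on stdin and prints the worst
# severity present: full > nopasswd > limited > none.
sudo_risk_level() {
    classify_sudo_rules | awk '
        $1 == "full"                { lvl = 3 }
        $1 == "nopasswd" && lvl < 2 { lvl = 2 }
        $1 == "limited"  && lvl < 1 { lvl = 1 }
        END {
            print (lvl == 3 ? "full" : (lvl == 2 ? "nopasswd" : (lvl == 1 ? "limited" : "none")))
        }'
}

printf '%s\n' "$SAMPLE_SUDO_L" | classify_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_risk_level    # full
```

The grading is deliberately coarse: a "limited" rule is only safe if the allowed program cannot spawn a shell or write arbitrary files, which is a per-binary judgement the script does not make; it narrows the list to the rules worth reading by hand.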
The man page entry for sudo -l:

```
-l, --list  If no command is specified, list the allowed (and forbidden)
            commands for the invoking user (or the user specified by the -U
            option) on the current host. A longer list format is used if this
            option is specified multiple times and the security policy supports
            a verbose output format.

            If a command is specified and is permitted by the security policy,
            the fully-qualified path to the command is displayed along with any
            command line arguments. If a command is specified but not allowed by
            the policy, sudo will exit with a status value of 1.
```