参考

需求

登录用户有3类权限，访客权限，部署权限，管理权限.

访客权限为最小权限，仅能对登录用户目录进行读写，对其他用户目录只读，系统目录无读写.

部署权限对app部署用户目录具有读写权限（程序不依赖系统服务，如java -jar 程序）.

管理权限对系统目录具读写权限（程序依赖系统服务，nginx, mysql, tomcat）.

不同主机对不同用户权限不同。

运维组具有管理权限，业务组管理的主机具有部署权限或者管理权限，访客权限一般不开，除非有特殊要求，如需要查看部署结果.

user	group	sudo app?	sudo root?	sudo su?
admin	adm	y	y	y
web	app	y	y	n
db		n	y	n
test		n	n	n

生成服务器匙

ssh-keygen -t rsa -f /tmp/admin # /tmp/admin & /tmp/admin.pubssh-keygen -t rsa -f /tmp/test# /tmp/test & /tmp/test.pubssh-keygen -t rsa -f /tmp/web# /tmp/web & /tmp/web.pubssh-keygen -t rsa -f /tmp/db# /tmp/db & /tmp/db.pub

目标服务器

# /etc/ssh/sshd_configPort 60022ListenAddress 192.168.100.100 # 绑定主机内网地址PermitRootLogin no # without-passwordAuthorizedKeysFile /etc/ssh/authorized_keys/%uPasswordAuthentication noGSSAPIAuthentication noGSSAPIKeyExchange noGSSAPIStoreCredentialsOnRekey noGSSAPICleanupCredentials noGSSAPIStrictAcceptorCheck noChallengeResponseAuthentication noUsePAM yes UseDNS no

mkdir /etc/ssh/authorized_keys # 建立key目录/etc/init.d/sshd restart # 重启ssh服务 useradd -u 500 -d /opt/app app # 建立部署用户app, 用户id 500, 用户目录/opt/appchmod 755 /opt/app # 改变用户权限为755useradd -u 501 admin # 建立登录用户admin, 用户id 501cp /tmp/admin.pub /etc/ssh/authorized_keys/admin # 拷贝用户公匙到key目录，文件名为用户名chmod 644 /etc/ssh/authorized_keys/admin # 改变key权限为644ssh -i /tmp/admin admin@192.168.100.100 # 测试key登录

非wheel组成员禁用su

/etc/pam.d/su#auth       required    pam_wheel.so use_uidauth       required    pam_wheel.so use_uid

usermod -G adm adminusermod -G web app

sudo配置

/etc/sudoers.d/security# User alias specificationUser_Alias      ADMIN = adminUser_Alias      SERVICE = dbUser_Alias      APP = web# Cmnd alias specificationCmnd_Alias      SU = /bin/su# Cmnd alias specificationCmnd_Alias  SU  = /bin/su# User specificationADMIN      ALL=(ALL) NOPASSWD: ALL, !SUAPP        ALL=(ALL) NOPASSWD: !SU, /bin/chgrp, /bin/chmod, /bin/chown, (app) NOPASSWD: ALLSERVICE    ALL=(ALL) NOPASSWD: !SU, /bin/chgrp, /bin/chmod, /bin/chown, (app) NOPASSWD: ALL# nginx%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/nginx start%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/nginx stop%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/nginx restart%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/nginx reload%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/nginx status# php-fpm%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm start%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm stop%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm restart%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm reload%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/php-fpm status# apache%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/httpd start%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/httpd stop%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/httpd restart%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/httpd reload%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/httpd status# mysql%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/mysqld start%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/mysqld stop%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/mysqld restart%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/mysqld reload%SERVICE    ALL =(ALL) NOPASSWD: /etc/init.d/mysqld status

# websudo -u app vim /opt/app/1.txtsudo su -