- 密码锁定
- shell = /usr/sbin/nologin
- 移出 sudo 组
- 删除 sudoers 里的提权规则
- 踢掉已登录会话（脚本用 pkill -KILL 结束该用户的全部进程，不只是登录会话）
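# Write and run a lockdown script for the cloud-image default accounts
# (ubuntu / lighthouse). The script locks the password, sets a nologin shell,
# expires the account, kills the users' processes, drops them from the admin
# groups and strips their sudoers rules, then prints the resulting state.
# It must run as root and refuses to run from a session owned by one of the
# target users, because step 2 would SIGKILL the very session running it.
cat > /root/lock-cloud-users.sh <<'EOF'
#!/usr/bin/env bash
# Lock the default cloud-image users out of this host.
#
# Usage:  lock-cloud-users.sh             (as root)
#         FORCE=1 lock-cloud-users.sh     (skip the self-lockout guard)
# Env:    USERS - space-separated accounts to lock (default: "ubuntu lighthouse")
#
# Backups of /etc/sudoers and /etc/sudoers.d/* are written to /root with a
# timestamp suffix and restored automatically if the edited sudoers fail
# `visudo -c`.
set -euo pipefail

USERS="${USERS:-ubuntu lighthouse}"
# Admin groups to strip the users from; groups that do not exist are skipped.
ADMIN_GROUPS="sudo wheel admin"
TS="$(date +%F-%H%M%S)"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Preflight: every step below writes to /etc or kills other users' processes.
[[ "$EUID" -eq 0 ]] || die "必须以 root 运行"
for tool in passwd usermod chage gpasswd pkill visudo; do
  command -v "$tool" >/dev/null 2>&1 || die "缺少命令: $tool"
done

# Self-lockout guard: step 2 SIGKILLs all processes of each target user, so if
# this shell was reached via `sudo` (or a login) from one of those users the
# operator's own session dies mid-run, possibly before sudoers is validated.
caller="${SUDO_USER:-$(logname 2>/dev/null || true)}"
for u in $USERS; do
  if [[ -n "$caller" && "$caller" == "$u" && "${FORCE:-0}" != "1" ]]; then
    die "当前会话属于 $u,请先用其他管理员账户登录再执行(或设置 FORCE=1 强制执行)"
  fi
done

echo "[1/6] 备份 sudoers 配置..."
# cp -a keeps the 0440 mode; the directory itself is made root-only as well.
cp -a /etc/sudoers "/root/sudoers.bak.$TS"
mkdir -p "/root/sudoers.d.bak.$TS"
chmod 700 "/root/sudoers.d.bak.$TS"
cp -a /etc/sudoers.d/* "/root/sudoers.d.bak.$TS/" 2>/dev/null || true

echo "[2/6] 锁定用户密码并禁止 shell 登录..."
for u in $USERS; do
  id "$u" >/dev/null 2>&1 || continue
  passwd -l "$u" 2>/dev/null || true                     # disables password auth only
  usermod -s /usr/sbin/nologin "$u" 2>/dev/null || true  # no shell / sftp via shell
  # Neither of the above stops a key-based `ssh -N` used only for port
  # forwarding: no shell is spawned and the key is still accepted. Expiring
  # the account makes PAM's account stage reject every login path as well.
  # Existing authorized_keys are reported in step 6, not deleted.
  chage -E 1970-01-02 "$u" 2>/dev/null || true
  pkill -KILL -u "$u" 2>/dev/null || true                # all of the user's processes
done

echo "[3/6] 从 sudo 组移除..."
for u in $USERS; do
  id "$u" >/dev/null 2>&1 || continue
  for g in $ADMIN_GROUPS; do
    getent group "$g" >/dev/null 2>&1 || continue
    gpasswd -d "$u" "$g" 2>/dev/null || true
  done
done

echo "[4/6] 删除 sudoers 中 ubuntu/lighthouse 的提权规则..."
# Removes only rules whose line starts with the user name. Rules granted via
# User_Alias or %group are not touched; step 6 greps for leftovers so the
# operator can review them by hand. USERS is interpolated into the sed
# pattern unescaped, so keep it to plain account names.
for u in $USERS; do
  sed -i "/^[[:space:]]*$u[[:space:]].*ALL=.*$/d" /etc/sudoers
  find /etc/sudoers.d -type f -exec sed -i "/^[[:space:]]*$u[[:space:]].*ALL=.*$/d" {} \; 2>/dev/null || true
done

echo "[5/6] 校验 sudoers 语法..."
# Validate the main file and every drop-in separately: a broken fragment in
# sudoers.d locks root out of sudo just as surely as a broken /etc/sudoers.
sudoers_ok=1
visudo -cf /etc/sudoers || sudoers_ok=0
for f in /etc/sudoers.d/*; do
  [[ -f "$f" ]] || continue
  visudo -cf "$f" || sudoers_ok=0
done
if [[ "$sudoers_ok" -ne 1 ]]; then
  echo "sudoers 语法错误,正在恢复备份..."
  cp -a "/root/sudoers.bak.$TS" /etc/sudoers
  cp -a "/root/sudoers.d.bak.$TS/"* /etc/sudoers.d/ 2>/dev/null || true
  exit 1
fi

echo "[6/6] 当前状态:"
echo
echo "可交互登录用户:"
awk -F: '$7 !~ /(nologin|false)$/ {print $1, $3, $6, $7}' /etc/passwd
echo
echo "sudo 组:"
getent group sudo
echo
echo "ubuntu/lighthouse sudoers 残留:"
# Fixed-string, whole-word match on each configured user (not a hard-coded pair).
grep -RwF -f <(printf '%s\n' $USERS) /etc/sudoers /etc/sudoers.d/ 2>/dev/null || true
echo
echo "用户状态:"
for u in $USERS; do
  id "$u" >/dev/null 2>&1 || continue
  passwd -S "$u" 2>/dev/null || true
  chage -l "$u" 2>/dev/null | grep -i 'expires' || true
  getent passwd "$u"
  groups "$u" || true
  home="$(getent passwd "$u" | cut -d: -f6)"
  if [[ -s "$home/.ssh/authorized_keys" ]]; then
    echo "注意: $home/.ssh/authorized_keys 仍存在($(grep -c . "$home/.ssh/authorized_keys") 行),按需删除"
  fi
  echo
done
echo "完成。"
EOF
# Root-only: the script is a privileged lockdown tool living under /root.
chmod 700 /root/lock-cloud-users.sh
bash /root/lock-cloud-users.sh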