What are the Linux security permission configuration problems that are easy to be ignored?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

In this article the editor shares some Linux security permission configuration issues that are easy to overlook. I hope you gain something from reading it; let's discuss it together.

1. Permissions that are too broad

Each service needs permissions within a certain range: not too little and not too much. If a file is not given enough permissions, it obviously cannot be used; but if it is given too many permissions, it may also stop working, because some services deliberately refuse to use files that are too open.

For example:

Problem: the test account cannot log in to an ssh server with a key, but the test2 account on the same machine can.

View file permissions:

test@client:~$ ls -l ~/.ssh/
-rw------- 1 test test 1675 2010-03-25 15:15 id_rsa

Looking at the private and public key permissions in the .ssh directories on both the client and the server, there is nothing wrong.

The private key is 600 and the public key is 644, which meets the requirements (private key 600 or stricter, public key 644), but the login still fails.

test@server:~$ ls -la ~ | grep -w .ssh
drwxr-xr-x 2 test test 4.0K 12-23 16:59 .ssh

The server-side .ssh directory is 755, which is also fine: for key login, the ssh server requires that the .ssh directory not be writable by other users.

At first I really could not see why the test2 account could log in with a key while the test account could not. I checked ssh_config and sshd_config many times and found nothing wrong. Finally, comparing the two accounts on the server side turned up something suspicious.

$ ls -l /home/
drwxrwxrwx 3 test  test  4096 2009-12-31 17:31 test
drwxr-xr-x 6 test2 test2 4096 2010-03-23 15:59 test2

The home directories of the two accounts have different permissions: the test account's is 777, the test2 account's is 755. Could this difference be the cause? After changing the test home directory to 755 on the server side, the problem was solved.

Explanation:

Key login on the ssh server requires strict permissions. On the client, the private key must be 600 or stricter (400). Once the private key is readable by other users (e.g. 640), ssh refuses to use it, prints the warning "UNPROTECTED PRIVATE KEY FILE" and behaves as if there were no private key at all.

On the server, the authorized_keys file holding the public key must not be writable by anyone other than its owner. Once it is writable by group or others (e.g. 660), key login fails and the client sees: Permission denied (publickey).

Likewise, the .ssh directory must not be writable by anyone other than its owner; once it is (e.g. 770), key login fails with the same Permission denied (publickey).

And not only the .ssh directory: the permissions of the directories above it matter too.

If the user's home directory is writable by others, any other user can delete or rename the .ssh subdirectory and put their own in its place, so sshd treats .ssh as writable by others and refuses key login. These checks are sshd's StrictModes setting, which is on by default; when it rejects a login, sshd logs "Authentication refused: bad ownership or modes for directory /home/test" in the server's auth log, which is the quickest place to look when Permission denied (publickey) has no obvious cause on the client.
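The two checks described in this section, as an added example that is not part of the original article: check_private_key reproduces the client-side rule (the private key must not be readable or writable by group or others), and check_authorized_path reproduces the server-side StrictModes rule (home directory, .ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable). It assumes GNU stat with -c, as on the Linux hosts in the article; the function names and the hypothetical paths in the usage comment are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce the permission checks
# behind the two failures described above, so they can be found before ssh or
# sshd silently rejects the key. Assumes GNU stat (-c), as on Linux.

# check_private_key FILE -> 0 if the client-side private key is usable by ssh:
# it must not be readable or writable by group or others (0600 or 0400).
# Anything looser (e.g. 0640) makes ssh ignore the key.
check_private_key() {
    key="$1"
    if [ ! -f "$key" ]; then echo "missing private key: $key"; return 1; fi
    mode=$(stat -c '%a' "$key")
    # 077 = all group and other bits; any of them set is a failure
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "private key $key is mode $mode: must be 600 or 400"
        return 1
    fi
    return 0
}

# check_authorized_path HOME USER -> 0 if sshd's StrictModes checks would pass
# for USER's key login: HOME, HOME/.ssh and HOME/.ssh/authorized_keys must each
# be owned by USER (or root) and must not be writable by group or others.
# This is the check that failed for the article's 777 home directory.
check_authorized_path() {
    home="$1"; user="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad owner on $p: $owner (expected $user or root)"; rc=1
        fi
        # 022 = group-write | other-write; sshd rejects either one
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "writable by group/others: $p is mode $mode"; rc=1
        fi
    done
    return $rc
}

# Usage on a real host (hypothetical paths; run as root so stat can read
# every directory):
#   check_private_key /home/test/.ssh/id_rsa
#   check_authorized_path /home/test test
if [ "$#" -ge 2 ]; then
    check_authorized_path "$1" "$2"
fi
```

Run check_authorized_path on the server for the account that cannot log in; a 777 home directory, a 770 .ssh or a 660 authorized_keys each show up as a separate line, which is exactly the information sshd only records in its own log.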

2. SELinux silently enabled

If you have configured a service but, no matter how you edit its configuration file, some ports cannot be opened or some files cannot be accessed, consider that SELinux may be interfering.

For example:

Problem: a directory configured in apache should be accessible, but apache always reports that you do not have permission.

Configuration on apache:

Alias /hello.html /web/hello.html
Order deny,allow
Allow from all

No matter how many times you check, nothing is wrong and the file permissions are correct. At this point, look at the SELinux side: confirm it is enforcing with getenforce, look for AVC denials in /var/log/audit/audit.log (or with ausearch -m avc), and check the file's security context:

# ls -Z /web/
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 hello.html

The files under /web are labelled admin_home_t, a type the apache process (httpd_t) is not allowed to read.

Explanation of the reason:

By default, SELinux limits the directories apache can access: httpd may only read files carrying the httpd content types (e.g. httpd_sys_content_t), which by default are applied under /var/www/. So it is no wonder that adjusting only the apache configuration and the file permissions had no effect.

To serve files from /web/, you must adjust the SELinux configuration: label the directory for httpd persistently with semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" followed by restorecon -Rv /web. A plain chcon also works but is lost on the next relabel, and disabling SELinux is not a fix.

In fact, SELinux's default restrictions cover not only file access but also the ports and the interfaces a service may use: a web server on a non-standard port, for instance, is denied the bind until that port is added to http_port_t with semanage port -a -t http_port_t -p tcp PORT.

After reading this article, I believe you have some understanding of which Linux security permission configuration issues are easy to overlook.
