
User groups and rights management

2025-04-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Introduction: Security 3A

The three A's of access control: authentication (who you are), authorization (what you may do) and audit/accounting (a record of what you did).

Users and groups

user: a user account
group: a group of users

Categories of groups:
Primary group: every user must belong to exactly one group as its primary group.
Auxiliary group (also called additional, supplementary or subsidiary group): optional; a user may belong to several.

Together the user and its groups form the user's security context.

Configuration files for users and groups:
/etc/passwd: users and their attributes (name, UID, primary group ID, etc.)
/etc/group: groups and their attributes
/etc/shadow: user passwords and related attributes
/etc/gshadow: group passwords and related attributes

passwd file format (colon-separated fields):
login name: the login name (wang)
passwd: password field (x, meaning the hash is kept in /etc/shadow)
UID: user identity number (1000)
GID: default login group number (1000)
GECOS: user's full name or comment
home directory: the user's home directory (/home/wang)
shell: the shell started at login (/bin/bash)

shadow file format:
login name
user password: normally stored encrypted (hashed)
days from January 1, 1970 to the last password change
minimum number of days before the password may be changed again (0 means any time)
maximum number of days after which the password must be changed (99999 means it never expires)
number of days before expiry on which the system starts warning the user (default one week)
number of days after password expiry until the account is locked (inactivity period)
days from January 1, 1970 to the date the account expires

group file format:
group name
group password: usually not set; the password is recorded in /etc/gshadow
GID: the group's ID
list of users that have this group as an additional group (comma-separated)

gshadow file format:
group name
group password
group administrator list: administrators can change the group password and the member list
list of users that have this group as an additional group (comma-separated)

Example: view the user and group configuration files

finger

View information about a user

Example: view the information for user wang

getent

Look up only the specified user's entry

Example: look up the entries for root and wang
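The field layout above and the getent lookups are easiest to understand by running checks over real records. The following script is an added example, not code from the original article: it audits passwd- and shadow-format text (constructed sample records with fake hashes, not a real system) for a second UID-0 account, an empty password field, a password that never has to rotate, and an account whose expiry day has passed. On a live system the same functions accept the output of `getent passwd` or `getent shadow` (the latter needs root).

```shell
#!/bin/sh
# Added example, not from the original article: audit passwd/shadow-format
# records for the risky patterns the field layout makes visible.
# The records below are constructed sample data (fake hashes, fake users).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:Wang:/home/wang:/bin/bash
backup:x:0:0:backup operator:/var/backup:/bin/sh
svc:x:1001:1001::/srv/svc:/usr/sbin/nologin'

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$fakesalt$fakehash:19800:0:99999:7:::
wang::19800:0:90:7::20000:
backup:$6$fakesalt$fakehash:19800:0:99999:7:::
svc:!:19800:0:99999:7:::'

# Logins that have UID 0 under a name other than root (a second superuser).
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Logins whose shadow password field is empty: no password is asked at all.
empty_password() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Logins with a usable hash (not locked with ! or *) and max age 99999,
# meaning the password is never forced to rotate.
never_expires() {
  printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }'
}

# Logins whose account expiry (field 8, days since 1970-01-01) is already
# before the given day number; prints "name:expireday".
expired_accounts() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '$8 != "" && $8 < today { print $1 ":" $8 }'
}

# Run every check over the samples, one finding per line.
audit_report() {
  extra_uid0 "$SAMPLE_PASSWD"             | sed 's/^/uid0-alias: /'
  empty_password "$SAMPLE_SHADOW"         | sed 's/^/empty-password: /'
  never_expires "$SAMPLE_SHADOW"          | sed 's/^/never-expires: /'
  expired_accounts "$SAMPLE_SHADOW" 20100 | sed 's/^/expired: /'
}

audit_report
```

The day number 20100 is a constructed "today" so the run is reproducible; on a real host compute it as seconds since the epoch divided by 86400.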

Editing the files: vipw and vigr. Checking the files: pwck and grpck.

User and group management commands
User management: useradd, usermod, userdel
Group account maintenance: groupadd, groupmod, groupdel

useradd

Create a user

Common options

Files and commands related to creating a new user:
/etc/default/useradd
/etc/skel/*
/etc/login.defs
newusers: create users in batch from a passwd-format file
chpasswd: modify user passwords in batch
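newusers reads one passwd-format line per account, and a typo in that file (a UID of 0, a duplicated login) is applied as written. The script below is an added example, not code from the original article: it builds newusers lines and the matching chpasswd input from a constructed roster (made-up logins, UIDs and temporary passwords), validates them, and only then writes the batch file with owner-only permissions. Feeding the file to newusers and chpasswd is a root-only step that the script deliberately leaves to the administrator.

```shell
#!/bin/sh
# Added example, not from the original article: turn a constructed account
# roster into newusers(8) batch lines and sanity-check them before they are
# handed to newusers as root. Logins, UIDs, names and passwords are made up.

# Constructed roster, one "login,uid,gecos,initial-password" per line.
# The last two lines are deliberately bad: a UID-0 request and a duplicate.
ROSTER='alice,2001,Alice Liu,Tempo-2024a
bob,2002,Bob Chen,Tempo-2024b
eve,0,Eve,Tempo-2024c
bob,2003,Bob again,Tempo-2024d'

# Seven-field newusers format: name:pw:uid:gid:gecos:dir:shell. newusers
# hashes the cleartext pw field itself, so the file is sensitive.
roster_to_newusers() {
  printf '%s\n' "$1" | awk -F, 'NF == 4 {
    printf "%s:%s:%s:%s:%s:/home/%s:/bin/bash\n", $1, $4, $2, $2, $3, $1
  }'
}

# The same roster as chpasswd input (login:password), for later batch resets.
roster_to_chpasswd() {
  printf '%s\n' "$1" | awk -F, 'NF == 4 { printf "%s:%s\n", $1, $4 }'
}

# Reject lines with the wrong field count, a login that is not a plain
# lowercase name, a UID in the system range (UID 0 above all), or a
# duplicate login. Prints "login: reason" per problem; no output is clean.
validate_newusers() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7                     { print $1 ": expected 7 fields, got " NF; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { print $1 ": invalid login name"; next }
    $3 < 1000                   { print $1 ": uid " $3 " is in the system range"; next }
    seen[$1]++                  { print $1 ": duplicate login" }
  '
}

# Write the batch file (mode 600, it holds cleartext passwords), or refuse
# to write anything at all when validation reports a problem.
write_batch() {
  lines=$(roster_to_newusers "$1")
  problems=$(validate_newusers "$lines")
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$lines" > "$2" )
}

printf 'problems found in the constructed roster:\n'
validate_newusers "$(roster_to_newusers "$ROSTER")"
```

After a clean run, `newusers batchfile` as root creates the accounts and `passwd -e login` forces each user to change the temporary password at first login; delete the batch file afterwards.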

usermod

Modify user attributes

usermod [OPTION] login
-u UID: new UID
-g GID: new primary group
-G GROUP1[,GROUP2,...[,GROUPN]]: new additional groups; the existing additional groups are overwritten. To keep the existing ones, add the -a option.
-s SHELL: new default shell
-c 'COMMENT': new comment
-d HOME: new home directory (not created automatically). To create the new home directory and move the existing home data into it, add the -m option.
-l login_name: new login name
-L: lock the specified user (a ! is prepended to the password field in /etc/shadow)
-U: unlock the specified user (the ! is removed from the password field in /etc/shadow)
-e YYYY-MM-DD: account expiration date
-f INACTIVE: inactivity period

Append an additional group

Remove an additional group

userdel

Delete a user

id

View a user's ID information

-u: display the UID
-g: display the GID
-G: display the IDs of all groups the user belongs to
-n: display names instead of numbers; used together with -u, -g or -G

su

Switch user, or execute a command as another user

Setting passwords

passwd: change the password of the specified user

Common options

-d: delete the specified user's password

-l: lock the specified user

-u: unlock the specified user

-e: force the user to change the password at the next login

-f: force the operation

-n mindays: minimum number of days between password changes

-x maxdays: maximum number of days the password stays valid

-w warndays: how many days in advance to start warning

-i inactivedays: inactivity period after expiry

--stdin: read the user's password from standard input

Example: echo "PASSWORD" | passwd --stdin USERNAME

Groups

groupadd: create a group

groupdel: delete a group

groupmod: modify group attributes

gpasswd: set the group password

newgrp: temporarily switch the primary group; if the user is not a member of the group, the group password is required

Changing and viewing group members

groups: view the list of groups a user belongs to

chown

Change the owner (and group) of a file

chgrp

Change the group of a file

File permissions and file attributes

Three kinds of permission

chown

Change the owner

chmod

Change file permissions (rwx | X)

File:

r: the file's contents can be read with file-viewing tools

w: the contents can be modified

x: the kernel can be asked to start the file as a process

Directory:

r: ls can list the files in the directory

w: files can be created in or deleted from the directory

x: file metadata in the directory can be viewed with ls -l (together with r), and the directory can be entered with cd

X: gives execute permission to directories only, not to files

chmod

-R: modify permissions recursively

MODE: replace all permissions of a class of users:

u=  g=  o=  ug=  a=  u=g

Modify individual permission bits of a class of users:

u+  u-  g+  g-  o+  o-  a+  a-  +  -

chmod [OPTION]... --reference=RFILE FILE...

Take the permissions of RFILE and set FILE to the same permissions

Examples of permission settings

chgrp sales testfile

chown root:admins testfile

chmod u+wx,g-rx file

chmod -R g+rwX /testdir

chmod 600 file

chown mage testfile

Remove the owner's read and write permissions, the group's write permission and others' write permission from the wang account's file

Add read and write permissions for the owner of the wang account's file

chmod +X

Adds execute permission to directories only
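The difference between `g+rwX` and `g+rwx` on a recursive change is the one that matters operationally: lowercase x marks every data file in the tree executable, capital X only touches directories and files that some class could already execute. The script below is an added example, not code from the original article; it builds a throwaway tree with mktemp, applies both forms, and reads the resulting modes back with GNU `stat -c` (assumed available), then copies a mode with `--reference`.

```shell
#!/bin/sh
# Added example, not from the original article: what chmod's capital X does
# on a mixed tree, compared with lowercase x, and how --reference copies a
# mode. Uses a throwaway directory from mktemp and GNU stat -c (assumed).

# Build top/sub/ (0700) containing data (0644) and tool.sh (0700).
make_tree() {
  top=$(mktemp -d)
  mkdir "$top/sub"
  : > "$top/sub/data";    chmod 644 "$top/sub/data"
  : > "$top/sub/tool.sh"; chmod 700 "$top/sub/tool.sh"
  chmod 700 "$top/sub"
  printf '%s\n' "$top"
}

# Octal modes of sub, data and tool.sh on one line.
modes() {
  printf '%s %s %s\n' "$(stat -c %a "$1/sub")" \
                      "$(stat -c %a "$1/sub/data")" \
                      "$(stat -c %a "$1/sub/tool.sh")"
}

# Recursive g+rwX: the directory and the already-executable script gain
# group execute; the plain data file only gets rw.
apply_group_X() { chmod -R g+rwX "$1"; modes "$1"; }

# Recursive g+rwx for contrast: every file becomes group-executable,
# including the data file, which is exactly the mistake X avoids.
apply_group_x() { chmod -R g+rwx "$1"; modes "$1"; }

# Copy the mode of data onto tool.sh with --reference and report it.
copy_mode() {
  chmod --reference="$1/sub/data" "$1/sub/tool.sh"
  stat -c %a "$1/sub/tool.sh"
}

t=$(make_tree)
printf 'before:            %s\n' "$(modes "$t")"
printf 'after g+rwX:       %s\n' "$(apply_group_X "$t")"
printf 'after --reference: tool.sh is %s\n' "$(copy_mode "$t")"
rm -rf "$t"
u=$(make_tree)
printf 'after g+rwx:       %s\n' "$(apply_group_x "$u")"
rm -rf "$u"
```

The modes are reported as "sub data tool.sh"; the data file ends at 664 under X but 674 under x.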

Default permissions for new files and directories: umask

umask withholds permissions when files are created

Each permission bit set in umask is masked out of the base mode: 666 for files, 777 for directories (with umask=000 nothing is masked). New files are never given execute permission, for security reasons.

Simple method

Default permissions:

directory = 777 - umask

file = 666 - umask; if a digit of the result is odd, add 1 to it

Write umask to a file to make it persistent:

Practice

Create a file with permission 000 by temporarily changing umask

umask -S: display the mask in symbolic mode

Example:

umask -p: output in a form that can be reused as a command

Example: write it directly into the .bashrc file
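The subtraction shortcut above works only because of the "odd digit plus 1" correction; what the kernel really does is a bitwise AND with the complement of umask. The script below is an added example, not code from the original article: it computes the default mode both ways, shows they agree on common masks, and confirms the result against a file and a directory actually created under that umask in a subshell (GNU `stat -c` and mktemp assumed).

```shell
#!/bin/sh
# Added example, not from the original article: derive the default mode of
# a new file or directory from umask, compare the bitwise rule with the
# "subtract, then add 1 to odd digits" shortcut, and confirm against what
# the shell actually creates. Assumes GNU stat -c and mktemp.

# What the kernel does: base & ~umask. $1 is 666 or 777, $2 the umask.
default_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# The shortcut from the text, digit by digit: base digit minus umask digit
# (clamped at 0), and for files an odd result gets +1 because there was no
# x bit to take away. Included to show it matches the bitwise rule.
shortcut_mode() {
  out=''
  i=1
  while [ "$i" -le 3 ]; do
    b=$(printf '%s' "$1" | cut -c"$i")
    m=$(printf '%s' "$2" | cut -c"$i")
    r=$(( b - m ))
    if [ "$r" -lt 0 ]; then r=0; fi
    if [ "$1" = 666 ] && [ $(( r % 2 )) -eq 1 ]; then r=$(( r + 1 )); fi
    out="$out$r"
    i=$(( i + 1 ))
  done
  printf '%s\n' "$out"
}

# Create a file and a directory under the given umask in a subshell, so the
# caller's umask is untouched, and report their actual modes.
observe() {
  (
    umask "$1"
    t=$(mktemp -d)
    : > "$t/f"
    mkdir "$t/d"
    printf '%s %s\n' "$(stat -c %a "$t/f")" "$(stat -c %a "$t/d")"
    rm -rf "$t"
  )
}

for m in 022 027 021 077; do
  printf 'umask %s: file %s (shortcut %s), dir %s (shortcut %s), observed %s\n' \
    "$m" "$(default_mode 666 "$m")" "$(shortcut_mode 666 "$m")" \
         "$(default_mode 777 "$m")" "$(shortcut_mode 777 "$m")" "$(observe "$m")"
done
```

umask 021 is the case the correction exists for: 6 minus 1 gives an odd 5 for the "other" digit, but the file never had the x bit that the 1 in umask would remove, so the real result is 646.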

Special permissions on the Linux file system

SUID on executable files

SGID on executable files

Sticky bit

Permission bit mapping

Setting file-specific attributes

Example:
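The special bits occupy a fourth octal digit in front of the usual three (4 = SUID, 2 = SGID, 1 = sticky) and show up as s or t in the mode string. The script below is an added example, not code from the original article: it decodes that digit, sets each bit on throwaway paths from mktemp, prints the ls-style mode string with GNU `stat -c %A` (assumed), and runs the kind of `find -perm` sweep a baseline inventory of set-id files uses.

```shell
#!/bin/sh
# Added example, not from the original article: the octal mapping of the
# special bits (4 = SUID, 2 = SGID, 1 = sticky), how they appear in the mode
# string, and a find(1) sweep for set-id files as a baseline check.
# Paths are throwaway ones from mktemp; assumes GNU stat -c.

# Decode the leading digit of a four-digit octal mode into bit names.
special_bits() {
  s=$(( 0$1 >> 9 ))
  out=''
  if [ $(( s & 4 )) -ne 0 ]; then out="${out}suid,"; fi
  if [ $(( s & 2 )) -ne 0 ]; then out="${out}sgid,"; fi
  if [ $(( s & 1 )) -ne 0 ]; then out="${out}sticky,"; fi
  [ -n "$out" ] || out='none,'
  printf '%s\n' "${out%,}"
}

# One file per executable special bit, plus a world-writable sticky
# directory (like /tmp) and a group-shared SGID directory.
setup() {
  top=$(mktemp -d)
  : > "$top/suid_bin"; chmod 4755 "$top/suid_bin"
  : > "$top/sgid_bin"; chmod 2755 "$top/sgid_bin"
  mkdir "$top/shared";  chmod 1777 "$top/shared"
  mkdir "$top/team";    chmod 2770 "$top/team"
  printf '%s\n' "$top"
}

# ls -l style mode string of a path.
sym() { stat -c %A "$1"; }

# Relative paths of regular files with SUID or SGID set under $1, sorted;
# a baseline audit stores this list and diffs it over time.
find_setid() {
  ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sort )
}

t=$(setup)
for p in suid_bin sgid_bin shared team; do
  printf '%-9s %s\n' "$p" "$(sym "$t/$p")"
done
printf 'set-id files: %s\n' "$(find_setid "$t" | tr '\n' ' ')"
printf '4755 -> %s, 6755 -> %s, 1777 -> %s\n' \
  "$(special_bits 4755)" "$(special_bits 6755)" "$(special_bits 1777)"
rm -rf "$t"
```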

ACL (access control list)

For flexible permission management, permissions can be granted to additional users and groups beyond the file's owner, group and others.

Order in which ACL permissions take effect:

owner, named user in the ACL, named group in the ACL, owning group, others

Note:

setfacl

Sets the ACL (access control list) from the command line

Example: grant ACL permissions to the wang account

getfacl

View a file's ACL permissions

mask

Sets the upper bound of permissions for everyone except the owner and others (named users, named groups and the owning group)

Once ACL entries have been added, the group bits shown by ls -l are the mask, not the owning group's own permissions.

The mask is an upper limit: the effective permissions of the named users and groups cannot exceed it.

Example:

setfacl -x:

Remove an ACL entry. Example: remove the wang account's permissions

setfacl -b

Clear all ACL entries on the file

Example: clear all ACL entries on the a.log file

setfacl --set

Deletes all existing ACL entries and replaces them with the new ones. Note that the base u/g/o entries must be included; unlike -m, it does not merely add entries.

Example:

Backup and restore of ACL permissions

setfacl --restore

Restore permissions from a backup made with getfacl

Example: restore all file and directory permissions under the /data directory

cp -p

Copying preserves the file's ACL permissions
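The mask rule is simplest to see as arithmetic: the effective permission of a named-user, named-group or owning-group entry is the entry AND the mask, which getfacl reports as `#effective:`. The script below is an added example, not code from the original article. Its first part computes that in plain shell; its second part, only if setfacl/getfacl are installed and the filesystem supports ACLs, grants rwx to the constructed user ID 4242 on a throwaway file, caps it with a mask of r--, then backs up the tree's ACLs with `getfacl -R -p`, strips them with `setfacl -b`, and puts them back with `setfacl --restore`.

```shell
#!/bin/sh
# Added example, not from the original article: effective ACL permission is
# entry AND mask (getfacl's "#effective:"). Pure-shell computation first,
# then a live demo that skips itself when ACL tools or support are absent.
# The user ID 4242 is a constructed value, not a real account.

# "rwx"-style string to a number 0..7.
perm_bits() {
  n=0
  case $1 in *r*) n=$(( n | 4 ));; esac
  case $1 in *w*) n=$(( n | 2 ));; esac
  case $1 in *x*) n=$(( n | 1 ));; esac
  printf '%s\n' "$n"
}

# Number 0..7 back to an "rwx"-style string.
perm_str() {
  s=''
  if [ $(( $1 & 4 )) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
  if [ $(( $1 & 2 )) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
  if [ $(( $1 & 1 )) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
  printf '%s\n' "$s"
}

# Effective permission of a named-user, named-group or owning-group entry
# ($1) under a mask ($2); owner and "other" entries are not masked.
effective_perm() {
  perm_str $(( $(perm_bits "$1") & $(perm_bits "$2") ))
}

# Live demonstration; prints why and returns 0 when ACLs are unavailable.
acl_demo() {
  if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
    printf 'setfacl/getfacl not installed, skipping live demo\n'; return 0
  fi
  top=$(mktemp -d)
  : > "$top/a.log"; chmod 640 "$top/a.log"
  # Grant rwx to uid 4242, then cap everyone but owner/other at r-- via mask.
  if ! setfacl -m u:4242:rwx -m m::r "$top/a.log" 2>/dev/null; then
    printf 'filesystem has no ACL support, skipping live demo\n'
    rm -rf "$top"; return 0
  fi
  printf 'getfacl after -m u:4242:rwx -m m::r:\n'
  getfacl --omit-header "$top/a.log"
  # Back up every ACL under the tree, strip them, then restore from the backup.
  getfacl -R -p "$top" > "$top.acl"
  setfacl -b "$top/a.log"
  printf 'after setfacl -b: %s\n' "$(getfacl --omit-header "$top/a.log" | tr '\n' ' ')"
  setfacl --restore="$top.acl"
  printf 'after --restore: %s\n' "$(getfacl --omit-header "$top/a.log" | grep '^user:4242')"
  rm -rf "$top" "$top.acl"
}

printf 'user:wang:rwx under mask r--  -> %s\n' "$(effective_perm rwx r--)"
printf 'group:dev:r-x under mask rw-  -> %s\n' "$(effective_perm r-x rw-)"
acl_demo
```

The `-p` on the backup keeps absolute paths in the saved file so that `--restore` can be run from any directory, which is what makes the "restore everything under /data" example above work.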
