
How to Implement Account Security and Privilege Elevation on CentOS 7

2025-01-21 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains how CentOS 7 implements account security and privilege elevation. The editor thinks it is very practical and shares it here as a reference.

I. Switching users with the su command

su username switches to another user. It only starts a new process, which is independent of the previous process; the previous process has not disappeared.

su - username switches to an ordinary user with that user's initial environment. After switching, the environment variables are reset to those of the ordinary user.

When root switches to another user, no password is needed, while an ordinary user needs the root password to switch to root. This way of switching is generally not used and is not standard practice.

II. pam_wheel authentication

If any ordinary user obtains the root password, that user can switch to root, which is very dangerous.

If we want individual users to have the right to switch to root while other users do not, we need to enable pam_wheel authentication.

(1) Check whether the program supports the PAM module

ls /etc/pam.d | grep su

(2) Enable the pam_wheel authentication module

vim /etc/pam.d/su

(3) Remove the comment marker to enable the feature

(4) View the security group wheel

(5) Create a new account zhangsan

(6) Add the user to the security group

gpasswd -a zhangsan wheel
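One way to check the result of steps (1) to (6), as an added example that is not part of the original article: the script reports whether the wheel restriction is active in a PAM su file and whether a given user could reach root with su. The function names and the two sample files are assumptions constructed for the demonstration; on a real host the arguments would be /etc/pam.d/su and /etc/group.

```shell
#!/usr/bin/env bash
# Added example: audit the su / pam_wheel settings configured above.
# File paths are parameters so the checks can run on copies of the files.

# Succeeds if an uncommented "auth required pam_wheel.so" line is present.
pam_wheel_required() {
    awk '$1 == "auth" && $2 == "required" && $3 ~ /(^|\/)pam_wheel\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Prints the comma-separated member list of a group from a group file.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Prints "allowed" or "denied": could USER reach root with su, given the
# root password? Only members listed in the group file are considered.
can_su_to_root() {
    local user="$1" pam_file="$2" group_file="$3"
    if ! pam_wheel_required "$pam_file"; then
        echo allowed            # no wheel restriction: the password is enough
        return
    fi
    case ",$(group_members wheel "$group_file")," in
        *",$user,"*) echo allowed ;;
        *)           echo denied ;;
    esac
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth            sufficient      pam_rootok.so' \
    '#auth           sufficient      pam_wheel.so trust use_uid' \
    'auth            required        pam_wheel.so use_uid' \
    'auth            substack        system-auth' > "$demo_dir/su"
printf '%s\n' 'root:x:0:' 'wheel:x:10:zhangsan' 'lisi:x:1001:' > "$demo_dir/group"

for u in zhangsan lisi; do
    echo "$u: $(can_su_to_root "$u" "$demo_dir/su" "$demo_dir/group")"
done
```

A line that is still commented out leaves the restriction off, so every user who knows the root password is reported as allowed.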

III. Privilege elevation with sudo

You do not need to know the root password, yet you can still do what root can do, as long as you are authorized in the sudo configuration file /etc/sudoers. The security level of the /etc/sudoers configuration file is very high, and root has read-only permission on it. To modify the sudo configuration file, you can only use the visudo command. If you change its permissions with chmod, sudo as a whole cannot be used.

Conclusion: before an ordinary user can elevate privileges with sudo, the user must be authorized through visudo. Once root has granted the authorization, the user has to enter their own password each time they elevate privileges.

sudo -l shows what permissions the current user has. The first ALL is all IP addresses, the second ALL is all hostnames, which we usually do not have to write, and the third ALL is all commands. If we grant all permissions to yu, then, generally speaking, this ordinary user can use the permissions that root can use.

We can also allow login only from a certain IP address or network segment, or set which commands the user may use, with a command format such as /sbin/*, !/sbin/reboot, !/sbin/. This allows everything under /sbin/; entries are separated by commas, and an exclamation point negates, followed by the command the user is not allowed to use. First allow, then deny: this is the authorization rule. At work, authorization should be minimized.

Command: visudo or vim /etc/sudoers

Record format: user hostname list = command sequence

(1) Create a new user lisi and check lisi's permissions

(2) Modify the configuration file

visudo

(3) Modify permissions

Format: lisi localhost=/usr/sbin/useradd

(4) Verify that the user lisi can use the useradd command

sudo useradd wangwu

IV. Restrict terminal login

1. Restrict root to logging in only on secure terminals

Modify the security configuration file: vim /etc/securetty

2. Restrict the login of ordinary users

The login of ordinary users can be restricted by creating the file /etc/nologin.

Delete the file or restart to remove the restriction.
