Shulou(Shulou.com)06/02 Report--

one。 User switching and rights raising

Most Linux servers do not recommend that users log in directly as root. On the one hand, it can greatly reduce the damage caused by misoperation, on the other hand, it can also reduce the risk of privileged passwords being disclosed in insecure networks. For these reasons, it is necessary to provide an identity switching or privilege escalation mechanism for ordinary users to perform administrative tasks when necessary.

The Linux system provides us with two commands: su and sudo, in which the su command is mainly used to switch users, and the sudo command is used to enhance the execution authority, which is described below.

By default, any user is allowed to use the su command, thus having the opportunity to repeatedly try the login passwords of other users, such as root, which poses a security risk. To strengthen the control over the use of su commands, you can use pam_wheel

Authentication module allows only a few users to switch using the su command. The implementation process is as follows: add the users authorized to use the su command to the wheel group, and modify the / etc/pam.d/su authentication configuration to enable pam_wheel authentication.

2.PAM Security Certification

PAM (Pluggable Authentication Modules), a pluggable authentication module in Linux system, is an efficient, flexible and convenient authentication method at the user level, and it is also a commonly used authentication method in current Linux servers.

PAM provides a central computer system for the certification of all services, which is suitable for login, remote login (telnet,rlogin,fsh,ftp), su and other applications. System administrators make different authentication policies for different applications through PAM configuration files.

Our PAM authentication profile has our SU command

Vim / etc/pam.d/su Security Certification su configuration

Add lisi users to the wheel group

III. Sudo raises the right

You can easily switch to another user through the su command, but only if you know the target user's

Login password. For example, to switch from a jerry user to a root user, you must know the password of the root user. For students

For every Linux server in a production environment that knows a privileged password, its security risk increases by one point.

Is there a compromise that allows ordinary users to have some administrative rights without the need to use root

What about the password of the account? The answer is yes. Using the sudo command, you can increase the execution permissions. But it needs to be managed.

The manager authorizes in advance to specify which users are allowed to perform which lives as superusers (or other ordinary users).

Ling.

Cmnd_Alias instruction alias

User_Alias user alias

Host_Alias host alias

Vim / etc/sudoers

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.