
Introduction to users and groups of the Linux system

2025-02-21 update. From: SLTechnology News&Howtos, Servers


Shulou (Shulou.com) 06/02 Report

I. Introduction to the 3A security system

Modern computer operating systems are basically designed as multi-user, multi-task systems so that resources can be shared at various levels. To prevent resources from being abused or misappropriated, every such system has a complete set of security control mechanisms, which is what we usually call the 3A security system; it originates from the auditing processes of real human society. Its three components are as follows:

Authentication: verifies the identity of the user, that is, whether the user is legitimate. Who are you?
Authorization: grants authenticated users rights to resources and decides which resources they may use. What permissions do you have?
Accounting (also Auditing): records how users use resources, as the basis for billing or for a security audit. How much did you use? What did you do?

In a word: I know who you are, I grant you the right to use resources, please abide by the rules, and I can audit your behavior!

II. Users and groups of the Linux system

In the end it is a natural person who obtains the right to use a resource, but how does the operating system identify a specific natural person and make them follow the rules? That is the problem solved by the system's access control over users and groups. The operating system can identify natural persons through a variety of technologies: chip-based tokens (access cards, hardware dongles), biometrics (fingerprint, iris, face recognition and so on), and traditional user accounts. This section introduces how the first link of the 3A security system, Authentication, solves the problem of user authentication.

The operating system's link to a specific natural person is the user; to make authorization in batches convenient there is also the concept of the user group. Almost all operating systems follow this design. Both the user and the user group are merely vehicles for granting rights: the system administrator assigns a user account to each natural person and grants permissions to that account. Similarly, rights that several natural persons in a department or organizational unit have in common can be granted through a user group.

Linux authentication process: the user submits a user name and password, and the system decides whether the login is legitimate by comparing what was submitted with the locally stored user information. If the user is legitimate, a token and a security principal identity are returned to the user. Windows authentication process: when a user submits a user name and password, the local LSA (Local Security Authority) of Windows likewise performs the comparison and returns a token, but that token also contains the groups the user belongs to and a summary of the user's permissions in the system or domain. The comparison against this token is made when a resource is accessed, which is why a Windows user must log out and log back in after each change to their authorization: only a new logon obtains a fresh access token from the system or domain.

1. Users and groups in the Linux system

The Linux system uses an ID to identify users, who are divided into administrative users and ordinary users. Linux identifies a user by UID; Windows relies on the SID. The details are as follows:

User UID: identifies the user

Administrative user: root, UID 0. (The Windows built-in Administrator account has a SID whose relative identifier ends in -500.)
Ordinary users: UID 1-60000, allocated automatically, and subdivided into:
    System users: UID 1-499 (CentOS 6), 1-999 (CentOS 7 and 8); used by daemons so that the resources they own can be assigned permissions.
    Login users: UID 500+ (CentOS 6), 1000+ (CentOS 7 and 8); interactive login users, associated with natural persons, the entities that receive authorization.

Querying the identity: Linux uses id, Windows uses whoami.

    [root@Centos8 ~]# id root
    uid=0(root) gid=0(root) groups=0(root)
    [root@Centos8 ~]# id houzhihui
    uid=1000(houzhihui) gid=1000(houzhihui) groups=1000(houzhihui)

    C:\Users\Administrator>whoami /user
    User Name                      SID
    desktop-aajmtra\administrator  S-1-5-21-2701678464-1708204996-1248473524-500

    C:\Users\microcisco>whoami /user
    User Name                      SID
    desktop-aajmtra\microcisco     S-1-5-21-2701678464-1708204996-1248473524-1001

User group GID: identifies the user group

Administrator group: root, GID 0.
Ordinary groups:
    System groups: GID 1-499 (CentOS 6), 1-999 (CentOS 7).
    Ordinary (login) groups: GID 500+ (CentOS 6), 1000+ (CentOS 7).

The ranges of UID and GID are defined explicitly in the file /etc/login.defs (the UID_MIN, UID_MAX, SYS_UID_MIN, SYS_UID_MAX, GID_MIN, GID_MAX, SYS_GID_MIN and SYS_GID_MAX entries). If you have a customization requirement, edit that file.
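To show how the thresholds in /etc/login.defs drive the classification above, here is an added shell example (not from the original article). It embeds a constructed login.defs fragment with CentOS 7/8-style values and a constructed passwd snippet so that it runs offline; on a real host you would read the real /etc/login.defs and /etc/passwd. The accounts other than root and houzhihui are invented.

```shell
#!/bin/sh
# Added example: classify UIDs using the thresholds of a login.defs-style file.
# LOGIN_DEFS and PASSWD below are constructed for this demonstration; on a real
# host substitute: LOGIN_DEFS=$(cat /etc/login.defs); PASSWD=$(cat /etc/passwd)

LOGIN_DEFS='# constructed fragment with CentOS 7/8-style defaults
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
'

PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nginx:x:993:990:nginx user:/var/lib/nginx:/sbin/nologin
houzhihui:x:1000:1000::/home/houzhihui:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
'

# login_def KEY -> value of KEY from $LOGIN_DEFS (comments and blank lines ignored)
login_def() {
    printf '%s\n' "$LOGIN_DEFS" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# classify_uid UID -> root | system | login | out-of-range
# Everything below UID_MIN (other than 0) is a system account; useradd -r picks
# such IDs from SYS_UID_MIN..SYS_UID_MAX, lower values are reserved for static IDs.
classify_uid() {
    uid=$1
    uid_min=$(login_def UID_MIN)
    uid_max=$(login_def UID_MAX)
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ "$uid" -ge "$uid_min" ] && [ "$uid" -le "$uid_max" ]; then
        echo login
    elif [ "$uid" -gt 0 ] && [ "$uid" -lt "$uid_min" ]; then
        echo system
    else
        echo out-of-range   # above UID_MAX: never auto-allocated, e.g. nobody on CentOS 8
    fi
}

# classify_passwd -> one line "name uid class" per passwd entry
classify_passwd() {
    printf '%s\n' "$PASSWD" | while IFS=: read -r name pw uid gid rest; do
        [ -n "$name" ] || continue
        echo "$name $uid $(classify_uid "$uid")"
    done
}

classify_passwd
```

Because the classification reads UID_MIN and UID_MAX from the file rather than hard-coding 1000, the same script gives the CentOS 6 answer (system accounts below 500) if the fragment is replaced with a CentOS 6 login.defs.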

Basic group and auxiliary group

Unlike Windows, by default each user created in Linux automatically gets a corresponding user group as that user's basic group; its name matches the user name and its GID matches the UID. Corresponding to the basic group is the auxiliary group. The differences between the two are as follows:
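As an added example (not part of the original article), the following shell script resolves a user's basic group from the GID field of the passwd entry and the auxiliary groups from the member lists in /etc/group, which is exactly how id(1) arrives at its gid= and groups= output. The passwd and group lines are constructed for the demonstration (the devops group and the users alice and bob are invented); on a real host replace them with the output of getent passwd and getent group.

```shell
#!/bin/sh
# Added example: resolve basic (primary) and auxiliary (supplementary) groups
# the way id(1) does. PASSWD and GROUP are constructed sample data; on a real
# host use PASSWD=$(getent passwd) and GROUP=$(getent group).

PASSWD='root:x:0:0:root:/root:/bin/bash
houzhihui:x:1000:1000::/home/houzhihui:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
'

# group entries: name:password:GID:comma-separated member list
GROUP='root:x:0:
houzhihui:x:1000:
alice:x:1001:
bob:x:1002:
devops:x:2000:houzhihui,alice
wheel:x:10:houzhihui
'

# primary_gid USER -> the GID field (4th) of USER's passwd entry; empty if unknown
primary_gid() {
    printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# group_name GID -> name of the group with that numeric GID
group_name() {
    printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# supplementary_groups USER -> comma-separated names of groups whose member
# list contains USER (empty string if none). Membership of the basic group is
# implied by passwd, so it never needs to appear here.
supplementary_groups() {
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { out = out (out ? "," : "") $1; break }
        }
        END { print out }'
}

# show_id USER -> "USER primary=NAME supplementary=a,b" (or "none"); 1 if unknown
show_id() {
    pg=$(primary_gid "$1")
    [ -n "$pg" ] || { echo "$1: no such user" >&2; return 1; }
    sup=$(supplementary_groups "$1")
    echo "$1 primary=$(group_name "$pg") supplementary=${sup:-none}"
}

for u in root houzhihui alice bob; do show_id "$u"; done
```

Note that adding houzhihui to devops changed only the member field of one /etc/group line; nothing in the passwd entry moved. That is what makes the auxiliary group the right tool for batch authorization: grant the resource to devops once, then edit a single member list as people join or leave.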

User's basic group: created together with the user account. It has the user as its only member, and its name and GID match the user name and UID. It is also called the primary group or private group.
User's auxiliary group: used for batch authorization. "Auxiliary" is a relative term: such a group's membership is not limited to a single user, so it is also called a public group. The auxiliary group is a convenient way for a user to obtain additional permissions. For example, if a resource must be shared with every member of a department, it is enough to create a public group, assign rights on the resource to that group, and then add the department members' user accounts to the group; the authorization is done in one batch. The "auxiliary" in the name is therefore relative to the user, and a user can belong to zero or more auxiliary groups.

III. Users and groups of the Windows system

Consider the past you shall know the future

In terms of security systems for managing network resources, Microsoft Windows has for many years had a security management system it can be proud of: Active Directory. As an enterprise desktop operating system, its terminal management functions are quite complete, and an article on users and groups that left out Microsoft's Active Directory would feel like something was missing. This section introduces the use of users and groups in Active Directory as an extension of the topic.

The original intention of Microsoft Active Directory was to build a dynamic index of the resources scattered across a network so that professional maintenance staff could authorize and manage them centrally. Active Directory treats the domain as the network security boundary; the domain is a logical concept. All network resources, users and terminals within a domain are objects of that domain and are centrally controlled by Active Directory's rights management. User accounts and user groups work much as in Linux. The biggest difference is that Windows groups support nesting while Linux groups do not, so the authorization management functions of Windows are richer; but precisely because groups can be nested, it is easy to create overlapping authorizations and make rights management confusing. Microsoft therefore strongly recommended a best-practice principle for authorization to its customers as early as the Windows Server 2000 era: AGUDLP.

A stands for Accounts. User accounts are divided into local accounts and domain user accounts, and groups likewise into local groups and domain groups. Local accounts and groups are stored and managed in the computer's local SAM database. A domain user account can be used only after the computer has joined the domain; domain user accounts and domain groups are stored and managed on a domain controller (DC). Once a computer has joined the domain, the domain administrator can add domain user accounts to the computer's local groups to grant them the right to use local resources.

G stands for Global group. Used mainly to organize user accounts. Scope: any domain in the domain tree. Members: user accounts and global groups from the same domain. A global group can be granted access to resources in any domain. Note: global groups can be nested.

U stands for Universal group. Scope: the entire forest and trusting domains. It serves as the organizational container for the objects that need cross-domain resource access within the forest; the universal group and all of its members are written to the database called the Global Catalog (GC). A universal group can access resources in any domain and can contain user accounts, global groups and universal groups from any domain in the forest. It can be pictured as the medium in a horror film who escorts the caller into another world. (The joke is vivid, but take care: when the domain functional level is Windows 2000 mixed mode, universal security groups cannot be created; the domain functional level must be raised before universal groups can be used.)

DL stands for Domain Local group. Scope: the local domain only; it can be granted access only to resources within its own domain. If members of such a group need resources in another domain, they must reach them through a global group that the other domain's administrator has authorized. Members of a domain local group can be domain local groups from the same domain, as well as accounts, global groups and universal groups from any domain. The only resources it can be assigned are those of the domain where it lives.

P stands for Permissions, the access users have to resources. Both Windows and Linux build on three basic permissions, read, write and execute. Depending on the file type these combine into very rich behaviour, but however fancy the operation presented to the user, it reduces to a combination of the three:

Read permission, identified as r (Readable): on a file, read its contents (updates atime); on a directory, list the names of the files it contains with ls or dir.
Write permission, identified as w (Writable): on a file, modify its contents (updates mtime); on a directory, create files in it and delete files from it.
Execute permission, identified as x (eXecutable): the cornerstone that read and write permissions combine with. On a file, the file is handed to the kernel to run as a process with the given security context, and further processing is done by that process; on a directory, cd into it and (together with r) view the metadata of the files inside with ls or dir.
Special execute permission, identified as X: in a chmod mode, X grants execute only to directories and to files that already have an execute bit set for some user; it never gives a plain data file the x bit.
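Added example, not from the original article: the script below shows the difference between lowercase x and capital X in a chmod symbolic mode, which is the edge case described above. It works in a throwaway directory created with mktemp and leaves nothing behind, so it can be run on any Linux host regardless of which user runs it.

```shell
#!/bin/sh
# Added example: lowercase x versus capital X in a chmod symbolic mode.
# Creates three test objects in a temporary directory and removes them again.

# mode PATH -> the 10-character type/permission field of ls -ld, e.g. -rw-r-----
# (cut drops the 11th "." or "+" that ls appends when SELinux labels or ACLs exist)
mode() {
    ls -ld "$1" | cut -c1-10
}

# after_chmod MODE NAME -> permission string of NAME after "chmod -R MODE" is
# applied to a fresh set of three objects:
#   dir     a directory,                        initially 700
#   script  a file with an owner execute bit,   initially 700
#   data    a plain data file,                  initially 600
after_chmod() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/dir"
    printf '#!/bin/sh\necho hi\n' > "$tmp/script"
    printf 'secret\n' > "$tmp/data"
    chmod 700 "$tmp/dir" "$tmp/script"
    chmod 600 "$tmp/data"
    chmod -R "$1" "$tmp/dir" "$tmp/script" "$tmp/data"
    mode "$tmp/$2"
    rm -rf "$tmp"
}

# Side by side: o+rx blindly marks the data file executable for others,
# o+rX gives "others" search on the directory and execute on the script only.
for obj in dir script data; do
    printf '%-7s o+rx: %s   o+rX: %s\n' "$obj" \
        "$(after_chmod o+rx "$obj")" "$(after_chmod o+rX "$obj")"
done
```

This is why a recursive chmod -R o+rX over a tree of shared files is the safe way to let others traverse the directories without turning every document into an executable; chmod -R o+rx would do exactly that.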

Intra-domain and inter-domain authorization: AGDLP

First add the user accounts (A) to a global group (G); then add G to a domain local group (DL); finally assign permissions (P) to the DL.

The advantage is that once the administrators of the two domains have each added the other domain's global group to a domain local group of their own, the members of those global groups can access resources across the domains, and later membership changes are controlled solely by the administrator of each member's own domain, without bothering the administrator of the other domain!

Cross-domain authorization between trees within a forest: AGUDLP

First add the user accounts (A) to a global group (G); then add G to a universal group (U); then add U to a domain local group (DL); finally assign permissions (P) to the DL.

The advantage is that once the global group has been added to the universal group, its members hold a pass for cross-domain access throughout the forest wherever domain trust relationships exist, and later membership management of the group is controlled solely by the local administrator!

IV. Summary

Whether in Linux or Windows, the role of a user is to be associated with a natural person, and a user group is a container for organizing and managing users so that authorization can be done in batches. Both are the entity objects to which resource access is authorized, and together they solve the first A of the 3A security system, Authentication.

All right, that's all for this section. A spoiler: the next section will introduce the management of users and groups!
