Linux operations admin 1.4 (permissions and ownership, LDAP authentication)

Tags: chmod, gtk, ldap, parent directory

admin1.4

Permissions and ownership:

Basic permissions:

Categories of basic permissions:

Access modes (permissions):

---read: allows the content to be viewed (r)

(r on a directory: you can list its contents with ls)

---write: allows the content to be modified (w)

(w on a directory: you can change its contents with rm/mv/cp/mkdir/touch and similar commands)

---execute: allows a file to be run, or a directory to be entered (x)

(x on a directory: you can cd into it)

Who the permissions apply to:

--owner: the user who owns this file or directory (u, user)

--owning group: the group that owns this file or directory (g, group)

--others: every user who is neither the owner nor a member of the owning group (o, other)

To view permissions:

# ls -ld file_or_directory

Example: drwxr-xr-x. 4 root root 7 2014 /user/src

Fields, left to right: permission bits, hard link count, owner, owning group, size, last modified time, file/directory name

Set basic permissions:

Use the chmod command:
Format: chmod [-R] who+|-|=permissions file...   (who is u, g or o; permissions are r, w, x)

Cases:

# mkdir -m u+rwx,go-rwx /dir1

# ls -ld /dir1

# chmod u-w,go+rx /dir1

# ls -ld /dir1

Set file ownership:

Use the chown command:

--chown [-R] owner file...

--chown [-R] :group file...

--chown [-R] owner:group file...

Cases:

# chown -R :admin /dir1

# ls -ld /dir1

# chown -R lalala:root /dir1

# ls -ld /dir1

--------------------------------------------------------------------------------------------------

ACL access control policy

The role of the ACL policy:

Limitations of file ownership:

--everyone falls into one of just three roles: owner, group, others

--finer-grained control is not possible

ACL access policy:

--can set independent permissions for individual users and individual groups;

--supported by default on most mounted ext3/ext4 and XFS filesystems;

Set an ACL access control policy:

Use the getfacl and setfacl commands;

---getfacl file...

---setfacl [-R] -m u:username:permissions file...

---setfacl [-R] -m g:groupname:permissions file...

---setfacl [-R] -b file...

Cases:

# setfacl -R -m u:student:rwx /dir1      # add a policy

# getfacl /dir1                          # view the file's ACL

# setfacl -R -b /dir1                    # remove all ACL entries from the file
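The three setfacl/getfacl cases above, replayed in a scratch directory as an added example (not code from the original notes). It also shows a caveat the notes leave out: once an ACL exists, the group column that ls shows and that chmod edits is the ACL mask, which caps the effective rights of every named entry, so a plain chmod g-w silently demotes a u:student:rwx entry to r-x. It assumes the GNU acl package (setfacl, getfacl) and an ACL-capable filesystem, and uses numeric uid 65534 in place of the "student" account so that no account has to exist; the function prints "skipped" where ACLs cannot be exercised.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the setfacl cases from the
# page in a scratch directory and read the result back with getfacl, including
# the effect of chmod on the ACL mask. Assumes GNU acl tools and an ACL-capable
# filesystem; prints "skipped" where either is missing.
set -eu

# Permissions of the first named-user entry in a path's ACL (e.g. "rwx").
named_user_perms() {
    getfacl -c "$1" | awk -F: '$1 == "user" && $2 != "" { print $3; exit }'
}

# Permissions of the mask entry (e.g. "r-x"); empty when no ACL is set.
mask_perms() {
    getfacl -c "$1" | awk -F: '$1 == "mask" { print $3; exit }'
}

# Prints "<named entry> <mask after chmod g-w> <named entries left after -b>",
# e.g. "rwx r-x 0", or "skipped" when ACLs cannot be tested on this host.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d)
    mkdir -m 750 "$work/dir1"
    # Named-user entry. Numeric uid 65534 (nobody on most systems) stands in
    # for the "student" account on the page so that no account needs to exist.
    if ! setfacl -R -m u:65534:rwx "$work/dir1" 2>/dev/null; then
        rm -rf "$work"; echo skipped; return 0
    fi
    entry=$(named_user_perms "$work/dir1")
    # ls -ld now shows the mask in the group column (drwxrwx---+). Taking w
    # away from "the group" with chmod rewrites that mask, so the rwx entry is
    # effectively r-x; getfacl marks the line with "#effective:r-x".
    chmod g-w "$work/dir1"
    mask=$(mask_perms "$work/dir1")
    # setfacl -b strips every extended entry, and the mask with them.
    setfacl -R -b "$work/dir1"
    left=$(getfacl -c "$work/dir1" | awk -F: '$1 == "user" && $2 != ""' | wc -l)
    rm -rf "$work"
    echo "$entry $mask $left"
}
```

When auditing a host, the "+" at the end of an ls -l mode string is the only hint that an ACL exists; run getfacl on anything that shows it, and read the mask line before concluding what a named user can actually do.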

--------------------------------------------------------------------------------------------------

Additional permissions:

Set UID:

Attached in the owner's x position:

---the owner's x identifier becomes s;

---applies to executable files: whoever runs the file takes on the identity and (some of) the permissions of the file's owner.

Set GID:

Attached in the owning group's x position:

---the group's x identifier becomes s;

---on an executable file it works like Set UID, with the file's group instead of its owner;

---on a directory, new files created inside it automatically get the same owning group as the parent directory;

Sticky bit:

Attached in the others' x position;

---the others' x identifier becomes t;

---for directories that are writable by everyone, it prevents users from abusing the w permission (they cannot remove or rename other users' files)

Set additional permissions:

# chmod u+s,g+s /dir1

# chmod o+t directory...
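The chmod and mkdir -m cases from the basic-permissions section and the Set GID and sticky-bit cases above, replayed in a scratch directory as an added example (not code from the original notes). Instead of eyeballing ls -ld output, each step reads the resulting mode back with stat, and a small audit helper lists set-uid files below a directory, which is the check a defender runs after learning what the s bit does. It assumes GNU coreutils on Linux (stat -c, mkdir -m) and runs as any user.

```shell
#!/bin/sh
# Added example (not from the original notes): replay the chmod, mkdir -m and
# special-bit cases from the page in a scratch directory and read the resulting
# mode bits back with stat. Assumes GNU coreutils on Linux.
set -eu

# Octal mode of a path, including the special bits, e.g. 750 or 2770.
mode_of() {
    stat -c '%a' "$1"
}

# Basic permissions: mkdir -m u+rwx,go-rwx, then chmod u-w,go+rx.
# Prints the two modes seen, e.g. "700 555".
basic_perm_demo() {
    work=$(mktemp -d)
    # owner rwx, group and others nothing -> 700 (the umask does not matter here)
    mkdir -m u+rwx,go-rwx "$work/dir1"
    m1=$(mode_of "$work/dir1")
    # owner loses w, group and others gain r and x -> 555
    chmod u-w,go+rx "$work/dir1"
    m2=$(mode_of "$work/dir1")
    rm -rf "$work"
    echo "$m1 $m2"
}

# Set GID on a shared directory and the sticky bit on a world-writable one.
# Prints "<setgid mode> <group inherited?> <sticky mode>", e.g. "2770 yes 1777".
special_bits_demo() {
    work=$(mktemp -d)
    mkdir -m 770 "$work/project"
    chmod g+s "$work/project"              # ls -ld shows drwxrws---
    m_sgid=$(mode_of "$work/project")
    # a new file inside takes the directory's group, not the creator's primary group
    touch "$work/project/report.txt"
    if [ "$(stat -c '%g' "$work/project")" = "$(stat -c '%g' "$work/project/report.txt")" ]; then
        inherit=yes
    else
        inherit=no
    fi
    mkdir -m 777 "$work/public"
    chmod o+t "$work/public"               # ls -ld shows drwxrwxrwt, the /tmp pattern
    m_sticky=$(mode_of "$work/public")
    rm -rf "$work"
    echo "$m_sgid $inherit $m_sticky"
}

# Defender's check for Set UID: list every set-uid file below a directory.
# Such files run as their owner no matter who starts them, so the list should
# be short and every entry known. On a real host: list_setuid /usr/bin
list_setuid() {
    find "$1" -type f -perm -4000
}
```

Run basic_perm_demo and special_bits_demo to see the modes; the 2 and 1 leading the four-digit values are the Set GID and sticky bits that ls renders as s and t. Note that chmod u+s,g+s on a directory, as in the notes' case, sets the bits but the Set UID bit has no effect on directories on Linux; it is the executable case that matters for Set UID.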

-----------------------------------------------------------------------------------------------------

Using LDAP authentication

LDAP directory service:

What is LDAP:

Lightweight Directory Access Protocol:

The server centrally stores information and provides it to clients; the information is organized hierarchically, much like DNS;

The information provided includes user names, passwords, contact details, hostname mappings, ...

Typical way LDAP is used:

--provides a set of user accounts that a group of clients can log in with

--network users: user name and password information is stored on the LDAP server;

--these clients all join the same LDAP domain;

How to join an LDAP domain:

Prerequisites for joining LDAP:
1. The server side provides:

--the LDAP server address and the base DN;

--the certificate used for encryption (if required);

2. Client preparation:

--change the authentication method used for user logins to enable LDAP;

--configure the LDAP server parameters correctly;

--packages: sssd, authconfig-gtk

Installation steps:

Step one: install the supporting software sssd and the graphical configuration tool authconfig-gtk
# yum -y install sssd authconfig-gtk
Step two: configure the LDAP client parameters
1) Use the authconfig-gtk authentication configuration tool
After opening the configuration program (1) you see the Identity & Authentication window.
In the drop-down box to the right of "User Account Database" select LDAP, and in the drop-down box to the right of "Authentication Method" select "LDAP password". Then fill in the text box after "LDAP Search DN" with the base DN string "dc=example,dc=com", and the text box after "LDAP Server" with the LDAP server address "classroom.example.com".
Tick the box before "Use TLS to encrypt connections"; the "Download CA Certificate" button below it becomes available and the warning message disappears.
Click the "Download CA Certificate" button and fill in the URL of the CA certificate used for TLS encryption (http://classroom.example.com/pub/EXAMPLE-CA.CRT), then click OK to return to the configuration screen and click the "Apply" button at the bottom right (4). Wait a moment for the setup to complete; the configuration program closes automatically.
2) Make sure the sssd service is running
As long as the previous step was configured correctly, the sssd service should already be running:
# systemctl status sssd
Make sure sssd also starts at boot:
# systemctl enable sssd
Step three: verify LDAP client authentication
1) The LDAP network user can be resolved on the client
Check the id values of ldapuser0:
# id ldapuser0
2) You can su to the LDAP network user
Switch to user ldapuser0 and back:
# su - ldapuser0
3) You can log in to the client machine as an LDAP network user
Try logging in to server0 over ssh as user ldapuser0 with the password "password":
# ssh ldapuser0@server0
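What the authconfig-gtk steps above end up producing is an sssd configuration in /etc/sssd/sssd.conf. The added example below (not from the original notes, and not the exact file authconfig writes) generates an equivalent sssd.conf by hand for the server and base DN given on the page, then checks the two things that most often break an LDAP client: the file mode (sssd refuses to start on a config that is not 0600) and TLS certificate verification (ldap_tls_reqcert set to anything weaker than demand lets a client bind, and send the user's password, to whoever answers on the LDAP port). The CA path /etc/openldap/cacerts/EXAMPLE-CA.CRT is an assumed location for the certificate the GUI downloads.

```shell
#!/bin/sh
# Added example (not from the original notes): an sssd.conf for the LDAP
# client described on the page, written by hand, plus a deploy-time check
# of its file mode and TLS settings. Assumptions: RHEL/CentOS 7 layout and
# the CA file copied to /etc/openldap/cacerts/EXAMPLE-CA.CRT.
set -eu

# Write an sssd.conf for one LDAP domain.
# $1 = output file, $2 = LDAP server host, $3 = base DN, $4 = CA certificate path
write_sssd_conf() {
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://$2
ldap_search_base = $3
# Upgrade the plain ldap:// connection with STARTTLS and insist on a
# verified server certificate; "allow" and "never" accept any certificate.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = $4
cache_credentials = true
EOF
    # sssd will not start on a config readable by anyone else
    chmod 600 "$1"
}

# Return 0 and print "ok" if the config is safe to deploy: mode 0600,
# certificate verification demanded, and a CA file configured.
# Otherwise print the first problem found and return 1.
check_sssd_conf() {
    mode=$(stat -c '%a' "$1")
    if [ "$mode" != 600 ]; then
        echo "bad mode $mode (want 600)"; return 1
    fi
    if ! grep -Eq '^ldap_tls_reqcert *= *demand *$' "$1"; then
        echo "ldap_tls_reqcert is not demand"; return 1
    fi
    if ! grep -Eq '^ldap_tls_cacert *= *[^ ]' "$1"; then
        echo "ldap_tls_cacert not set"; return 1
    fi
    echo ok
}
```

Usage on a client: write_sssd_conf /etc/sssd/sssd.conf classroom.example.com dc=example,dc=com /etc/openldap/cacerts/EXAMPLE-CA.CRT, run check_sssd_conf on the result, then systemctl restart sssd and repeat the id and su checks from step three. The notes fetch the CA certificate over plain HTTP, which gives the client no way of knowing the file is genuine; compare its fingerprint with one obtained from the LDAP administrator out of band before trusting it, because with ldap_tls_reqcert = demand that CA is the only thing standing between the client and a spoofed LDAP server.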

This article is from the Linux Ops blog; please keep this source: http://13401400.blog.51cto.com/13391400/1977599
