0518 Fifth session


Security: the three As (AAA)

Authentication: verifying who the user is

Authorization: deciding what the user may do

Accounting / Auditing: recording what the user did




User

Administrative user: UID 0. It is not necessarily the user named root; a user named root whose UID is not 0 is not an administrative user. What counts is the UID.

Normal users: UID 1-65535

System users: 1-499 (CentOS 6), 1-999 (CentOS 7)

System users are the nologin accounts that daemons run as in order to obtain resources and to scope their permissions.

Login users: 500 and above (CentOS 6), 1000 and above (CentOS 7)

Users that log in with an account and password: interactive login.



Group

Administrators group: GID 0

Normal groups:

System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)

Normal (login) groups: 500 and above (CentOS 6), 1000 and above (CentOS 7)




Security context:

Simply put, a process runs with the permissions of the user who started it.



Categories of Linux groups

User's primary group: a user has exactly one primary group.

Private group: a group that has the same name as the user is called that user's private group.

Supplementary (additional) groups: a user can have several, or none at all.




Four important configuration files for users and groups

Users: /etc/passwd

/etc/shadow

Groups: /etc/group

/etc/gshadow



passwd: the file that records a user's account information

Format:

username:x:uid:gid:description:home directory:default shell

x: before 6 this field held the encrypted password; from 6 on the encrypted password is kept in shadow and this field holds only an x.

gid: the GID in passwd is the GID of the user's primary group.

shadow: the file that records users' encrypted passwords

Format:

username:encryption type:salt (random characters):encrypted password body:date of last password change:password minimum age:password maximum age:warning period:inactivity period:account expiration:reserved field

(The encryption type, salt and password body are all stored in the second field, separated by $.)

Salt (random characters): so that two users with the same password do not end up with the same ciphertext, some random characters are mixed into the password before it is encrypted.

Last change: the number of days from the Unix epoch (1 January 1970) to the last password change.

Warning period: starting x days before the password expires, the user is warned that the password will expire in x days.

Inactivity period: the password is not disabled the moment it expires; there is a grace period in which you must change it, and only when that period ends is the password disabled.

Account expiration: the lifetime of the account; after it the user can no longer log in.

When a user has no password, the shadow entry reads username:!!:... The !! means the account cannot log in and is the system default. If the !! is deleted, the user can log in with no password at all. Conversely, when we want to stop a user from logging in, prepend a single ! to the password field in shadow (username:!<hash>:...) and that is enough.
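The passwd and shadow layouts above, worked through as an added example (not part of the original notes): the entries are constructed samples with placeholder hashes, the UID thresholds are the CentOS 7 ones, and the password-field decoding follows the !! / ! / * conventions described above.

```shell
#!/bin/sh
# Constructed sample entries in /etc/passwd and /etc/shadow format (not from a real host);
# the hashes are placeholders, not real password hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash'
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:18000:0:90:7:14::
bob:!!:18000:0:99999:7:::
carol:!$6$saltsalt$placeholderhash:18000:0:99999:7:::'

# Classify a UID with the CentOS 7 thresholds from the notes.
uid_class() {
    if [ "$1" -eq 0 ]; then echo admin
    elif [ "$1" -lt 1000 ]; then echo system
    else echo login
    fi
}

# Second shadow field: "!!" or "*" means no password login is possible (the default for a
# user created without a password); a leading "!" in front of a real hash is a lock that
# keeps the old hash; an empty field means login without any password, which is dangerous.
password_state() {
    hash=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { found = 1; print $2 } END { if (!found) print "<none>" }')
    case $hash in
        '<none>') echo no-entry ;;
        '')       echo empty ;;
        '!!'|'*') echo locked ;;
        '!'*)     echo locked-hash-kept ;;
        *)        echo set ;;
    esac
}

# Fields 5 and 7 of shadow: maximum age and inactivity period, in days.
password_aging() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { printf "max=%s inactive=%s\n", $5, $7 }'
}

# Walk the passwd sample and report name, UID class, shell and password state per user.
report() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid gecos home shell; do
        printf '%s %s %s %s\n' "$name" "$(uid_class "$uid")" "$shell" "$(password_state "$name")"
    done
}
report
```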





group and gshadow have basically the same layout.

The last field is the list of members of the group; the field before it (in gshadow) lists the group administrators. A group administrator can add and remove group members and make other changes to the group.






Password complexity policy: is this also something taught in the employment class?




4 small commands

vipw and vigr

Commands for editing passwd and group; they don't seem to make much sense.

pwck and grpck

Check the passwd and group files for errors; not very likely to be used either.

Just remember them.




User management commands

useradd: add a user

-u: specify the user's UID

-g: specify the GID of the user's primary group

Note: if you do not specify a primary group, a private group for the user is created automatically.

-G: specify the GIDs of the user's supplementary groups

-d: specify the user's home directory

Note: if the directory given as the home directory already exists, the skeleton files are not added by default; they can be copied manually from /etc/skel.

-c: add a description (comment)

-r: create a system user

-s: specify the user's default shell

-M: do not create the user's home directory

Note: a user with no home directory can still log in, but after login they are placed in / instead of a home directory.

-N: do not create a private group for the user; the user's primary group is set to the default group shown by useradd -D

-D: change some of the default settings

Note: the defaults are stored in /etc/default/useradd

Note: some other defaults can be changed in /etc/login.defs



userdel: delete a user; by default the user's home directory is not deleted

-r: delete the user's home directory, mail spool and so on together with the user

Note: when a user is deleted without -r, the home directory and the other directories created automatically at user creation are not deleted. With -r, only the directories created when the user was created are deleted; directories and files the user created elsewhere are kept, but their owner and group become the bare UID and GID of the removed user, and if those IDs are later assigned to a new user, that user becomes the owner of those files.

Tip: some of the user's directories can be deleted by hand:

Home directory://

Mail: /var/spool/mail


usermod: modify a user's attributes

-u: change the user's UID

-g: change the user's primary group

-G: change the user's supplementary groups

Note: this is an overwriting change: the original supplementary groups are dropped in favour of the new ones. To add to the list instead, combine it with -a.

-aG: add supplementary groups to the user

-c: change the user's description

-d: change the user's home directory

Note: the contents of the old home directory are not moved; to move them as well, add -m

-md: move the contents of the home directory to the newly specified home directory

-s: change the user's shell

-L, -U: lock / unlock the user





Group management commands

groupadd: create a new group

-g: specify the GID

-r: create a system group

groupdel: delete a group

groupmod: modify a group

-g: change the group's GID

-n: change the group's name



Batch creation of users

newusers: write the users into a text file in passwd format, then run

newusers file

chpasswd: bulk-change user passwords

File format:

user:password

id: show a user's IDs

-u: show the user's UID

-g: show the GID of the user's primary group

-G: show the IDs of all the user's supplementary groups

-n: show names instead of IDs




su: switch user

-: with the dash in the middle it is a login switch; without it, a non-login switch

Don't take this lightly: the working directory and home directory differ between the two kinds of switch.

-c

su - name -c command

Run the command as user name

passwd: change a password; with no arguments it changes your own password, add a username to change someone else's

-e: expire the password by setting the last-change date to 0; the user must change the password at the next login

-n, -x: minimum and maximum age for password changes

-w: change the warning period

-i: change the inactivity period

--stdin:

passwd --stdin name reads the new password from a redirect or a pipe


gpasswd: with no options, set the group password; what the group password is for can be seen with newgrp

-a: add a user to a group

-d: remove a user from a group

gpasswd -a name gname

groupmems -a -g: similar to gpasswd with its options

-a: add a user

-d: delete a user

-l: list the group's members

-p: purge all members from the group


chage -l: list a user's password aging periods

chsh: change the user's shell

chfn: change the finger information



groups gname: view the members of a group

newgrp: temporarily switch to another group as the primary group. If you are not among that group's supplementary members you must enter the group password (set with gpasswd).

The - option works as with su



Set the system to allow only administrators to log in

Create /etc/nologin with touch in /etc; delete the file to cancel.






Permission management

Krwxrwxrwx

K is the file type: -, d, c, b, l, s, p

r: read

x: execute

w: write

u: user (owner)

g: group

o: other

a: all

For a file,

r: the contents of the file can be read

w: the contents of the file can be added to, changed, etc.

x: the file can be executed

Note: for a file, executing it does not affect the file itself but the whole system, which is a dangerous operation, so by default a file is not given x. The maximum permission a file gets by default is

-rw-rw-rw-

For directories,

r: the contents of the directory can be listed with ls, but not with ll

w: files can be created and deleted inside the directory

x: you can cd into the directory and view the detailed attributes of the files in it with ll

Note: for directories it is generally important to grant r and x together.



-  rwx  rwx  rwx
   421  421  421
    u    g    o


Permission-related commands: chmod, chown, chgrp, umask

chmod: change the permissions of a file or directory

-R: recursive

--reference=file1 file2: set file2's permissions to match file1

Usage: chmod u=,g=,o=/a= file

Set exact permissions

chmod u+,g+,o+/a+ file

Add a permission

chmod 777 file

Set exact permissions numerically

Note: u, g, o can be written together as ugo, ug, og, etc., and separate clauses are separated by commas

When using chmod -R, to avoid giving files the x (execute) bit, use X instead: X grants x to directories only, not to files



chgrp: set the group

-R: recursive

Usage: chgrp gname file

chown: set the owner and group

-R: recursive

Usage: chown name:gname file

Note: chown can change the group alone, the owner alone, or both. When changing only the group, the colon in front of gname must be written, otherwise the name is taken as the owner. When changing only the owner, the trailing colon must not be written, otherwise the group is also changed, to the group with the same name as the owner.

Also, with chmod -R +X dir, X has no special effect on directories: they simply get the x bit. For files, if any of the u, g, o positions already has x,
then X gives x to all three positions; if the file has no x anywhere, X grants no x at all.
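The X behaviour described above, shown on throwaway files in a temporary directory; this is an added example, not part of the original notes, and the modes 750/640/740 are just constructed starting points.

```shell
#!/bin/sh
# Added example: what chmod's capital X actually does, on throwaway files in a temp dir.
# The directory gets x for the named classes; a regular file gets x only if some class
# already had x, and then every named class gets it.
capital_x_demo() (
    umask 022
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/sub"
    : > "$tmp/sub/plain"            # no x anywhere: X must leave it alone
    : > "$tmp/sub/script"           # owner has x: X adds x for group and other too
    chmod 750 "$tmp/sub"
    chmod 640 "$tmp/sub/plain"
    chmod 740 "$tmp/sub/script"
    chmod -R a+X "$tmp/sub"
    out=""
    for f in "$tmp/sub" "$tmp/sub/plain" "$tmp/sub/script"; do
        mode=$(ls -ld "$f" | cut -c1-10)   # type character plus the u, g, o triplets
        out="$out${out:+ }$mode"
    done
    rm -rf "$tmp"
    printf '%s\n' "$out"             # drwxr-x--x -rw-r----- -rwxr-x--x
)
capital_x_demo
```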




umask: I don't know how to describe it.

umask with no arguments shows the current umask value

umask ###: change the umask value

Note: a change made this way only affects the current shell. To make it permanent, append it to /etc/bashrc, which affects every user, or, to affect a single user, append it to .bashrc in that user's home directory.
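How a umask turns into the default modes of new files (base 666) and directories (base 777), as an added example that is not part of the original notes: the first function observes the result on real temporary files, the second computes it.

```shell
#!/bin/sh
# Added example: observe the default modes a umask produces (new file: 666 & ~umask,
# new directory: 777 & ~umask), then compute the same numbers without touching the disk.
umask_demo() (                       # $1: umask such as 022 or 077
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    : > "$tmp/f"                     # a new regular file starts from 666
    mkdir "$tmp/d"                   # a new directory starts from 777
    fmode=$(ls -ld "$tmp/f" | cut -c1-10)
    dmode=$(ls -ld "$tmp/d" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$fmode" "$dmode"
)

umask_apply() {                      # $1: umask, $2: file or dir; prints the octal mode
    base=0777
    [ "$2" = file ] && base=0666
    printf '%03o\n' $(( base & ~0$1 ))   # leading 0 makes the shell read both as octal
}

umask_demo 022                       # -rw-r--r-- drwxr-xr-x
umask_apply 022 file                 # 644
umask_apply 027 dir                  # 750
```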


Special permissions on Linux

SUID: only meaningful on executable binaries, not on directories. It lets a user who runs the program temporarily obtain the permissions of the file's owner.

The typical example is /usr/bin/passwd: while running passwd the user can affect /etc/passwd, which they normally cannot.

Usage: chmod u+s file. Shown as s when the file already has x permission;

shown as S when the file does not have x permission.

Note: this is actually a very dangerous permission. If a program with this bit is copied onto removable media such as a USB stick and the stick is then mounted on another machine or system

by hand, remember to enable nosuid. Automatic mounts use it by default; a manual mount has to turn it on itself.

SGID: can be used on files and also on directories. On a file it works like SUID: the user running the program gets the permissions of the program's group. On a directory, files and directories created inside it by users who have w permission on it get the directory's group, which is commonly used for collaboration.

Usage: chmod g+s file/dir (s/S as above)

Note: SGID behaves somewhat recursively: subdirectories created under an SGID directory also get SGID.

Sticky: only meaningful on directories; it has no meaning on files. A file created in the directory can be deleted only by its own owner and the administrator.

Usage: chmod o+t dir (t/T as above)

Note: only deleting is prevented; the content of the file can still be affected, for example overwritten with a redirect.

Special permissions can also be set with numbers:

SUID=4, SGID=2, sticky=1

chmod X777 file/dir

chmod X666 ...
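The s/S and t/T spelling in the mode string, converted into the four-digit octal that chmod accepts; this is an added example, not code from the original notes, and the mode strings in the comments are constructed inputs.

```shell
#!/bin/sh
# Added example: convert an ls -l mode string (type + rwx for u, g, o) into the 4-digit
# octal that chmod accepts. Lowercase s/t means the special bit and x are both set;
# uppercase S/T means the special bit is set but the underlying x is not.
triplet_value() {     # $1: three chars such as rws or r-S; prints 0-7
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac   # S and T do not carry the x bit
    echo "$v"
}

mode_to_octal() {     # $1: 10-char mode string such as -rwsr-xr-x; prints e.g. 4755
    m=$1
    s=0
    case $m in ???[sS]??????) s=$((s + 4)) ;; esac   # SUID lives in the owner x slot
    case $m in ??????[sS]???) s=$((s + 2)) ;; esac   # SGID lives in the group x slot
    case $m in ?????????[tT]) s=$((s + 1)) ;; esac   # sticky lives in the other x slot
    u=$(triplet_value "$(printf '%s' "$m" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$m" | cut -c5-7)")
    o=$(triplet_value "$(printf '%s' "$m" | cut -c8-10)")
    printf '%s%s%s%s\n' "$s" "$u" "$g" "$o"
}

mode_to_octal -rwsr-xr-x      # passwd-style SUID binary: 4755
mode_to_octal drwxrwsr-x      # collaboration directory with SGID: 2775
mode_to_octal drwxrwxrwt      # sticky world-writable directory: 1777
```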



ps: show the current user's processes

aux: show other users' processes as well




Hidden attributes of files

chattr: add hidden attributes to a file or directory

i: the file cannot be modified, including deleting, appending, etc. (chattr +i sets it, -i clears it)

a: content can only be appended to the file; existing content cannot be modified or deleted (+a / -a)

-R: recursive, for use on directories

-V: show details

lsattr: view a file's hidden attributes

-R: recursive

-a: show hidden (dot) files as well

-d: show only the directory's own attributes







This article from "Blog Work First Edition" blog, declined reprint!
