Security: the 3 A's
Authentication: verifying identity
Authorization: what the identity is allowed to do
Accounting / Auditing: recording what was done (audit)
User
Administrative user: uid 0. The name does not have to be root; an account called root with a non-zero uid is not an administrative user. What counts is the uid.
Normal users: uid 1-65535
System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
System users are the nologin accounts that daemons run under, so that resources and permissions can be assigned to them.
Login users: 500 and up (CentOS 6), 1000 and up (CentOS 7)
Users that log in interactively with an account and password.
Group
Administrators group: gid 0
Normal groups:
System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
Normal groups: 500 and up (CentOS 6), 1000 and up (CentOS 7)
Security context:
Simply put, a process runs with the permissions of the user who started it.
Categories of Linux groups
User's primary group: a user has exactly one.
Private group: a group that has the same name as the user is called that user's private group.
Supplementary (additional) groups: a user can have several, or none.
Four important configuration files for users and groups
Users: /etc/passwd
/etc/shadow
Groups: /etc/group
/etc/gshadow
passwd: the file that records account information for each user
Format:
username:x:uid:gid:description:home directory:default shell
x: on systems before CentOS 6 this field held the encrypted password; from 6 on the encrypted password lives in shadow and this field holds an x placeholder.
The gid in passwd is the gid of the user's primary group.
shadow: the file that records users' encrypted passwords
Format:
username:encrypted password (encryption type, random salt characters and the hash itself, separated by $):last password change:minimum password age:maximum password age:warning period:inactivity period:account expiration:reserved field
Random characters (salt): so that two users with the same password do not end up with the same ciphertext, some random characters are mixed in when the password is encrypted.
Last change: the number of days from 1970-01-01 (day 0 for Linux) to the last password change.
Warning period: starting x days before the password expires, the user is warned at login that the password will expire in x days.
Inactivity period: the password does not become unusable the moment it expires; there is a grace period in which it can still be changed, and once that deadline passes the password is disabled.
Account expiration: the lifetime of the account; after this date the user can no longer log in.
When a user has no password the field reads !! (username:!!:...). This is the system default and means the user cannot log in; if the !! is deleted, the user can log in without a password. Conversely, to stop a user from logging in, prepend a ! to the password field of that user's shadow line (username:!hash:...).
group and gshadow have basically the same format.
The last field of a group line lists the group's members; in gshadow the field before it lists the group administrators. Once a user is added as group administrator, that user can add and remove group members and make other changes to the group.
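The passwd and shadow formats above, worked through in shell as an added example that is not part of the original notes: it classifies uids with the CentOS 7 boundaries, lists every uid-0 account (the uid, not the name root, is what makes an administrator), reads the empty / locked / hashed state of the shadow password field, performs the "prepend a !" lock edit on a line, and evaluates the aging fields (last change, maximum age, warning period, inactivity period) against a given day count. All account lines and hashes are constructed placeholders; nothing is read from the real /etc/passwd or /etc/shadow, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): parsing passwd/shadow-format
# lines the way the text describes them. The account data below is CONSTRUCTED
# for this example; the "hashes" are placeholder strings, not real hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash'

# username:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
toor:!!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:$6$saltsalt$PLACEHOLDERHASH:19000:0:90:7:14::
dave:$6$saltsalt$PLACEHOLDERHASH:0:0:99999:7:::'

# classify_uid UID -> admin | system | login, using the CentOS 7 boundaries from the notes
classify_uid() {
  if [ "$1" -eq 0 ]; then echo admin
  elif [ "$1" -lt 1000 ]; then echo system
  else echo login
  fi
}

# uid0_accounts -> every account whose uid is 0; a second entry besides root
# is worth a look, because the uid alone grants administrative rights
uid0_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# shadow_status NAME -> empty | locked | hashed, judged from the second shadow field
shadow_status() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '
    $1 == u {
      if ($2 == "")                    print "empty"    # no password at all
      else if ($2 ~ /^!/ || $2 == "*") print "locked"   # "!" / "!!" prefix or "*": no usable password
      else                             print "hashed"
    }'
}

# lock_shadow_line LINE -> the same line with "!" prefixed to the password field,
# i.e. the edit the notes describe for locking a user (what usermod -L writes)
lock_shadow_line() {
  printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" } { if ($2 !~ /^!/) $2 = "!" $2; print }'
}

# password_state NAME TODAY -> must-change | ok | warn | expired | locked
# TODAY is a day count since 1970-01-01, the same unit as the shadow fields
password_state() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v today="$2" '
    $1 == u {
      if ($3 == 0)                 { print "must-change"; exit }  # last change 0: change at next login
      if ($5 == "" || $5 >= 99999) { print "ok"; exit }           # no maximum age set
      expire = $3 + $5                                            # last change + maximum age
      if (today < expire - $6)                  print "ok"
      else if (today < expire)                  print "warn"      # inside the warning period
      else if ($7 == "" || today < expire + $7) print "expired"   # inside the inactivity grace period
      else                                      print "locked"    # grace period over
    }'
}
```

The same awk field logic works on the real files when run as root, but the point here is the field semantics: the lock is a one-character edit to field 2, and expiry is plain arithmetic on fields 3, 5, 6 and 7.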
Password complexity policy: is this also covered in the job-training class?
Four small commands
vipw and vigr
Commands for editing the passwd and group files; they do not seem to make much sense.
pwck and grpck
Check the passwd and group files for errors; the chance of needing them is not high.
Just remember them.
User management commands
useradd: add a user
-u: specify the user's uid
-g: specify the gid of the user's primary group
Note: if no primary group is specified, a private group for the user is created automatically
-G: specify the gid(s) of the user's supplementary groups
-d: specify the user's home directory
Note: if the home directory already exists, the skeleton files are not copied into it by default; they can be copied manually from /etc/skel
-c: add a description (comment)
-r: create a system user
-s: specify the user's default shell
-M: do not create a home directory
Note: a user without a home directory can still log in, but lands in the / directory instead of a home directory
-N: do not create a private group; the user's primary group becomes the default group shown by useradd -D
-D: show or change the default settings
Note: the defaults are stored in /etc/default/useradd
Note: some other defaults can be changed in /etc/login.defs
userdel: delete a user; by default the home directory is not deleted
-r: also delete the user's home directory, mail spool and so on
Note: without -r, the home directory and the other directories created automatically along with the user are left behind. With -r, only what was created together with the user is removed; directories and files the user created elsewhere stay, but their owner and group become the bare uid and gid of the deleted user, and when those ids are assigned to a new user later, that user becomes the owner of those files.
Tip: these leftover directories can be deleted by hand
Home directory://
Mail spool: /var/spool/mail
usermod: modify a user's attributes
-u: change the user's uid
-g: change the user's primary group
-G: change the user's supplementary groups
Note: this overwrites, that is, the existing supplementary groups are replaced by the new list; to add a group instead, combine with -a
-aG: append supplementary groups for the user
-c: change the user's description
-d: change the user's home directory
Note: the contents of the old home directory are not moved; to move them along, add -m
-md: move the contents of the home directory into the newly specified home directory
-s: change the user's shell
-L, -U: lock / unlock the user
Group management commands
groupadd: create a new group
-g: specify the gid
-r: create a system group
groupdel: delete a group
groupmod: modify a group
-g: change the group's gid
-n: change the group's name
Batch creation of users
newusers: write the users into a text file, one per line in passwd format, and then run
newusers file
chpasswd: change user passwords in bulk
Format of the input file:
user:password
id: show a user's ids
-u: show the user's uid
-g: show the gid of the user's primary group
-G: show the ids of all the user's supplementary groups
-n: show names instead of ids
su: switch user
-: with the dash in between it is a login switch; without it, a non-login switch
Try both yourself and the difference becomes clear: the working directory and home directory differ between the two kinds of switch.
-c
su - name -c command
runs the command as user name
passwd: change a password; with no argument it changes your own, and you can give a username to change someone else's password
-e: set the last-change date to 0, so the password must be changed at the next login
-n, -x: minimum / maximum password age
-w: change the warning period
-i: change the inactivity period
--stdin:
passwd --stdin name reads the new password from redirected or piped input
gpasswd: with no parameters it sets the group password; what the group password is for can be seen under newgrp
-a: add a user to a group
-d: remove a user from a group
gpasswd -a name gname
groupmems -g gname: similar to gpasswd, with these parameters:
-a: add a user
-d: delete a user
-l: list the group's members
-p: purge all members from the group
chage -l: list the various password aging periods of a user
chsh: change a user's shell
chfn: change the finger information
groups name: show the groups a user belongs to
newgrp: temporarily switch to a group, making it the primary group. If you are not a supplementary member of that group you must enter the group password (set with gpasswd).
The - option works as with su.
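How the group, gshadow and passwd files together determine membership, as an added shell example that is not part of the original notes: the member list at the end of a group line (what gpasswd -a and groupmems -a edit) is only half the picture, because a user's primary group comes from the gid field of passwd and never appears in the group line. The functions below compute the effective member list of a group, the groups of a user (what id -Gn or groups would print), and the gshadow administrator field. All lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): effective group membership from
# group / gshadow / passwd-format lines. All data below is CONSTRUCTED.

# username:x:uid:gid:description:home:shell   (carol's primary group is dev, gid 2000)
G_PASSWD='alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:2000::/home/carol:/bin/bash'

# groupname:x:gid:member,member   (the member list holds supplementary members only)
G_GROUP='root:x:0:
wheel:x:10:alice
dev:x:2000:bob,carol
alice:x:1000:
bob:x:1001:'

# groupname:password:admins:members   (same layout as group, plus the admin field)
G_GSHADOW='dev:!:alice:bob,carol
wheel:!::alice'

# gid_of GNAME -> gid from the group file (empty if there is no such group)
gid_of() {
  printf '%s\n' "$G_GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# group_members GNAME -> sorted, de-duplicated, space-separated list of everyone
# effectively in the group: listed members plus users whose primary gid matches
group_members() {
  gid=$(gid_of "$1")
  [ -n "$gid" ] || { echo "no such group: $1" >&2; return 1; }
  {
    printf '%s\n' "$G_GROUP" | awk -F: -v g="$1" \
      '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    printf '%s\n' "$G_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
  } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# user_groups NAME -> the groups a user belongs to, primary group first (like id -Gn)
user_groups() {
  pgid=$(printf '%s\n' "$G_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
  [ -n "$pgid" ] || { echo "no such user: $1" >&2; return 1; }
  {
    printf '%s\n' "$G_GROUP" | awk -F: -v gid="$pgid" '$3 == gid { print $1 }'
    printf '%s\n' "$G_GROUP" | awk -F: -v u="$1" \
      '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
  } | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# group_admins GNAME -> the gshadow admin field: users who may run gpasswd -a / -d
# on this group without being root
group_admins() {
  printf '%s\n' "$G_GSHADOW" | awk -F: -v g="$1" '$1 == g { print $3 }'
}
```

Note that carol appears in dev both as a listed member and through her primary gid; removing her with gpasswd -d would still leave her in the group until the gid in passwd is changed with usermod -g.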
Allow only the administrator to log in:
create the file /etc/nologin with touch in /etc; delete that file to undo it.
Permission management
K rwx rwx rwx
K is the file type: -, d, c, b, l, s, p
r: read
w: write
x: execute
u: user (owner)
g: group
o: other
a: all
For a file:
r: the file's contents can be read
w: the file's contents can be modified (added to, changed, etc.)
x: the file can be executed
Note: executing a file affects not only the file itself but the whole system, which makes it a dangerous operation, so files are not given x by default; the maximum permission a file gets by default is
-rw-rw-rw-
For directories:
r: the directory's entries can be listed with ls, but not with ll
w: files can be created and deleted inside the directory
x: you can cd into the directory and view the detailed attributes of its entries with ll
Note: for directories, r and x are normally granted together
- rwx rwx rwx
  421 421 421
   u   g   o
Permission-related commands: chmod chown chgrp umask
chmod: change the permissions of a file or directory
-R: recursive
--reference=file1 file2: give file2 the same permissions as file1
Usage: chmod u=,g=,o=/a= file
sets exact permissions
chmod u+,g+,o+/a+ file
adds a permission
chmod 777 file
sets exact permissions numerically
Note: u, g and o can be written together as ugo, ug, og, etc., and separate clauses are separated by commas
When using chmod -R, to avoid giving files the x (execute) permission, use X instead: it gives x only to directories, not to files
chgrp: set the group
-R: recursive
Usage: chgrp gname file
chown: set the owner and the group
-R: recursive
Usage: chown name:gname file
Note: chown can change the group alone or the owner alone. When changing only the group, the colon in front of gname must be written, otherwise gname is taken as the owner. When changing only the owner, do not write a trailing colon after the name, otherwise the group is also changed to the group of the same name as that user.
Also: with chmod -R +X dir, X does nothing special for directories, which simply get x. For a file, X grants x in all three positions (u, g, o) only if the file already has an x permission in any position; if the file has no x permission at all, X grants none.
umask: hard to describe in a sentence.
umask with no argument shows the current umask value
umask ###: change the umask value
Note: a value changed this way applies only to the current shell. To make it permanent, redirect (append) the umask setting into /etc/bashrc, which affects every user, or into .bashrc in the home directory, which affects only that user.
Special permissions in Linux
SUID: valid only on executable binaries and meaningless on directories. Its effect is that a user running the program temporarily gets the permissions of the file's owner.
The classic example is /usr/bin/passwd: while running passwd, an ordinary user can modify /etc/passwd, which they normally cannot touch.
Usage: chmod u+s file. Displayed as s when the file already has the x permission, as S when it does not.
Note: this is a genuinely dangerous permission. If a program carrying it is copied onto removable media such as a USB stick and the stick is then mounted on another machine or system, the mount must use nosuid; automatic mounts use it by default, while a manual mount has to set it explicitly.
SGID: can be set on files as well as directories. On a file the effect is like SUID: the user running the program gets the permissions of the program's group. On a directory, anything created inside it by a user with w permission on the directory gets the directory's group as its group; commonly used for collaboration.
Usage: chmod g+s file/dir; s/S as above.
Note: SGID behaves somewhat recursively: subdirectories created inside an SGID directory also get the SGID bit.
Sticky: only meaningful on a directory, nothing on a file. Files created in the directory can be deleted only by their own owner (and by the administrator).
Usage: chmod o+t dir; t/T as above.
Note: only deletion is prevented; the file's contents can still be affected, for example by redirecting output into it.
Special permissions can also be set numerically:
suid=4 sgid=2 sticky=1
chmod X777 file/dir
chmod X666 ...
where X is the sum of the special bits wanted.
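An added shell example, not from the original notes, covering both the chmod/umask section above and the special permission bits: mode_to_octal turns an ls-style permission string (including s/S and t/T) into the 4-digit octal that chmod accepts, apply_umask shows how the 666/777 default is masked (the kernel clears bits, it does not subtract), demo_capital_x creates a throw-away directory and shows that chmod -R a+X leaves a plain file without x while the directory and an already-executable file get it, and demo_special_bits shows the s/S and t/T display of SUID, SGID and sticky on real files. The file and directory names are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes). File and directory names are
# constructed; everything is created under a mktemp directory and removed again.

# mode_to_octal 'rwxr-sr-t' -> 2755-style string (special-bits digit, then u g o)
mode_to_octal() {
  s=$1; special=0; ugo=''; i=0
  for who in u g o; do
    r=$(printf '%s' "$s" | cut -c$((i + 1)))
    w=$(printf '%s' "$s" | cut -c$((i + 2)))
    x=$(printf '%s' "$s" | cut -c$((i + 3)))
    d=0
    [ "$r" = r ] && d=$((d + 4))
    [ "$w" = w ] && d=$((d + 2))
    case "$x" in x|s|t) d=$((d + 1)) ;; esac      # lowercase s/t: the x bit is set underneath
    case "$who$x" in
      us|uS) special=$((special + 4)) ;;          # SUID
      gs|gS) special=$((special + 2)) ;;          # SGID
      ot|oT) special=$((special + 1)) ;;          # sticky
    esac
    ugo="$ugo$d"; i=$((i + 3))
  done
  printf '%s%s\n' "$special" "$ugo"
}

# apply_umask BASE MASK -> resulting mode, e.g. apply_umask 666 022 -> 644.
# Files start from 666 (no x by default, as the notes say), directories from 777.
apply_umask() {
  out=''; i=1
  while [ "$i" -le 3 ]; do
    b=$(printf '%s' "$1" | cut -c"$i"); m=$(printf '%s' "$2" | cut -c"$i")
    out="$out$(( $b & ~$m & 7 ))"                 # bitwise AND NOT per digit
    i=$((i + 1))
  done
  echo "$out"
}

# perm_of PATH -> the 9-character permission string from ls -ld
perm_of() { ls -ld "$1" | cut -c2-10; }

# demo_capital_x -> octal modes of "dir plainfile scriptfile" after chmod -R a+X:
# the directory and the file that already had an x bit gain x for everyone,
# the plain file does not (with a+x it would have become 0611)
demo_capital_x() {
  d=$(mktemp -d)
  mkdir "$d/sub"; : > "$d/sub/plain"; : > "$d/sub/script"
  chmod 700 "$d/sub"; chmod 600 "$d/sub/plain"; chmod 700 "$d/sub/script"
  chmod -R a+X "$d/sub"
  printf '%s %s %s\n' "$(mode_to_octal "$(perm_of "$d/sub")")" \
    "$(mode_to_octal "$(perm_of "$d/sub/plain")")" "$(mode_to_octal "$(perm_of "$d/sub/script")")"
  rm -rf "$d"
}

# demo_special_bits -> permission strings of a SUID file with and without u+x,
# an SGID directory and a sticky directory, showing the s/S and t/T display
demo_special_bits() {
  d=$(mktemp -d)
  : > "$d/suid_x"; chmod 4755 "$d/suid_x"       # s: owner execute present
  : > "$d/suid_nox"; chmod 4644 "$d/suid_nox"   # S: no owner execute underneath
  mkdir "$d/shared"; chmod 2775 "$d/shared"     # SGID directory for collaboration
  mkdir "$d/drop"; chmod 1777 "$d/drop"         # sticky, like /tmp
  printf '%s %s %s %s\n' "$(perm_of "$d/suid_x")" "$(perm_of "$d/suid_nox")" \
    "$(perm_of "$d/shared")" "$(perm_of "$d/drop")"
  rm -rf "$d"
}
```

The capital S in the second string is the quick visual check for a SUID bit set on something that is not executable, which is usually a mistake rather than an intended setuid program.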
ps: view the current user's processes
aux: show other users' processes as well
Hidden attributes of a file
chattr: add hidden attributes to a file or directory
+i: the file cannot be modified at all, including deletion and appending
+a: the file can only be appended to; existing content cannot be modified or deleted
-R: recursive, for use on directories
-V: show details
lsattr: view a file's hidden attributes
-R: recursive
-a: also show hidden (dot) files
-d: show the attributes of a directory itself rather than of its contents
This article is from the "Blog Work First Edition" blog; reprinting declined!
0518, session 5