Advanced System Management - User Management

Source: Internet
Author: User
User management can look messy. Here we go through the files involved in user management and the modifications that can be made to them.

1. Control users' logon locations

The file /etc/security/access.conf controls the locations from which a user may log on. To use access.conf, add the following line to /etc/pam.d/login:

account required /lib/security/pam_access.so

Format of an access.conf line:

permission : users : origins 

Where:

permission: either "+" or "-", meaning that the request is allowed or denied respectively.

users: a list of user names and group names. ALL means all users.

origins: the logon location. LOCAL means local logons, ALL means all locations, and console means the console. An origin can also be a network address or host name.

In the users and origins fields, the keyword EXCEPT means "all except". For example, the following line denies console logon to everyone except wheel, shutdown and sync:

-:ALL EXCEPT wheel shutdown sync:console 

The root account's logon location is not controlled by access.conf but by the file /etc/securetty. To allow root to log on from pts/0, add a line containing pts/0 to this file, and likewise for other terminals. Alternatively, modify the following line in /etc/pam.d/login:

auth required /lib/security/pam_securetty.so

In this way you can also allow the root user to log on remotely.
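The matching behaviour described above (first matching rule wins, ALL, EXCEPT, LOCAL), as an added shell model written for this page, not pam_access itself and not from the original article. The console rule is the one quoted in the text; the grind rules and the users, groups and origins are constructed.

```shell
#!/usr/bin/env bash
# Constructed teaching model of pam_access matching: rules are
# "permission : users : origins", the first matching rule wins, ALL matches
# anything, "X EXCEPT Y" excludes Y, and LOCAL matches origins that contain
# no dot (ttys, console). The grind rules below are made up.
RULES='-:ALL EXCEPT wheel shutdown sync:console
+:grind:LOCAL
-:grind:ALL'

# member NAME LIST -> true if NAME or ALL appears in the space-separated LIST
member() {
  for item in $2; do
    [ "$item" = ALL ] || [ "$item" = "$1" ] && return 0
  done
  return 1
}

# matches LIST SUBJECT... -> true if some SUBJECT is in LIST and none of the
# SUBJECTs is in its EXCEPT part (subjects: user + groups, or origin + LOCAL)
matches() {
  list=$1; shift
  inc=${list%% EXCEPT *}; exc=
  [ "$list" != "$inc" ] && exc=${list#* EXCEPT }
  for s in "$@"; do member "$s" "$exc" && return 1; done
  for s in "$@"; do member "$s" "$inc" && return 0; done
  return 1
}

# access_check USER "GROUPS" ORIGIN -> prints the permission of the first
# matching rule; when no rule matches pam_access grants access (prints +)
access_check() {
  user=$1 groups=$2 origin=$3
  set -- "$origin"
  case $origin in *.*) ;; *) set -- "$origin" LOCAL ;; esac
  while IFS=: read -r perm users origins; do
    [ -z "$perm" ] && continue
    if matches "$users" $user $groups && matches "$origins" "$@"; then
      printf '%s\n' "$perm"; return 0
    fi
  done <<EOF
$RULES
EOF
  printf '+\n'
}

access_check root root console            # prints - (denied by the console rule)
access_check alice 'alice wheel' console  # prints + (wheel is excepted; no rule matches)
```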

2. Assign privileges to ordinary users

Sometimes we do not want to give a user full superuser rights, but still want the user to run certain commands that only the superuser can run. In /etc/sudoers we can specify that an ordinary user may use sudo to execute particular privileged commands.

The configuration rules for /etc/sudoers are as follows:

Host_Alias: creates a host alias [optional]. Hosts in the list are separated by commas. Several aliases can be defined on one line, separated by colons. The reserved word ALL means all hosts. For example:

Host_Alias BLUESUN = grind, glass

Here the alias BLUESUN refers collectively to the machines grind and glass (alias names must be written in uppercase letters).

User_Alias: creates a user alias [optional]. User names in the list are separated by commas; the format is the same as for host aliases. The reserved word ALL means all users.

Cmnd_Alias: creates a command alias [optional]. Commands in the list are separated by commas. To exclude a command, prefix it with "!".

User specifications: the syntax of a user specification is as follows:

Username Host = [Run User's Name] CommandList

Username is a real user name or a defined user alias, Host is a real host name or a defined host alias, and CommandList is a comma-separated list of commands or a defined command alias. Normally every command run through sudo is executed as root. Some special programs, such as those with high security requirements, should not be executed as root; for these you can specify the account to run as in "Run User's Name". For example:

grind glass=/sbin/route

This line states that on the host glass, grind may run the command that displays the routing table.
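The alias and user-specification syntax from this section written out as a drop-in sudoers file and syntax-checked with visudo before installation, as an added example that is not part of the original article. The hosts www1 and www2, the users alice and backup, the command /usr/local/bin/run-backup and the alias names are constructed.

```shell
#!/usr/bin/env bash
# Constructed example: a sudoers fragment using host, user and command
# aliases, "!" exclusion and a run-as user. Names are made up; alias names
# must be uppercase, so the article's bluesun appears here as BLUESUN.

sudoers_fragment() {
cat <<'EOF'
# Several aliases of one kind on a line are separated by colons
Host_Alias BLUESUN = grind, glass : WEB = www1, www2
User_Alias OPS = grind, alice
Cmnd_Alias NETTOOLS = /sbin/route, /sbin/ifconfig
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
# grind may display the routing table on glass (as root, the default)
grind  glass = /sbin/route
# OPS may run NETTOOLS anywhere; "!" excludes SHELLS from the list
# (sudoers(5) notes that such exclusions are not a reliable restriction)
OPS    ALL = NETTOOLS, !SHELLS
# run the backup job on the WEB hosts as the unprivileged user "backup"
alice  WEB = (backup) /usr/local/bin/run-backup
EOF
}

# write_and_check FILE -> writes the fragment and returns visudo's verdict
# (0 = parses cleanly), or 2 when visudo is not installed ("unchecked")
write_and_check() {
  sudoers_fragment > "$1" || return 1
  command -v visudo >/dev/null 2>&1 || return 2
  visudo -cf "$1"
}

# Typical use: write_and_check /tmp/90-ops &&
#              install -m 0440 /tmp/90-ops /etc/sudoers.d/90-ops
```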

3. Initialize the environment: /etc/skel

When a new user is created without specifying a home directory, the system creates one for the user, using /etc/skel as the template: every file in the new home directory is a copy of a file in /etc/skel. The system administrator can place files in /etc/skel to give users a good default environment; for example, /etc/skel/.profile can define settings that take effect after the user logs on.

However, if /etc/skel is modified, users created before the change will have different files from those created after it. As far as possible, put global settings into global files such as /etc/profile, so that they apply uniformly to all users of the system.

/etc/skel can serve other purposes as well. On a server dedicated to virtual hosting, for example, you could put only an index.html in /etc/skel, so that newly added users do not receive the system installation's default .bashrc and similar files, and every user who has not yet uploaded a home page shows the same uniform page.

4. File and directory permissions

In Linux every file and directory has an owner, and three sets of permissions are defined: for the owner, for the owner's group, and for all other accounts. When the user grind creates a new file test, we can view its attributes with ls -l filename, as follows:

-rw-rw-r-- 1 grind linuxlab 0 May 10 19:36 test

The first field shows the permission attributes, the third field the file's owner, and the fourth field the owner's group.

The permission attribute consists of ten characters, here "-rw-rw-r--". The first character is the file type flag: d means a directory, l a symbolic link, - an ordinary file, b a block device file and c a character device file. Characters two to four show the read (r), write (w) and execute (x) permissions of the file's owner, characters five to seven those of the file's group, and characters eight to ten those of all other users. A letter in a position means that permission is granted; a "-" means it is not.

Write permission on a file carries the right to modify and delete it. Write permission on a directory lets you create, delete and modify any file or subdirectory inside it, including files and subdirectories that do not belong to you. To list a directory's contents with a program such as ls, you need both read and execute permission on it. With read permission alone you cannot cd into a directory: only users with execute permission on the directory can cd into it, and with execute but no read permission you can still open a readable file inside it, provided you already know its name.

The file listed above can be read and written by its owner and by members of its group, can be read by other users, and can be executed by nobody (the owner included).

We use u, g and o to refer to the owner (user), the group and other accounts (other) when setting permissions on files and directories, and a to mean all three at once. For example, to let all users read and execute the file test while only the owner may write it, use the following command:

chmod a+rx,u+w test 

In the ls -l output the permissions appear as "-rw-rw-r--". The first character only tells whether the entry is a directory; the remaining nine characters divide into three groups, "rw-", "rw-" and "r--". Treating "-" as 0 and any other character as 1, the permissions of this file are "110", "110" and "100"; converting each binary group to a digit gives 6, 6 and 4, so the file's mode is 664 (three octal digits). Permissions can be set with three octal digits in the same way. For example, the preceding example can also be written as follows:

chmod 755 test

The default permissions of newly created files can also be defined, using umask. For example, after umask 022 the permission bits set in the mask are blocked: 2 is the write bit, so write permission is removed from the group and other positions. A new file is then writable only by its owner, which protects it from being rewritten by anyone else.
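The binary-to-octal conversion of a permission string and the effect of umask on the default mode, carried out in shell as an added example that is not from the original article. Beyond the single case in the text it handles any ls -l permission string (including s and t bits) and verifies the umask result against a file actually created in a temporary directory.

```shell
#!/usr/bin/env bash
# Constructed example: convert an ls -l permission string to octal the way
# the text does, compute the default mode a umask produces, and check both
# against a file really created under that umask.

# mode_to_octal STRING -> three octal digits, e.g. "-rw-rw-r--" -> 664.
# A leading file-type character (-, d, l, b, c) is ignored. r=4, w=2, x=1;
# s and t count as execute, their uppercase forms (no execute bit) do not.
mode_to_octal() {
  s=$1
  [ ${#s} -eq 10 ] && s=${s#?}
  [ ${#s} -eq 9 ] || return 1
  out=
  while [ -n "$s" ]; do               # one rwx triple per iteration
    digit=0
    case $s in r??*) digit=4 ;; esac
    case $s in ?w?*) digit=$((digit + 2)) ;; esac
    case $s in ??[xst]*) digit=$((digit + 1)) ;; esac
    out=$out$digit
    s=${s#???}
  done
  printf '%s\n' "$out"
}

# umask_default UMASK [dir] -> the mode a new file (or directory) receives:
# programs request 666 (777 for directories) and the umask bits are cleared.
umask_default() {
  base=0666
  [ "${2:-file}" = dir ] && base=0777
  printf '%03o\n' $(( base & ~0$1 ))
}

# created_mode UMASK -> octal mode of a file actually created under UMASK,
# read back from the first ten characters of ls -l through mode_to_octal
created_mode() {
  d=$(mktemp -d) || return 1
  ( umask "$1" && : > "$d/test" )
  mode_to_octal "$(ls -l "$d/test" | cut -c1-10)"
  rm -rf "$d"
}

mode_to_octal -rw-rw-r--   # 664, the file shown in the text
umask_default 022          # 644
created_mode 022           # 644
```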
