Basic security Linux system security commands

Although Linux and WindowsNT2000 are the same multi-user systems, there are many important differences between them. For many administrators who are used to Windows

Although Linux is a multi-user system like Windows NT/2000, there are many important differences between them. For many administrators who are used to Windows, there are many new challenges to ensure the security and reliability of the Linux operating system. This article focuses on Linux system security commands.

Passwd

1. Role

The passwd command is used to change the logon password of an account. The permission is granted to all users.

2. Format

Passwd [option] account name

3. main parameters

-L: the name of the named account is locked and can only be used by users with super user permissions.

-U: unlock the account lock status. only users with super user permissions can use it.

-X, -- maximum = DAYS: maximum password usage time (DAYS). only users with super user permissions can use it.

-N, -- minimum = DAYS: minimum password usage time (DAYS). only users with super user permissions can use the password.

-D: delete the user's password. only users with super user permissions can use it.

-S: check the password authentication type of a specified user. only users with super user permissions can use the password.

4. application instance

1. $ Passwd
2. Changing password for user cao.
3. Changing password for cao
4. (Current) UNIX password:
5. New UNIX password:
6. Retype new UNIX password:
7. Passwd: all authentication tokens updated successfully.

As you can see above, the passwd command requires entering the old password and then entering the new password twice.

Su

1. Role

Su is used to change the identity of another user. except for a super user, you need to enter the user's password.

2. Format

Su [option]... [-] [USER [ARG]...]

3. main parameters

-F, -- fast: does not need to read the startup file (such as csh. cshrc). it is only used for csh or tcsh shells.

-L, -- login: After this parameter is added, it is like re-logging into the USER. most environment variables (such as HOME, SHELL, and USER) are based on this USER) and the working directory will change. If no USER is specified, the default value is root.

-M,-p, -- preserve-environment: the environment variable is not changed when su is executed.

-C command: the USER who changed the account to USER, and then executes the command to change it back to the original USER.

USER: USER account to be changed. ARG is used to input New Shell parameters.

4. application instance

Change the account to a super user, and restore the user after executing the df command.

Su-c df root

Umask

1. Role

Umask sets the default blocking value for creating files in user files and directories. if you place this command in the profile file, you can control the access permission for subsequent files created by the user. It tells the system not to grant access permission to anyone when creating a file. The permission is granted to all users.

2. Format

Umask [-p] [-S] [mode]

3. parameters

-S: determines the current umask settings.

-P: modify umask settings.

[Mode]: modify the value.

4. description

The umask value of traditional Unix is 022, which prevents other users in the same group and users in other groups from modifying the user's files. Since each user has a private group, this "group protection mode" is not needed. Strict permission settings constitute the foundation of Linux security, and making mistakes in permissions is fatal. Note that the umask command is used to set the read and write permissions of the files created by the process. The safest value is 0077, that is, to disable the read and write permissions of all processes other than the process where the files are created, -rw -------. In ~ /. In bash_profile, the umask 0077 command can be added to ensure that the umask permission of the process can be correctly set after each Shell startup.

5. application instance

Umask-Su = rwx, g = rx, o = rxumask-p 177 umask-Su = rw, g =, o =

The preceding five-line command first shows the current status, and then changes the umask value to 177. only the file owner has the permission to read and write the file, and other users cannot access the file, this is obviously a very safe setting.