Linux system security commands

Source: Internet
Author: User
Tags: chmod, file permissions

Linux, like Windows NT/2000, is a multi-user system, but the two differ in a number of important ways. Administrators used to Windows face new challenges in keeping a Linux system secure and reliable. This article covers the Linux commands most directly involved in system security: passwd, su, umask, chgrp and chmod.

passwd

1. Role

The passwd command changes the login password of an account. Any user can run it to change their own password; the options below that act on other accounts require superuser privileges.

2. Format

passwd [options] [account name]

3. Main parameters

-l: Lock the named account (superuser only). Locking prefixes the stored password hash with "!" so that password authentication fails; it does not block logins that do not use the password, such as SSH public-key logins, and it does not terminate existing sessions.

-u: Unlock a locked account (superuser only).

-x, --maximum=DAYS: Maximum number of days a password remains valid before it must be changed (superuser only).

-n, --minimum=DAYS: Minimum number of days that must pass before the password may be changed again (superuser only).

-d: Delete the account's password, leaving it empty (superuser only). An account with an empty password field can log in without any password, so avoid this on accounts that can log in interactively.

-S: Show the password status of the account: LK (locked), NP (no password) or PS (usable password), followed by the password ageing fields. Querying accounts other than your own requires superuser privileges.

4. Application examples

$ passwd
Changing password for user Cao.
Changing password for Cao.
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

As shown above, passwd prompts for the current password and then asks for the new password twice.
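The status letters that passwd -S reports (LK, NP, PS) are derived from the password field of the account's /etc/shadow entry. The shell script below is an added example, not part of the original article: it classifies constructed /etc/shadow-style lines the same way and lists accounts that have no password at all, which is what an audit after a careless passwd -d needs to find. The sample lines and hashes are made up and are not real credentials.

```bash
#!/bin/sh
# Added example: classify accounts the way `passwd -S` reports them (LK, NP, PS)
# from the password field of /etc/shadow-format lines.
# The sample data below is constructed; the hashes are placeholders.

# Usage: shadow_status <shadow-line>  -> prints "user STATUS"
shadow_status() {
    user=${1%%:*}          # first field: account name
    rest=${1#*:}
    hash=${rest%%:*}       # second field: password hash
    case "$hash" in
        '!'*|'*'*) echo "$user LK" ;;  # locked: passwd -l prefixes "!", "*" never matches
        '')        echo "$user NP" ;;  # no password: result of passwd -d, logs in without one
        *)         echo "$user PS" ;;  # usable password hash present
    esac
}

# Audit helper: print the names of accounts whose password field is empty.
# Usage: passwordless_accounts < shadow-file
passwordless_accounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(shadow_status "$line")   # $1 = user, $2 = status
        [ "$2" = NP ] && echo "$1"
    done
}

# Constructed sample (fields: name:hash:lastchg:min:max:warn:inactive:expire:)
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:19000:0:99999:7:::
cao:$6$othersalt$fakehash2:19000:0:99999:7:::
svc:!$6$lockedsalt$fakehash3:19000:0:99999:7:::
nologin:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r l; do shadow_status "$l"; done
echo "Accounts with no password:"
printf '%s\n' "$SAMPLE_SHADOW" | passwordless_accounts
```

On a real system run it as root against /etc/shadow (for example `passwordless_accounts < /etc/shadow`); the file is readable only by root, which is also why passwd -S needs superuser privileges for other accounts.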

su

1. Role

su switches to the identity of another user. Unless you are the superuser, you must type that user's password. If no user is given, su switches to root.

2. Format

su [options]... [-] [USER [ARG]...]

3. Main parameters

-f, --fast: Do not read the shell's startup files (such as .cshrc); only meaningful for csh and tcsh.

-l, --login: Start a login shell, as if the target user had logged in directly: most environment variables (HOME, SHELL, USER, PATH) are reset to that user's values and the working directory becomes that user's home directory. A bare "-" has the same effect. If USER is omitted, root is assumed.

-m, -p, --preserve-environment: Keep the current environment variables when switching. This also keeps the calling user's PATH, so a command run as root may resolve to a binary in a directory the unprivileged user controls; when obtaining a root shell, prefer "su -" so that root's own environment is used.

-c COMMAND: Run COMMAND as USER and return to the original user when it finishes.

USER: the account to switch to; ARG is passed as an argument to the new shell.

4. Application examples

Switch to the superuser, run df, and return to the original account once the command finishes:

su -c df root

umask

1. Role

umask sets the default permission mask applied to the files and directories a user creates. Placing the command in a profile file controls the permissions of every file the user creates afterwards. The mask names the permission bits that are withheld from a new file at creation time. Any user may run it.

2. Format

umask [-p] [-S] [mode]

3. Parameter

-S: Display the current mask in symbolic form, shown as the permissions that remain allowed.

-p: Display the current mask in a form that can be reused as input (for example "umask 0022"). When a mode is given the mask is set and nothing is printed.

mode: The new mask value, in octal or symbolic form.

4. Notes

The traditional Unix umask is 022, which stops group members and other users from modifying the files a user creates while leaving them readable. On distributions that give each user a private group of their own, this "group protection" adds little. Strict permission settings are the foundation of Linux security, and a mistake in permissions can be fatal. Note that umask determines the read, write and execute bits of the files created by a process; the safest common value is 077 (0077 denotes the same mask), which denies all access to everyone other than the owner, so a new file is created as -rw-------. Adding the line umask 077 to ~/.bash_profile ensures the mask is set correctly every time a login shell starts.

5. Application examples

umask -S

u=rwx,g=rx,o=rx

umask 177

umask -S

u=rw,g=,o=

The first command shows the current mask (022, displayed as the permissions that remain), the second sets it to 177, and the third confirms the result: only the owner keeps read and write access, and group members and others get nothing. This is a very restrictive setting, but note that 177 also withholds the owner's execute bit, so directories created under it get mode 600 and cannot be entered even by their owner. If you create directories, 077 is the practical choice: it yields 600 for files and 700 for directories.
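To see exactly what a mask does, work it out arithmetically and then check the result against what the kernel actually assigns. The script below is an added example and not part of the original article; it assumes GNU coreutils for stat -c. It applies a mask to the default creation modes (666 for files, 777 for directories), creates a real file and directory under that mask to confirm the computed values, and flags masks such as 177 that leave the owner unable to enter their own directories.

```bash
#!/bin/sh
# Added example: compute the permissions a umask yields and confirm them by
# creating a file and a directory under that mask. Assumes GNU coreutils (stat -c).

# Filter a creation mode through a umask (files are requested with 666,
# directories with 777). A leading 0 forces octal arithmetic.
# Usage: apply_umask <umask> <base>  -> prints a 4-digit octal mode, e.g. 0600
apply_umask() {
    mask=$(( 0$1 ))
    base=$(( 0$2 ))
    printf '%04o\n' $(( base & ~mask ))
}

# Create a file and a directory under the given umask and report their real
# modes as "file:FFF dir:DDD" (for umask 177 this is "file:600 dir:600").
# Usage: probe_umask <umask>
probe_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"        # set the mask in a subshell so the caller is unaffected
        : > "$tmp/f"
        mkdir "$tmp/d"
    )
    fmode=$(stat -c '%a' "$tmp/f")
    dmode=$(stat -c '%a' "$tmp/d")
    rm -rf "$tmp"
    echo "file:$fmode dir:$dmode"
}

# Warn when a mask withholds the owner's execute (search) bit, which makes
# newly created directories unusable even by their owner.
# Usage: check_umask_dirs <umask>  -> prints "ok" or "owner cannot enter directories"
check_umask_dirs() {
    dmode=$(apply_umask "$1" 777)
    if [ $(( 0$dmode & 0100 )) -ne 0 ]; then
        echo ok
    else
        echo "owner cannot enter directories"
    fi
}

for m in 022 077 177; do
    echo "umask $m -> file $(apply_umask "$m" 666), dir $(apply_umask "$m" 777)" \
         "($(check_umask_dirs "$m")); observed: $(probe_umask "$m")"
done
```

The computed and observed values agree because the kernel performs the same operation: the requested mode ANDed with the complement of the mask. Executables are not an exception; a file only becomes executable when chmod adds the bit later, which is why 666 is the right base for files.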

chgrp

1. Role

chgrp changes the group of one or more files or directories. The owner of a file may change it to any group the owner belongs to; the superuser may assign any group.

2. Format

chgrp [options]... GROUP FILE...

or

chgrp [options]... --reference=RFILE FILE...

Set the group of each FILE to GROUP.

3. Parameter

-c, --changes: Like --verbose, but report only files that were actually changed.

--dereference: Act on the file a symbolic link points to, not on the link itself (the default).

-h, --no-dereference: Act on the symbolic link itself rather than on its target (only available on systems that support changing the ownership of a symbolic link).

-f, --silent, --quiet: Suppress most error messages.

--reference=RFILE: Use the group of RFILE instead of a GROUP argument.

-R, --recursive: Process files and directories recursively. By default a recursive chgrp does not follow symbolic links to directories, which prevents a link planted inside the tree from redirecting the change elsewhere.

-v, --verbose: Print a message for every file processed.

4. Application Instructions

This command changes the group that the specified files belong to. GROUP may be a group name from /etc/group or a numeric group ID. The file names are a space-separated list and may contain wildcards. A user who is neither the owner of a file nor the superuser cannot change its group, and an ordinary owner can only assign a group they are a member of.

5. Application examples

Change the group of all files under /opt/local/book and its subdirectories to book:

$ chgrp -R book /opt/local/book

chmod

1. Role

The chmod command changes the access permissions of a file or directory. The owner of a file and the superuser can use it to control who may read, write or execute the file.

2. Format

The chmod command has two forms. The symbolic form uses letters and operators and changes permissions relative to the current ones; the numeric form uses octal digits and sets the permissions absolutely.

(1) Character setting method

chmod [who][+|-|=][mode] file name

who selects the object to operate on and can be any of the following letters or a combination of them:

u: the user, that is, the owner of the file or directory.

g: the group, that is, all users with the same group ID as the file's group.

o: other users.

a: all users. This is the default when who is omitted, except that permission bits set in the umask are then left untouched by + and =.

Action symbol

+: Add a permission.

-: Cancels a permission.

=: Set exactly the given permissions and clear all others.

mode can be any combination of the following letters:

r: readable.

w: writable.

x: executable.

X: add execute permission only if the file is a directory or already has execute permission for some user; this lets a recursive chmod make directories searchable without making plain files executable.

s: the set-user-ID or set-group-ID bit. "u+s" sets the set-user-ID bit and "g+s" the set-group-ID bit. When such a file is executed, the process runs with the privileges of the file's owner (or group) instead of those of the user who ran it, so a set-user-ID file owned by root is a classic privilege-escalation target; audit them with find / -perm -4000 -type f.

t: the sticky bit. Historically it kept a program's text in the swap device; today it matters on directories such as /tmp, where it restricts deletion and renaming of entries to their owner, the directory's owner and the superuser.

u: the permissions the owner currently has.

g: the permissions the group currently has.

o: the permissions other users currently have.

file name: a space-separated list of files whose permissions are to be changed; wildcards are supported.

Several permission settings can be given on one command line, separated by commas.

(2) Digital setting method

The general form of the numeric method is: chmod mode file name

mode consists of three (optionally four) octal digits in the order user, group, other, followed by a space-separated list of file names; wildcards are supported.

The permission represented by each octal value is as follows:

0001: execute permission for the owner.
0002: write permission for the owner.
0004: read permission for the owner.
0010: execute permission for the group.
0020: write permission for the group.
0040: read permission for the group.
0100: execute permission for others.
0200: write permission for others.
0400: read permission for others.
1000: the sticky bit.
2000: the set-group-ID bit if the file is executable; on a non-executable file it marks the file for mandatory locking, and on a directory it makes new files inherit the directory's group.
4000: the set-user-ID bit if the file is executable.

3. Examples

If a system administrator creates a form (tem) that every user must fill in, all users need read and write access to the file. This can be granted with:

# chmod 666 tem

How is the figure 666 arrived at? 0002 is the owner's write permission, 0004 the owner's read permission, 0020 the group's write permission, 0040 the group's read permission, 0200 others' write permission and 0400 others' read permission; these six values add up to 666 (note that they are octal numbers). The permissions of tem become -rw-rw-rw-, that is, every user can read and write the file. Granting world write access should be reserved for cases like this one, where any user is meant to change the file.

The same setting in symbolic form is:

# chmod a=rw tem
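The mapping between the octal digits, the special bits and the rwx string that ls -l shows is easy to get wrong, especially for set-user-ID files that are not executable (shown as a capital S). The script below is an added example, not part of the original article; it assumes GNU coreutils for stat -c. It renders an octal mode as ls would, applies chmod to a scratch file to confirm the kernel stores the same value, and includes the find command used to audit set-user-ID and set-group-ID files.

```bash
#!/bin/sh
# Added example: render an octal mode as the rwx string ls -l shows, including
# the set-user-ID, set-group-ID and sticky bits, and verify against chmod.
# Assumes GNU coreutils (stat -c).

# Usage: mode_to_string <octal-mode>  -> e.g. 4755 prints rwsr-xr-x
mode_to_string() {
    m=$(( 0$1 ))      # leading 0 forces octal arithmetic
    out=""
    shift_by=6
    for who in u g o; do
        bits=$(( (m >> shift_by) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        # The execute slot also displays the special bit for that class:
        # u -> set-user-ID (4000), g -> set-group-ID (2000), o -> sticky (1000).
        # Lower case means execute is set too; upper case means it is not.
        case $who in
            u) special=$(( m & 04000 )); lower=s; upper=S ;;
            g) special=$(( m & 02000 )); lower=s; upper=S ;;
            o) special=$(( m & 01000 )); lower=t; upper=T ;;
        esac
        x=$(( bits & 1 ))
        if [ "$special" -ne 0 ]; then
            if [ "$x" -ne 0 ]; then out="$out$lower"; else out="$out$upper"; fi
        elif [ "$x" -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
        shift_by=$(( shift_by - 3 ))
    done
    echo "$out"
}

# Apply a chmod argument (numeric or symbolic) to a scratch file and report
# the mode the kernel stored, as "<octal> <rwx string>".
# Usage: chmod_probe <mode>
chmod_probe() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    got=$(stat -c '%a' "$f")
    rm -f "$f"
    echo "$got $(mode_to_string "$got")"
}

# Audit: list set-user-ID and set-group-ID regular files under a directory
# tree, staying on one filesystem. Usage: find_setid <dir>
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

for m in 666 644 4755 2755 1777 4644; do
    echo "$m -> $(mode_to_string "$m")"
done
echo "chmod 666 on a scratch file: $(chmod_probe 666)"
echo "chmod a=rw on a scratch file: $(chmod_probe a=rw)"
```

chmod_probe shows that "666" and "a=rw" produce the same stored mode, and that a symbolic "a" bypasses the umask. Run find_setid / (as root) to enumerate the set-ID binaries on a host; any file in that list that is not shipped by a package deserves a closer look.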
