UNIX operating system security command set (password article)

Source: Internet
Author: User

1. Password security

The /etc/passwd file in a UNIX system contains all the information that the system needs to know about each user (the encrypted password may also be stored in the /etc/shadow file).

/etc/passwd contains the user's login name, encrypted password, user number, user group number, user comment, user home directory, and the shell program the user runs. The user number (UID) and the user group number (GID) uniquely identify the user and the user's group, and determine the user's access rights on the UNIX system.

The encrypted password stored in /etc/passwd is checked against the password entered when the user logs in, and the user is allowed to log in if the two match. Users can change their passwords with the passwd command and cannot directly modify the password field in /etc/passwd.

A good password should be at least 6 characters long and should not be taken from personal information (such as a birthday, a name, the login name spelled backwards, or things that can be seen in the room). Ordinary English words are also bad choices (because of dictionary attacks). The password should preferably contain some non-letters (such as digits, punctuation, or control characters), but it should also be easy to remember, and it must not be written on paper or in a computer file. A good way to choose a password is to join two unrelated words with a digit or a control character and truncate the result to 8 characters. Of course, if you can remember 8 random characters, so much the better.

You should not use the same password on different machines, and especially not for users at different privilege levels, since that can lead to a total collapse. Users should change their passwords regularly, at least every 6 months; the system administrator can force users to make regular password changes. To keep sharp-eyed onlookers from stealing your password, confirm that no one is around when you enter it.

2. File permissions

The file attributes determine access to the file, that is, who can access or execute it. Use ls -l to list detailed file information, such as:

-rwxrwxrwx 1 Pat cs440 21:12 zombin

The listing includes the file permissions, the number of links to the file, the file owner's name, the file's group name, the file length, the last access date, and the file name. The file permissions are divided into four parts:

-: Represents the file type.

First rwx: Represents the access rights of the file owner.

Second rwx: Represents the access rights of users in the same group.

Third rwx: Represents the access rights of other users.

If a permission is withheld, the corresponding letter is changed to -. The execute position of each permission group may hold another letter: s, S, t or T. s and S can appear in the owner and group execute positions and relate to special permissions, which will be discussed later; t and T can appear in the other-users execute position and relate to the "sticky bit", not to security. Lowercase letters (x, s, t) indicate that execution is permitted; a minus sign or an uppercase letter (-, S or T) indicates that execution is not permitted.

Change the permissions with the chmod command, giving the new permission mode and the file name as arguments. The new mode is given as a 3-digit octal number, where r is 4, w is 2 and x is 1; for example, rwxr-xr-- is 754. chmod also accepts other argument forms that modify one set of permissions directly; they are not covered here, see the UNIX system online manual.

File permissions can be used to prevent accidental overwriting or deletion of an important file (even by the owner himself)! The owner and group of a file can be changed with chown and chgrp, but after the change the original owner and group members cannot change them back.
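The mapping described above from an ls -l permission string to a chmod octal mode, as an added example that is not part of the original article. It goes beyond the 3-digit form in the text by also emitting a leading digit for the s/S and t/T letters; mode_to_octal is a hypothetical helper name and the sample strings are constructed.

```sh
#!/bin/sh
# Added example. mode_to_octal is a hypothetical helper, not a standard utility.
# Converts an `ls -l` permission string to the octal mode chmod accepts.
# Prints 4 digits: special bits (4 = s/S owner, 2 = s/S group, 1 = t/T other),
# then the owner, group and other digits (r = 4, w = 2, x = 1).
# Assumes a well-formed string as printed by ls.
mode_to_octal() {
    str=$(printf '%s' "$1" | cut -c1-10)     # ignore a trailing "+" or "."
    case $str in
        ??????????) ;;
        *) echo "invalid permission string" >&2; return 1 ;;
    esac
    perms=${str#?}                           # drop the file-type character
    special=0 result="" pos=1
    while [ "$pos" -le 3 ]; do
        triple=$(printf '%s' "$perms" | cut -c1-3)
        perms=${perms#???}
        digit=0 flag=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in
            ??x)    digit=$((digit + 1)) ;;
            ??[st]) digit=$((digit + 1)); flag=1 ;;  # special bit, execute allowed
            ??[ST]) flag=1 ;;                        # special bit, execute denied
        esac
        if [ "$flag" -eq 1 ]; then
            case $pos in
                1) special=$((special + 4)) ;;       # owner position
                2) special=$((special + 2)) ;;       # group position
                3) special=$((special + 1)) ;;       # other position (sticky bit)
            esac
        fi
        result="$result$digit"
        pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$result"
}

# Constructed sample strings, not taken from a real system.
for m in -rwxr-xr-- -rwsr-xr-x -rwSr--r-- drwxrwxrwt drwxrwx--T; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```

An uppercase S or T in a listing is worth a second look during a permissions audit: the special bit is set but the matching execute bit is not.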

3. Directory permissions

In a UNIX system a directory is also a file; in an ls -l listing, the attributes of a directory are preceded by a d. Directory permissions are similar to file permissions: listing a directory with ls requires read permission, adding and deleting files in the directory requires write permission, and entering the directory or using it as a path component requires execute permission. So to use any file, you must have the appropriate permission on the file and on every directory component of the path to the file. The permissions of the file itself only come into play when the file is opened; rm and mv need only search and write permission on the directory, not permission on the file. This point should be noted.
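The point above about rm, as an added example that is not part of the original article: a file with no permissions at all is still removed when its directory grants search and write permission, and survives when either is missing. try_delete is a hypothetical helper name and everything happens in a temporary directory.

```sh
#!/bin/sh
# Added example. try_delete is a hypothetical helper name.
# Creates a file with mode 000 inside a directory with the given mode, tries
# to remove it, and prints "removed" or "kept".
try_delete() {
    work=$(mktemp -d) || return 1
    mkdir "$work/d"
    : > "$work/d/secret"
    chmod 000 "$work/d/secret"        # no permission at all on the file itself
    chmod "$1" "$work/d"
    # Failure is the expected outcome for some directory modes.
    rm -f "$work/d/secret" 2>/dev/null || :
    chmod 700 "$work/d"               # restore access so the result can be checked
    if [ -e "$work/d/secret" ]; then echo kept; else echo removed; fi
    rm -rf "$work"
}

# 755 and 300 grant search + write on the directory; 555 lacks write and
# 200 lacks search. root bypasses these checks, so "kept" only appears for
# ordinary users.
for mode in 755 300 555 200; do
    printf 'directory mode %s: file %s\n' "$mode" "$(try_delete "$mode")"
done
```

Protecting an important file from deletion therefore means restricting write permission on its directory, not only on the file.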

4. umask command

umask sets the default mask that is applied when a user creates files and directories; if you put this command into the .profile file, you can control the access permissions of the files the user creates from then on. The umask command works just the opposite of the chmod command: it tells the system which access permissions are not to be granted when a file is created.
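The effect of the mask on newly created files and directories, as an added example that is not part of the original article. modes_under_umask is a hypothetical helper name; it relies on the standard behaviour that the shell requests mode 666 for a new file and mkdir requests 777 for a new directory before the mask is applied.

```sh
#!/bin/sh
# Added example. modes_under_umask is a hypothetical helper name.
# Creates a file and a directory under the given umask and prints their
# ls -l permission strings, e.g. "-rw-r----- drwxr-x---" for umask 027.
modes_under_umask() {
    (                                   # subshell: the caller's umask is untouched
        work=$(mktemp -d) || exit 1
        umask "$1"
        : > "$work/f"                   # requested mode 666, minus the masked bits
        mkdir "$work/d"                 # requested mode 777, minus the masked bits
        f=$(ls -ld "$work/f" | cut -c1-10)
        d=$(ls -ld "$work/d" | cut -c1-10)
        printf '%s %s\n' "$f" "$d"
        rm -rf "$work"
    )
}

# 022: group and others lose write; 027: others lose everything;
# 077: only the owner keeps access.
for mask in 022 027 077; do
    printf 'umask %s -> %s\n' "$mask" "$(modes_under_umask "$mask")"
done
```

A line such as umask 027 in .profile applies the same mask to every file the login session creates.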
