Linux Cloud Automation Operations Lesson IV
I. vim
1. vim cursor movement
1) In command mode
:N          ### jump to line N
G           ### jump to the last line of the file
gg          ### jump to the first line of the file
2) Entering insert mode
i           ### insert at the cursor position
I           ### insert at the beginning of the current line
a           ### append after the character under the cursor
A           ### append at the end of the current line
o           ### open a new line below the current line
O           ### open a new line above the current line
s           ### delete the character under the cursor and start inserting
S           ### delete the current line and start inserting
2. Exiting vim
:q          ### quit; only works if nothing in the buffer was changed
:q!         ### quit and discard all changes
:wq         ### save and quit
:wq!        ### force save and quit; works for the superuser and for the file owner even when the file is read-only
3. vim manual
vimtutor    ### the interactive vim tutorial
:q          ### quit vimtutor
II. gedit
Ctrl+N      ### open a new tab in gedit
Ctrl+S      ### save the file
Ctrl+O      ### open a file
Ctrl+X      ### cut
Ctrl+V      ### paste
Ctrl+C      ### copy
yelp help:gedit   ### the graphical gedit manual
III. Understanding users
A user is the identity under which a consumer of the system is known; the system uses it to limit what that consumer may do and to control what is shared with others.
On the system, a user is nothing more than a set of strings plus a few system configuration files.
User information lives in these configuration files:
/etc/passwd       ### user information, world-readable
    username:password:uid:gid:description:home directory:login shell
    (the password field normally holds "x", meaning the hash is kept in /etc/shadow; an empty field means no password is required)
/etc/shadow       ### user authentication information, readable only by root
    username:hashed password:date of last password change:minimum age:maximum age:warning period:inactivity period:account expiry date:reserved
    (dates are days since 1970-01-01, ages are in days; a hash starting with "!" or "*" means the password is locked)
/etc/group        ### group information
    group name:group password:gid:supplementary members
/etc/gshadow      ### group authentication information
/home/username    ### the user's home directory
/etc/skel/.*      ### skeleton files copied into a new user's home directory
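As an added example (not part of the lesson), a few shell checks over the /etc/passwd fields described above. The content below is a constructed sample with deliberately bad entries, not a real system's file; on a live host pass "$(cat /etc/passwd)" instead of the sample. The checks are the ones that matter for security: a second UID 0 account, an empty password field, duplicate UIDs, and which accounts have an interactive shell at all.

```shell
# Constructed /etc/passwd content (not from the lesson); the last three
# entries are deliberately suspicious.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
westos:x:6666:6666:Westos user:/home/westos:/bin/sh
backup:x:0:0:second uid 0:/root:/bin/bash
guest::1001:1001:empty password field:/home/guest:/bin/bash
dup:x:6666:100:duplicate uid:/home/dup:/bin/bash'

# Every account with UID 0 other than root: each one is a second root login.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty: login treats them as having no
# password (whether pam_unix accepts that depends on the nullok option).
empty_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# UIDs shared by more than one account; the kernel only knows the number,
# so two names with one UID are one identity with two passwords.
duplicate_uids() {
    printf '%s\n' "$1" |
        awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' |
        sort -n
}

# Accounts that can open a shell (login shell is not nologin or false).
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}
```

Each function prints one account name (or UID) per line and prints nothing when the sample is clean, so the output can be fed straight into a report or a cron job that mails non-empty results.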
IV. User management
1. Creating users
useradd [options] username
-u          ### specify the uid
-g          ### specify the primary group (name or gid); the group must already exist
-G          ### specify supplementary groups; they must already exist
-c          ### user description (the GECOS field)
-d          ### home directory
-s          ### login shell; /etc/shells lists the shells a user may log in with
Eg: # useradd westos                 ### create a new user with all parameters at their defaults
    # useradd -u 6666 westos         ### create a new user with uid 6666
    # groupadd -g 9999 westo         ### create a group with gid 9999
    # useradd -g 9999 westos         ### create a new user whose primary group is the group with gid 9999
    # useradd -G 21 westos           ### create a new user with the group of gid 21 as a supplementary group
    # useradd -c "Westos user" westos   ### create a new user with the description "Westos user"
    # useradd -d /home/linux westos     ### create a new user whose home directory is /home/linux/
    # useradd -s /bin/sh westos         ### create a new user whose login shell is /bin/sh
PS: # userdel -r westos              ### delete the user westos; if the user still exists from an earlier step, delete it first and then create it again
2. Deleting users
userdel -r username   ### -r also removes the user's home directory and mail spool, not just the account entries
Eg: # userdel -r westos   ### delete the user westos together with its home directory and mail spool
3. Creating groups
groupadd [-g gid] groupname   ### create a group
groupdel groupname            ### delete a group
PS: monitoring command for the experiments above, run in a second terminal:
# watch -n 1 'tail -n 3 /etc/passwd /etc/group; echo ====; ls -l /home; echo ===; ls -l /mnt'
Eg: # groupadd linux            ### create the group linux with default parameters
    # groupadd -g 8888 westos   ### create the group westos with gid 8888
    # groupdel westos           ### delete the group westos
4. Viewing a user's id information
id [options] user
-u          ### the user's uid
-g          ### the gid of the user's primary group
-G          ### the gids of all groups the user belongs to
-n          ### print names instead of numbers (combined with -u, -g or -G)
-a          ### accepted for compatibility only; a plain "id user" already prints everything
Eg: # id -a westos     ### show all of westos's id information (same as "id westos")
    # id -u westos     ### westos's uid
    # id -g westos     ### the gid of westos's primary group
    # id -G westos     ### the gids of all groups westos belongs to
    # id -un westos    ### westos's user name
    # id -gn westos    ### the name of westos's primary group
    # id -Gn westos    ### the names of all groups westos belongs to
5. Changing user information
usermod [options] user
-l          ### change the login name
-u          ### change the uid
-g          ### change the primary gid
-G          ### set the supplementary groups (replaces the existing list)
-aG         ### append to the supplementary groups instead of replacing them
-c          ### change the description
-d          ### change the home directory path; with -m the old directory is moved to the new location as well
-s          ### change the login shell
-L          ### lock the account (puts "!" in front of the password hash in /etc/shadow)
-U          ### unlock the account
PS: -L only disables password authentication. A user with a key in ~/.ssh/authorized_keys can still log in over SSH with the default UsePAM yes, so to really disable a user also expire the account (usermod -e / chage -E) or set the shell to /sbin/nologin.
Eg: # usermod -l linux westos           ### rename the user westos to linux
    # usermod -u 1111 linux             ### change the uid to 1111
    # usermod -g <gid> linux            ### change the primary gid; the group must already exist
    # usermod -G wheel linux            ### set the user's supplementary group to wheel; wheel must already exist
    # usermod -aG 21 linux              ### keep the existing supplementary groups and add the group with gid 21
    # usermod -c "Linux user" linux     ### change the description of the user linux
    # usermod -d /home/linux linux      ### change the home directory recorded for the user linux
    # usermod -md /home/linux linux     ### change the home directory and move the old one to the new location
    # usermod -s /bin/sh linux          ### change the login shell
V. Delegating privileges to users
1. The superuser can delegate actions that ordinary users cannot perform to ordinary users.
Delegation configuration file: /etc/sudoers
2. How to delegate
*) As the superuser, run visudo to edit /etc/sudoers (visudo locks the file and checks the syntax before saving; never edit /etc/sudoers with a plain editor, a syntax error locks everyone out of sudo)
*) Format:
   user    hostname=(identity to run as)    command
   test    desktop0.example.com=(root)      /usr/sbin/useradd
   The user test can run /usr/sbin/useradd as the superuser on desktop0.example.com. The hostname field is matched against the machine's own hostname; use ALL for any host.
Eg: # visudo --> enters /etc/sudoers edit mode --> add: kiosk foundation42.ilt.example.com=(root) /usr/sbin/useradd --> save and exit
3. Running a delegated command
sudo command    ### sudo asks for the invoking user's own password the first time; the credential is cached (5 minutes by default), so the following sudo calls do not prompt again
PS: with the entry kiosk foundation42.ilt.example.com=(root) NOPASSWD: /usr/sbin/useradd in /etc/sudoers, the user is not asked for a password when invoking the command through sudo
Eg: $ sudo /usr/sbin/useradd linux   ### run the delegated command
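As an added example (not part of the lesson), a small lint over /etc/sudoers rules in the format shown above. The content is a constructed sudoers file, not the lesson's or any real host's; the user names, hosts and the ROOT_EQUIVALENT list are assumptions of this example. The last check makes the point a practitioner wants to see: a rule that grants a single command can still be a full root grant. /usr/sbin/useradd, for instance, accepts -o -u 0 and -p, so whoever may run it as root can create another root login; editors and pagers can spawn a shell.

```shell
# Constructed /etc/sudoers content (not from the lesson); the deploy and ops
# lines are deliberately over-broad.
SUDOERS_SAMPLE='Defaults    requiretty
# users
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
kiosk   foundation42.ilt.example.com=(root) /usr/sbin/useradd
admin   localhost=(root) NOPASSWD: /bin/touch
deploy  ALL=(ALL)       NOPASSWD: ALL
ops     ALL=(root)      /usr/bin/vim'

# Only the user specification lines "user host=(runas) [TAG:] cmd": skip
# blanks, comments and Defaults. Aliases and rules with spaces around "="
# are not handled; this is a teaching lint, not a sudoers parser.
rules() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 !~ /^(#|Defaults)/ && $2 ~ /=/'
}

# Users (or %groups) that may run something without typing a password.
nopasswd_rules() {
    rules "$1" | awk '/NOPASSWD:/ { print $1 }'
}

# Users whose command list is ALL: unrestricted root, however it is dressed.
full_root_rules() {
    rules "$1" | awk '$NF == "ALL" { print $1 }'
}

# Commands that hand over root even though the rule looks narrow: useradd and
# usermod can create or convert a UID 0 account, editors and pagers spawn
# shells. The list is an assumption of this example and is not exhaustive.
ROOT_EQUIVALENT='/usr/sbin/useradd /usr/sbin/usermod /usr/bin/vim /usr/bin/vi /usr/bin/less /usr/bin/more /bin/bash /bin/sh'

root_equivalent_rules() {
    rules "$1" | awk -v list="$ROOT_EQUIVALENT" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        { for (i = 2; i <= NF; i++) if ($i in bad) { print $1 ": " $i; break } }'
}

# What one user may actually run, e.g. rules_for_user "$SUDOERS_SAMPLE" admin.
rules_for_user() {
    rules "$1" | awk -v u="$2" '$1 == u { sub(/^[^=]*=/, ""); print }'
}
```

On a real host run the functions on "$(cat /etc/sudoers /etc/sudoers.d/*)"; any name printed by full_root_rules or root_equivalent_rules is an account that should be treated as root when you reason about who can do what.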
VI. Controlling user authentication information
chage [options] user
-d          ### date of the last password change; 0 forces the user to change the password at the next login
-m          ### minimum age: days the user must wait before changing the password again
-M          ### maximum age: days after which the password must be changed
-W          ### warning period: days before expiry during which the user is warned
-I          ### inactivity period: days after the password has expired before the account is locked
-E          ### account expiry date, in the form -E "YYYY-MM-DD"
Eg: # watch -n 1 tail -n 5 /etc/shadow   ### watch the password information change in real time
    # chage -d 0 student      ### student must change the password at the next login
    # chage -m 1 student      ### minimum age 1 day: the password can be changed again at the earliest after 1 day
    # chage -M 30 student     ### maximum age 30 days: the password must be changed within 30 days
    # chage -W 2 student      ### warning period 2 days: during the last 2 days before the password expires the system warns the user to change it
    # chage -I 1 student      ### inactivity 1 day: once the password has expired (after the 30 days) and is still unchanged one day later, the account is locked
    # chage -E "2017-04-21" student   ### set the account expiry date
VII. Viewing file attributes
ls -l filename
-|rw-r--r--.|1|root|root|46|Oct 1 05:03|filename
1     2      3   4    5   6      7          8
1. "-": file type
-           ### regular file
d           ### directory
c           ### character device
s           ### socket
p           ### named pipe (FIFO)
b           ### block device
l           ### symbolic link
Eg: $ ls -l /etc/passwd
    -rw-r--r--. 1 root root 2270 Mar 23 00:45 /etc/passwd   ### regular file
    $ ls -ld /etc/
    drwxr-xr-x. 134 root root 8192 Mar 23 09:04 /etc/        ### directory
(the "." after the permission bits means the file carries an SELinux security context; a "+" there would mean it has an ACL, which grants permissions that ls -l does not show)
2. "rw-r--r--": read, write and execute permissions
rw-|r--|r--
 u   g   o
u: permissions of the file owner
g: permissions of the owning group
o: permissions of everyone else
3. "1": the hard link count
For a file: the number of directory entries that point to this content; the content is freed only when the last link is removed
For a directory: the number of links to it, i.e. the number of subdirectories plus 2 (its own "." entry and the entry in its parent)
Eg: $ ls -l /etc/passwd
    -rw-r--r--. 1 root root 2270 Mar 23 00:45 /etc/passwd   ### one link: removing this entry frees the content
    $ ls -ld /etc/
    drwxr-xr-x. 134 root root 8192 Mar 23 09:04 /etc/        ### /etc has 132 subdirectories; the 8192 is the size of the directory itself in bytes
4. "root": file owner
Eg: $ ls -l file
    -rw-rw-r-- 1 kiosk kiosk 0 Mar 23 10:12 file   ### the file's owner is the user kiosk
5. "root": owning group
Eg: $ ls -l file
    -rw-rw-r-- 1 kiosk kiosk 0 Mar 23 10:12 file   ### the file's owning group is the group kiosk
6. "46": size of the file contents in bytes
Eg: $ ls -l file
    -rw-rw-r-- 1 kiosk kiosk 0 Mar 23 10:12 file   ### the file is empty, its content size is 0
7. "Oct 1 05:03": time of the last modification
Eg: $ ls -l file
    -rw-rw-r-- 1 kiosk kiosk 0 Mar 23 10:12 file   ### the file was last modified on Mar 23 at 10:12
8. "filename": file name
Eg: $ ls -l file
    -rw-rw-r-- 1 kiosk kiosk 0 Mar 23 10:12 file   ### the file name is file
VIII. Managing file owners and owning groups
chown username file|dir              ### change the owner of the file (only root may give a file away)
chown username:groupname file|dir    ### change the owner and the owning group
chown -R username dir                ### change the owner of the directory itself and of everything in it
chgrp -R groupname dir               ### change the owning group of the directory itself and of everything in it
Eg: # watch -n 1 ls -lR /mnt         ### watch the files and directories under /mnt change in real time
    # chown student /mnt/file        ### change the owner of file to student
    # chown student.wheel /mnt/dir   ### change the owner of dir to student and its owning group to wheel
    # chown student:wheel /mnt/dir   ### same effect as the previous command (":" is the documented separator, "." is accepted for compatibility)
    # chown -R student /mnt/dir      ### change the owner of dir and of everything in it to student
    # chgrp -R wheel /mnt/dir        ### change the owning group of dir and of everything in it to wheel
IX. Ordinary file permissions
rw-|r--|r--
 u   g   o
u: the file owner can read and write the file
g: members of the owning group can read the file
o: everyone else can read the file
Only one class is consulted: if the process's uid is the owner, the u bits decide; otherwise, if its gid or one of its supplementary groups matches the owning group, the g bits decide; otherwise the o bits decide. An owner with fewer bits than the group does not fall through to the g bits.
1. r
For a file: the characters in the file can be read
For a directory: the names of the files in the directory can be listed
2. w
For a file: the characters in the file can be changed
For a directory: files can be created in, deleted from and renamed in the directory (x on the directory is needed as well; whether a file can be deleted depends on the directory's permissions, not on the file's)
3. x
For a file: the file can be run as a program
For a directory: the directory can be entered and the files in it accessed
4. Changing permissions in symbolic mode
chmod [-R] <u|g|o|a><+|-|=><r|w|x> file|dir
chmod u-x file1          ### remove x from the owner of file1
chmod g+w file1          ### add w for the group of file1
chmod u-x,g+w file1      ### remove x from the owner of file1 and add w for its group
chmod ugo-r file2        ### remove r from the owner, group and others of file2
chmod ug+x,o-r file3     ### add x for the owner and group of file3 and remove r from others
Eg: # watch -n 1 ls -lR /mnt   ### watch the files and directories under /mnt change in real time
    # chmod u-x /mnt/dir       ### remove x from dir's owner student; after switching to the user student the directory cannot be entered
    # chmod g+w /mnt/dir       ### add w for dir's group wheel; members of wheel may now create and delete files in dir
    # chmod u-x,g+w /mnt/dir   ### same effect as the previous two commands
    # chmod ugo-r /mnt/dir     ### remove r from dir's owner, group and others; nobody can list the files in the directory
    # chmod ug+x,o-r /mnt/dir  ### add x for dir's owner and group, so both can enter the directory, and remove r from others, so they cannot list the files in it
5. Changing permissions in numeric mode
In Linux: r=4, w=2, x=1
Numeric representation of file permissions
rw-|r--|r--
 u   g   o
u=rw-=4+2+0=6
g=r--=4+0+0=4
o=r--=4+0+0=4
so the file's permissions are written as 644
7=rwx, 6=rw-, 5=r-x, 4=r--, 3=-wx, 2=-w-, 1=--x, 0=---
Eg: # chmod 640 /mnt/file   ### the owner of file can read and write it, the owning group can read it, and everyone else can do nothing with it
X. Default permissions of the system
From the usability standpoint, the more permissions a new file opens, the more useful the system is
From the security standpoint, the fewer permissions a new file opens, the safer the system is
So the system masks some permissions off every new file or directory: a file starts from 666 and a directory from 777, and the bits set in the umask are removed
Setting the mask
umask           ### show the mask; the system default for root is 022
umask 077       ### change the mask to 077; this is temporary and only valid in the current shell
Permanent setting:
vim /etc/bashrc   ### shell startup file; edit the umask block
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002   ### ordinary users (uid above 199 whose primary group has their own name)
else
    umask 077   ### superuser and system users; the value shipped is 022, changed here to 077
fi
vim /etc/profile  ### system-wide login file; edit the same block
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002   ### ordinary users
else
    umask 077   ### superuser and system users, changed to 077
fi
The umask values in the two files must be kept consistent
source /etc/bashrc
source /etc/profile
This makes the setting take effect immediately in the current shell
PS: before the change, a file created by root gets 644 (666 with the 022 bits removed): the owner can read and write, group and others can only read. After the change it gets 600: only the owner can read and write, group and others have no permissions at all. Ordinary users take the 002 branch and keep getting 664 unless that branch is changed as well.
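As an added example (not part of the lesson), the umask arithmetic above written out so it can be checked instead of looked up, plus a live test that creates a file and a directory under a chosen umask. The mode check uses find -perm rather than GNU stat so it runs on any POSIX system; the functions and the temporary directory are assumptions of this example.

```shell
# A new file starts from 666 and a new directory from 777; the bits set in the
# umask are cleared from that base. Going the other way (which umask gives a
# wanted default mode) is the same bitwise operation with the roles swapped.
umask_apply()  { printf '%03o\n' $(( 0$2 & ~0$1 )); }   # umask_apply 022 666  -> 644
umask_needed() { printf '%03o\n' $(( 0$2 & ~0$1 )); }   # umask_needed 440 666 -> 226

# True when the path has exactly the given octal mode (no GNU stat needed):
# find prints the starting path only if -perm matches it exactly.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Create a file and a directory inside $2 under umask $1. The umask is set in a
# subshell so the caller's shell keeps its own value.
create_with_umask() {
    ( umask "$1" && touch "$2/file" && mkdir "$2/dir" )
}
```

umask_needed 440 666 is the derivation the assignment at the end of this lesson asks for: r--r----- is 440, and 666 with 440 kept is 226 masked off.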
XI. Special permissions
1. suid             ### the "set user id" bit
Only meaningful on binary executables
The process started from the program runs with the file owner's identity (effective uid),
regardless of who started it
Setting it:
chmod u+s file
suid=4
chmod 4xxx file
PS: every setuid-root binary is a privilege boundary: a bug in it is a root bug. Inventory them with find / -perm -4000 -type f and drop the bit from anything that does not need it.
2. sgid             ### the "set group id" bit
For a file: only meaningful on binary executables;
whoever runs the binary,
the process runs with the file's owning group as its group identity (effective gid),
regardless of the group of the user who started it
For a directory: when a directory has sgid, every file created in it
is automatically owned by the directory's group, regardless of the group of the user who created it
Setting it:
chmod g+s file|dir
sgid=2
chmod 2xxx file|dir
3. sticky           ### the sticky bit
t permission:
only meaningful on directories; when a directory has the t bit, a file in it can be deleted or renamed only by the file's owner (the directory's owner and root excepted), even if the directory is writable by everyone
Setting it:
chmod o+t directory
t=1
chmod 1777 directory
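As an added example (not part of the lesson), a decoder for the permission field of ls -l that covers both the ordinary rwx triples of section VII and the s/S/t/T letters of this section, followed by the assignment's directory layout rebuilt under a temporary directory so the decoded modes can be verified, and the setuid inventory the suid note recommends. The functions, the temporary directory and the omission of the chgrp steps (the shengchan and caiwu groups need not exist where this runs) are assumptions of this example.

```shell
# Convert the 9 permission characters from "ls -l" (after the file-type
# character) into 4-digit octal, handling s/S (suid, sgid) and t/T (sticky):
# "rwsr-xr-x" -> 4755, "rwxrwsr-x" -> 2775, "rwxrwxrwt" -> 1777.
# An upper-case S or T means the special bit is set but x is not.
mode_to_octal() {
    printf '%s' "$1" | awk '
        length($0) != 9 { print "bad mode: " $0 > "/dev/stderr"; exit 1 }
        {
            special = 0; out = ""
            for (i = 0; i < 3; i++) {
                t = substr($0, i * 3 + 1, 3); bits = 0
                if (substr(t, 1, 1) == "r") bits += 4
                if (substr(t, 2, 1) == "w") bits += 2
                c = substr(t, 3, 1)
                if (c == "x" || c == "s" || c == "t") bits += 1       # lower case: x is set
                if (c == "s" || c == "S") special += (i == 0) ? 4 : 2 # suid in u, sgid in g
                if (c == "t" || c == "T") special += 1                # sticky in o
                out = out bits
            }
            print special out
        }'
}

# The 9 permission characters of a path, taken from ls -ld (the "." or "+"
# that may follow them is ignored).
perms_of() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Recreate the assignment's directory layout under a base directory; the
# chgrp steps are left out because the department groups need not exist here.
lab_layout() {
    mkdir -p "$1/pub" "$1/sc" "$1/cw"
    chmod 1777 "$1/pub"          # world-writable plus sticky: only a file's owner may delete it
    chmod 2770 "$1/sc" "$1/cw"   # group rwx plus sgid: new files inherit the directory's group
}

# Inventory of setuid files below a directory; run on / as root for the real audit.
suid_files() {
    find "$1" -type f -perm -4000
}
```

mode_to_octal "$(perms_of /usr/bin/passwd)" gives 4755 on a stock system, which is why passwd can write /etc/shadow for an ordinary user; anything else printed by suid_files / that you cannot explain the same way deserves a look.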
Unit 4 assignment
1. Create the groups shengchan, caiwu and jishu
# groupadd shengchan
# groupadd caiwu
# groupadd jishu
2. Create users as follows:
*) tom has shengchan as a supplementary group
*) harry has caiwu as a supplementary group
*) leo has jishu as a supplementary group
*) create a user admin who belongs to none of the three departments above
# useradd -G shengchan tom
# useradd -G caiwu harry
# useradd -G jishu leo
# useradd admin
3. Create directories as follows:
*) /pub is a public store that every user can read, write and execute in, but a user can delete only the files that belong to them
*) /sc is the production department's directory: only production staff can write to it, and files created there are automatically owned by the shengchan group
*) /cw is the finance department's directory: only finance staff can write to it, and files created there are automatically owned by the caiwu group
*) the admin user can create files in /sc and /cw with touch, but cannot delete files
# mkdir /pub
# chmod 777 /pub
# chmod o+t /pub
PS: the two commands above can be combined as # chmod 1777 /pub
# mkdir /sc
# chgrp shengchan /sc
# chmod 770 /sc
# chmod g+s /sc
PS: the two commands above can be combined as # chmod 2770 /sc
# mkdir /cw
# chgrp caiwu /cw
# chmod 770 /cw
# chmod g+s /cw
PS: the two commands above can be combined as # chmod 2770 /cw
# visudo --> enter edit mode and add:
admin localhost=(root) NOPASSWD: /bin/touch
PS: the host field is compared with the machine's own hostname; "localhost" only matches if that is what hostname prints, otherwise use the real hostname or ALL
# su - admin
$ sudo /bin/touch /sc/file
4. Make files created by ordinary users get the permissions "r--r-----"
# vim /etc/profile --> enter edit mode:
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002   ### change to 226: 666 with the 226 bits removed is 440 = r--r-----
else
    umask 022
fi
# vim /etc/bashrc --> enter edit mode:
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002   ### change to 226
else
    umask 022
fi
# source /etc/profile
# source /etc/bashrc
5. Let the admin user create new users freely through sudo
# visudo --> enter edit mode and add:
admin localhost=(root) NOPASSWD: /usr/sbin/useradd
PS: this grant is effectively full root, because useradd run as root accepts -o -u 0 and -p, so admin can create another root login with it
# su - admin
$ sudo /usr/sbin/useradd xyh