Linux file permissions

Source: Internet
Author: User

Security for Linux

1. /etc/passwd file

Each record in the /etc/passwd file contains the following fields:
• Login name of the user
• User password
• UID of the user account (numeric)
• Group ID (GID) of the user account (numeric)
• Text description of the user account (the comment field)
• Location of the user's home directory
• User's default shell
2. /etc/shadow file

The /etc/shadow file holds one record for each user account on the system. A record looks like this:
rich:$1$.Ffck0ns$f1ugiyhq25wrb/hykcn020:11627:0:99999:7:::
Each record in the /etc/shadow file has 9 fields:
• Login name, corresponding to the login name field in /etc/passwd
• Encrypted (hashed) password
• Number of days since the password was last changed (counted from January 1, 1970)
• Minimum number of days that must pass before the password may be changed again
• Maximum number of days after which the password must be changed
• Number of days before the password expires that the user is warned to change it
• Number of days after the password expires before the account is disabled
• Date on which the account is disabled (as the number of days since January 1, 1970)
• Reserved field for future use
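To make the nine fields concrete, the following script is an added example (not part of the original article) that splits shadow-style records, converts the day counts into dates, and flags the things an account audit looks for: empty password fields, locked accounts, old MD5-crypt hashes and passwords that never expire. SAMPLE_SHADOW is a constructed sample with placeholder hashes; run the loop in the comment against the real /etc/shadow as root to audit a live system.

```shell
#!/bin/sh
# Added example, not from the original article: parse /etc/shadow-style
# records field by field and report what an account audit looks for.
# SAMPLE_SHADOW is a constructed sample; the hash values are placeholders,
# not real password hashes. To audit a live system, run as root:
#   while IFS= read -r rec; do shadow_audit "$rec"; done < /etc/shadow

SAMPLE_SHADOW='rich:$1$constructedsalt$PLACEHOLDERNOTAREALHASH:11627:0:99999:7:::
svc-backup::18000:0:99999:7:::
olduser:!:17000:7:90:14:30:18500:'

# days_to_date DAYS -> YYYY-MM-DD; the shadow file counts days from 1970-01-01
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# shadow_audit RECORD -> one finding per line, derived from the nine fields:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
shadow_audit() {
    IFS=: read -r name hash lastchg min max warn inactive expire reserved <<EOF
$1
EOF
    case "$hash" in
        "")        echo "$name: EMPTY password field (login without a password)" ;;
        '!'*|'*'*) echo "$name: locked (hash begins with ! or *)" ;;
        '$1$'*)    echo "$name: MD5-crypt hash (weak by current standards)" ;;
        '$6$'*)    echo "$name: SHA-512-crypt hash" ;;
        *)         echo "$name: hash of unrecognised type" ;;
    esac
    [ -n "$lastchg" ] && echo "$name: password last changed $(days_to_date "$lastchg")"
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "$name: password never expires"
    else
        echo "$name: password must be changed every $max days (warn $warn days ahead)"
    fi
    [ -n "$expire" ] && echo "$name: account expires $(days_to_date "$expire")"
    return 0
}

# audit_all -> runs shadow_audit over every record in SAMPLE_SHADOW
audit_all() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r rec; do
        shadow_audit "$rec"
    done
}

audit_all
```

The record for rich reports a last password change of 2001-11-01 (11627 days after the epoch) and a password that never expires, because 99999 is the conventional "no maximum" value; the two other constructed records show the empty-field and locked cases.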

3. Add a new user

# /usr/sbin/useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#

The default values listed in this example mean the following:
• New users are added to the common group with GID 100;
• The home directory of a new user is /home/loginname;
• The new account is not disabled after its password expires;
• No expiration date is set for the new account;
• The new account uses bash as its default shell;
• The system copies the contents of /etc/skel into the user's home directory;
• The system creates a file in the mail directory for the account to receive mail.

useradd command-line parameters

Parameter and description:
-c comment
Add a comment for the new user
-d home_dir
Specify a different name for the home directory (if you do not want to use the login name as the directory name)
-e expire_date
Specify the date on which the account expires, in YYYY-MM-DD format
-f inactive_days
Specify the number of days after the password expires before the account is disabled; 0 disables the account as soon as the password expires, and -1 turns this feature off
-g initial_group
Specify the GID or group name of the user's login group
-G group ...
Specify one or more supplementary groups the user belongs to in addition to the login group
-k
Must be used with -m; copies the contents of /etc/skel into the user's home directory
-m
Create the user's home directory
-M
Do not create the user's home directory (used when the default setting says to create one)
-n
Create a new group with the same name as the user's login name
-r
Create a system account
-p passwd
Specify a default password for the user account
-s shell
Specify the default login shell
-u uid
Specify a unique UID for the account

useradd parameters for changing the default values

-b default_home
Change the default location where user home directories are created
-e expiration_date
Change the default expiration date for new accounts
-f inactive
Change the default number of days between a new user's password expiring and the account being disabled
-g group
Change the default group name or GID
-s shell
Change the default login shell

4. Delete a user

userdel

5. Modify a user

usermod
Modifies the fields of a user account; it can also set the primary group and supplementary group memberships
passwd
Changes the password of an existing user
chpasswd
Reads login:password pairs from a file and updates the passwords
chage
Changes the expiration date of a password
chfn
Changes the comment information of a user account
chsh
Changes the default login shell of a user account

5.1 usermod

-c modifies the comment field, -e modifies the expiration date, and -g modifies the default login group. A few other options can also come in handy:
• -l changes the login name of the user account.
• -L locks the account so that the user cannot log in.
• -p changes the password of the account.
• -U unlocks the account so that the user can log in again.
The -L option is particularly useful: it locks the account so that the user cannot log in, without deleting the account or the user's data. To put the account back to normal, just use the -U option.

5.2. passwd and chpasswd

An easy way to change a user's password is the passwd command.
# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
#

The -e option forces the user to change the password the next time they log in. You can set a simple password for the user and then force them to change it to a more complex one they can remember at the next login.

If you need to change the passwords of a large number of users on your system, the chpasswd command can do more. chpasswd reads a list of login and password pairs (separated by colons) from standard input, encrypts each password, and updates the user account. You can also redirect a file containing userid:passwd pairs into the command:
# chpasswd < users.txt
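Redirecting a users.txt file leaves plaintext passwords on disk. The script below is an added example (not part of the original article) of the same bulk reset done without that file: it generates random passwords from /dev/urandom, pipes the login:password pairs straight into chpasswd, and then expires each password with passwd -e so the user must choose their own at first login. NEW_USERS is a constructed sample list, and the apply step refuses to run unless it is root.

```shell
#!/bin/sh
# Added example, not from the original article: bulk password reset with
# chpasswd without leaving a plaintext users.txt on disk. Passwords are
# generated from /dev/urandom and piped straight into chpasswd; each account
# is then forced to change its password at next login (passwd -e). The user
# list below is a constructed sample; the apply step only runs as root.

NEW_USERS='alice bob carol'   # constructed sample list

# gen_password LEN -> one random password of LEN alphanumeric characters
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
    echo
}

# build_chpasswd_input -> "user:password" lines on stdout, one per user
build_chpasswd_input() {
    for u in $NEW_USERS; do
        printf '%s:%s\n' "$u" "$(gen_password 20)"
    done
}

# apply_passwords -> feeds the pairs to chpasswd and expires each password.
# Refuses (returns 1) unless running as root, so the script is safe to source.
apply_passwords() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_passwords: must run as root" >&2
        return 1
    fi
    pairs=$(build_chpasswd_input)
    printf '%s\n' "$pairs" | chpasswd || return 1
    # Hand each user their password out of band, then force a change at first login
    printf '%s\n' "$pairs" | while IFS=: read -r u p; do
        passwd -e "$u" >/dev/null
    done
}

# Preview the pairs without applying them (nothing is changed on the system):
build_chpasswd_input
```

The pairs only ever exist in the shell's memory and on the pipe to chpasswd; the preview at the end prints them so you can see the format, which is exactly what the page's users.txt would contain.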

5.3. chsh, chfn and chage

The chsh, chfn and chage tools are designed to modify specific pieces of account information. The chsh command quickly changes a user's default login shell. You must give the full path name of the shell as the parameter, not just the shell name.
# chsh -s /bin/csh test
Changing shell for test.
Shell changed.

The chfn command provides a standard way to store information in the comment field of /etc/passwd.

The chage command helps manage the lifetime of user accounts. Each value is set with its own parameter:

Parameter and description:

-d, --lastday LAST_DAY        set the date of the last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE  set the account expiration date to EXPIRE_DATE
-h, --help                    display this help message and exit
-I, --inactive INACTIVE       set the number of days after expiration before the password becomes inactive to INACTIVE
-l, --list                    show account aging information
-m, --mindays MIN_DAYS        set the minimum number of days between password changes to MIN_DAYS
-M, --maxdays MAX_DAYS        set the maximum number of days between password changes to MAX_DAYS
-R, --root CHROOT_DIR         directory to chroot into
-W, --warndays WARN_DAYS      set the number of days of expiration warning to WARN_DAYS

Using Linux groups

Create a new group: groupadd

When you create a new group, no users are assigned to it by default. The groupadd command has no option for adding users to the group, but the usermod command makes up for that.
# /usr/sbin/usermod -G shared rich

Modify a group

As you can see in the /etc/group file, there is not much group information to modify. The groupmod command can change the GID (with the -g option) or the name (with the -n option) of an existing group.
# /usr/sbin/groupmod -n sharing shared
# tail /etc/group
haldaemon:x:68:

Understanding file permissions

1 Using file permission characters

$ ls -l
total 68
-rw-rw-r-- 1 rich rich 2010-09-13 07:49 file1.gz
drwxrwxr-x 2 rich 4096 2010-09-03 15:12 test1

The first field of the output is the code that describes the permissions of the file or directory. The first character of that field gives the type of the object:
• - for a regular file
• d for a directory
• l for a link
• c for a character device
• b for a block device
• n for a network device
Then come three groups of three characters. Each group defines three kinds of access:
• r means the object is readable
• w means the object is writable
• x means the object is executable
If a permission is not granted, a single dash appears in that position. The three groups correspond to the three security levels of the object:
• the owner of the object
• the group the object belongs to
• all other users on the system

2 Default file permissions

The default permissions of a new object are obtained by subtracting the umask value from the object's full permission value. For a file, the full permission value is 666 (all users have read and write permission); for a directory, it is 777 (all users have read, write and execute permission).

Because the full permission value of a directory is 777, the directory permissions produced by umask differ from the file permissions it produces. A umask value of 026 subtracted from 777 leaves 751 as the directory permission setting.
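The script below is an added example (not part of the original article) that covers both of the passages above: mode_to_octal decodes the ten-character permission field that ls -l prints, including the s/S/t/T special bits, and apply_umask computes what a umask leaves of the full 666/777 value. One caveat worth knowing: the kernel applies umask as a bit mask (mode & ~umask), which gives the same 751 and 640 as the subtraction described in the text, but also gives the right answer for a mask such as 027 on a file, where digit-by-digit subtraction would not. demo_umask verifies the arithmetic against files the kernel actually creates in a temporary directory; all sample mode strings are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. mode_to_octal decodes the
# ten-character permission field of ls -l (special bits included);
# apply_umask and demo_umask show what a umask leaves of the full 666/777
# value. The umask is applied bitwise (mode & ~umask), which matches the
# 751/640 results in the text and also handles masks such as 027 correctly.
# Sample mode strings are constructed; demo_umask works in a temp directory.

# mode_to_octal 'drwxrwsr-x' -> 2775  (special bits first, then u/g/o digits)
mode_to_octal() {
    m=$1
    special=0
    perm=""
    i=2
    for who in u g o; do
        v=0
        r=$(printf '%s' "$m" | cut -c"$i"); i=$((i + 1))
        w=$(printf '%s' "$m" | cut -c"$i"); i=$((i + 1))
        x=$(printf '%s' "$m" | cut -c"$i"); i=$((i + 1))
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case "$x" in
            x | s | t) v=$((v + 1)) ;;           # lower case: execute bit is set
        esac
        case "$who$x" in
            us | uS) special=$((special + 4)) ;; # setuid
            gs | gS) special=$((special + 2)) ;; # setgid
            ot | oT) special=$((special + 1)) ;; # sticky bit
        esac
        perm="$perm$v"
    done
    printf '%s%s\n' "$special" "$perm"
}

# mode_findings MODE LABEL -> the findings a permission audit reports for MODE
mode_findings() {
    case "$1" in -??[sS]??????) echo "$2: setuid executable" ;; esac
    case "$1" in ????????w[-x]) echo "$2: world-writable (no sticky bit)" ;; esac
    return 0
}

# apply_umask BASE MASK -> the mode that umask MASK leaves of full mode BASE
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# demo_umask MASK -> "file=MODE dir=MODE" as actually created under that umask
demo_umask() {
    (
        umask "$1"
        d=$(mktemp -d)
        : > "$d/f"
        mkdir "$d/sub"
        f=$(ls -ld "$d/f" | cut -c1-10)
        s=$(ls -ld "$d/sub" | cut -c1-10)
        rm -rf "$d"
        printf 'file=%s dir=%s\n' "$f" "$s"
    )
}

# Worked values from the text: umask 026 on a directory and on a file
apply_umask 777 026
apply_umask 666 026
demo_umask 026
```

With umask 026, apply_umask prints 751 for a directory and 640 for a file, and demo_umask shows the same result as ls -l strings (drwxr-x--x and -rw-r-----); feeding those strings back through mode_to_octal closes the loop.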

Change security settings

1 Changing permissions

The chmod command changes the security settings of files and directories. Its format is:
chmod options mode file

Besides the three sets of three-character permissions used above, chmod accepts another form. The format for specifying permissions in symbolic mode is:
[ugoa...][[+-=][rwxXstugo...]
The first set of characters defines which class the permission applies to:
• u for the user (owner)
• g for the group
• o for others
• a for all of the above

The next symbol states whether to add the permissions to the existing ones (+), remove them from the existing ones (-), or set them to exactly the value that follows (=).

Finally, the third part gives the permissions being set. There are more values here than the usual rwx; the additional ones are:

• X: grant execute permission only if the object is a directory or already has execute permission for someone.
• s: set the UID or GID when the object is executed.
• t: the sticky bit (keep the file or directory).
• u: set the permissions to be the same as the owner's.
• g: set the permissions to be the same as the group's.
• o: set the permissions to be the same as other users'.

The -R option applies the permission change recursively to files and subdirectories.

2 Changing ownership

The format of the chown command is:
chown options owner[.group] file

The chown command takes several different options. The -R option, with wildcards, lets you change the ownership of subdirectories and files recursively. The -h option changes the ownership of any files that are symbolically linked to the file.

Share files

To create a shared directory in which new files inherit the directory's group, simply set the SGID bit on the directory.
$ mkdir testdir
$ ls -l
drwxrwxr-x 2 rich 4096 Sep 23:12 testdir/
$ chgrp shared testdir
$ chmod g+s testdir
$ ls -l
drwxrwsr-x 2 rich shared 4096 Sep 23:12 testdir/
$ umask 002
$ cd testdir
$ touch testfile
$ ls -l
total 0
-rw-rw-r-- 1 rich shared 0 Sep 23:13 testfile
$
First, create the directory to be shared with the mkdir command. Then use chgrp to change the directory's default group to a group containing all the users who need to share the files (you must be a member of that group). Finally, set the SGID bit on the directory to ensure that new files created in it get shared as their default group.
