Linux Operations Learning-sixth day-linux users, groups, and Rights management

Chapter Content

Security model for Linux

Users and Groups

User and Group Management commands

File permissions

Default Permissions

Special permissions

ACL access control

One: 3A certification

Authentication: Certification

Authorization: Authorization

Audition Audit

Authentication (authentication): Verify the user's identity (account number and password) and a range of services such as the available network

Authorization (Authorization): According to the results of the certification open Network and other services to users, the user's access to resources to centralized control.

Audition (Audit): The user all the operation log centralized records management and analysis, not only can monitor the user behavior, and can be through the centralized audit data mining, in order to facilitate the subsequent security incident responsibility identification.

The image is said that the user through the user name and password authentication, authentication to obtain token token (identity), the token is already authorized "identity card", have the token can access or operating system, but the activity content is authorized when the permission restrictions, rules what you can do , and audit is a kind of supervision and control measures, it keeps the log and other related systems, user activities, can control whether the user has abnormal operation and other unreasonable places.

And the Linux system in this process, the use of:

User name (UserID is UID)

Password (passwd)

Primary Group (GID)

Additional groups (secondary groups) (other)

File and Directory Permissions

ACL access Control List

Through the above, the user's system activities are initially managed

Ii. Users and Groups

1 user and User ID (UID)

Every user in a Linux system has his or her own username, but Linux does not recognize the username that we typed when we logged in, but the UID of the user name, and the UID is the real ID number, just like our ID card. The last to verify the identity of the identity card number is the reason. So the relationship between the user name and the user ID (UID) is as follows

User name: Class This name facilitates user memory operation login

User id: Class The real basis for identifying the identity of this ID number system

For example, we have a normal new user User1 in the system, specify the UID number is 1111, and then

Users (Uesrname and UID) in Linux are divided into

Administrative user (admin root uid=0)

Normal User (uid=1-65535)

System users (such as Nologin) CentOS6.8 default uid=1-499;centos7.2 default uid=1-999

Role: In order to enable a background process or service class process to run as a non-administrator, usually the system or application needs to create a number of ordinary users, such users do not have to log on to the system, just to let other processes run as its identity, so that only access to ordinary permissions, users can also be common system users themselves.

Login Interactive User (account of our daily login work) CentOS6.8 default uid=500-60000;centos7.2 default

uid=1000-60000

Role: The interactive account we use for our daily work is also the account that we normally recommend (root permission is too big, the operation is risky), have normal permission, can operate the maintenance system normally.

OK, let's take a look at the example to see how the UID affects the user name (account)

Example (1)

We normally create a normal login user user1, and specify uid=1111

Useradd-u 1111 User1

Then view the User1 user information in the/etc/passwd

Getent passwd user1

View information about the User1 home directory that exists in the user home directory list in the normal user home directory

Ll/home

Then delete the User1 account, but keep the home directory

Userdel user1

View the changes in the User1 home directory where the user home directory list in the normal user home directory is present

Ll/home

Add user user2, but specify its uid=1111, same as the original User1

Useradd-u 1111 User2

View/etc/passwd to see changes in user information and changes in the home directory

Getent Passwdll/home

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M01/85/6A/wKiom1eiy0uxgsEIAASezKM1kPc783.jpg "title=" 1.jpg " alt= "Wkiom1eiy0uxgseiaasezkm1kpc783.jpg"/>650) this.width=650; src= http://s3.51cto.com/wyfs02/M00/85/69/ Wkiol1eiylhtyohkaadall1rvi8711.jpg "title=" 2.jpg "alt=" Wkiol1eiylhtyohkaadall1rvi8711.jpg "/>

Example 2

For this example, do a backup snapshot

We use the Nano or VIM text Editing tool to edit the root uid=2222 in/etc/passwd and User2 uid=0

First we have to activate the user2 password, otherwise we can not login

passwd User2

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M01/85/6A/wKiom1ei0XqC3EqzAACdH3YmQKU614.jpg "title=" 3.jpg " alt= "Wkiom1ei0xqc3eqzaacdh3ymqku614.jpg"/> Then edit the configuration/etc/passwd information, change the root uid to 2222 to change the User2 uid to 0

vim/etc/passwd

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/85/6A/wKiom1ei0tPQA46IAABMNDUVgEo723.jpg "style=" float: Left; "title=" 4.jpg "alt=" Wkiom1ei0tpqa46iaabmnduvgeo723.jpg "/>

￥650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M02/85/69/wKioL1ei0tXANJvmAABxO6P55CQ284.jpg "title=" 5.jpg "alt=" Wkiol1ei0txanjvmaabxo6p55cq284.jpg "/>

We mentioned earlier that the administrator's command prompt is the default #, and the average user is $

Then we re-login to the system, the system will re-read the/etc/passwd file

Exit

Re-Login

650) this.width=650; "src=" http://s4.51cto.com/wyfs02/M01/85/6A/wKioL1ei1d-QpaWiAAFx44H5x8s343.jpg "title=" 6.jpg " alt= "wkiol1ei1d-qpawiaafx44h5x8s343.jpg"/> Login user2 will find the command prompt to # and the default Administrator's command prompt is # and switch user root does not require a password

But the root user originally only the administrator can view the/etc/shadow file should not be able to access the view, and the command prompt symbol becomes the default ordinary user $; switching back to User2 account requires a password! And be able to view/etc/shadow files.

As a result, we can see that the recognition mechanism in the system is based on the user ID or UID, not the user name we use.

Therefore, the UID in Linux can determine the user's identity, and affect their own relationship and permissions.

Note: The above restitution, the root and User2 uid back to the original value can be

User uid can be duplicated (created and modified with commands), but generally not recommended

/ETC/PASSWD is one of the global profiles in which the database file records information about the user account and can be used

Mans 5 passwd

Understand the meaning of the relevant parameters

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M00/85/6B/wKiom1ei3MCDNSq3AABi_p1q6TA655.jpg "title=" 7.jpg " alt= "Wkiom1ei3mcdnsq3aabi_p1q6ta655.jpg"/>

2. Password

Account password is the key to user login authentication, we are here to get a preliminary understanding of the Linux user password, storage location in the system, and password composition and encryption algorithm

In the previous version of the Linux password stored in the database file/etc/passwd in the second parameter location, but later stored in the/etc/shadow, from the current mechanism, because the system is required to operate, passwd is all users can view, While the shadow file can only be viewed by the root administrator, it is for security reasons to transfer the storage location, if you want to return to the original storage mode, the method is as follows:

Pwunconv #关闭影子密码, the password is re-stored to/etc/passwd, not/etc/shadow pwconv #打开影子密码

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M01/85/6B/wKioL1ei4mDD14JHAAFyf8ILdkY934.jpg "style=" float: none; "title=" 8.jpg "alt=" Wkiol1ei4mdd14jhaafyf8ildky934.jpg "/>

650) this.width=650; "src=" http://s1.51cto.com/wyfs02/M00/85/6B/wKiom1ei4mGhqZgPAACquGZAzBs389.jpg "style=" float: none; "title=" 9.jpg "alt=" Wkiom1ei4mghqzgpaacqugzazbs389.jpg "/>

We can see that when the shadow password is closed, the password has been stored in the/etc/passwd, and we will find that the/etc/shadowwen file is not!!! Re-open back to the system default shadow password mode,/etc/shadow file again, the password is not stored in the/etc/passwd, but also stored in the/etc/shadow

The composition of the password: the normal password composition in the system consists of three parts

650) this.width=650; "src=" http://s2.51cto.com/wyfs02/M01/85/6B/wKiom1ei5DyCOUpLAAC-r1YEqZs102.jpg "title=" 10.jpg "alt=" Wkiom1ei5dycouplaac-r1yeqzs102.jpg "/>

The first $ after is the encryption algorithm, the corresponding relationship between the number and encryption algorithm is as follows:

1:MD5 128-bit

2:SHA1 160-bit

3:sha224 224-bit

4:SHA256 256-bit

5:sha384 384-bit

6:SHA512 512-bit

So we can see that User2 's encryption algorithm is sha512.

and early password algorithm with MD5 and SHA1, the number of bits did not show so long, at that time although there are more complex password, but considering the encryption and decryption verification, are to consume the system resources, and no one can crack this encryption algorithm, so in order to make system system resource utilization higher, Instead of using more complex algorithms, however, in 2005 by our mathematician Xiao female doctor! Woman doctor! Woman doctor! successful decryption also results in a change in password encryption algorithms for all important areas thereafter.

Celestial Mighty domineering, female Doctor invincible!!!!  

Encryption mechanism:

Encryption: Clear-and redaction

Decryption: ciphertext-to-plaintext

One-way encryption: the same as the legal long output, get ciphertext irreversible introduction of raw data

hash algorithm, the original text is different, the ciphertext will be different

Avalanche effect: Small changes in initial conditions, resulting in a dramatic change in results

Change the encryption algorithm authconfig--passalgo=sha256--Update

Attention:

This command is implemented by modifying the parameters in the /etc/login.defs file, so it is valid for everyone, the user encryption mode that has been created is not changed, but the modifications change, the new user uses the modified encryption algorithm, and the re-login is still valid

The second $ after is salt (salt): Can be abstracted as the role of spices, is the same password, add salt generated by the random number based on the avalanche effect, the resulting ciphertext is not the same, so that if someone else's password ciphertext and their own, and then calculate our password.

After the third $ is the true password cipher, very according to the number of encryption algorithm, and different length, but in the same algorithm, different length of the password, cipher ciphertext length is the same, so, the length of the cipher cipher is determined by the cipher encryption algorithm.

3. Group (primary group, additional group)

In a Linux system user's group we can be abstracted to understand as the department, the main group is the main department (that is, our relationship location), and the additional group is part-time department (such as the technical Department of the main professional technician, itself part-time PR Image Ambassador 650) this.width=650; "Src=" Http://img.baidu.com/hi/jx2/j_0028.gif "alt=" J_0028.gif "/>),

This article is from the "Autumn Wind Night Rain" blog, please be sure to keep this source http://2849159106.blog.51cto.com/7881853/1834326

Linux Operations Learning-sixth day-linux users, groups, and Rights management