Chapter Content
Security model for Linux
Users and Groups
User and Group Management commands
File permissions
Default Permissions
Special permissions
ACL access control
I. The 3 A's (AAA)
Authentication
Authorization
Audit
Authentication: verifies the user's identity (account name and password) and decides which services, such as network access, are available to that user.
Authorization: based on the result of authentication, opens network and other services to the user and centrally controls the user's access to resources.
Audit: centrally records, manages and analyses every operation the user performs. This not only monitors user behaviour; the centralized audit data can also be mined to attribute responsibility when a security incident is investigated later.
Put figuratively: the user authenticates with a user name and password and, once authenticated, receives a token (an identity). The token is an already-authorized "identity card": whoever holds it can access and operate the system, but what they can actually do is bounded by the permissions granted at authorization, which define the rules of what is allowed. Audit is a supervisory control: it keeps logs of the system and of user activity, so that abnormal operations and other irregularities can be spotted.
In this process a Linux system uses:
User name (user ID, UID)
Password (passwd)
Primary group (GID)
Additional (secondary) groups
File and directory permissions
ACL (access control list)
Through these, the user's activity on the system is managed at a basic level.
II. Users and Groups
1. Users and the User ID (UID)
Every user in a Linux system has a user name, but Linux does not actually recognize the user name we type at login; it recognizes the UID behind that name. The UID is the real identity number, just like our national ID card: what ultimately verifies identity is the ID number. The relationship between user name and user ID (UID) is therefore:
User name: like a person's name, it exists to be easy for the user to remember and to log in with.
User ID: like the ID card number, it is the real basis on which the system identifies the user.
For example, suppose we create a new ordinary user user1 in the system and assign it UID 1111; then
Users in Linux (user name and UID) are divided into:
Administrative user (admin, root, uid=0)
Normal users (uid=1-65535)
System users (such as accounts with the nologin shell): CentOS 6.8 default uid=1-499; CentOS 7.2 default uid=1-999
Role: so that a background process or service process can run as a non-administrator, the system or an application usually needs to create a number of ordinary users. Such users do not need to log in to the system; they exist only so that other processes can run under their identity and thus have only ordinary permissions. Users can also create system users of this kind themselves.
Login (interactive) users (the accounts we use for daily work): CentOS 6.8 default uid=500-60000; CentOS 7.2 default uid=1000-60000
Role: the interactive account we use for daily work, and the kind of account we normally recommend (root's permissions are too broad, and operating as root is risky). It has ordinary permissions and can be used to operate and maintain the system normally.
OK, let's look at an example of how the UID, rather than the user name (account), determines identity.
Example (1)
Create an ordinary login user user1 and assign it uid=1111:
useradd -u 1111 user1
Then view user1's entry in /etc/passwd:
getent passwd user1
View user1's home directory in the list of ordinary users' home directories:
ll /home
Then delete the user1 account, but keep its home directory:
userdel user1
Check how user1's home directory now appears in the list of home directories:
ll /home
Add user user2, but give it uid=1111, the same UID the original user1 had:
useradd -u 1111 user2
View /etc/passwd to see the change in user information, and check the home directory listing:
getent passwd
ll /home
Example (2)
Take a backup snapshot before doing this example.
Use the nano or vim text editor to edit /etc/passwd so that root has uid=2222 and user2 has uid=0.
First we have to set a password for user2, otherwise we cannot log in as it:
passwd user2
Then edit /etc/passwd, changing root's UID to 2222 and user2's UID to 0:
vim /etc/passwd
We mentioned earlier that the administrator's command prompt is # by default, and an ordinary user's is $.
Now log out and log in again, so that the system re-reads /etc/passwd:
exit
(log in again)
After logging in as user2 we find that its command prompt has become #, the default administrator prompt, and that switching to root does not require a password.
But the root user, who originally could read /etc/shadow, a file that only the administrator may view, can no longer access it, and its prompt has become the ordinary user's $. Switching back to user2 now requires a password, and user2 can read /etc/shadow.
This shows that the system's identification mechanism is based on the user ID (UID), not on the user name we use.
Therefore the UID in Linux determines the user's identity, and with it the user's ownership relationships and permissions.
Note: to restore the system afterwards, change the UIDs of root and user2 back to their original values.
User UIDs can be duplicated (when created or modified with the commands above), but this is generally not recommended.
/etc/passwd is one of the global configuration files; it is the database file that records user account information. Use
man 5 passwd
to understand the meaning of its fields.
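The two situations shown in the examples above, several accounts sharing one UID and an account other than root carrying UID 0, are easy to check for in /etc/passwd. The following Python is an added example, not from the original post; the sample records are constructed, and the record format is the seven-field one described by man 5 passwd.

```python
"""Audit /etc/passwd-style records for the two UID situations shown above:
several accounts sharing one UID, and an account other than root with UID 0.
Added example, not from the original post; the sample records are constructed."""
from collections import defaultdict

# Constructed sample in the seven-field /etc/passwd format (see man 5 passwd):
# name:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
user1:x:1111:1111::/home/user1:/bin/bash
user2:x:1111:1111::/home/user2:/bin/bash
user3:x:0:1003::/home/user3:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, uid, gid, home, shell) tuples, one per record."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd record: %r" % line)
        name, _password, uid, gid, _gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries


def audit_uids(entries):
    """Return (shared, extra_uid0).

    shared maps each UID used by more than one account to the account names;
    extra_uid0 lists accounts other than root whose UID is 0, i.e. accounts
    the system treats as the administrator whatever their name is.
    """
    by_uid = defaultdict(list)
    for name, uid, _gid, _home, _shell in entries:
        by_uid[uid].append(name)
    shared = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    extra_uid0 = [name for name in by_uid.get(0, []) if name != "root"]
    return shared, extra_uid0


if __name__ == "__main__":
    shared, extra_uid0 = audit_uids(parse_passwd(SAMPLE_PASSWD))
    for uid, names in sorted(shared.items()):
        print("UID %d is shared by: %s" % (uid, ", ".join(names)))
    for name in extra_uid0:
        print("account with UID 0 that is not root: %s" % name)
```

On a real system, read the file with `getent passwd` and feed its output to `parse_passwd` instead of the constructed sample.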
2. Password
The account password is the key to user login authentication. Here we take a first look at Linux user passwords: where they are stored in the system, how they are composed, and which encryption algorithms are used.
In earlier Linux versions the password was stored in the second field of the database file /etc/passwd; later it was moved to /etc/shadow. Under the current mechanism /etc/passwd must be readable by all users because the system needs it to operate, whereas /etc/shadow can be read only by the root administrator, so the storage location was moved for security reasons. If you want to go back to the original storage mode, the method is as follows:
pwunconv # turn off shadow passwords; passwords are stored back in /etc/passwd instead of /etc/shadow
pwconv # turn shadow passwords back on
We can see that when shadow passwords are turned off, the password is stored in /etc/passwd and the /etc/shadow file is gone!!! After switching back to the system's default shadow-password mode, /etc/shadow exists again and the password is no longer stored in /etc/passwd but in /etc/shadow.
Composition of the password: a normal password entry in the system consists of three parts.
The part after the first $ is the encryption algorithm; the correspondence between the number and the algorithm is as follows:
1: MD5 128-bit
2: SHA1 160-bit
3: SHA224 224-bit
4: SHA256 256-bit
5: SHA384 384-bit
6: SHA512 512-bit
So we can see that user2's password uses the SHA512 algorithm.
Early passwords used the MD5 and SHA1 algorithms, whose output was not as long. More complex algorithms existed even then, but since encryption and verification consume system resources, and nobody could crack those algorithms at the time, the simpler algorithms were kept so that system resources could be used more efficiently. In 2005, however, a Chinese mathematician, Dr. Wang Xiaoyun (a woman doctor! a woman doctor! a woman doctor!), successfully cracked them, which led to a change of password encryption algorithm in every important area afterwards.
The Celestial Empire is mighty and domineering, and the woman doctor is invincible!!!!
Encryption mechanism:
Encryption: plaintext to ciphertext
Decryption: ciphertext to plaintext
One-way encryption: produces a fixed-length output regardless of the input, and the original data cannot be derived back from the ciphertext
Hash algorithm: if the original text differs, the ciphertext differs
Avalanche effect: a small change in the initial conditions causes a dramatic change in the result
To change the encryption algorithm:
authconfig --passalgo=sha256 --update
Attention:
This command works by modifying parameters in /etc/login.defs, so it applies to everyone. The encryption mode of passwords that already exist is not changed, but a password that is changed afterwards, and every new user, uses the modified algorithm, and the change persists across re-login.
The part after the second $ is the salt. The salt can be thought of as a seasoning: for the same password, adding a salt generated from a random number produces, through the avalanche effect, a different ciphertext. This prevents someone whose password ciphertext happens to match ours from deducing our password.
The part after the third $ is the actual password ciphertext. Its length varies with the encryption algorithm, but within the same algorithm, passwords of different lengths produce ciphertext of the same length, so the length of the ciphertext is determined by the encryption algorithm.
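The following Python is an added example, not from the original post: it splits a shadow password field into the three $-separated parts described above and uses plain hashlib SHA-512 as a stand-in for crypt(3) to show the salt, fixed-length and avalanche properties. The stand-in is not the real sha512-crypt computation, the optional `rounds=` handling is an assumption about the field format, and the id table covers only $1$, $5$ and $6$.

```python
"""Split a shadow-style password field into the three $-separated parts
described above and illustrate the salt and avalanche properties.
Added example, not from the original post. Plain hashlib SHA-512 stands in
for crypt(3) to show the properties only; it is not the real sha512-crypt
computation, and the id table lists only $1$, $5$ and $6$."""
import hashlib

ALGO_BY_ID = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample field of the form $id$salt$hash (not a real hash).
SAMPLE_FIELD = "$6$Qk3rZv8L$examplehashvaluefromaconstructedshadowentry"


def parse_crypt_field(field):
    """Return (algo_id, salt, digest) for a '$id$salt$hash' field.

    Returns None for a locked or passwordless account ('!', '!!', '*'),
    a case the format description above does not cover. Raises ValueError
    on anything else that does not have the expected three parts.
    """
    if field == "" or field.startswith("!") or field == "*":
        return None
    parts = field.split("$")[1:]           # drop the '' before the first '$'
    if len(parts) == 4 and parts[1].startswith("rounds="):
        parts.pop(1)                       # optional rounds=N parameter (assumed)
    if len(parts) != 3 or field[0] != "$":
        raise ValueError("unexpected password field: %r" % field)
    algo_id, salt, digest = parts
    return algo_id, salt, digest


def salted_digest(password, salt):
    """Stand-in for the salted one-way hash: SHA-512 over salt || password.
    The output is always 128 hex characters, whatever the password length."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def differing_bits(hex_a, hex_b):
    """Count bit positions where two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    algo_id, salt, digest = parse_crypt_field(SAMPLE_FIELD)
    print("algorithm:", ALGO_BY_ID.get(algo_id, "unknown id " + algo_id))
    same_pw_a = salted_digest("Passw0rd", "salt-one")
    same_pw_b = salted_digest("Passw0rd", "salt-two")
    print("same password, different salt, equal ciphertext?", same_pw_a == same_pw_b)
    one_char = salted_digest("Passw0re", "salt-one")
    print("bits changed by a one-character change:", differing_bits(same_pw_a, one_char), "of 512")
```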
3. Groups (primary group, additional groups)
A user's group in a Linux system can be understood abstractly as a department: the primary group is the main department (where our affiliation lies), and an additional group is a part-time department (for example, a technician whose main job is in the technical department also serves part-time as the PR image ambassador).
This article is from the "Autumn Wind Night Rain" blog, please be sure to keep this source http://2849159106.blog.51cto.com/7881853/1834326
Linux Operations Learning - Day 6 - Linux users, groups, and rights management